FTC to Small Businesses: Gather Round


Legend has it that King Arthur gathered his knights at a round table. Because the table had no head, it signaled that everyone seated at it was respected, and their contributions were welcome. At the FTC, we love the concept of a round table. It's a way to bring together stakeholders for a mutually beneficial discussion. In fact, we're planning a series of roundtable discussions about the challenges small businesses face dealing with cyber threats and data security, and we'd appreciate your thoughts.

Under Acting Chairman Maureen Ohlhausen's leadership, we are prioritizing outreach and education for small businesses on data security issues. For example, we recently launched a site with resources to help small businesses stay ahead of the latest scams, reduce the risk of cyber threats, and respond in case of a data breach. Tools like these put easy-to-understand, practical tips in businesses' hands.

King Arthur was said to have won his seat by pulling a sword from a stone. No such feat is required to give us your thoughts about small businesses and data security. Just post a comment on this blog. We’re especially interested in hearing from people at very small businesses – like sole proprietors and companies with just a few employees – who generally do not have full-time information technology or human resources staff.

Here are some of our questions:

Challenges

  • What are you most concerned about regarding your business's data security efforts?
  • What challenges do businesses like yours face when it comes to protecting data and sensitive information?
  • Do you think your business has been targeted by a cyber-attack? What do you do, or who do you turn to if you think you’re under attack?

Knowledge

  • Where do you get your data security information?
  • How do you recognize cyber threats?
  • What kinds of good practices have you found to secure your business's technology? Why do you like them?

Information

  • How can the government help you improve your cybersecurity?
  • Are there particular industries we should focus our education initiatives on?
  • What would help you use and share information with your employees? What format might your employees read, understand, and use? (For example, videos, print, web-based training sessions, online resources, workbooks.)
  • Which issues are you most interested in getting information about? (For example, ransomware, email authentication, vendor oversight, encryption, segmentation or authentication.)

We'll talk about these and other questions at our first roundtable event, held July 25th in Portland, Oregon, in partnership with the Small Business Administration (SBA), the National Cyber Security Alliance (NCSA), and other organizations. Next, we're going to Cleveland where we'll host a roundtable discussion with business owners from that city at the offices of the Council of Smaller Enterprises serving Northeastern Ohio, in collaboration with the SBA's district office there. And following Cleveland, we'll be in Des Moines, Iowa. Our theme for these Small Business & Data Security Roundtables is Engage, Connect, Protect.

Of course, we also take our job as the nation's primary data security cop on the beat seriously. We've used our enforcement authority against about 60 businesses that allegedly failed to provide reasonable protections for consumers' personal information. That experience informs our educational materials for businesses.

It would be nice if there were a suit of armor to protect businesses from ransomware, botnets or viruses. But the quest to shield small businesses from cyber threats and data security risks is complex and ongoing. Posting a comment to this blog about the issues you face in your small business is a great first step on our shared journey. If you'd rather email us, please use smallbizcyber@ftc.gov.

 

Comments

I am interested in topics relevant to small business.
Thank you for your work to keep us safe.

Hello, we are responding as an SMB and as an MSSP. Looking forward to the next round table discussions. To answer your following questions:

What are you most concerned about regarding your business's data security efforts?
Response: Since we provide services and product solutions to other SMBs, we're primarily concerned with becoming compromised on our production network and any of our technologies that hold sensitive data on a customer site on-premise. In particular, compliance data such as ePHI, PCI, etc.

What challenges do businesses like yours face when it comes to protecting data and sensitive information?
Response: The same as every other SMB and enterprise. Insider threats, external APT perimeter attacks, leaks, and 0-day exploitation + phishing.

Do you think your business has been targeted by a cyber-attack? What do you do, or who do you turn to if you think you’re under attack?
Response: Definitely. We've been tracking basic atomic indicators and IP reputation feeds; of course it's next to impossible in conventional ways to determine true attribution but aside from common script kiddie scans we've seen some highly tuned phishing emails sent to our receptionist staff that mimic our C-suite. We also notice social engineering attempts against our vendor partners.

Data security is still a challenge for small businesses like mine. I've an online diamond jewelry store, spending a handful amount on marketing, but I still face questions about the credit card data security from my customers. However, my website is SSL enabled, but some of my prospective customers believe it's not enough to avoid cyber crimes. Unfortunately, it was the only way suggested by my web hosting company, so I implemented this. I hope it works!
