SBDC expands cybersecurity training for small biz


A cybersecurity breach can break a small business, and now the Pikes Peak Small Business Development Center has launched a statewide program to help small-business owners get ahead of the threats.

“We have now fully launched our cybersecurity for small business program, which we lovingly call Cyber CYA — Covering Your Assets,” said Pikes Peak SBDC Executive Director Aikta Marcoulier.

The Cyber: CYA training and workshops meet an urgent need, she said. With 43 percent of cyber attacks targeting small businesses, understanding cybersecurity is as essential to survival as understanding cash flow.

Bonnie Moss, executive director of SMB iSAO [Small and Mid-Sized Business Information Sharing and Analysis Organization], said the majority of small and micro companies go under following a cybersecurity breach.

“Small businesses suffer the most egregious attacks because hackers are very aware of their vulnerabilities,” Moss said in an email. “Worse, SMBs are overlooked in the cybersecurity space. They’re often left to their own defenses which can mean limited resources, finances and cybersecurity education.

“Small businesses need to stay ahead of threats so that when (not if) they get hacked, they have a better chance of surviving and keeping their business afloat.”

The Cyber: CYA program was developed in response to a void in the state’s cybersecurity readiness landscape.

“The one thing that isn’t being done is a focused effort on a series just for small business,” Marcoulier said. “I want people to know that we’re not waiting on other groups to make this happen, because this is our area of expertise. We’re workshop people; we do it really well.”

Cyber: CYA is designed to bring small-business owners the information they need, in language they can understand, in their own cities.

Pikes Peak SBDC manages and operates the cybersecurity program statewide, and is “taking it on the road,” Marcoulier said, with Cyber: CYA facilitators and consultants traveling to give workshops at SBDC offices all over Colorado, as well as offering virtual training and free one-on-one consulting.

The aim is to have every SBDC office offering the same level of cybersecurity training for small businesses on a continual basis.

“We’re doing this so they get the standard that we’re setting for the state, and they’ll teach [cybersecurity] all the time, just as often as they teach bookkeeping, or just as often as they teach ‘Using Facebook for Your Business,’” Marcoulier said.

While the Pikes Peak SBDC offers consultants to travel statewide, the aim is for the 14 main SBDC offices throughout Colorado to source their own local cybersecurity experts to teach small businesses in their areas.

“We like to support our experts locally because then it’s more accessible for other businesses to utilize than coming to Colorado Springs from Grand Junction, for example,” Marcoulier said. “So the idea is that at some point, all of our offices are self-sufficient.”

Moss said small businesses play a vital role in the overall cybersecurity of the state and the nation.

“The small business market is the backbone of the U.S. economy. If we don’t take care of this market, our nation suffers as a whole,” she said. “Likewise, small businesses have a responsibility to bolster their cybersecurity posture. One way to share this responsibility is to join an [Information Sharing and Analysis Organization], which facilitates this effort.

“Obviously, I would love for business owners to join our ISAO as it’s tailored to SMBs … but it’s imperative that they join one.

“An ISAO membership will not only afford certain legal protections under [the Cybersecurity Information Sharing Act], but the shared threat intelligence information will help their community and our country thwart cybersecurity attacks,” Moss said.

CISA is a federal law passed in 2015 to improve cybersecurity nationwide through enhanced sharing of information about cybersecurity threats.

Consulting and classes range from cloud computing to securing technology in order to meet government procurement and compliance standards.

Getting small business owners to understand that cybersecurity is critically important to their livelihood is “the hard part,” Marcoulier said.

“Positioning workshops in a way that makes sense is really important,” she said. “Cybersecurity seems so big and fancy but it’s not. There are simple things you can do, that we’re teaching.

“Around the holidays it’s about securing your customer data. When you say, ‘Do you want to be hacked like Target?’ When you put a title like that on it, it makes more sense for businesses to be like, ‘No! What do I need to do?’ We put it in a way that makes sense.”

Right now, she said, most small businesses are not proactive about cybersecurity, and don’t look for help until they’ve suffered a breach or attack.

“It’s like getting a security system after you get robbed,” Marcoulier said.

“What we’re trying to do is have [cybersecurity training] consistent enough that when it comes to light for their business, it’s ready for them.”

Cyber: CYA is focusing on five areas to start with — “all the stuff we found out small to big businesses need now,” Marcoulier said, “where they don’t know the basics.”

The first is NIST SP 800-171 — known less colloquially as the National Institute of Standards and Technology Special Publication 800-171 — which is a set of 110 cybersecurity controls and reporting standards mandated by the Defense Federal Acquisition Regulations System. Companies doing business with the Department of Defense or DoD contractors must comply with NIST SP 800-171 by Dec. 31, or face losing their contracts.

The other areas for training are virtual private networks; managing mobile devices; protecting customer data; and protecting your business and employee data.

“Our classes have about 20 [people] in each, so we’re making an impact — but it just has to be there all the time,” Marcoulier said.

She urges business owners not to put off their cybersecurity training.

“I think it’s ‘We only do this, so it’s not going to happen to us.’ But with the [Payment Card Industry] compliance measures that have to be put in place, for example, there are a lot of people not abiding by that because they don’t want to purchase the software to protect them.

“Even the smallest [business] — ‘I’m using the Square to sell my jewelry at a craft show’ — if they get hacked, the cost of recovery far outweighs the cost of being compliant from the beginning.”

Marcoulier said cybersecurity for small businesses is becoming a national concern, and is vital to Colorado Springs’ cybersecurity ecosystem.

“This is a piece of us being Cyber City USA,” she said. “What we’re missing … the piece that really needs to be highlighted in my world is small business education.

“The small business owner is the CEO of their business, that’s the way I look at it. Those are our CEOs, and that educational piece is where we fit.”

Pikes Peak SBDC is the designated SBDC Technology TechSource Smart Zone for cybersecurity. The SBDC recently received a $50,000 supplemental grant which, in addition to sponsors and other funding sources, is helping implement cybersecurity training for small businesses.

Local Cyber: CYA facilitators and consultants, whom Marcoulier describes as “our dream team,” come from Colorado Computer Support, Conundrum Creek Consulting, Corvus Technologies, the Department of Homeland Security, Firma IT Solutions & Services, Murray Security Services & Consulting, Rim Technologies, SMB iSAO and Toggle Industries.