Small Defense Firms, the Pentagon Can Help You Fight Off Hacks — Just Ask

Hackers pummel small companies because they are easy targets, with poor security hygiene and network access to big business partners, say security specialists. That logic applies to small military contractors, too.

But the Pentagon’s Office of Small Business Programs has resources to help protect the little defense businesses – it just didn’t know it. That was the finding of a Government Accountability Office audit released Thursday. 

The office "had not identified or disseminated cybersecurity resources to defense small businesses that the businesses could use to understand cybersecurity and cyberthreats," Joseph Kirschbaum, GAO director for defense capabilities and management, said in the report. Office employees "were not aware of existing cybersecurity resources such as those we identified when we met with them in June 2015."

Even as the Pentagon was imposing data breach regulations on the $55.5 billion sector, the office essentially had other priorities than advocating information security awareness.

“There had been leadership turnover within the office, and the office had been focused on one of its key initiatives -- developing the training curriculum for DOD professionals who work with small businesses,” Kirschbaum found.

The absence of guidance for small businesses on how to secure military data comes at a time when those firms are being held accountable for breaches more than ever.  

In August, the Pentagon issued an interim rule for reporting data breaches. It stipulates that contractors, including lower-tier vendors, have to safeguard a larger amount of content than in the past. The policy covers confidential military technological and scientific data, known as “unclassified controlled technical information," as well as all other unclassified "protected" data, such as export-controlled information.

Simultaneously, 71 percent of security breaches hit small businesses, according to research from IDC. 

The new audit includes a list of 15 websites where small defense firms can read about digital risks and countermeasures, including the Pentagon's "Cybersecurity e-Learning Courses," the Small Business Administration's "Learning Center: Cybersecurity for Small Business" and the Federal Communications Commission's "Small Biz Cyber Planner 2.0." 

Auditors cautioned the list, which only encompasses federally funded materials, might not be exhaustive and the quality of the selected webpages sites was not assessed. 

The small business office said it was not required to educate small businesses on information security, but understood the importance of data protection. 

After auditors presented the office with the array of online materials, officials said they would tie cybersecurity into existing tutorials. 

Future outreach by the office "will increase awareness of cybersecurity education and training resources to defense small businesses," said Kenyata Wesley, acting director of the Defense Office of Small Business Programs, in a Sept. 11 written response to a draft report. The office also will publicize the materials to Pentagon small business personnel through events "and by issuing guidance to the military departments and defense agencies."