In last year's report, FDD's Center on Cyber and Technology Innovation (CCTI) compared economic losses from cyberattacks on just one MSP supplier with those from Hurricane Sandy. The losses from cyberattacks were 17% higher!
Cyberattacks pose a threat not only to small businesses, but also to national infrastructure and US government agencies.
One example of such an attack, from 2021, is malware planted in the infrastructure of MSP providers that used locally installed Kaseya VSA software.
Experts believe that hackers use a phishing scheme to penetrate the provider's network, thus gaining access to its clients and remaining unnoticed for extended periods of time. Hundreds of businesses nationwide may become victims of the phishing software, which threatens the operation of various industries and critical infrastructure facilities. This will lead to about $80 billion in losses.
Underestimating such risks is unacceptable, which is why measures must be taken, including changes in federal law. One of the most important additions must be a law that requires notification of cyberattacks on companies and regulates cybersecurity measures for small, medium and large businesses.
Some work in this field is already under way. For example, a bill drafted by Senators Mark Warner and Marco Rubio proposes that all critical infrastructure owners and contractors must inform federal authorities about cyberattacks within 24 hours of the incident. Currently these reports are voluntary and are sent to state authorities.
The US Congress is also working on requirements that would oblige private companies to report cybersecurity breaches in their networks that may pose a threat to federal structures.
· To include cybersecurity report requirements in the Sarbanes-Oxley Act for all public companies.
· Cybersecurity reports to include an estimate of economic losses.
· To create a cybersecurity manual for small and medium businesses.