Biden's infrastructure bill won't protect your corporation from cyberattacks — you'll have to do that yourself

The Hill
·4 min read


In May 2021, the Colonial Pipeline ransomware attack compromised America's largest fuel pipeline and led to gas shortages all along the East Coast. It was a shocking demonstration of how vulnerable our systems really are - and just how damaging cyberattacks can be.

To address these growing threats, Congress recently passed a $1 trillion infrastructure bill with several cybersecurity provisions. The bill, which President Biden signed into law, allocates $1 billion for a federal grant program to help government entities protect themselves from cyberattacks, and to modernize systems that protect sensitive data, information and critical infrastructure.

In addition, the bill authorizes $100 million to help government agencies quickly respond to digital threats. It also sets aside $21 million in funding for the newly-created Office of the National Cyber Director to coordinate federal action.

Those cybersecurity provisions are a welcome step in the right direction for securing America's infrastructure. But they are limited to government bodies and public agencies at the local, state and federal levels. The bill's focus on the issue makes it clear that the government is taking digital threats more seriously than ever before, but the private sector must adopt a similar posture.

It is incumbent upon private sector entities and enterprises, which are no less vulnerable to digital threats than their public sector and government counterparts, to take the initiative and improve their enterprise privacy risk posture against such threats.

It won't be easy, and the risks they will have to mitigate are potentially massive. But being unprepared could court disaster.

Today, companies are enmeshed in a web of digital tools and services, from cloud platforms to web services. Not only that, but their employees and their customers are plugged into personal social media profiles and multiple digital accounts across both their work and personal devices. We are all digital dependents now.

But with this newfound level of digital dependency comes a host of unique risks - both to individuals and to the companies they work for. Every website login, online service, digital device or account is a potential attack surface. Sensitive information that hackers can use to launch corporate phishing attacks can be accessed almost everywhere.

The result is that cyberattacks are the fastest growing crime in the private sector and have caused catastrophic business disruption worth trillions of dollars in just the last year. In 2020, small companies with fewer than 50 employees lost an average of $24,000 as a result of cyberattacks, while enterprise-level companies with more than 1,000 employees lost an average of $504,000.

But companies, both small and large, must reckon with more than just the financial cost of a cyberattack. The damage to a company in terms of reputation can often be immeasurable. You might have spent years, even decades, building your business to what it is today. A simple data leak that leads to a cyberattack could eradicate consumer trust.

So, what are companies doing to protect themselves? Right now, larger companies are spending roughly 3 percent of total revenue on IT operations and reducing system exposure to digital threats. Smaller companies will normally spend less than $500,000 on these areas, whereas larger enterprises will spend up to $50 million.

Those are worthwhile investments. But they won't target many of the risks that companies face. Even the best IT training or the most secure firewalls can't prevent a hacker from scraping a social media profile of an executive and using his or her personal information in a phishing attack.

In the digital landscape of today, traditional investments don't capture the full scope of risk. Companies have to acknowledge that our world's newfound digital dependency has made every employee into a possible security vulnerability and transformed everyday communication and digital exposure into an enterprise security threat.

Although legislative measures such as President Biden's infrastructure plan have been touted as a helping hand to businesses, especially small businesses, such legislation is inadequate when it comes to the private sector's capacity to manage these threats.

Business leaders need to step up and make the investments needed to protect their systems and workplaces from digital threats, and to minimize the kinds of risks and data breaches that harm employees and consumers nationwide.

Tom Kelly is president and CEO of IDX, a Portland, Oregon-based provider of data breach and consumer privacy services such as IDX Privacy. He is a Silicon Valley serial entrepreneur and an expert in cybersecurity technologies.