Citizen Portal

Witnesses urge public-private cyber training for small businesses as AI supercharges scams

Committee on Small Business (House) · December 3, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

The National Cybersecurity Alliance and others told the committee that AI has amplified phishing and impersonation scams, that small firms under-report incidents (only about 15% are reported), and that scalable public-private education (CyberSecure My Business) and SBA engagement are essential.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, told the committee that small businesses commonly lack basic IT hygiene, such as multi-factor authentication and patched systems, and that AI has made social engineering (phishing, vishing) far more convincing and scalable. Plaggemier and members noted limited reporting: only about 15% of incidents are reported to IC3, which complicates national estimates of business closures due to cybercrime.

Plaggemier described the CyberSecure My Business training (one hour a week for six weeks) and urged broader public-private partnerships to deliver credible, accessible training via Small Business Development Centers and SBA channels. Members raised the cybersecurity information-sharing statute and CISA relationships; Plaggemier said that many public templates and tabletop exercises remain available via StaySafeOnline.org and that partnerships with CISA and the SBA are ongoing.

Members discussed AI-specific risks and a pending AIWISE Act to educate small-business users about AI privacy and input risk when using generative tools. Plaggemier warned that sharing confidential business plans or customer data with AI tools can leak sensitive material, and recommended focused training to give owners practical questions to ask vendors or in-house IT staff.

The hearing closed with bipartisan interest in making cybersecurity training easier to access and in reauthorizing or preserving federal information-sharing mechanisms.