Perimeter
2/3/2012
09:14 AM
50%
50%

Compliance And 'The Little Guys'

Small and midsize businesses often let the cost of compliance obscure important benefits

Compliance is not cheap. We all know that. But as a percentage of a company’s gross revenue, the work necessary for compliance is more expensive for small and midsize businesses (SMBs) than the big boys. This is a key reason so many SMBs’ compliance efforts are woefully inadequate.

Many SMBs fail to properly consider the cost of compliance when building or updating their business models. There is a lot of opportunity for this oversight because it can happen with so many different people: the owners, upper management, technical leadership, and sometimes all of them. Regardless of the cause, this inadequate planning leaves funding for compliance lacking. In most cases, this funding shortage is directly related to the manpower needed for the ongoing tasks required for proper industry compliance.

There is still a lot “the little guys” in business can do toward compliance, the first being to embrace the benefits of compliance. Avoiding or ignoring compliance is not viable option, because it is not a safe answer for your business.

Regardless of your industry, and even if you are never audited, noncompliant technical and business operations are typically at much greater risk for complicated and expensive problems. A data breach or a flawed back-up process can cost money, time, and even reputations. Organizations with a reasonable compliance effort have inherently better-protected business processes and technology. A commitment to compliance efforts may be forced business discipline, but it’s an important and healthy discipline.

For those SMBs that have acknowledged and accepted that their compliance efforts are inadequate, here are five tips for better compliance when resources are limited:

1. Make a list. The Web is filled with clear, easy-to-read lists highlighting the important areas of every compliance regulation, rule, and law. Find the lists that apply to your business, and then match the issues or requirements to your business.

2. Prioritize the list. With limited resources, you cannot address every issue immediately. And trying to do everything at once can be a chaotic approach ending with many important elements never addressed properly.

3. Take it one step at a time. Start at the top of your prioritized list, address it methodically to get it under control, and repeat. As the old joke goes, “How do you eat an elephant? One bite at a time.”

4. As you work through your list, be sure that you are working to make compliance part of your ongoing business processes, not something that will be implemented later. If compliance tasks are seen as extra work, staff (and this may include you) will adopt an attitude of “I’ll do that later when I have time” toward compliance, and it will fail to become a priority.

5. Once you get to the bottom of the list, start back at the top, and work to refine each item further. Each pass through the list will get easier and will better help you understand your own business operations better. You’ll find that the process gets faster, more efficient, and eventually becomes a routine part of your standard business operations. This is a good thing.

Most SMBs will be reluctant to attempt to become and remain compliant, often because of the perceived cost. They must understand that a committed, realistic, well-planned approach can provide benefit to their businesses far beyond that of simple compliance. They will learn more about exactly how they do what they do, which almost always means they will find a way to do it better. And make more money doing it.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

CVE-2015-0802
Published: 2015-04-01
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a p...

CVE-2015-0803
Published: 2015-04-01
The HTMLSourceElement::AfterSetAttr function in Mozilla Firefox before 37.0 does not properly constrain the original data type of a casted value during the setting of a SOURCE element's attributes, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) ...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.