
Risk // Quick Hits

Dark Reading, 03:11 AM

Achieving Security Compliance In Small And Midsize Businesses

How can smaller businesses meet compliance requirements with limited resources? Here are some tips

[The following is excerpted from "Achieving Security Compliance in Small and Midsize Businesses," a new report posted this week on Dark Reading's SMB Security Tech Center.]

When it comes to compliance, small and midsize businesses have it rough. Like larger organizations, they have real and difficult-to-achieve regulatory mandates. Indeed, depending on the business they're in, the services they provide, and the type of data they process and store, SMBs can have just as many regulatory and compliance considerations as larger companies.

However, unlike their larger cousins, they often don't have room in the budget for teams of dedicated personnel or specialized compliance expertise. This means that while their regulatory compliance requirements might be the same, SMBs' and larger firms' abilities to respond are not.

All of this creates a quandary for SMBs: How can they be sure to address regulatory mandates without pulling resources away from critical tasks that enable the business to thrive?

It's a Catch-22: If they channel resources into compliance activities, they might negatively impact their ability to compete, but that ability to compete could be reduced if they don't address regulatory compliance considerations. Fortunately, there are a few strategies and resources that can help -- most importantly, the "kill two birds with one stone" model.

First and foremost, it's important to clear up a myth many practitioners have about regulatory compliance in an SMB context -- specifically, that because they're small they don't need to worry about compliance in the first place.

This is a dangerous assumption. In fact, the exact opposite is true. Governing regulations are very seldom tied to an organization's size. They may have a provision or two that addresses how approaches should be tailored to organizational context and risk (which might include size), but even if that's the case, the requirements themselves don't differ. Instead, where they have an impact on IT, regulations are usually tied to data.

For example, in the case of the Health Insurance Portability and Accountability Act (HIPAA), the salient factor governing whether the law applies is whether the organization processes protected health information; in the case of the Payment Card Industry Data Security Standard (PCI DSS), it's whether or not the organization handles cardholder information; for state breach disclosure legislation, the determining factor is exposure of personally identifiable information.

In all of these cases, it's the data that governs how information should be protected -- not the size, structure or other characteristics of the organization protecting it.

SMBs can benefit from studying the people and companies that have come before them -- or have essentially been there and done that when it comes to compliance.

For example, SMBs can leverage free and low-cost resources to help with the selection and implementation of controls for meeting regulations, to help deploy controls where they will provide the most value and to obtain technical guidance about implementation.

All of this is not to say that SMBs can just ride on others' coattails without any effort whatsoever. Rather, SMBs will have to spend significant time reading through documents, understanding their applicability and planning how to use them strategically. It's really a front-loaded exercise -- there's some work required before the benefit can be realized.

So what resources are appropriate for SMBs in this context? In terms of thoroughness, it's hard to beat the U.S. National Institute of Standards and Technology's 800 series of special publications. Because these documents are freely available and designed with a full range of organizational sizes in mind (a number of government agencies have fewer than 100 employees), they can be a way for SMBs to get additional technical guidance for only the cost of the time it takes to read through the documents.

Particularly helpful is SP 800-53, which contains a road map of controls designed to secure federal information systems. Why would that be helpful to a private sector SMB? Because of what happens once those controls are mapped to the regulatory requirements in the SMB's scope. By mapping either directly (for example, mapping a regulation like HIPAA or an industry standard like PCI DSS to the controls in SP 800-53) or indirectly (via an intermediate layer such as ISO/IEC 27002:2005), an SMB can get a comprehensive playbook of technical guidance about the implementation of specific controls.

To read more about the resources and data available to help SMBs achieve compliance -- and for some tips on how they can get there -- download the free report.
