
Dark Reading
Quick Hits

Achieving Security Compliance In Small And Midsize Businesses

How can smaller businesses meet compliance requirements with limited resources? Here are some tips

[The following is excerpted from "Achieving Security Compliance in Small and Midsize Businesses," a new report posted this week on Dark Reading's SMB Security Tech Center.]

When it comes to compliance, small and midsize businesses have it rough. Like larger organizations, they have real and difficult-to-achieve regulatory mandates. Indeed, depending on the business they're in, the services they provide, and the type of data they process and store, SMBs can have just as many regulatory and compliance considerations as larger companies.

However, unlike their larger cousins, they often don't have room in the budget for teams of dedicated personnel or specialized compliance expertise. This means that while their regulatory compliance requirements might be the same, SMBs' and larger firms' abilities to respond are not.

All of this creates a quandary for SMBs: How can they be sure to address regulatory mandates without pulling resources away from critical tasks that enable the business to thrive?

It's a Catch-22: If they channel resources into compliance activities, they might negatively impact their ability to compete, but that ability to compete could be reduced if they don't address regulatory compliance considerations. Fortunately, there are a few strategies and resources that can help -- most importantly, the "kill two birds with one stone" model.

First and foremost, it's important to clear up a myth many practitioners have about regulatory compliance in an SMB context -- specifically, that because they're small they don't need to worry about compliance in the first place.

This is a dangerous assumption. In fact, the exact opposite is true. Governing regulations are very seldom tied to an organization's size. They may have a provision or two that addresses how approaches should be tailored to organizational context and risk (which might include size), but even if that's the case, the requirements themselves don't differ. Instead, where they have an impact on IT, regulations are usually tied to data.

For example, in the case of the Health Insurance Portability and Accountability Act (HIPAA), the salient factor governing whether the law applies is whether the organization processes protected health information; in the case of the Payment Card Industry Data Security Standard (PCI DSS), it's whether or not the organization handles cardholder information; for state breach disclosure legislation, the determining factor is exposure of personally identifiable information.

In all of these cases, it's the data that governs how information should be protected -- not the size, structure or other characteristics of the organization protecting it.

SMBs can benefit from studying the people and companies that have come before them -- or have essentially been there and done that when it comes to compliance.

For example, SMBs can leverage free and low-cost resources to help with the selection and implementation of controls for meeting regulations, to help deploy controls where they will provide the most value and to obtain technical guidance about implementation.

All of this is not to say that SMBs can just ride on others' coattails without any effort whatsoever. Rather, SMBs will have to spend significant time reading through documents, understanding their applicability and planning how to use them strategically. It's really a front-loaded exercise -- there's some work required before the benefit can be realized.

So what resources are appropriate for SMBs in this context? In terms of thoroughness, it's hard to beat the U.S. National Institute of Standards and Technology's 800 series of special publications. Because these documents are freely available and designed with a full range of organizational sizes in mind (a number of government agencies have fewer than 100 employees), they can be a way for SMBs to get additional technical guidance for only the cost of the time it takes to read through the documents.

Particularly helpful is SP 800-53, which contains a road map of controls designed to secure federal information systems. Why would that be helpful to a private sector SMB? Because of what happens once those controls are mapped to the regulatory requirements in the SMB's scope. By mapping either directly (for example, mapping a regulation like HIPAA or an industry standard like PCI DSS to the controls in SP 800-53) or indirectly (via an intermediate layer such as ISO/IEC 27002:2005), an SMB can get a comprehensive playbook of technical guidance about the implementation of specific controls.
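As an added illustration (not from the report), the following Python sketch composes a direct mapping and an indirect one routed through ISO/IEC 27002:2005 into one control playbook, and flags any requirement that ends up with no SP 800-53 control; the mapping entries are constructed samples chosen to show the mechanics, not an authoritative crosswalk.

```python
"""Compose regulation -> SP 800-53 control mappings, directly or through an
intermediate framework, and report requirements left without a control.
Added illustration; the mapping entries below are constructed samples."""
from collections import defaultdict

# Direct mapping: PCI DSS requirement -> SP 800-53 control IDs (constructed sample)
PCI_TO_80053 = {
    "PCI 8.x (identify/authenticate users)": {"IA-2", "IA-5"},
    "PCI 10.x (track and monitor access)": {"AU-2", "AU-6"},
    "PCI 12.x (security policy)": set(),   # deliberately unmapped, to show a gap
}

# Indirect mapping, step 1: HIPAA requirement -> ISO/IEC 27002:2005 clause (constructed sample)
HIPAA_TO_ISO = {
    "HIPAA 164.312(a)(1) access control": {"11.2.1"},
    "HIPAA 164.312(b) audit controls": {"10.10.1"},
    "HIPAA 164.308(a)(5) awareness and training": {"8.2.2"},
}
# Indirect mapping, step 2: ISO/IEC 27002:2005 clause -> SP 800-53 control IDs (constructed sample)
ISO_TO_80053 = {
    "11.2.1": {"AC-2"},
    "10.10.1": {"AU-2", "AU-12"},
    # 8.2.2 intentionally absent: the intermediate layer does not reach SP 800-53 here
}

def compose(req_to_mid, mid_to_ctrl):
    """Follow requirement -> intermediate -> control; returns requirement -> controls."""
    out = {}
    for req, mids in req_to_mid.items():
        out[req] = set().union(*(mid_to_ctrl.get(m, set()) for m in mids))
    return out

def build_playbook(*mappings):
    """Invert requirement -> control maps into control -> requirements it satisfies."""
    playbook = defaultdict(set)
    for mapping in mappings:
        for req, ctrls in mapping.items():
            for ctrl in ctrls:
                playbook[ctrl].add(req)
    return dict(playbook)

def unmapped(*mappings):
    """Requirements with no SP 800-53 control after mapping: these need manual attention."""
    return sorted(req for m in mappings for req, ctrls in m.items() if not ctrls)

if __name__ == "__main__":
    hipaa = compose(HIPAA_TO_ISO, ISO_TO_80053)
    for ctrl, reqs in sorted(build_playbook(PCI_TO_80053, hipaa).items()):
        print(ctrl, "->", ", ".join(sorted(reqs)))
    print("gaps:", unmapped(PCI_TO_80053, hipaa))
```

The gap list is the useful output: a requirement that survives the composition with an empty control set is one the intermediate layer does not cover, and it has to be mapped by hand rather than assumed to be handled.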

To read more about the resources and data available to help SMBs achieve compliance -- and for some tips on how they can get there -- download the free report.
