Nearly half of small business owners say they don’t take more than 3 days off from work per year. However, if you’re required to maintain compliance, you’re actually losing two full weeks of work annually.
Surveys show that small businesses spend 80 hours per year, on average, addressing federal regulations alone. [Source: 2017 NSBA] That’s not even to mention state-level compliance mandates.
Spending so much time (and money) trying to take the right steps to achieve compliance and maximize security can feel like a significant weight on your business.
However, small business compliance and security don’t have to be so difficult—especially if you simplify the steps and partner with experts who can guide you through the process.
Truth About Compliance and Security
For many business leaders, compliance and security are two separate conversations with their own unique challenges. Thinking about the two as complementary can simplify the path to success.
The reality is that compliance (as frustrating as it may seem) is in place to both prevent security breaches and provide guidelines for what to do if a breach occurs. And that’s the key word here—guidelines.
There are so many different regulatory bodies. In finance, there’s the New York Department of Financial Services (NYDFS) and PCI Security Standards Council. In the insurance industry, you have the National Institute of Standards and Technology (NIST) as well as the Financial Banking and Information Infrastructure Committee (FBIIC). And in healthcare, there’s the Healthcare Industry Cybersecurity Task Force established by the Cybersecurity Act of 2015.
All of these governing bodies, regardless of the industry, have one thing in common—they provide security guidelines for companies, not strict rules. Whether it’s GDPR, Know Your Customer, HIPAA, or PCI, these regulations give small businesses a generic set of requirements that create the foundation for well-rounded security.
It may seem like a steep hill to climb, but compliance (and ultimately security) is a high-stakes game—your company’s reputation is on the line. If customers can’t trust you with their data, they’ll move to one of your competitors.
Road to Compliance: First Step
Sometimes, it might feel like you’d be better off with more prescriptive regulatory guidelines. The gray area is often difficult to navigate, and it’s not as if you come out the other side with a certificate that proves your success.
Not only that, but compliance is a moving target because the threat landscape changes so rapidly. Twenty-five years ago, we didn’t need protection against internet threats. Then, suddenly, we did. And now, we still need those original defenses in place as well as the many new ones to address modern threats. Worse yet, a new malware threat is created every 4 seconds and we have to be ready for all of them.
With the right steps, compliance and security don’t have to be overwhelming. The first thing any small business owner needs is a baseline—a 30,000-foot view of existing security measures throughout the organization.
We like to look at the following 12 areas to create a proper baseline:
- Do you have antivirus in place?
- Is your network protected by a firewall?
- What data are you encrypting (and do you need more)?
- How do you manage network-connected devices?
- Are there disaster recovery plans in effect?
- Do you use backup solutions?
- To what extent is there a business continuity strategy?
- Is there any sort of employee training program specifically for security?
- What tools and solutions do you use for network monitoring?
- Has storage kept pace with changes in security demands?
- How does the organization handle software patching?
- Are there any content filtering solutions in place?
Once you have answers to these questions, you’ll have a baseline capable of informing a game plan that will keep your business both compliant and secure.
Too many small business leaders think the game plan is all about investing in the right technology. And while technology is certainly an important piece of the security puzzle, there’s one thing you should spend more time focusing on—your people.
Awareness First, Technology Second for Compliance and Security
Did you know that 90% of all cyber attacks are caused by human error?
You can invest millions of dollars in cybersecurity solutions, have all the best technology in place, and still fall short in terms of compliance as attacks break through the network. A simple memo explaining the importance of security vigilance to employees isn’t enough.
To supplement the technology side of compliance and security, you need a comprehensive training program that makes threat awareness second nature for employees. After all, it’s far easier for attackers to fool unsuspecting employees than to spend time evading top-of-the-line security solutions.
Once you’ve given awareness and training their due attention, you can start focusing on putting the right technology in place and keeping it secure. Beyond antivirus and firewalls, here are a few things you’ll need to make your small business compliant and secure.
- Email Spam Filters: Email-based phishing attacks are one of the easiest ways for attackers to fool employees. Click on one malicious link and suddenly the whole network is compromised. Awareness and training are important, but email spam filters keep malicious emails out of employee inboxes in the first place.
- Strong Password Security Policies: This isn’t necessarily technology, but it’s important to ensure employees use strong passwords and change them regularly.
- Regular Software Patching: Technology is constantly changing, and new software vulnerabilities are spotted every day. Missing critical security patches is a surefire way to lose compliance and open the door for threats. Putting technology in place to automate the patching process can help.
- Multi-Factor Authentication: If you’ve ever had to use a text-based code to log into your email account, you’re familiar with two-factor authentication. Wherever possible, you should make it so that a single password isn’t the only line of defense.
- Content Filtering: There are websites in the world that are known security risks—sites that you certainly don’t want employees visiting from the company network. With content filtering, you can restrict certain websites. Also, pattern recognition features go beyond simple list-based filtering, spotting malicious code even on websites you wouldn’t expect, to ensure the network isn’t compromised. It’s far better to get a helpdesk call about a blocked site than a call about an infected machine.
- Intrusion Detection Systems: When a threat makes it past preventative systems, you need an intrusion detection system in place to spot malicious activity within the network.
- Dark Web Research: The dark web isn’t just a subject in fiction novels—it’s real and it’s something you need to know about. Think of the major data breaches in recent years, like Target, Anthem, and Equifax. Attackers take all that stolen data—credit card info, passwords, Social Security numbers, health records—and sell it on the dark web. It’s good to know what information is out there so you can take the proper steps to protect your network.
- Backup: So many small businesses either don’t have backup solutions or don’t have something adequate for day-to-day operations. It’s more than just recovering a corrupt document that you spent hours putting together. True backup is about business continuity—preventing application downtime when something breaks. The key here is identifying and prioritizing data sets. You know email is critical for business, so you want to ensure that service doesn’t experience any downtime. Other services can stand to have lesser priority in the face of network issues.
- Cyber Insurance: Cyber insurance is not part of your typical business insurance policy. Even if you use a managed security provider, you still want your own cyber insurance in case something goes wrong when working with customers and third-party partners.
Employee awareness along with these technologies/processes will put you on a strong path toward compliance and security no matter what regulations you’re up against. There might be nuances to certain standards that you have to address, but this breakdown should give you a pain-free head start.
The Zero 1 Zero Innovations Rewind
We’ve covered a lot in this article about compliance and security for small businesses. Hopefully, though, it doesn’t feel quite as overwhelming. All in all, here’s what you need to remember:
- Compliance gives you the guidelines to ensure small business security
- Get a baseline of your current compliance and security status before making improvements
- Follow the tips to put tools in place for both threat prevention and recovery
- Invest in a cyber insurance policy on top of your compliance and security efforts
And, if you don’t have the time to give compliance and security enough attention, we’re happy to help simplify the challenges.