How small and medium-sized organizations can manage their IT risks and maintain regulatory compliance with minimal staff and budget.
Keeping IT systems secure and running within regulatory compliance mandates, especially for mid-sized and even small businesses, seems next to impossible.
There are many reasons for this – but fortunately, several recent technological trends show that it doesn’t have to be this way.
Cyber-Threats and Regulations Don’t Care About Business Size
Most attackers don’t care whether they’re targeting a Fortune 25 firm or a small-town manufacturer with 25 employees. What cyber criminals want is data and identities to steal and sell. Likewise, regulators expect the same security diligence from small and mid-sized firms as from large corporations.
Consider the various data-breach disclosure laws that are in effect. They’re not based on the size of the company but the quantity and type of customer records that have been breached. And, while there may be slight differences in how regulations such as HIPAA, PCI DSS, and others affect mid-sized and even smaller firms, their overarching impact is the same.
Software Flaws: An Ever-Growing Concern
The number of software vulnerabilities announced daily shows no sign of letting up. According to the Common Vulnerabilities and Exposures List, sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security, there have been more than 3,500 flaws reported during the first three quarters of 2010.
That’s well over 10 newly announced software flaws every day. And these vulnerabilities, which make it possible for many forms of malware and attackers to gain entry to protected systems, are equally detrimental to businesses large and small.
It’s not just endpoint operating systems, servers, and on-premises software that are at risk. It’s also Web applications. According to a recent study by Web security firm Dasient, more than a million Web domains were infected with malware in just a 90-day span of this year.
The Extended Business Risk: Partners, Suppliers, and Other Stakeholders
All businesses are under internal and external pressure. Increasingly, businesses are demanding to see the security and risk management plans of those with which they do a significant amount of business.
They want to know about disaster recovery and business continuity procedures. They want to know how security defenses are managed. And they want to know how their confidential information is protected.
Unfortunately, while the security and regulatory compliance threats and mandates affect all companies, it’s the mid-sized and small businesses that often don’t have the right staff or budget necessary to cost-effectively fight the threats and maintain compliance.
Consider a report from Applied Research (published by Symantec) showing that small and mid-sized businesses spend two-thirds of their IT management time and $51,000 annually on security concerns.
That’s twice the time and 27.5 percent more budget than they spend on other areas of computing. That’s simply too high a price for security.
When speaking with customers and listening to their experiences, we hear a similar story: too much time is wasted installing, maintaining, and managing the software and hardware behind those security efforts.
This paper will detail how businesses – without deep pockets or experienced experts on staff – can reduce risk and attain regulatory compliance in a simple, reliable, and cost-effective way.