Why Compliance Matters for Small and Medium Sized Businesses
Compliance has continuously risen in importance on the corporate agenda. In the past few years, a myriad of new legislation was introduced, most notably in data protection, anti-corruption and even sustainability. Furthermore, the threats facing companies also continue to rise, with fraud and cybercrime being at the front of every business owner’s mind.
While larger companies and enterprises, compliance has long been on top of their agenda. When it comes to small and medium sized businesses, they have started to catch up. Small and medium sized businesses, while often understanding the importance of compliance, similarly often fail to consider it attention grabbing enough as it comes wrapped into exorbitant costs and bureaucracy. Industry, media and legal scrutiny in the past were also focused on large organizations, making some feel that they are under the radar. Combining it with not enough resources to manage compliance like large organizations, and we can see how SMBs are slow towards the compliance road.
Compliance has also been on the top of mind of many of our clients that have started to see its significance (and repercussions!) and are looking for ways to make their SMB compliant to all applicable regulations.
If you have also embarked on the path on meeting compliance regulations, but still aren’t sure if it’s needed for your business or how to start, we have taken the time and put together this base compliance guide for SMBs. But first, let’s see what compliance actually is and what it means for your SMB.
What is compliance?
Compliance, even as just a verb without corporate (or business in general) context, means to conform to a rule. Guided by that definition, we can understand what the concept means in the context at hand.
Compliance is a set of internal and external rules and policies and controls which a business, and all of its employees, must abide to. In short, it simply means to comply with laws and regulations.
A compliant company is one whose activities are all in line with the rules applied to its operations. This may include regional and industry laws, company values, ethics policy, and policies for complying with legal obligations. Compliance has two areas:
- Regulatory Compliance: Regulatory compliance refers to following state, federal and international laws and regulations that are applied to its operations.
- Corporate Compliance: Corporate compliance, on the other hand, differs from regulatory as there are no requirements mandated by law. It refers to the ways in which a business ensures they are following their own internal policies, rules and procedures.
Both types of compliance are equally important to businesses of all sizes. Not complying with regulatory compliance can lead to the company facing legal charges and fines, and without following their corporate compliance rules, they may have unethical practices and can impede efficiency of its own operations.
Why is compliance important for SMBs
We mentioned what can come out of not complying with both regulatory and corporate compliance requirements, but let’s look at what benefits does that “compliance badge” bring to small and medium sized businesses.
Avoiding legal repercussions
First and foremost when talking about compliance is addressing the risk of legal fines, penalties and lawsuits. We have all heard about unraveling of large organizations after a data breach that was caused by non-compliance and the hefty legal fines that every media outlet reported on.
There are many different local, state, federal and industry regulations a business must comply with and every part of their operations need to be managed and handled in compliance with all rules. If your manufacturing procedures, advertisement methods or workspace safety don’t fill the required standards, you can have a lawsuit on your hands. For small businesses this can often lead to hindrance or even a shutdown of their business.
Better brand reputation and trust
Besides legal fines and lawsuits that can await you if you aren’t compliant, your reputation can suffer too. We mentioned the media scrutiny that comes from non-compliance and what might even be worse than the monetary losses is the loss of trust of the general public towards the non-compliant company, but they lose industry credibility as well. In the age of social media, where information flows fast and wide, a PR catastrophe such as non-compliance and recklessness when it comes to data security or workspace safety simply isn’t worth avoiding a few bureaucracy messes.
It’s also not rare to see many company websites proudly display different compliance badges that provide visitors and customers with a feeling of trust in dealing with that company. So why wouldn’t you embellish your own websites?
This point is especially important for small and medium sized businesses that often don’t have the resources at hand to deal with compliance unravelings and need to focus on efficiency across their entire organization firstly. Most corporate compliance regulations deal with employee protection and ensure all have a fair, professional and safe workplace environment. And happy, well-compensated and respected employees are more eager to put in the work and be productive and efficient. Furthermore, compliance regulations streamline many processes inside a company, leaving space to be spent on more business-critical operations and decision-making.
Driver for growth
Compliance is basically following a set of rules, it can be viewed as restrictive. But businesses that ignore compliance can’t really see any future in the current market. Attracting investors and securing bank credits depends on your reputation and poor compliance can only hinder your chances.
Common compliance certifications for small and medium sized businesses
We have outlined some of the most common compliance standards and certification that we have run across recently while talking with our clients.
Controlled Unclassified Information, or CUI is information that is sensitive and of interest to the US, but is not regulated by the Federal government. Each government agency has a public registry of their CUI categories and subcategories for handling the sensitive and unclassified information and defines what the CUI is. NIST 800-171 — the National Institute of Standards and Technology Special Publication 800-171 governs CUI and is a set of standards and requirements that dictate how to protect and distribute this information.
These standards and requirements must be met by anyone who possesses, stores and/or transmits CUI for federal and state agencies, including through contractual relationships. This means that NIST is designed for non-government systems to protect CUI data. In order to access CUI and be NIST 800-171 complaint, you need to implement and verify compliance and have 110 security controls in place that are grouped in 14 distinct areas:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Media protection
- Physical protection
- Personnel security
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
Companies that contractually work with the US federal government are required to comply with the Defense Federal Acquisition Regulation Supplement — DFARS. DFARS defines a set of cybersecurity regulations and standards in order to protect contractors that possess CUI. Any company that is engaged with DoD contracts is in the scope of DFARS clauses. In order to meet the requirements under the regulations, companies need to implement and comply with the same 14 families as in NIST 800-171.
CMMS stands for Cybersecurity Maturity Model Certification. CMMC builds upon a clause in the DFARS that is titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”. Covered defense information, or CDI includes unclassified controlled technical information or other information as found in the CUI Registry, a government-wide online repository for federal-level guidance CUI policy and practice.
All DoD contractors will eventually be required to obtain a CMMC certification and this includes all suppliers across the supply chain, commercial and foreign contractors and of course, small businesses. CMMC contains 5 levels of certification that give the contractor a score determining their ability to bid on DoD contracts. These 5 levels are:
- Level 1: This is where you should be concerned with the basic cyber hygiene practices such as using antivirus software and have a password policy in place for employees accessing Federal Contract Information — FCI. FCI is information that is not intended for public release and is provided and generated from the government contract.
- Level 2: Going further up in the level of cyber hygiene, these practices are described as “intermediate”. On this level you should be concerned to protect CUI through implementation of some of the NIST requirements.
- Level 3: On this level, companies need to have a standardized management plan to implement security practices to safeguard CUI and needs to implement all NIST requirements as well as some additional standards.
- Level 4: Here we come to the processes that are needed for continuous evaluation and measuring of effectiveness of security practices as well as additional enhanced ones that are concerned with detecting and responding to advanced persistent threats — APTs.
- Level 5: At this level of certification, a company already has a process in place for advanced and enhanced practices and provides even more capabilities to handle APTs.
CIS (CSC) Controls
The Center for Internet Security CIS Top 20 Critical Security Controls is a set of best practices that is designed to most sophisticated and dangerous threats in the current threat landscape. Developed by leading security experts from around the world, CIS Controls are validated each year to ensure relevancy.
Many standards and compliance regulations are designed to be more industry-specific, CIS SCS is created to be industry-wide applicable. It maps to most major compliance standards, such as NIST, PCI DSS, HIPAA and FISMA. In contrast to other standards and certifications on this list, CIS CSC is not a regulatory compliance and is not mandated by law. As mentioned, there are 20 CIS CSC controls, with the first six considered the Basic control every company should implement in order to be cyberthreat resilient. The two other tiers are Foundational and Organizational security controls:
Basic CIS Controls
- Inventory and control of hardware assets
- Inventory and control of software assets
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
- Maintenance, monitoring and analysis of audit logs
Foundational CIS Controls
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
Organizational CIS Controls
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
The Payment Card Industry Data Security Standard, or PCI DSS, is a regulatory standard that was developed by credit card companies. It consists of a set of requirements that ensures all companies that process, store or transmit credit card data do so in a secure environment. The PCI DSS applies to any organization, regardless of size or industry, that handles cardholder data. There are 12 requirements in order for your company to be PCI DSS compliant:
- Use and maintain a firewall
- Maintain password security and protection
- Protect stored cardholder data
- Encrypt transmitted cardholder data
- Use and maintain an anti-virus solution
- Keep all software and apps updated
- Cardholder data needs to be accessible only to those that need to see it
- Use unique IDs for everyone with access
- Restrict physical access to cardholder data
- Monitor access to resources and data
- Test your systems with vulnerability scanning
- Document policies that address data security
One of the best known regulatory compliance frameworks is the Health Insurance Portability and Accountability Act, or better known as HIPAA. HIPAA sets the standard for sensitive patient data protection and it covers any business, contractors, subcontractor or entity that deals with protected health information — PHI. In order to be HIPAA compliant, companies must have physical, network and administrative security measures and perform regular audits.
HIPAA has several sections, called titles and Title I and Title II being the most important. Title I covers the “Portability” part of the law and usually doesn’t concern small businesses, IT vendors and contractors that work with sensitive health data. Title II that covers the “Accountability” part. It mandates that anyone that is in contact with sensitive patient data needs to follow best practices in order to ensure the data remains private and secure.
Ready to take advantage of compliance benefits?
Now that you understand the reason for all of the different rules, practices and regulations and how they can help you improve your business and positioning on the marketplace, it’s important to know all of the regulations and standards that apply to your business.
Attitude Integrations prides itself in providing proactive and innovative IT solutions to small and medium sized businesses, helping them to achieve their IT goals. We’re here to help you understand how your IT solutions and the ones we bundle can help you be compliant.