Cyber Security Institute

Wednesday, August 11, 2010

Small And Midsize Businesses Look For Ways To Cut Compliance Costs

According to The 451 Group, an IT security analyst firm, there are nine different security technologies required for PCI compliance alone: antivirus, firewalls, intrusion detection systems, encryption for data at rest, file integrity, log management, multifactor authentication, a Web application firewall (or a security development lifecycle), and a vulnerability management solution. Then there are the services: a qualified security assessor, an approved scanning vendor, and in the case of a breach, the qualified incident response assessor. For small and medium businesses, the costs can be overwhelming, says Joshua Corman, research director for The 451 Group’s security practice.

While a large company can shell out hundreds of thousands of dollars for assessment and compliance solutions, that sort of money is not in the budget of most smaller firms. Yet even small companies may need to comply with at least one—and sometimes more—security regulations that govern the data they store on their servers.

Medical firms need to abide by the Health Insurance Portability and Accountability Act (HIPAA). Small banks have to comply with the Gramm-Leach-Bliley Act (GLBA). And any firm holding credit-card data needs to be compliant with the Payment Card Industry (PCI) Data Security Standard.

For small and midsize businesses, perusing the PCI standards is a good first step, Corman says, because most businesses accept credit cards and because many other standards use the PCI requirements as a starting point. The first major compliance cost is the initial design and implementation of the systems that collect the data and produce the reports needed to pass future audits. Because many smaller businesses do not have dedicated IT staff—never mind IT security staff—the company usually has to pay a security consultant or assessor to do this work.

The second major cost is the ongoing effort needed to collect the data necessary for compliance validation. “One client kept track of the time spent on compliance and found that, in year one, they spent 60 percent of staff time on collecting log data for reports,” he says.

Finally, SMBs must pay an auditor to verify that they are complying with regulations. Many companies look to minimize their compliance costs and go for the checkboxes, without really paying much attention to real security—even though fixing their security problems can mean avoiding a costly breach. Companies that minimize the number of systems that handle data can significantly reduce the cost of an audit as well, Corman says.

“SMBs might want one-stop shopping to save money, but it is a healthy practice to make sure that you are not getting your auditing from companies that sell products,” he says.
