While a large company can shell out hundreds of thousands of dollars for assessment and compliance solutions, that sort of money is not in the budget of most smaller firms. Yet, even small companies may need to comply with at least one — and sometimes more — security regulations that govern the data that they store on their servers.
Medical firms need to abide by the Health Insurance Portability and Accountability Act (HIPAA). Small banks have to comply with the Gramm-Leach-Bliley Act (GLBA). And any firm holding credit-card data needs to be compliant with the Payment Card Industry (PCI) Data Security Standards.
For small and midsize businesses, perusing the PCI standards is a good first step, Corman says, because most businesses accept credit cards and because many other standards use the PCI requirements as a starting point. The first major cost is the initial design and implementation of systems to collect the data and create the reports needed to pass future audits. Because many smaller businesses do not have dedicated IT staff — never mind IT security staff — the company usually has to pay a security consultant or assessor to do this work.
The second major cost is the ongoing effort needed to collect the data necessary for compliance validation. “One client kept track of the time spent on compliance and found that, in year one, they spent 60 percent of staff time on collecting log data for reports,” he says.
Finally, SMBs must pay an auditor to verify that they are complying with regulations. Many companies look to minimize their compliance costs and go for the checkboxes, without really paying much attention to real security — even though fixing their security problems can mean avoiding a costly breach. Companies that minimize the number of systems that handle data can significantly reduce the cost of an audit as well, Corman says.
“SMBs might want one-stop shopping to save money, but it is a healthy practice to make sure that you are not getting your auditing from companies that sell products,” he says.
http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=226700099