Keeping IT systems secure and running within regulatory compliance mandates, especially for mid-sized and even small businesses, seems next to impossible. There are many reasons for this – but fortunately, several recent technological trends show that it doesn’t have to be this way.
- Cyber-threats and regulations don’t care about business size
Most attackers don’t care whether they’re targeting a Fortune 25 firm or a small-town manufacturer with 25 employees. What cyber criminals want is data and identities to steal and sell. Likewise, regulators expect the same security diligence from small and mid-sized firms as from large corporations. Consider the various data-breach disclosure laws that are in effect. They’re not based on the size of the company but on the quantity and type of customer records that have been breached. And, while there may be slight differences in how regulations such as HIPAA, PCI DSS, and others affect mid-sized and even smaller firms, their overarching impact is the same.
- Software flaws: an ever-growing concern
The number of software vulnerabilities announced daily shows no sign of letting up. According to the Common Vulnerabilities and Exposures List, sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security, more than 3,500 flaws were reported during the first three quarters of 2010. That’s well over 10 newly announced software flaws every day. And these vulnerabilities, which make it possible for many forms of malware and attackers to gain entry to protected systems, are equally detrimental to businesses large and small. It’s not just endpoint operating systems, servers, and on-premises software that are at risk. It’s also Web applications. According to a recent study by Web security firm Dasient, more than a million Web domains were infected with malware in just a 90-day span of this year.
- The extended business risk: partners, suppliers, and other stakeholders
All businesses are under internal and external pressure. Increasingly, businesses are demanding to see the security and risk management plans of those with which they do a significant amount of business. They want to know about disaster recovery and business continuity procedures. They want to know how security defenses are managed. And they want to know how their confidential information is protected.
This paper covers how small and medium-sized organizations can manage their IT risks and maintain regulatory compliance with minimal staff and budget.