Secure Value: Small Business

Small Business

08/04/2011

Forget customer privacy for a moment ... are you protecting your key business information?

With so much focus these days on data privacy and individual identities much of the conversation within the security community and from the security community to the business community skips over other critical information types that need to be protected.

This is a list of information that you should also work to protect:

1.    Information about your systems and networks. When I backpack I don't do very well if I have to go off trail and I don't have a map. The same is true for someone trying to break into your information systems. If you fail to protect the information describing your systems and networks (network maps, configuration files, etc.) then you may just be providing a map to someone who wants to explore your network and find more valuable information. Are you making your network an outside explorers paradise?

2.    Your company's secret sauce. You may not have a secret sauce made of "11 herbs and spices". Or your business may not depend on the mysteries of an ancient chinese secret (Remember the Calgon commercials?) but all of us in small business have our secret sauces. For Jacadis, it is the unique way we deliver many of our services. For a printing client of mine, it is the unique steps that they have created to protect confidential data transmitted to them from larger customers. That process has helped them win business because other printers aren't doing it. Years ago we did work for a company that made a unique material used in the florist business. They were the only company in the world that could produce the material at quantity and had factories world wide that did it. Their key asset was the chemical formula and process to produce that material. Are you protecting your secret sauces?

3. Intellectual property, according to wikipedia, refers "to a number of distinct types of creations of the mind for which a set of exclusive rights are recognized—and the corresponding fields of law.   Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical, literary, and artistic works; discoveries and inventions; and words, phrases, symbols, and designs. Common types of intellectual property include copyrights, trademarks, patents, industrial design rights and trade secrets in some jurisdictions." To maintain those rights you need to actively assert those rights, which as I understand it from my friends in the legal profession, includes protecting the digital versions of those rights. Are you asserting your IP rights?

3.    Work. Think of the endless hours that you spent putting together that killer sales presentation. Should it be corrupted or removed from your computer you’ll have to redo the work. The same is true for data entry, etc. The work itself might not be “secret” but should you lose it you’ll really be losing time and value. As I sit here typing most of my work is electronic collections of media (words, video, slide presentations, papers, articles, Secure-Value, jacadis.com). For your business your work may be many other things. My sales team would tell me that their biggest collection of work is the information they have on clients. A friend of mine has a laser cutting business. Unique programs are written to consistently and repeatedly cut 3D designs into different materials. These programs are his work. Another friend has a much lower tech manufacturing business, an old sand mold foundary. His forms and molds breaking means he has to redo them just as my more high tech laser cutting friend would have to do should those laser programs get lost or corrupted. In the end the loss of work means the loss of time or information. You'll have to invest time to recreate the information. In some cases you may not be able to recreate it. Are you protecting your work?

4.    Personal information about your executives, leaders and key employees. Again, to explore something you need a map. To attack a target you need a map. Freely and without thought sharing personal information on your executives, leaders and key employees may just be providing a map. This is a tricky subject though. I won't do business with a company if I can't see some information about its ownership. Most people do business with people so a company that completely hides the details of their key players doesn't earn my trust. Likewise, though, a firm that freely shares contact information, addresses, personal information, etc. about its members opens itself up. On a simple level, executive emails sprinkled all over a web site invite spam. On a more complicated level, in some businesses, travel plans and other locational information improperly shared invites more nefarious attacks. Are you protecting your key people? Are you protecting all of your people?

5. Personal, though non-protected, information about your customers and prospects. Again, protect the map. Customer lists, detailed information about your customer's pains and challenges, and the other sort of information that fuels a personal realationship between your business and your clients should be protected regardless of whether or not the informaiton is consdiered private, confidential or in some way protected by law or regulation. Protecting your customers information promotes trust. Are you promoting trust with your customers?

What types of information that must be protected did I miss?

Posted by Douglas Davidson at 09:54 AM in Assessments and Tests, Committee Action, Competitive Advantage, Continuity Planning, Information Security, Information Security Basics, Innovation, Online Business, Risk Analysis, Risk Management, Secure Value, Small Business | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: information security, Intellectual property, risk management

05/13/2011

Small Business Innovators Must Design Web Applications with Security In Mind

We had a unique call come in yesterday, one I wish we had more of, but we don't.

A small business owner with a brokerage of sorts wanted to develop a website that would allow the producers and the buyers to post information, in some cases highly personal information, review non-confidential subsets of the data about the other and keep the whole thing secured from the outside.

She asked if we could help and provide "small business pricing quotes."

In fact, I don't think many security firms get those calls.

Most of our calls are after the fact either after the app or system has been developed or just after it has been breached.

She called us asking questions because she didn't have any answers. I think that approach serves us well in many endeavors.

We can help her. We offered to help her develop a list of functions and safeguards she needed in her application, help her manage the procurement process and then to test the application for security before she accepted it from her developer.

In 10 years of business that was a first.

Most web applications, particularly web applications are built with out much thought to information security, customer privacy or regulations covering the information.

Truthfully no application is 100% secure. But an application that has been designed and developed with careful consideration for its information security, user privacy and regulatory requirements stands a great defensive chance once it has been launched. Testing that application before launch further raises the defensive posture. Regular testing and a proper operational routine after it has been released to production even further raises that posture.

Again, our experience has been that most businesses, particularly small business, design and develop applications, release them to production and then through some event realize that security is a concern. There is a breach or a break-in. The site is knocked off line by a denial of service attack and revenue streams are interrupted. The invoice from the payment card processor is higher than they want to pay and they find it is because of non-compliance with PCI. And so on.

This occurs because two things don’t happen up front:

Security just isn’t talked about as part of the deisgn process. It must be!
An assumption is made that developer and hosting providers on the project will handle security. In most cases they won’t unless you demand it of them and back the demand up with contracts and tests.

Here is a list of non-technical questions you need to consider as part of your design conversation. Getting technical on some of these issues may require a member of your IT staff or an outside consultant. But any small business owner should be able to answer these questions if they are trying to build a business using technology:

What is the sensitivity of the data on our planned site? Is it regulated data?
Who regulates the information or audience that uses our site? What are your obligations to protect it? What are your obligations to maintain user privacy? Does your privacy policy match that obligation? Will the site be developed with the guidance of a privacy policy?
How long can the site be offline before it negatively impacts our business? When will customers usually visit the site to transact business? If we are off line an hour of peak traffic time how much revenue will we lose? Profit?
What do our customer’s expect from us in regard to protecting their privacy?
Will you have user forums or accounts on the site? How will you verify those signed up are really customers? Or really people?! Does that matter? Will you allow any and all comments in your forums? Do you need to edit them or block them?
How does the developer ensure the web application is secure? The database?
How does the hosting provider help secure your application? How will you know they are doing their job?

You then need to make sure that your development partner builds the site to meet the requirements these questions should raise to the surface.

That site must be deployed in a technical environment that is at minimum protected by:

A firewall
An uninterruptable power supply (UPS)
Regular back ups
Anti-virus
Proper and verified operating system and application hardening procedures
Separation of the development (where you’ll continue to create and innovate as well as test) and production

We then recommend you test the site against your requirements to make sure they were met (best to do that before that last check goes to the developer!). We also suggest you conduct a vulnerability scan against the site to make sure that it wasn’t developed with technical weaknesses a hacker could use to create havoc for you.

And then finally we recommend that you, as a matter of routine, continue running those tests to make sure the sight maintains the secure posture you paid for in the first place.

Posted by Douglas Davidson at 01:03 PM in Information Security Basics, Innovation, Online Business, PCI, Risk Management, Secure Coding, Secure Value, Secure Web Development, Small Business, Vendor Selection | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Business, Conventional PCI, Information security, Information technology, Security, Services, Small business, Web application

05/05/2011

Train Sales People in Security Basics if Your Product Serves Security & Privacy Concerned Markets

Yesterday, I had a prospective vendor tweet out details of our infrastructure right after he got off the phone with one of our engineers. I guess he thought letting me know he was working for me was cute. He lost a deal because he violoated my trust.

Today, we had a client ask if we could speak to their sales people about the importance of information security and privacy from their customer's view.

Do you sell products or services into markets that have information security risks or fears? Do you consider security to be a feature of your product? Do your customer's routinely include questions about how you handle information security in their RFQs and RFPs? Do your contracts include clauses that allow your customer's to audit your infrastructure? Do you sell products or services into regulated industries such as healthcare (HIPAA/HITECH) or public companies (SARBANES-OXLEY) and so on?

If you said yes to any of those questions do your sales people understand the importance of security in building and maintaining customer trust?

Do you train them? Do you make their role in building and maintain trust an obvious part of their performance expectations?

Security training for sales professionals selling into protected markets should include:

1. Information Security 101 covering basic terms that your customer's auditors and IT staff will use as a matter of everyday language. They should be comfortable with terms such as risk, vulnerability, threat, safeguard, confientiality, integrity and availability.

2. Industry issues related to security, privacy and regulatory compliance. A salesperson serving health care markets needs to have a different knowledge base than a salesperson selling into financial markets and so on. We've been involved with clients purchasing technology from vendors who have sales people claiming knowledge about regulatory issues that is wrong. They don't get those sales.

3. Product and service features that support a client's information security, privacy and compliance pains.

4. Basic online ettiquite and secure online behavior. Preparing sales people to participate securely and privately in communications particularly if social media is part of your communication strategy or part of the culture of your work force.

5. General trends in information security including some pointers on news sources that can keep your sales team informed.

An example:

After Epsilon was hacked two weeks ago, I had two conversations with senior executives from two differenct firms that provided consumer oriented services that had never heard of the Epsilon. Epsilon is an email marketer that provides email marketing services to large companies. They were hacked and the customer emails of some 50 companies were taken. You can expect firms in the direct consumer market to be concerned with the risks of having their customers exposed through other services. These execs had no idea. Without some idea of what to watch for in the news I wouldn't expect them to, but it would give an edge in customer conversations because the customers are very aware and knowledgeable.

We've seen good sales people with bad security habits lose business. We've helped some of them change and with their companies create competitive advantage as this knowledge prepares them to begin building trust at the inception of the first lead contact. I prefer to have my sales people be as productive as possible. If you sell into security concerned markets this is a tool you should consider.

Posted by Douglas Davidson at 03:17 PM in Committee Action, Innovation, Leadership, Living Securely, RoadWarrior, Secure Value, Small Business | Permalink | Comments (1) | TrackBack (0)

04/25/2011

HIPAA Compliance Requires You Know Something About HIPAA

"I don't want to know anything about HIPAA. I just want to be compliant.

Can't you just tell me what I need to do and then give me a certificate or something?"

So one of our sales reps was asked last week ...

To many an entrepreneur government regulatory requirements are simply a bother that gets in the way of us doing what we love in running our businesses.

In this case the firm in question is a Software as a Service provider in a niche part of the health care market. The business is under 5 people; the licensing for the service costs less than having a lawyer review each HIPAA BA agreement sent their way.

But because HIPAA compliance in how they protect and use the protected health information hosted in their application and touched by their staff during support interactions HIPAA is a part of the feature set. Like their desire to know Web 2.0 and other evolving technologies, knowledge of secruity and privacy

It isn't a whole lot different than a chef that just wants to create fabulous meals with no care or concern for a clean kitchen or the health inspector that is sure to come one day.

If you are going to play in the health care space providing services to HIPAA Covered Entities you must educate yourself and understand that part of your environment as much as you understand the technical and operational aspects of your business.

A great place to start is at the Health Information Privacy site at Health and Human Services web site.

We provide services to educate companies of any size on the HIPAA Security and Privacy Rules, to assess how they stand in compliance with those rules and to plan for closing any gaps our assessments may uncover. We also help firms operationalize their HIPAA compliance because the law doesn't say "get there" in regards to compliance with the HIPAA Security and Privacy Rules but "get there, stay there" which means HIPAA must become a regular part of your day to day.

An integral part of our being able to help any company is a willingness to learn HIPAA and understand how it will impact your company.

An integral part of becoming and staying HIPAA compliance is a willingness to learn HIPAA and understand it on an ongoing basis.

Posted by Douglas Davidson at 10:25 AM in Committee Action, Compliance, HIPAA, HITECH, Secure Value, Small Business | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Health care, Health Insurance Portability and Accountability Act, Protected health information, Regulatory compliance, Security, United States Department of Health and Human Services

04/07/2011

Epsilon Aftermath Will Expand Seriousness of 3rd Party Verification for Suppliers -- Is your firm ready?

Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers. We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.

Frankly, as breaches Epsilon isn't a big of deal. No protected information, just names and email addresses were taken. And more sophisticated attacks have come and gone in the press largely unnoticed.

Epsilon has received more attention than the more impactful breaches in part because it touched so many people. Non techies are talking about it. We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.

In fact it isn't just us that thinks that. The Wall Street Journal reported in Insulating Your Firm from Third Party Breaches that:

Experts suggest that companies that outsource technology services take some of the following steps:

Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Standards Organization;
Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
Make sure vendors assume liability for breaches that affect customers and end users; and
Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.

Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers. These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.

This will impact you if you answer yes to any of the questions below:

Your business is part of the supply or services chain for larger regulated firms. We see most of the third party verification activity from firms that have regulatory obligations to HIPAA; PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley. We have seen these type of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information. Do you provide services to these types of firms?
Your business provides a service that includes considerably volatile information. If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or it’s relationship with its customers this might apply. Or, if, for another instance, you process company confidential information such as trade secret related information. Do you provide services to these types of firms?
Firms in the supply chain stack. You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses. You know what they say about it rolling downhill. Are you at the bottom of a supply chain?

Take action

If you answered yes to any of those questions we suggest the following:

1. Look at your customer agreements with firms in the categories above.

Do any of those agreements place obligations on your company to protect your client’s information in a certain way?
Do they have the right to audit?
Have you told your IT team about these obligations?
Are you prepared to meet these obligations?

2. Sit down with your technical leadership and discuss:

Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months?
When the auditor arrives do we have documentation that defines our security programs values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
Are we managing security well enough that we can create a competitive advantage over other firms in our class? Can we use that advantage to build new business?

If your business provides business to regulated businesses upstream in your market we recommend you keep asking these questions until you feel comfortable with the answers.

Posted by Douglas Davidson at 10:45 AM in Committee Action, Competitive Advantage, Compliance, HIPAA, HITECH, Information Security, Information Security Basics, Leadership, Online Business, PCI, Policy, Secure Value, Security in the Business News, Small Business, Trust, Vendor Selection | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Audit; Small business; Verification; Assurance; Compliance; Governance; Epsilon

04/04/2011

Aftermath of Epsilon Hack ... More FUD on Horizon, Third Party Verification Gets Boost, Confirm You Have Strong Passwords ...

Have you read or heard the news about the enormous hack at Epsilon which touts itself as the World's Largest Permission Based Email Marketing Services Company. The hack affects a long list of major brands and probably includes some companies that you use.

If you paid attention to the reports then you've heard that no credit card accounts or social security numbers were taken just millions and millions of email addresses and in some cases full names.

No big deal? Maybe, maybe not.

Some security experts think it means more spearfishing attacks on businesses and individuals. Others don't think it is all that big of a deal.

I predict three outcomes and suggest remedies:

First, the amount of FUD (fear, uncertainty and doubt) included in sales and marketing messages from your technology vendors will increase. With each and every spectacular hack in the market FUD changes and morph to include the new event as a reason to "BUY NOW!" even as we see daily if the product in question doesn't safeguard against that kind of hack. Be an informed buyer, particularly of items as critical as security technologies.

Second, this large scale hack will catch the attention not just of the security and audit teams at these firms but in the corporate suites as well resulting in greater attention to third party verification and vendor assurance programs. The list of companies affected include a host of major brands. I've worked with small businesses that provide services to some of these firms. We've helped these small businesses prepare their environments to meet vendor qualification requirements and we've helped these firms prepare for audits by the larger firms' audit departments as part of contracturally required vendor audits. If your firm provides services that depend on confidential data from these firms or others with a similar profile be prepared to attend to a heightened audit process.

Third, the information stolen could be used to send targeted attacks to the customers of Epsilon's clients and that might put you at risk in two ways:

Targeted phishing attacks that look like legitimate messages from any of these companies are likely to be in our future. Know how to protect yourself from phishing attacks which Jacadis partner SOPHOS neatly outlines.
Accounts that depend on your email address might be at risk. Better safe than sorry. I would suggest you change your passwords on those accounts and make sure they are strong passwords.

What impacts to business and personal security do you think will be the aftermath of the Epsilon hack? What fears do you have about how it impacts your business or yourself?

Posted by Douglas Davidson at 08:38 PM in Living Securely, Online Business, Secure Value, Security Awareness, Security in the Business News, Small Business, Threats, Vendor Selection | Permalink | Comments (3) | TrackBack (0)

Technorati Tags: Epsilon

03/27/2011

My Lunch Discussion with Representative Steve Stivers

Last week I had the pleasure of a lunch with a handful of local business leaders and entrepreneurs and Representative Steve Stivers. Jacadis is an active member of the Hilliard Chamber of Commerce which hosted the event.

He prefaced the mostly question and answer session with a few comments about the goings on in Washington. His overall theme was a recognition that to move the country forward we need to tighten our belts. He shared the Republican controlled house's committment to that tightening and acknowledged the difficulty of getting things done with an opposition Senate. The elections in 2012 will matter.

My perspective on the conversation is from two vantatge points.

First, though we've successfully grown over the last few years of economic difficulty we've been slowed by the finanical crisises and poorly performing economy. We are like your business.

Second, among the work we do, we help businesses manage their security and privacy operations to meet their regulatory options.

From those filters, here are my thoughts from the lunch:

It is difficult to get an accurate and complete measure of a man's character, viewpoints, and committments from an hour's lunch, but Representative Stivers impressed me as a neighbor and peer who goes to Washington to work for us. He didn't come off as a sleazy yes man like some politicians. He mentioned proudly that he is an Eagle Scout. I was most impressed by how he handled said "No" regarding more spending.

Several of the questions and much of Representative Stivers conversation centered on budget and the structural impact Federal spending and debt has placed on the credit markets. Access to credit and cash flow management go hand in hand. Typically those are the biggest limiting factors to small business growth.

Stivers is in favor of finding ways to significantly cut spending. He referenced his young daughter and her future as he discussed the future impacts of our current budget situation.

I asked him to speak to the issues of overregulation. Referencing the Federal Trade Commission's Red Flags and HITECH I asked him his views of government regulation.

(NOTE: In quick summary: Red Flags is a rule promulgated by the FTC during the Bush Administration. It's effective date has been moved 4 times. Early adopters were penalized; late adopters don't believe the FTC will enforce the rule. HITECH came to us as part of the stimulus bill. Those in the health industry are legally accountable to rules that are not yet written yet).

Representative Stivers spoke to the issue of government regulation. In his view government regulation should level the playing field for the market as a whole. The government should not pick winners and losers but allow the market to decide. As we discuss security and privacy regulations I think those are a great yardstick from which to measure healthy regulation.

He spoke to the issue, bundled in my question, of Congress ceding its governing authority to the executive branch. In my view, the crazy implementation of FTC's Red Flags was because the rule making was a political process. As interest groups representing higher education, health care and the legal community identified their opposition to Red Flags the rules were altered and the enforement date was moved back. He acknowledged that Congress needed to work hard to gain that governing authority back after years (not a D or an R thing as it has happened across decades) of letting the technocracy drive rulemaking.

What most impressed me was a moment where Stivers told us no. One business owner, a retailer in Northern Columbus, is impacted by the poor traffic patterns around the OH-23 and I-270 interchange. She inquired if Stivers knew where the funding stood and asked for his support. He committed to checking into it but shared with her that if funding wasn't already approved he was most likely a "NO" vote on it. He went on to explain that we all were going to have to deal with the reality of "No's" on government spending if we had an expectation that the government should live within its means.

And that sounded about right to me.

In the end I was pleased with the lunch. The food at Heritage Country club where the Hilliard Chamber so often meets was good. Our guest, Representative Stivers was a good listener and a straight shooter in discussing the issues. And, in what could have been a grip and gripe session, the business leaders in the room as was Stivers were all positive about the future.

How does the regulatory environment interfere with your business growth? I'd love to hear your stories.

Posted by Douglas Davidson at 09:56 AM in Compliance, Secure Value, Small Business, Speaking Engagement | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: compliance, Eagle Scout, Federal Trade Commission, Regulation, small business, Steve Stivers

02/23/2011

Show B2B Customers Your Firm is Trusted - Win Business!

Does your business process customer data? Show your business to business customers that your firm handles their information in a secure fashion and you may win new business.

Jacadis works with emerging firms (those in start up mode or those in high growth arcs) that suddenly find themselves with information security and privacy concerns. Usually, they have been so focused on building business features and functions that security has been an afterthought. Customers raise concerns about how information is handled, many times because the customer is regulated and is expecting our client to properly handle their data. By the time Jacadis gets involved these concerns are creating barriers to new markets or have become minimum requirements to win new business or retain existing business.

Our mantra is that if you can show yourcustomers, particularly your regulated business-to-business customers you operate in a manner that you can be trusted you have the potential to create competitive advantage and win new business.

And it is true.

Yesterday, we got word from a client that our efforts in implementing a security program for them had translated into a higher level trusted relationship with a key client AND a new $200,000 order. The joy the sales manager had in telling me reminded me of the excitement my 8-year old has when he comes home from a great day at school.

Being secure does create competitive advantage.

Do you have those same concerns?

One tool we used was QualysGuard. We used it to measure the vulnerabilities (fancy security jargon word meaning weaknesses) to attack that their technical infrastructure. We used it initially to create a prioritized list of corrective steps for our client to take and now use it to maintain the current security levels and show the client's customers they are attending to security properly.

You can test your network on your own with Qualys' free scan.

Posted by Douglas Davidson at 12:32 PM in Assessments and Tests, Committee Action, Competitive Advantage, Compliance, Information Security Basics, Innovation, Leadership, Online Business, Secure Value, Small Business | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Business-to-business, Competitive advantage, Information security

02/01/2011

Ponemon Research: The True Cost of Compliance – What about small business?

Ponemon Institute and Tripwire Inc. conducted The True Cost of Compliance research to determine the full costs associated with an organization's compliance efforts. The study was a benchmark study of multinational organizations which by definition represent the larger firms in the business landscape.

Secure Value focuses on small and midsized businesses. It is a sounding board for my experience as a small business owner and executive with Jacadis as well as a consultant solving Jacadis' clients security and compliance problems.

As I read through the study some thoughts came to mind:

The executive summary of the report starts: "Multinational organizations in all industries must comply with privacy and data protection laws, regulations and policies designed to protect individuals’ sensitive and confidential information."

Well, so do small and midsized businesses. In fact, many of these small entities are providing services that require them to steward (or take care of) the multinational's information and data. Often it is business won from a multinational or larger enterprise that drives a small business to focus on information security for any reason.

In the study Ponemon learned "that while the average cost of compliance for the organizations in our study is $3.5 million, the cost of non-compliance is much greater. The average cost for organizations that experience non-compliance related problems is nearly $9.4 million. Thus, investing in the compliance activities described in this study can help avoid non-compliance problems such as business disruption, reduced productivity, fees, penalties and other legal and non-legal settlement costs.”

For small and medium businesses the cost of lost business and unrealized business needs to be added to the list. We’ve seen new contracts won at the end of a security and compliance program investment that far outstrip the costs of the investment. I think compliance (and security) program investments in many businesses are great investments if your customers have concerns about their vendors handling their data and information.

Ponemon found that “laws and regulations are the main drivers for investment in compliance activities.”

My experience is that it is customer opportunities in the small and mid-sized business space that is the primary driver and not so much the actual laws and regulations. There are thousands of businesses operating without regard to HIPAA/HITECH, PCI, and state level data notification laws, etc. The instant that these businesses receive an audit request from a larger customer our phone rings because the potential loss of a customer or the potential gain of a new customer immediately makes it a concern.

The report lays no claims to give any insight into the SMB compliance issue. I would love to see these questions dealt with in a similarly well founded study focused on SMB security and compliance:

Are the drivers in the SMB space for investment in compliance activities different than those for multinationals?

How do the costs of compliance compare to the costs of non-compliance in the SMB market? Do potential customer acquisition or customer loss factors dramatically change that comparison?

What other questions about small and medium sized business compliance and security efforts would be useful?

Posted by Douglas Davidson at 03:03 PM in Committee Action, Compliance, Secure Value, Small Business | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Ponemon Institute; #compliancecost

01/17/2011

Wrestling with some thoughts about SMB security in 2011

Image via Wikipedia

I am sitting in a gymnasium in eastern Ohio watching my son work his way through a 64-team wrestling tournament. Between bouts there is not much else to do but read ... and wrestle with thoughts about SMB security and compliance in 2011.

SMB Security and Compliance Activity is Largely in Response to B2B Customer Concerns:

The current activity and interest in security from smaller companies is driven from supply chain compliance from larger firms initiating third party compliance programs.

Translated to High English ... bigger firms feel they have their own security houses in order. They have identified vendors, partners, customers and others connecting to their systems or using their data as risks. They are now actively putting contracts in place to ensure that their concerns are properly handled by these third parties.

Translated to the bottom line: Big firms say, prove to me your company is secure or don't do business with us!

Questions to ask:

Do you have network connections to larger firms?
Do you provide services to them that require you to process confidential data that they own?
Are any of your customer's in industries like health care where the privacy of information is regulated?
Are you aware of your corporeate customer security requirements are?

Securing the value in your small business shouldn't be all about meeting customer's needs. You need to protect your value in other ways too.

Two numbers to that effect caught my attention:

From a University of California Study: 93% of information created by corporations exists in electronic form
From a PriceWaterhouseCoopers study: 70% of the market value of a typical US company resides in intellectual property

Questions to ask:

Does your small business create value in digital form?
Do you protect it properly? Is it backed up?
Are your digital valueable protected with legal protections such as non-disclosure agreements, non-competes, trade marks, copyrights, etc?

Posted by Douglas Davidson at 03:29 PM in Happy Hour, Secure Value, Small Business | Permalink | Comments (0) | TrackBack (0)

Secure Value

Secure Value focuses on information security issues that impact the value of start up and growth oriented small and medium businesses.