The Regulation Equation: How Do You Solve a Problem Like Compliance?
The implementation of the European Union’s General Data Protection Regulation in 2018 raised a whole new slate of concerns for small-to-medium-sized businesses, who might have felt they were suddenly grappling with enterprise-level questions about regulatory compliance. It doesn’t help that big names like Facebook and Equifax have made headlines for garnering huge fines in relation to the GDPR, for failing to properly secure European citizens’ personal data.
If you’re reading this and thinking “but I don’t have any European clients!” you might be missing the point—California passed its own consumer privacy act in 2018, and with many sectors migrating data into the cloud, everyone from regulatory agencies and lawmakers to consumers is paying much closer attention to how companies save, store, and protect sensitive data.
In reality, though, the GDPR is just one of many regulatory issues facing any business owner. Anyone who works with the healthcare industry is likely well-versed in HIPAA, and those who support clients in the financial sector do so under the watchful eye of agencies like the Federal Reserve Board and Securities and Exchange Commission.
Solving for compliance starts with security
So how do you solve a problem like compliance? Well for starters, your company’s compliance journey shouldn’t actually start with compliance, but rather: security.
According to Brandon Nohr, Chief Technology Officer at SUCCESS Computer Consulting, focusing on strengthening your operation’s cybersecurity will simultaneously mitigate many compliance issues. From there, an SMB can do what it does best: nimbly pivoting to tailor compliance solutions to each unique situation while building on its solid foundation of proactive internal and external cybersecurity measures.
“It doesn’t mean you have good security if you’re just checking compliance boxes,” Nohr explains. “It’s not that compliance isn’t important, but from an execution standpoint, solving for security usually gets you further down the road, and also checks off some of the boxes for compliance.”
In the long run, this security-centric approach can actually have the effect of addressing regulations and compliance concerns across multiple industries. “So you’re not trying to solve for HIPAA and PCI, you’re solving for what good security looks like,” Nohr says. From there, you can use your stellar security practices as a base for working with clients across highly regulated fields, adapting to the industry standards as necessary.
Taking this focused approach to cybersecurity as a means of achieving regulatory compliance can also conserve valuable resources. If good security is woven into all your processes and procedures to serve as the foundation for compliance, you’ll already have many of the bases covered, and won’t be wasting money trying to meet regulatory standards for just one industry.
Ask the right questions
While there’s no magic wand to wave that will make your SMB compliant with every industry, the same common-sense questions you would normally ask of vendors—or anyone in contact with your data—apply in the compliance realm as well. While you can obtain a third-party compliance audit, there are ways you yourself can evaluate your cybersecurity and compliance efforts.
SUCCESS has detailed some of these questions in the past. They are questions you should be asking not only of, for example, a cloud services provider, but also of yourself and your own business, in an effort to audit your potential security pitfalls.
- How are we backing up data?
- Who has access to our data?
- Is data encrypted—in transit and at rest?
- If a customer or auditor asks us these questions or wants us to report on our security measures, will we be able to give them proof?
When regulatory agencies audit a business, they will look for documentation and reporting on these issues, and you should be prepared to relay the same information to clients, who may have questions about where and how their data is stored and protected. This can be an excellent time for an internal audit of policies and procedures, to ensure that good security and compliance are built into every step of your company’s processes.
Hope vs. know
SUCCESS works from a security-first model rather than a compliance-first model, one of the things that sets it apart from its managed service provider peers. Nohr says it’s a matter of taking your security a step beyond protection, to detection—a proactive approach that lets you know you’re taking all the strongest measures, not just hoping the basic protective measures will suffice.
Many security teams “hope they’re doing the right thing, they hope they’re not breached, but they can’t say they know that,” Nohr says. It’s why SUCCESS puts the focus squarely on security, to serve as a framework not just for compliance, but for everything else that keeps your business running smoothly.
When you partner with a qualified managed security services provider like SUCCESS Computer Consulting, you can know, rather than hope, that your proactive focus on security will benefit your ability to be in compliance within highly regulated industries, as well. Interested in learning more?