Compliance Pressure Amplified for Small and Mid-Sized Businesses

Author: Tim Steele

When we think of compliance and the pressure it forces onto organizations, we tend to think of larger enterprises—like perhaps one of the many that have been affected by high-profile data breaches (e.g. Equifax, Facebook, eBay, and Target).

The reality is that regulatory compliance does not play favorites.

New data privacy regulations like the California Consumer Privacy Act are burdensome for all organizations, and especially for small and mid-sized businesses (SMBs).

In fact, SMBs operating in the U.S. are a favorite target for cyberattacks. For the third year in a row, they have reported a significant increase in cybersecurity incidents.

Compliance By the Numbers:

  • 500,000 or more U.S. companies will have to comply with CCPA, the vast majority of which are SMBs
  • 66% of SMB decision makers believe a cyber attack is unlikely
  • 67% of SMBs experienced a cyber attack last year

Sources: IAPP / Rita Heimes and Sam Pfeifle, Aberdeen, Keeper’s 2019 SMB Cyberthreat Study

Here are some of the most common mistakes we see from SMBs:

A segment of SMBs do sense the pressure of compliance and have logically made data security a priority. In a recent Deloitte report, “Information Security—a Major Concern for Mid-Market Leaders,” almost 60% of respondents said information security is now the top challenge in using cloud-based services. Managing data privacy is the next biggest challenge, at 51%, followed by ensuring data integrity, at 46%. 

Best Practices: Achieve Data Governance, Privacy & Integrity with Data Hygiene

Although SMBs do not enjoy the same resources of their larger counterparts, the initial steps to managing critical data are generally the same. 

Note first that data is spread across the whole enterprise, and that best practices can be drawn from what other subject matter experts have already observed.

“SMBs can get ahead of requests for data by documenting early what consumer data they hold. Having a greater understanding of what personal data they have, where it came from and who it’s shared with can streamline the process if a customer requests their data.”

-Campbell Hutcheson, “How SMBs Can Ensure Compliance with New Regulations”

It is important to remember that 80% of all data is unstructured and is growing by 63% per year. Unstructured data is largely unmanaged and unknown—70% is Redundant, Obsolete or Trivial (ROT). Unstructured data is also home to PII, the target of data breaches. 

Step 1 for SMBs is to gain control of this unstructured data. The goal is a posture that eliminates risk and lets the organization respond to new compliance demands within the timeframe allowed and with the completeness of information required.

Discovery includes taking inventory of the unstructured data across all file repositories, without moving or duplicating data. Moving or duplicating unstructured data risks multiplying the copies of PII you hold.

Classifying data involves finding data that is valuable and securing it, and remediating data that is useless or risky according to an organization’s data governance model and data retention policy.

Auditing entails deciding what data is retained and the purpose of that data, and then finding it a safe home. 

Step 2 is keeping your house in order. Once a comprehensive data hygiene pass is complete, governance policies and procedures, backed by regular monitoring, keep the organization compliant. Beyond the risk carried by PII, ransomware poses a significant risk and must be addressed in your data governance procedures.

Step 3 is responding to compliance demands from consumers and regulatory agencies. 

Step 4 is to ensure useless or risky data is continually remediated.
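As an added illustration of the discovery, classification and remediation steps above (example code written for this page, not code from the original post or any vendor product), the script below inventories a constructed file share in place, reads each file without copying or moving it, flags files whose contents match PII-shaped patterns, and marks empty or stale files as ROT candidates. The sample files, the two indicator patterns and the 365-day retention period are all assumptions made for the demonstration.

```python
import os
import re
import tempfile
import time

# Constructed indicator patterns: the shape of a US-style SSN and of an e-mail address.
PII_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")}

def classify_file(path, retention_days=365, now=None):
    """Inspect one file where it sits (read only, no copy or move) and return an inventory record."""
    now = time.time() if now is None else now
    st = os.stat(path)
    age_days = (now - st.st_mtime) / 86400
    with open(path, "rb") as fh:  # sample only the first 64 KiB of content
        head = fh.read(65536).decode("utf-8", errors="replace")
    pii = sorted(name for name, rx in PII_PATTERNS.items() if rx.search(head))
    if pii:
        label = "sensitive"  # valuable: secure it, record where it came from and who it is shared with
    elif st.st_size == 0 or age_days > retention_days:
        label = "rot"        # redundant, obsolete or trivial: candidate for remediation
    else:
        label = "review"     # needs a decision under the retention policy
    return {"path": path, "bytes": st.st_size, "age_days": round(age_days), "pii": pii, "label": label}

def inventory(root, **policy):
    """Walk every repository under root and classify each file in place; records carry a relative path."""
    records = []
    for d, _, files in os.walk(root):
        for name in sorted(files):
            rec = classify_file(os.path.join(d, name), **policy)
            rec["rel"] = os.path.relpath(rec["path"], root).replace(os.sep, "/")
            records.append(rec)
    return records

def build_sample_repo(now=None):
    """Create a constructed file share in a temp directory purely for this demonstration."""
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="hygiene_demo_")
    samples = {"hr/contract.txt": ("SSN 123-45-6789, contact jane@example.com", 30),
               "archive/notes.txt": ("2019 meeting notes", 400), "tmp/empty.log": ("", 1),
               "docs/plan.txt": ("Q3 roadmap draft", 5)}  # relative path -> (content, age in days)
    for rel, (content, age) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (now - age * 86400, now - age * 86400))  # back-date the file
    return root
```

Calling `inventory(build_sample_repo())` returns one record per sample file: the contract is labelled sensitive with both patterns hit, the year-old notes and the empty log are ROT candidates, and the recent plan is left for review.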

Schedule a demo today to see how easy it can be to manage your data privacy.