Mid-market companies often have few choices when it comes to ensuring compliance with federal regulatory edicts for customer identity and financial records. Big companies use business process management (BPM) and enterprise resource planning (ERP) systems to track everything their employees do. Mid-size companies have to spend a small fortune or manage with manual spreadsheets and homegrown solutions.
Credit unions and banks, regional hospitals, and smaller retailers are three types of businesses operating in this mid-market category. Mid-market businesses often hold their breath and hope that auditors will not show up at their doors checking compliance levels on electronic records concerning negotiated terms, agreement versions and changes and all transactions with vendors or suppliers that exceed a certain amount.
Federal regulations and guidelines set requirements through the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) compliance rules. Companies with budgetary and IT resource limitations can find these requirements burdensome, forcing them to sacrifice business speed and agility in exchange for providing minimal business value.
“New regulations tend to come out every month. So mid-market companies need an effective system to keep watch over their compliance efforts. For instance, data retention rules change regularly. E-mail archival is a major responsibility,” Allen Zuk, senior consultant at GlassHouse, told the E-Commerce Times. His company consults with mid-market firms to gauge their ability to meet requirements.
As the business world transitions from hard copy documents in file cabinets to conducting business transactions in electronic forms, companies now have to validate and safeguard the electronic documents. The rules require that they be validated, stored and produced for inspection upon demand, Zuk explained.
One of the newest rules is the need to retrieve data in its original form upon demand. For many smaller companies this is a real quagmire. There are penalties for not meeting rules, but the actual penalties levied are not clearly defined, he said.
In general, there are regulatory agencies that have to process violations complaints to a court of law to assess penalties. In some cases, the punishments are nothing more severe than a slap on the wrist, according to Zuck.
“It is not just Big Brother motivating mid-market companies to comply,” Dominique Levin, executive vice president of marketing, products and business development at LogLogic, told the E-Commerce Times. “These companies are also driven by the wrath of the consumer, who expects privacy compliance. The common thread for all new regulations is the control over personally identifiable data. That is the big driver.”
Complying with ever-changing regulations poses a financial hurdle for mid-market companies. Not all vendors have been able to tailor their compliance management products to meet this specific market niche, Levin noted. The trick is to find affordable products that mid-market firms can afford.
“There is always a budget impact. We were doing a lot of the regulations required already. We took the first step before being told to do [it],” Pete Boergermann, AVP Tech Support Manager/IT Security Officer for Citizens and Northern Bank, told the E-Commerce Times.
The bank added log managing tools, intrusion protection and an upgraded firewall to ensure it was compliant, he said.
Mid-market firms have fewer funds available to spend on security concerns addressed by regulations. Smaller companies can either spend money on targeted solutions or do nothing and face the financial burden of penalties when and if they are caught violating compliance rules.
“In smaller companies, there is a single system administrator wearing multiple hats with few options. We call this the ‘ostrich philosophy.’ These people need out-of-the-box solutions,” Levin said.
What to Expect
Putting compliance programs into place changes the behavior of employees at work, according to Levin. Employees work knowing that there is a record of who is doing what.
Violations and breaches are never 100 percent preventable, but these systems can reduce the chances of serious violations, she explained.
Log management systems maintain a record of all user and systems activity. The software can see what users are doing online, in their e-mails and with company records. Sometimes companies have problems dealing with the volumes of records compliance tools create.
The problem is that all vendors’ compliance software tools generate logs; however, people usually don’t do anything with the logs. Every vendor has its own format. So no unified method of extracting data exists. These compliance monitoring tools can generate in excess of 1,000 logs hourly.
The typical company doing business with credit cards, negotiations and e-mail correspondence with customers should be doing many of the basic procedures now spelled out by regulatory agencies. There are few difference in what mid-market firms and large corporations have to do.
“The PCI standards set the bottom line. Most companies should be doing 90 percent of its requirements no matter what type of business they are. These include protecting the network with a strong firewall, monitoring logs of records access and storing transactions,” Boergermann said.
His bank began the first round of making sure it met compliance rules in September of 2006. His IT staff only began taking a survey of the bank’s compliance in the last few months. The TJX breach reported by the news media got his bank going on compliance issues, he said.
More than anything else, reports in the news are what get firms moving on compliance issues, according to Boergermann. Most people follow the old adage: it won’t happen to us, he said.
In some ways, Boergermann’s bank was ahead of the game. But companies can never know for sure about their compliance status until auditors show up at the door, he said.
“We found that some requirements are vague, so it is hard to know exactly what is required. Companies have to balance the cost of compliance with the risk of exposure,” he warned.
- Courion’s Enterprise Provisioning Suite sells Suite Jump Start Options specifically designed to address the identitymanagement needs of the mid-market. These tools include out-of-the-box provisioning and password functionality. The suite eliminates the cost and infrastructure requirements that prohibit many companies from deploying identity management solutions.
Courion’s Jump Start options include Basic Access, which enables business managers to quickly add or remove network access for new hires and former workers. One component in the tool set, Orphan Account Finder, addresses one of the biggest security threats and compliance issues by disabling access to those employees no longer with the organization.
- LogLogic recently launched a do-it-yourself kit for mid-market companies. The user places an appliance box next to the central collection server on its site. IT staff can access data from any browser.
- Qualys recently introduced the QualysGuard Security and Compliance Suite, a suite of Software as a Service products that help organizations to manage the operational challenges and costs associated with securing their IT infrastructure and comply with new regulations.