SMBs Face Big Challenges in Meeting Regulatory Requirements

Managed services and better policies can help SMBs deal with costs associated with archiving and protecting data in the name of compliance.

When it comes to regulatory and industry compliance, SMBs (small and midsized businesses) face the challenge of meeting the same burdens as enterprises but with a smaller workforce and budget. Meeting that challenge means SMBs may have to reconsider both their internal data management and security policies and their use of managed services, analysts advised.

"SMBs are having trouble meeting regulatory requirements for data protection because they don't have the resources to deal with regulations," said Khalid Kark, an analyst at Cambridge, Mass.-based Forrester Research. "In a lot of cases, the same person is responsible for creating and implementing data protection policies. This may be a big issue for some regulators who profess separation of duties."

Most SMBs struggle to allocate enough resources to protect their assets, let alone prove to regulators that they are actually protecting those assets, Kark asserted. He suggested SMBs develop principles-based security programs rather than compliance-based ones, define a framework for their protections and map all regulatory requirements to it.

"Most have gone the route of taking compliance as a one-off effort that has led to a lot of duplication and inefficiencies," Kark said. "Regulations are all about process—not about technology—(and) SMBs need to ensure efficient processes and augment processes with automation where necessary. They should not look for technology to help them solve their compliance problems, but should look at it as an enabler in the process."


Sometimes, the difficulty SMBs face in meeting regulatory or industry compliance standards results in businesses not using certain technologies at all. For example, Steve Yin of St. Bernard Software in San Diego said the company found in a survey that IT managers surveyed don't allow external instant messaging. The reason, he said, is that IT managers realize that if they do, they would have to begin archiving and tracking it and so forth.

"So rather than taking that plunge, they just don't allow it," Yin said. "They're under the same pressure as large enterprise, yet they don't have nearly the resources to build out their infrastructure to address it in the same way a large enterprise might be able to address it. So their choices are either heavy investment, or perhaps don't allow certain types of communication, which obviously is not ideal."

St. Bernard Software offers a managed service targeted at SMBs called LivePrism that, in addition to providing security by isolating malware and other threats at the network perimeter, also provides secure archiving to help businesses keep data preserved and retrievable in an age of evolving compliance regulations, Yin said.

Gary Chen, an analyst with the Yankee Group in Boston, said vendors are not doing a great job of building SMB-focused products to help businesses meet the demands of federal and industry regulations for preserving and retrieving data.

"It's quite challenging, you need to have all the complexity and features of a heavyweight enterprise one, but you then also have to make it really easy to implement, manage and use," Chen said. "Managed services are being positioned to solve some of these problems."
