How Do SMEs Tackle Compliance Challenges in IT?

In most SMEs, the discussion on ‘Compliance in IT’ is ignored until the company is sued or mired in some legal trouble. The author, Chaitanya Dhareshwar, is Head IT at Banyan Tours and Travels and he discusses the subject of ‘compliance in IT’ from an SME’s perspective.

Chaitanya Dhareshwar, Head IT, Banyan Tours and Travels, Aug 29th 2012

The recent amendments to the Information Technology Act, 2000 have put a tremendous focus on regulatory compliance. Enterprises are embracing technology in order to monitor employee internet use. With the advent of social media and the consumerization of IT, CIOs need to transform their security strategies. According to a report by Gartner, 60 percent of CIOs are expected to watch workers’ social media use for security breaches. While big organizations are expanding their security budgets to support new measures, small and medium enterprises are still struggling to save cost and enforce regulatory compliance at the same time.

Larger enterprises often have an in-house legal team and contract a large legal firm as required. But typically, SMEs do not have a legal department, and the work is mostly outsourced to a small legal panel. Therefore, the ability to interpret the law becomes a major shortcoming: the techno-legal opinion required is not always available. SMEs rigidly focus on cost saving, so the overhead of having to work out legal intricacies, especially "perceived compliance issues", is dismissed as undesirable and unnecessary.

While CIOs in large enterprises are expected to monitor employee accounts to detect security breaches, the technology leaders in SMEs are often not so well equipped to understand the legal ramifications, and may not have adequate legal support to reach even a baseline.

For instance, in 2010, a client walked into the office seeking details on how her private data was being protected. She demanded that we produce a ‘privacy policy’ document. Our operations team printed a document and submitted it to her. She expressed her distaste for a particular policy term which said "we will use the data as necessary for our business purposes." Had she filed a privacy breach case against our company, we would have lost at least 30 percent of our client base, and the company would have suffered a closure.

Therefore, the lack of awareness around regulatory compliances, cost issues and a dearth of employee privacy policies are the biggest challenges faced by SMEs. The key to success is to have only one person responsible for it. A competent IT leader must take responsibility while adopting a standard governance model. Normally it’s the CIO but it may vary for different organizations. 

SMEs must take the following best practices into consideration while forming a governance model:

  • Understanding the implications of applicable regulations throughout an organization
  • Performing a security risk assessment
  • Creating and implementing a set of policies and controls
  • Monitoring, enforcing and documenting the controls

But the question is: How many SMEs follow these best practices? Not more than 80 percent of the medium enterprises and about 5 percent of the small enterprises. The main reason is that the expense and time taken to understand the legal implications, policies, and standards are judged simply not worth the risk. Or they believe that it's not worth it until calamity strikes.
