In most SMEs, the discussion on ‘Compliance in IT’ is ignored until the company is sued or mired in some legal trouble. The author, Chaitanya Dhareshwar, is Head IT at Banyan Tours and Travels and he discusses the subject of ‘compliance in IT’ from an SME’s perspective.
The recent amendments to the Information Technology Act, 2000 have put a tremendous focus on regulatory compliance. Enterprises are embracing technology in order to monitor employee internet use. With the advent of social media and the consumerization of IT, CIOs need to transform their security strategies. According to a report by Gartner, 60 percent of CIOs are expected to watch workers’ social media use for security breaches. While big organizations are expanding their security budgets to adopt new measures, small and medium enterprises are still struggling to save costs and enforce regulatory compliance at the same time.
Larger enterprises often have an in-house legal team and contract a large legal firm as required. SMEs, however, typically do not have a legal department, and the work is mostly outsourced to a small legal panel. The ability to interpret the law therefore becomes a major shortcoming, and the techno-legal opinion required is not always available. SMEs focus rigidly on cost saving, so the overhead of having to figure out legal intricacies, especially "perceived compliance issues", is seen as undesirable and unnecessary.
While CIOs in large enterprises are expected to monitor employee accounts to detect security breaches, technology leaders in SMEs are often not so well equipped to understand the legal ramifications, and may not have adequate legal support to establish a baseline.
Therefore, the lack of awareness around regulatory compliance, cost issues and a dearth of employee privacy policies are the biggest challenges faced by SMEs. The key to success is to have a single person responsible for it. A competent IT leader must take responsibility while adopting a standard governance model. Normally this is the CIO, but it may vary across organizations.
SMEs must take the following best practices into consideration while forming a governance model:
- Understanding the implications of applicable regulations throughout an organization
- Performing a security risk assessment
- Creating and implementing a set of policies and controls
- Monitoring, enforcing and documenting the controls
But the question is: How many SMEs follow these best practices? Not more than 80 percent of the medium enterprises and about 5 percent of the small enterprises. The main reason is the belief that the expense and time taken to understand the legal implications, policies and standards is simply not worth the risk. Or they believe that it is not worth it until calamity strikes.