We’ve seen it all in IT, including small businesses that have lost business because their IT wasn’t up to standards. Not because their own business required IT compliance, but because a key customer required it. We call this “compliance-adjacent,” and it has tripped up far too many small- to medium-sized businesses. Here are four big mistakes SMBs make and how you can avoid them.
Most small businesses have their “big customer”—the one that does a lot of business with them, usually a larger company or corporation relying on the SMB for critical services such as legal, accounting, marketing, PR, parts manufacturing, etc. And nearly all larger companies and corporations have IT compliance obligations—rules they must adhere to for technology in order to keep certifications or stay in the good graces of inspectors and government agencies. In New York, for example, the Department of Financial Services has IT compliance regulations for companies that deal in financial transactions—everything from banks to credit unions to land title companies. NYS DFS CR 500 compliance isn’t hard to follow, but it does require that if you are providing services to a DFS covered entity you either need to be compliant yourself or be able to prove you are exempt according to its definitions (which usually turn on whether you handle personal and financial data such as full names and account information).
We’ve been asked to help a lot of SMBs with compliance issues, and with some of these we’re dealing with “compliance-adjacent” questions such as, “As a law firm, we handle XYZ type cases for financial firms… do we have to be DFS compliant?” Or, “We do marketing for doctors’ offices, sending emails to patients… do we have to be HIPAA compliant?” Sometimes, by the time we try to get involved, it’s too late. We might get a call from a company (not a client) telling us they’ve been fined or sued over compliance issues and asking if we can help after the fact.
To avoid these terrible situations, here are four mistakes we commonly see and how to avoid them.
- Don’t Ask, Don’t Tell: too often SMBs are worried about asking their customers whether there are any compliance requirements they need to follow as a service provider. They may feel this will open a Pandora’s box of questions that could put the new contract or business at risk. We find it to be the opposite—not asking, and therefore not knowing, will eventually catch up with you. Don’t be afraid of compliance issues! Oftentimes they can be resolved or implemented quickly. More on that in a moment.
- Don’t Look At IT: too often SMBs don’t inspect their own IT systems for worrisome holes. We’re not just talking about patches and firmware updates—we’re talking about looking at how you and your employees use technology. For example, is it okay for your employees to have spreadsheets saved to their desktops that contain customers’ personal information or account information? Or, if you’re a manufacturer, to have your design files backed up to data centers overseas? Take a look at your IT (or, even better, have us do it for you) and see not just what you are using but how you are using it.
- Don’t Police Your Policies: do you even have an Information Security Policy? Does it still talk about using a PDA, circa the 1990s? Often, this is a small paragraph or two in an employee handbook written years ago. Update it and be sure it covers where files must be saved and stored, which information should be considered “protected,” and what that designation means in practice. Nowadays, you need to have strong password policies, mobile device policies, and what we call “change management”—most commonly, tracking changes to your users: when you hire someone new, how permissions are assigned, and when someone is terminated, how you can prove the former employee no longer has access.
- Trust and Don’t Verify: this is a common mistake that can trip up compliance efforts… an SMB may put policies and procedures in place but never verify them with an independent third party, such as Groff NetWorks. A few hours of consulting time each year shows any auditor that you are vigilant, not negligent—and if a mistake does happen, having an annual IT audit on record is a big plus in your favor.
Don’t be afraid of IT compliance as an SMB. It’s not going to go away, it’s only going to get more demanding, and sticking your head in the sand is not an effective strategy. We’re here to help you face these issues without getting sand kicked in your face by the Compliance Bully.