The ever increasing demands of keeping up with industry standards and regulations are only expected to grow more in the coming years, according to compliance experts.
As operators of Canadian businesses ponder compliance strategies, a recent survey conducted by security software firm Symantec Corp. provides some useful hints on how to improve data integrity and protection.
“The company that has less compliance deficiency experiences less data loss,” said Jim Hurley, managing director of the IT Policy Compliance Group of Symantec.
The ITPCG conducts periodic studies of 200 to 300 cross industry firms worldwide. The group queries c-level executives, managers, directors and staff members on issues regarding compliance.
In recent years, Canadian businesses have been airing concern over the pressures of fulfilling standards and regulation. Industry-specific requirements affecting SMBs include the Personal Information Protection and Electronic Document Act (PIPEDA), which requires firms to unsure personal information of clients is protected, and the Sarbanes-Oxley Act (SOX), which requires that information used in a company’s financial statements are accurate.
Aside from meeting these requirements, SMBs are also concerned about cutting cost associated with compliance, according to Andrew Berkuta, senior security strategist for McAfee Inc., a Plano, Texas-based security software firm.
Berkuta said the top three concerns aired by Canadian business are: the need for guidance in dealing with multiple compliance requirements, lack of resources to meet regulations and the threat of losing business over non-compliance.
He said SMBs can quickly cut down the number of compliance issues by identifying the common denominators required by various regulations to reduce redundancies.
Companies can also improve internal controls by conducting a detailed risk assessment to pinpoint where compliance is most needed. For SMBs with limited budgets and personnel, this step could be accomplished by hiring a third party specialist that can assist in developing a compliance strategy, Berkuta said.
Once a compliance strategy is set Hurley said companies must make sure to keep an eye on the following:
Keep compliance deficiency down
Make sure all your compliance bases are covered. The ITPCG study indicates that 68 per cent of companies that suffered data loss had 23 or more compliance deficiencies.
Conduct frequent compliance assessments
There’s a correlation between the effectiveness of controls and the frequency with which they are checked.
Compliance laggards (companies with 10 to 100 deficiencies) tended to check controls only once a year. Firms that experienced two or less instances of data loss in a year tended to check controls once a week.
Reduce control objectives
Streamline your control or compliance objectives to reflect only the essential requirements. Reducing redundancies and non-essential targets cut down on time and money spent on compliance. A company that scaled back objectives from 100 to 30 managed to reduce its compliance expenditure by about 49 per cent.
Automate key processes
Automating data gathering and reporting can reduce hours used on compliance work and free-up staff to do their key duties.
Educate employees
Technology alone will not solve compliance issues. The workforce needs to be aware of the importance to the business of meeting standards and regulations. The survey showed that organizations that spent less time educating staff had more compliance issues.
Introduce incentives and disincentives
A version or the carrot and the stick might be effective. There are no quantifiable data on this, but Hurley said one firm reported encouraging results. The firm gives bonuses to employees whenever the company completes a period without any compliance issues.
Comment: [email protected]
