Canadian businesses are feeling extreme pressure to comply with ever-increasing standards and regulations, according to security technology experts.
Organizations want guidance on how to rationalize compliance management and recoup its associated costs, said Andrew Berkuta, senior security strategist for Plano, Texas-based security software company McAfee Inc.
“Every company needs to comply with one or more types of regulations,” said Berkuta, who is part of a McAfee team currently touring Canada to gauge the concerns of businesses.
He said companies here are complaining that “there are just too many regulations.”
Berkuta and Carl Banzhof, vice-president and chief technology evangelist for McAfee, spoke at a press briefing yesterday in Toronto after meeting with customers.
The McAfee team’s findings were echoed by a Canadian technology integrator that deals with numerous SMBs.
“It’s getting more and more difficult for small companies to do business with larger enterprises because of compliance demands,” said Vijay Thomas, partner at Banyan Commerce, a Toronto-based radio frequency identification (RFID) systems provider.
Compliance requirements affecting SMBs include the Personal Information Protection and Electronic Documents Act (PIPEDA), which requires firms to ensure the personal information of clients is protected, and the Sarbanes-Oxley Act (SOX), which essentially requires that the information used to form a company’s financial statements is accurate.
Large companies often refuse to deal with firms that do not meet such regulations for fear of opening themselves to legal repercussions, Thomas said.
Thomas said that apart from fulfilling various industry-specific standards, SMBs also have to meet business-to-business requirements or lose out on a bid.
For instance, most large retailers require suppliers to have electronic data interchange (EDI) capability, but not all SMBs have the budget to deploy the technology at a level demanded by big businesses.
According to McAfee, the top three concerns aired by Canadian businesses are: the need for guidance in dealing with multiple compliance requirements, lack of resources to meet regulations, and the threat of losing business over non-compliance.
“Businesses find they are spending a lot of manpower and money in collecting data, analyzing and creating various reports,” Banzhof said.
In numerous instances, compliance initiatives overlap, indicating that some processes are possibly being needlessly repeated, thereby creating a drain on company resources.
He said companies’ reactions vary: “some embrace compliance while others choose to ignore it.”
But non-compliance often comes with a stiff penalty.
For example, retailers who fail to comply with the Payment Card Industry (PCI) data security standard set by the major credit card companies could be slapped with a fine and charged premium fees rather than discounted rates for credit card transactions.
Hypothetically, Banzhof said, a US$2.5-billion business that fails to comply with PCI standards for one quarter could be fined US$25,000. However, the loss of discount fees could raise the company’s credit card transaction expenditures to about US$12.5 million.
Berkuta said McAfee provides a suite of software products that help organizations automate and streamline compliance reporting.
Basically the products help compliance managers “identify the common denominator required by the different regulations” to reduce redundant processes.
“We take the big components first and then start identifying the smaller items.”
The product standardizes the audit tracking and reporting process to reduce downtime.
Internal controls play a big role in meeting standards, said Thomas.
In order to improve compliance, SMBs should consider getting a detailed risk assessment from a vendor specializing in the area, he said. This process will help pinpoint where compliance is most needed and allow personnel to focus on key aspects of the business.