
Complying With Compliance: Managed Service Providers Help SMBs Handle New Regulations

Kunjal Trivedi
06/22/2006

No matter which political party controls the White House or Congress, there seems to be one constant for SMBs. Over time, the regulations they must follow become more ponderous, complex and challenging.

Data security and storage are often at the root of compliance mandates, which places much of the burden for regulatory adherence on IT departments. Unfortunately, most SMB IT staffs lack the necessary personnel, tools and training. Without sufficient IT resources, smaller businesses may have difficulty meeting their burgeoning regulatory requirements.

That’s why SMBs increasingly are turning to managed service providers, which are adding security services to their menu of offerings. Providers are going beyond their traditional role of simply supplying transport and bandwidth: They are now delivering the knowledge, tools and technologies that SMBs need to do business in a regulation-heavy and security-conscious environment.

Mountains of Mandates
Today’s regulatory landscape can be confusing for any company. For smaller companies, there may simply be too many details to master and manage. While business has long co-existed with vigorous regulatory agendas, recent rule changes and additions are making the burden truly onerous.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to ensure health care portability for employees. Three years later, the Gramm-Leach-Bliley Act (GLBA) arrived, providing protections against the sale of data from private financial transactions. Sarbanes-Oxley came next, adding a slew of new regulations to boost accountability for publicly traded companies. And now, many SMBs must comply with the Payment Card Industry Data Security Standard (PCI-DSS), which establishes a set of unified procedures to secure the storage, transmission and processing of credit card data. Data security and integrity, in fact, are essential for any SMB that wishes to follow each of these regulations properly.

In this environment, the regulatory burden can play a huge role in fundamental business decisions. It may be a factor in key determinations regarding how the company grows, what its personnel policies are, or whether the company considers going public. Operationally, regulatory adherence can dramatically increase administrative and legal costs, while distracting a company from its core business.

In almost every case, technology can substantially ease the burden of complying with these regulations. Moreover, SMBs are more likely than larger enterprises to outsource as many noncore activities as possible to hold down costs and retain their focus on their customers, products and overall mission. As a result, managed service providers have a unique opportunity to address the needs of these businesses.

Easing Adherence
When it comes to regulatory compliance, SMBs have very specific requirements. Service providers therefore should focus on a few core areas.

Security
Network, device and data security is paramount in the new era of regulatory adherence. Financial and medical information must be protected from theft and compromise. In this environment, SMBs require a host of managed services, including network protection, secure network management, and network and security support and consulting. Increasingly, encryption is considered essential for securing data at rest and in transit, boosting the need for outside security expertise.

Storage
Many SMBs store data off-site, whether for primary use or for backup and business continuity. Stored data must be protected from theft, as well as from unauthorized copying and disclosure, creating an opportunity for providers of secure managed storage services. As it is for data stored locally, encryption is rapidly becoming standard for data in remote storage.

Reporting
Managed service providers can add tremendous value by easing the substantial reporting challenges of regulatory compliance. They can help SMBs track information, manage logs and create timely, accurate reports for auditing and assessments. Regulations like Sarbanes-Oxley mandate stiff penalties, including jail time, for false and misleading information, making data integrity and report accuracy essential.

Understandably, some SMBs might be hesitant to relinquish control of their networks and entrust their sensitive data to an outside party. Others may hesitate because they’re unsure of their company’s security policies and postures. Administrators also might be reluctant to outsource certain functions lest they displace their own jobs. Fortunately, service providers can develop ways to get beyond these inhibitors.

Guarantees of Confidentiality
Clients must know that their service provider, while providing security, will not have access to the organization’s sensitive data. Therefore, providers should offer written guarantees of confidentiality. Furthermore, they should fully expose their level of access. Clients should have a means to see that their providers are collecting network metrics, not sensitive content.

Service-Level Agreements (SLAs)
SLAs offer clients another level of protection and an added measure of assurance. SLAs set expectations for service and support at a known cost, allowing clients to conduct their business with confidence. Providers can differentiate themselves by offering strong agreements, as stringent SLAs are invaluable to SMBs.

Differentiated Offerings
With security services, one size does not fit all. Different industries require different types of products, as do individual companies. Some organizations are comfortable outsourcing most of their security requirements; others definitely are not. Therefore, managed service providers should offer a menu of security products from which companies can pick and choose.

Scalability
SMBs often grow quickly. Providers need to be able to support more users, additional offerings and greater capacity. A provider that cannot scale its support will lose clients over time.

Bundling
With bundling, a provider offers clients a suite of its most popular services, usually at a discount from the cost of services delivered individually. Bundling gives clients an incentive to order more services, while providing a high customer attach rate.

Companies today are under tremendous pressure to abide by stringent, detailed financial, health, security and employment regulations, a burden that is only likely to increase. Failure to comply can result in severe penalties. SMBs are under particular stress, since they often lack the expertise and resources necessary for compliance. Managed service providers can step into this void. They can offer affordable security, storage and IT services so that SMBs can meet their regulatory obligations while retaining a focus on their core businesses.

 

Kunjal Trivedi is manager of managed security solutions marketing at Cisco Systems Inc. He can be reached at kutrived@cisco.com.

Cisco Systems Inc. www.cisco.com

