I’ve been spending a lot of time lately with early startups and small business owners talking about privacy and security. My previous jobs sent me into some very large enterprises to solve some very large privacy and security concerns. One has to ask, are these two worlds so different? I’d have to say yes and no. A recent series of outages involving an industry-specific ERP vendor understandably had business leaders in the marketplace upset. Many days’ worth of revenue was lost and regulatory reporting was halted, which in turn froze commerce in its tracks. There is a certain amount of outrage amongst the customers experiencing the outages; there’s also a certain amount of learned helplessness. This got me thinking: how can we apply a little Fortune 500 wisdom to help out the folks just getting started?
In general, businesses should adopt a holistic approach to their commercial continuity needs. While fledgling industry software and service vendors may share responsibility for these challenges, there are broader issues business leaders should consider when developing their plans to accelerate commerce and ensure regulatory compliance. Just as “compliance by design” is a mantra of certain industry pioneers, “availability by design” and “(cyber) security by design” are two best practices commonly employed by traditional lines of business; emerging enterprises should adopt these measures as well.
Continuity of critical business function has been a mainstream technology concern as far back as the 1970s, when federal regulations required the telecommunications industry to provide highly available 911 services through their networks. “Five nines” of availability was the brass ring, and billions of dollars were spent to achieve it. Today, many of those lessons learned can be applied to our “as-a-service” economy. Just as traditional businesses require high availability from their vendors, small enterprises should vet their service providers for continuity, redundancy, and disaster recovery considerations.
Securing applications and productivity technology must also be a part of this plan. Cybersecurity has recently become a hot topic and there is a lot of hype. While nearly all business executives agree it is critical and cyber risk is now a board-level topic, the industry itself is constantly evolving. No matter how large or small, it’s not a matter of if but when a business will be breached.
But where to start securing your business? Consider taking a look at the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs). CIS is a non-profit entity made up of global IT professionals whose charter is to promote best practices for safeguarding against cyber crime. A copy of their SME guide can be found here: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/. Recently, the California Attorney General endorsed the CIS security controls as the “minimum level” of “reasonable security” measures. Further, the AG’s report goes on to state, “failure to implement all the [CIS] controls that apply to an organization’s environment constitutes a lack of reasonable security.” Anyone looking to do business in the Golden State should definitely familiarize themselves with the CIS Top 20.
With the widespread adoption of cloud computing, mobile accessibility, and social media, these are really exciting times. Never before has it been easier to start something new and big. Along with the opportunity come some bumps in the road, but business leaders don’t necessarily have to go it alone. While the products and markets may be new and fresh, chances are someone has already spent sleepless nights solving the technology problems.
American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels.