How small businesses can deal with getting regulated

Even SMBs have to deal with big regulations thanks to GDPR and more. One startup has an answer for how to manage compliance and security.



It used to be that only big companies, and really only big companies in certain industries (e.g., finance, healthcare), were forced to fixate on regulations. Today, however, any company on the internet is basically in a regulated industry. If you’re online, a customer from Europe can get to you and, just like that, you are subject to GDPR rules. Companies are increasingly regulated on how they deal with customer data. More and more, regulatory stress is coming to SMBs and startups, and they don’t know how to deal with it.

According to market researchers, compliance is nearly a $70 billion annual industry, but that’s almost all spent by Global 2000 enterprises. And if even Amazon, Apple, Facebook, and Google have data privacy challenges with governments threatening fines and investigations–despite their billions of dollars of quarterly earnings and armies of security specialists on call 24/7–what’s a small company to do?


Helping small companies act big

Enter a startup called Aptible, which just announced a $12 million Series A financing round. Founded by compliance and security experts from Eli Lilly and the Pentagon, it is one of the first entrants into this potentially huge market helping SMBs with compliance and security. Aptible is aiming to remove most of the friction and cost of compliance by automating key workflows and giving customers easy-to-follow templates to make security a baked-in part of just doing daily business.

The stakes are high.


It’s not just cost and rules and avoiding fines and restrictions from industry regulators, significant as those are; there are also manifest benefits of running a business where customers can be confident that their data is secure and protected. Doing this right gains companies access to valuable new markets by demonstrating higher levels of security, which is table stakes for selling into the enterprise. It also allows a company to breeze through vendor security assessments. And if Global 2000 enterprises can almost go out of business after a major breach, the margin of error for smaller companies is orders of magnitude smaller. One mistake can turn off the lights forever.

What’s interesting about Aptible is its approach to solving this challenge. The platform it delivers is SaaS-based so customers don’t have to hassle with on-premises implementation, deployment, and operations. It’s designed in many ways to mimic modern CI/CD practices that take scores of complex steps with single dependencies and create simple, fast, automated mechanisms to put code into production faster while incorporating the process into familiar workflows. Just as software development following modern CI/CD practices gives organizations more confidence in the quality of their code, the same holds true for compliance and security.

Figuring out scale

The more complexity in an organization’s technology, people, and number of requirements, the more difficult it is to maintain security practices at scale. For a startup or SMB, facing an audit to show compliance is typically a one-off event that they likely have never had to deal with before. It’s terribly time-consuming and complex to sort out what needs to be done in the first place, design new workflows to follow the guidelines, and then institute processes that employees actually follow to confirm compliance. Enterprises invest billions and employ armies of specialists to solve this. They do it over and over. But if you’re a startup or SMB, it’s almost day one every time.


Aptible wants to help. The company argues that security management is more than a set of policies or security products. It’s an ongoing process that elevates security to the same level of importance as other key business functions, like software development, keeping financial records, or servicing customers.

If you already know that the protocols for HIPAA, GDPR, and CCPA have clearly defined scopes (and require specific agreements from your SaaS vendors beyond SLAs), but that voluntary certification programs like ISO 27001 or SOC 2 allow for more discretion, then your organization may not need help from companies like Aptible. For everyone else (and there are a lot of “everyone else’s”), a company like Aptible can be a game changer even as the internet has pushed all companies, large and small, into the wonderful world of a “regulated industry.”
