China

China backs Hong Kong chief, slams protesters for violence

HONG KONG (AP) — China's government strongly backed Hong Kong Chief Executive Carrie Lam's embattled administration on Tuesday, saying the occupation and vandalizing of the city's legislature by pro-democracy protesters amounted to "serious illegal acts" that endangered the social order.

Foreign Ministry spokesman Geng Shuang said Beijing condemned the acts that saw several hundred demonstrators break through glass and steel barriers to enter the building on Monday night.

Geng said China's central government strongly supported Hong Kong's government and its police force in dealing with the incident in accordance with law.

"The violent attacks …Read more on NewsOK.com

Protests escalate as Hong Kong marks handover to China

HONG KONG (AP) — Frustration among opposition protesters in Hong Kong boiled over on Monday, with one group laying siege to the legislative building and tens of thousands of others marching through the city to demand expanded democracy on the 22nd anniversary of the former British colony's return to China.

Black-clad protesters wearing hard hats and face masks smashed a floor-to-ceiling window at the legislature.

The protesters repeatedly rammed a cargo cart and large poles into the glass while police with riot shields stood guard inside to prevent anyone from entering.Read more on NewsOK.com

Ideas on How to Improve Your Product Backlog Management Techniques

TL; DR: Ideas on How to Improve Your Product Backlog Management Techniques
Scrum is a simple, yet sufficient framework to build emerging products, provided you identify in advance what is worth building. But even after a successful product discovery phase, you may struggle to make the right thing in the right way if your Product Backlog is not up to the job; garbage in, garbage out—as the saying goes. The following article points at ideas on how to improve your product backlog management techniques — including the Product Backlog refinement process.

The Product Backlog According to the Scrum Guide
First of all, let’s have a look at the current issue of the Scrum Guide on the Product Backlog:
“Product Backlog refinement is the act of adding detail, estimates, and order to items in the Product Backlog. This is an ongoing process in which the Product Owner and the Development Team collaborate on the details of Product Backlog items. During Product Backlog refinement, items are reviewed and revised. The Scrum Team decides how and when refinement is done. Refinement usually consumes no more than 10% of the capacity of the Development Team. However, Product Backlog items can be updated at any time by the Product Owner or at the Product Owner’s discretion.
Higher ordered Product Backlog items are usually clearer and more detailed than lower ordered ones. More precise estimates are made based on the greater clarity and increased detail; the lower the order, the less detail. Product Backlog items that will occupy the Development Team for the upcoming Sprint are refined so that any one item can reasonably be “Done” within the Sprint time-box. Product Backlog items that can be “Done” by the Development Team within one Sprint are deemed “Ready” for selection in a Sprint Planning. Product Backlog items usually acquire this degree of transparency through the above-described refining activities.
The Development Team is responsible for all estimates. The Product Owner may influence the Development Team by helping it understand and select trade-offs, but the people who will perform the work make the final estimate.”
Source & Copyright: ©2016 Scrum.Org and ScrumInc. Offered for license under the Attribution Share-Alike license of Creative Commons, accessible here and also described in summary form.
Common Product Backlog Anti-Patterns
Despite being relatively straightforward, the process of creating and refining a Product Backlog often suffers from various anti-patterns. I have identified five different categories for Product Backlog techniques:
General Product Backlog Techniques

Prioritization by proxy: A single stakeholder or a committee of stakeholder prioritize the Product Backlog. (The strength of Scrum is building on the strong position of the Product Owner. The PO is the only person to decide what tasks become Product Backlog items. Hence, the Product Owner also decides on the priority. Take away that empowerment, and Scrum turns into a pretty robust waterfall 2.0 process.)
100% in advance: The Scrum Team creates a Product Backlog covering the complete project or product upfront because the scope of the release is limited. (Question: how can you be sure to know today what to deliver in six months from now?)
Over-sized: The Product Backlog contains too many items. (This way, the Product Owner probably creates waste by hoarding issues that might never materialize. Depending on the specific context, many products might benefit from limiting the Product Backlog to three, possibly four Sprints, particularly in highly competitive markets.)
Outdated issues: The Product Backlog contains items that haven’t been touched for six to eight weeks or more. (That is typically the length of two to four sprints. If the Product Owner is hoarding backlog items, the risk emerges that older items become outdated, thus rendering previously invested work of the Scrum Team obsolete.)
Everything is estimated: All items of the Product Backlog are detailed and estimated. (That is too much upfront work and bears the risk of misallocating the Scrum Team’s time.)
Component-based items: The Product Backlog items are sliced horizontally based on components instead of vertically based on end-to-end features. (This may be either caused by your organizational structure. Then move to cross-functional teams to improve the team’s ability to deliver. Otherwise, the team – and the Product Owner – need a workshop on writing items.)
Missing acceptance criteria: There are items in the Product Backlog without acceptance criteria. (It is not necessary to have acceptance criteria at the beginning the refinement cycle although they would make the task much more manageable.)
No more than a title: The Product Backlog contains items that comprise of little more than a title. (See above.)
Issues too detailed: There are items with an extensive list of acceptance criteria. (This is the other extreme: the Product Owner covers each edge case without negotiating with the team. Typically, three to five acceptance criteria are more than sufficient.)
Neither themes nor epics: Neither themes or epics do structure the Product Backlog. (This makes it hard to align individual items with the “big picture” of the organization. The Product Backlog is not supposed to be an assortment of isolated tasks or a massive to-do-list. Please note that both themes and epics are not elements of the Scrum Guide.)
No research: The Product Backlog contains few to no spikes. (This often correlates with a team that is spending too much time on discussing prospective problems, instead of researching them with a spike as a part of an iterative item creation process.)

Techniques at Portfolio and Product Roadmap Level

Roadmap? The Product Backlog is not reflecting the roadmap. (The Product Backlog is supposed to be detailed enough only for the first two or three sprints. Beyond that point, the Product Backlog should rather focus on themes and epics — see above — from the product roadmap. If those are not available, the product backlog is likely to granular.)
Annual roadmaps: The organization’s portfolio plan, as well as the release plan or product roadmap, are created once a year in advance. (If the Product Backlog stays aligned to these plans, it introduces waterfall planning through the backdoor. Agile planning is always “continuous.” At the portfolio level, the plan needs to be revised be least every three months.)
Roadmaps kept secret: The portfolio planning and the release plan or product roadmap are not visible to everybody. (If you do not know where you are going any road will get you there. This information is crucial for any Scrum Team and needs to be available to everybody at any time. )
China in your hands: The portfolio planning and the release plan or the product roadmap are not considered achievable and believable. (If this is reflected in the Product Backlog, working on items will probably be a waste.)

Product Backlog Techniques of the Product Owner

Storage for ideas: The Product Owner is using the Product Backlog as a repository of ideas and requirements. (This practice is clogging the Product Backlog, may lead to cognitive overload and makes alignment with the ‘big picture’ at portfolio management and roadmap planning level very tough.)
Part-time or busy PO: The Product Owner is not working daily on the Product Backlog. (The Product Backlog needs to represent at any given time the best use of the Development Team’s resources. Updating it once a week before the next refinement session does not suffice to meet this requirement.)
Copy & paste PO: The Product Owner creates items by breaking down requirement documents received from stakeholders into smaller chunks. (That scenario helped to coin the nickname “ticket monkey” for the product owner. Remember: item creation is a team exercise.)
Dominant PO: The Product Owner creates items by providing not just the ‘why’ but also the ‘how,’ and the ‘what.’ (The team answers the ‘how’ question – the technical implementation –, and both the team and the PO collaborate on the ‘what’ question: what scope is necessary to achieve the desired purpose.)
INVEST? The Product Owner is not applying the INVEST principle by Bill Wake to items.
Issues too detailed: The Product Owner invests too much time upfront thus making them too detailed. (If an item looks complete, the team members might not see the necessity to get involved in further refinement. This way, a “fat” item reduces the engagement level of the team, compromising the creation of a shared understanding. By the way, this didn’t happen back in the days when we used index cards given their physical limitation.)
What team? The Product Owner is not involving the entire Scrum Team in the refinement process and instead is relying on just the “lead engineer” (or any other member of the team independently of the others).
‘I know it all’ PO: The Product Owner does not involve stakeholders or subject matter experts in the refinement process. (A Product Owner who believes to be either omniscient or a communication gateway is a risk to the Scrum Team’s success.)

Development Team Techniques

Submissive team: The Development Team submissively follows the demands of the Product Owner. (Challenging the Product Owner whether his or her selection of issues is the best use of the Development Team’s time is the noblest obligation of every team member: why shall we do this?)
What technical debt? The Development Team is not demanding adequate resources to tackle technical debt and bugs. (The rule of thumb is that 25% of resources are allocated every sprint to fixings bugs and refactor the code base.)
No slack: The Development Team is not demanding 20% slack time from the Product Owner. (This is overlapping with the sprint planning and the team’s forecast. However, it cannot be addressed early enough. If a team’s capacity is always utilized at 100 %, its performance will decrease over time. Everyone will focus on getting his or her tasks done. There will be less time to support teammates or to pair. Small issues will no longer be addressed immediately. And ultimately, the ‘I am busy’ attitude will reduce the generation of a shared understanding among all team members why they do what they are doing.)

Product Backlog Techniques of the Scrum Team

No time for refinement: The team does not have enough refinement sessions, resulting in a low-quality backlog. (The Scrum Guide advises spending up to 10% of the Scrum Team’s time on the Product Backlog refinement. Which is a sound business decision: Nothing is more expensive than a feature that is not delivering any value.)
Too much refinement: The team has too many refinement sessions, resulting in a too detailed backlog. (Too much refinement isn’t healthy either.)
No DoR: The Scrum Team has not created a ‘definition of ready’ that Product Backlog items need to match before becoming selectable for a sprint. (A simple checklist like the ‘definition of ready’ can significantly improve the Scrum Team’s work. It will increase the quality of both the resulting item as well as the general way of working as a team. Please note that the SG only mentions “ready” in the following sense: “Product Backlog items that can be “Done” by the Development Team within one Sprint are deemed “Ready” for selection in a Sprint Planning.”)

Conclusion
Even in the case, you have successfully identified what to build next, your Product Backlog, as well as its refinement process, will likely provide room for improvement. Just take it to the team and address possible Product Backlog techniques.
Are Product Backlog techniques missing that you have observed? Please share with us in the comments.

China criticizes ‘negative content’ in US defense bill

BEIJING (AP) — Beijing on Friday criticized "negative content" about China in legislation before the U.S. Congress, saying it would further damage relations already roiled by disputes over trade and technology.

Foreign ministry spokesman Geng Shuang said the draft National Defense Authorization Act, if passed, would undermine efforts to mutually overcome obstacles.

"We express firm opposition to the U.S. Senate's approval of the act containing negative content related to China," Geng told reporters at a daily briefing.Read more on NewsOK.com

China says international counterterror forum a success

BEIJING (AP) — China successfully concluded a counterterrorism forum last week in Beijing that attracted representatives from the military and police forces of 31 nations, including France, Pakistan and Israel, a defense ministry spokesman said Thursday.

The four-day Great Wall 2019 International Forum on Counterterrorism themed "special force sniping" allowed participants to exchange strategies and experiences, Ren Guoqiang told reporters at a monthly briefing.

China has been accused of using terrorism accusations to justify crackdowns on peaceful protests and religious cultural activities, especially among minority groups such as Tibetans and Uighurs.

An estimated 1 million Uighurs and members of other Muslim minority groups such as Kazakhs are held in prison-like detention centers — many for indefinite terms — amid reports of harsh treatment and poor living conditions.

After at first denying their existence, China now says they are training schools meant to teach life skills to those at risk of being recruited by Islamic extremists and "terrorists.Read more on NewsOK.com

28 Product Backlog Anti-Patterns

TL; DR: 28 Product Backlog Anti-Patterns
Scrum is a simple, yet sufficient framework to build emerging products, provided you identify in advance what is worth building. But even after a successful product discovery phase, you may struggle to make the right thing in the right way if your Product Backlog is not up to the job; garbage in, garbage out—as the saying goes. The following article points at 28 Product Backlog anti-patterns — including the Product Backlog refinement process — that limit your Scrum Team’s success.

The Product Backlog According to the Scrum Guide
First of all, let’s have a look at the current issue of the Scrum Guide on the Product Backlog:
“Product Backlog refinement is the act of adding detail, estimates, and order to items in the Product Backlog. This is an ongoing process in which the Product Owner and the Development Team collaborate on the details of Product Backlog items. During Product Backlog refinement, items are reviewed and revised. The Scrum Team decides how and when refinement is done. Refinement usually consumes no more than 10% of the capacity of the Development Team. However, Product Backlog items can be updated at any time by the Product Owner or at the Product Owner’s discretion.
Higher ordered Product Backlog items are usually clearer and more detailed than lower ordered ones. More precise estimates are made based on the greater clarity and increased detail; the lower the order, the less detail. Product Backlog items that will occupy the Development Team for the upcoming Sprint are refined so that any one item can reasonably be “Done” within the Sprint time-box. Product Backlog items that can be “Done” by the Development Team within one Sprint are deemed “Ready” for selection in a Sprint Planning. Product Backlog items usually acquire this degree of transparency through the above-described refining activities.
The Development Team is responsible for all estimates. The Product Owner may influence the Development Team by helping it understand and select trade-offs, but the people who will perform the work make the final estimate.”
Source & Copyright: ©2016 Scrum.Org and ScrumInc. Offered for license under the Attribution Share-Alike license of Creative Commons, accessible here and also described in summary form.
Common Product Backlog Anti-Patterns
Despite being relatively straightforward, the process of creating and refining a Product Backlog often suffers from various anti-patterns. I have identified five different categories for Product Backlog anti-patterns:
General Product Backlog Anti-Patterns

Prioritization by proxy: A single stakeholder or a committee of stakeholder prioritize the Product Backlog. (The strength of Scrum is building on the strong position of the Product Owner. The PO is the only person to decide what tasks become Product Backlog items. Hence, the Product Owner also decides on the priority. Take away that empowerment, and Scrum turns into a pretty robust waterfall 2.0 process.)
100% in advance: The Scrum Team creates a Product Backlog covering the complete project or product upfront because the scope of the release is limited. (Question: how can you be sure to know today what to deliver in six months from now?)
Over-sized: The Product Backlog contains more items than the Scrum Team can deliver within three to four sprints. (This way the Product Owner creates waste by hoarding issues that might never materialize.)
Outdated issues: The Product Backlog contains items that haven’t been touched for six to eight weeks or more. (That is typically the length of two to four sprints. If the Product Owner is hoarding backlog items, the risk emerges that older items become outdated, thus rendering previously invested work of the Scrum Team obsolete.)
Everything is estimated: All items of the Product Backlog are detailed and estimated. (That is too much upfront work and bears the risk of misallocating the Scrum Team’s time.)
Component-based items: The Product Backlog items are sliced horizontally based on components instead of vertically based on end-to-end features. (This may be either caused by your organizational structure. Then move to cross-functional teams to improve the team’s ability to deliver. Otherwise, the team – and the Product Owner – need a workshop on writing user stories.)
Missing acceptance criteria: There are user stories in the Product Backlog without acceptance criteria. (It is not necessary to have acceptance criteria at the beginning the refinement cycle although they would make the task much more manageable. In the end, however, all user stories need to meet the definition of ready standard, and acceptance criteria are a part of that definition.)
No more than a title: The Product Backlog contains user stories that comprise of little more than a title. (See above.)
Issues too detailed: There are user stories with an extensive list of acceptance criteria. (This is the other extreme: the Product Owner covers each edge case without negotiating with the team. Typically, three to five acceptance criteria are more than sufficient.)
Neither themes nor epics: Themes or epics do not structure the Product Backlog. (This makes it hard to align individual items with the “big picture” of the organization. The Product Backlog is not supposed to be an assortment of isolated tasks or a massive to-do-list.)
No research: The Product Backlog contains few to no spikes. (This often correlates with a team that is spending too much time on discussing prospective problems, instead of researching them with a spike as a part of an iterative item creation process.)

Anti-Patterns at Portfolio and Product Roadmap Level

Roadmap? The Product Backlog is not reflecting the roadmap. (The Product Backlog is supposed to be detailed enough only for the first two or three sprints. Beyond that point, the Product Backlog should rather focus on themes and epics from the product roadmap. If those are not available, the product backlog is likely to granular.)
Annual roadmaps: The organization’s portfolio plan, as well as the release plan or product roadmap, are created once a year in advance. (If the Product Backlog stays aligned to these plans, it introduces waterfall planning through the backdoor. Agile planning is always “continuous.” At the portfolio level, the plan needs to be revised be least every three months.)
Roadmaps kept secret: The portfolio planning and the release plan or product roadmap are not visible to everybody. (If you do not know where you are going any road will get you there. This information is crucial for any scrum team and needs to be available to everybody at any time. )
China in your hands: The portfolio planning and the release plan or the product roadmap are not considered achievable and believable. (If this is reflected in the Product Backlog, working on user stories will probably be a waste.)

Product Backlog Anti-Patterns of the Product Owner

Storage for ideas: The Product Owner is using the Product Backlog as a repository of ideas and requirements. (This practice is clogging the Product Backlog, may lead to cognitive overload and makes alignment with the ‘big picture’ at portfolio management and roadmap planning level very tough.)
Part-time or busy PO: The Product Owner is not working daily on the Product Backlog. (The Product Backlog needs to represent at any given time the best use of the Development Team’s resources. Updating it once a week before the next refinement session does not suffice to meet this requirement.)
Copy & paste PO: The Product Owner creates user stories by breaking down requirement documents received from stakeholders into smaller chunks. (That scenario helped to coin the nickname “ticket monkey” for the product owner. Remember: item creation is a team exercise.)
Dominant PO: The Product Owner creates user stories by providing not just the ‘why’ but also the ‘how,’ and the ‘what.’ (The team answers the ‘how’ question – the technical implementation –, and both the team and the PO collaborate on the ‘what’ question: what scope is necessary to achieve the desired purpose.)
INVEST? The Product =wner is not applying the INVEST principle by Bill Wake to user stories.
Issues too detailed: The Product Owner invests too much time upfront in user stories making them too detailed. (If an item looks complete, the team members might not see the necessity to get involved in further refinement. This way, a “fat” item reduces the engagement level of the team, compromising the creation of a shared understanding. By the way, this didn’t happen back in the days when we used index cards given their physical limitation.)
What team? The Product Owner is not involving the entire scrum team in the refinement process and instead is relying on just the “lead engineer” (or any other member of the team independently of the others).
‘I know it all’ PO: The Product Owner does not involve stakeholders or subject matter experts in the refinement process. (A Product Owner who believes to be either omniscient or a communication gateway is a risk to the Scrum team’s success.)

Development Team Anti-Patterns

Submissive team: The Development Team submissively follows the demands of the Product Owner. (Challenging the Product Owner whether his or her selection of issues is the best use of the Development Team’s time is the noblest obligation of every team member: why shall we do this?)
What technical debt? The Development Team is not demanding adequate resources to tackle technical debt and bugs. (The rule of thumb is that 25% of resources are allocated every sprint to fixings bugs and refactor the code base.)
No slack: The Development Team is not demanding 20% slack time from the Product Owner. (This is overlapping with the sprint planning and the team’s forecast. However, it cannot be addressed early enough. If a team’s capacity is always utilized at 100 %, its performance will decrease over time. Everyone will focus on getting his or her tasks done. There will be less time to support teammates or to pair. Small issues will no longer be addressed immediately. And ultimately, the ‘I am busy’ attitude will reduce the generation of a shared understanding among all team members why they do what they are doing.)

Product Backlog Anti-Patterns of the Scrum Team

No time for refinement: The team does not have enough refinement sessions, resulting in a low-quality backlog. (The Scrum Guide advises spending up to 10% of the Scrum team’s time on the Product Backlog refinement. Which is a sound business decision: Nothing is more expensive than a feature that is not delivering any value.)
Too much refinement: The team has too many refinement sessions, resulting in a too detailed backlog. (Too much refinement isn’t healthy either.)
No DoR: The scrum team has not created a ‘definition of ready’ that Product Backlog items need to match before becoming selectable for a sprint. (A simple checklist like the ‘definition of ready’ can significantly improve the scrum team’s work. It will increase the quality of both the resulting user stories as well as the general way of working as a team.)

Watch the Replay of the Product Backlog Anti-Patterns Webinar
The replay of the webinar on Product Backlog anti-patterns is available on Youtube:

Conclusion
Even in the case, you have successfully identified what to build next, your Product Backlog, as well as its refinement process, will likely provide room for improvement. Just take it to the team and address possible Product Backlog anti-patterns.
Are Product Backlog anti-patterns missing that you have observed? Please share with us in the comments.

China police raids rescue 1,100 trafficked women

BEIJING (AP) — Chinese police rescued 1,130 abducted foreign women in the second half of last year in coordinated operations with five Southeast Asian countries, the Ministry of Public Security said Friday.

Police arrested 1,322 suspects, including 262 foreigners, for allegedly luring and kidnapping women after promising jobs or marriages, the ministry said, in what appears to be the largest such operation to date.

"In recent years, some lawless locals and foreigners have conspired to abduct women from neighboring countries and sell them as wives in China," public security spokesman Guo Lin said at a news conference in Beijing.Read more on NewsOK.com

No Business is Too Small for These 5 Digital Policies

Bob Beauprez once said, “In America, small business is a big deal.” Indeed, it is hard to overestimate the role small businesses play in the American economy:

Businesses with fewer than five employees account for 62% of all businesses in the U.S.
More than half of all Americans own or work for a small business.
Small businesses are responsible for two-thirds of all new jobs created each year.

When you look at the magnitude of their economic impact, it would be easy to assume that small businesses know exactly what they’re doing and would be the obvious place to look for advice and best practices.
The truth, however, is that small businesses power the economy despite lacking the resources of larger organizations:

77% of small businesses rely on the owner’s personal savings for their original funding.
Only 40% of small businesses are profitable.
The vast majority of businesses that fail, do so because of cash flow problems.
Employees of small businesses wear many hats, starting at the top. The owners or leaders of small businesses are typically responsible for three or more of the following functions: operations, finance, sales, marketing, HR, customer service, product development, or IT.

When you look at it that way, it’s not hard to understand why many small businesses regard digital policies — if they think about them at all — as something they’ll get to “some day.” But that’s very unwise when you consider that few small businesses have the resources to survive the fallout from a crisis involving their online activity.
Owning a small business myself, I understand what it’s like to have to make choices about where to spend your resources. I certainly wouldn’t give you the same advice I give my global clients. Instead, I’ve narrowed digital policy development down to five things you absolutely must do to protect your business, your employees, and your customers.
5 digital policy initiatives to start right now
Take privacy seriously.
Know which privacy regulations you’re required to meet.
Laws and regulations regarding online privacy vary by country, state, and even industry — as do the penalties, which tend to be significant. Here are just a few examples:
The General Data Privacy Regulation (GDPR)
The GDPR is an EU law that went into effect in May of 2018. It seeks to protect the private data of EU citizens by addressing how companies collect and use data as well as the security of how that data is stored.
What many U.S. companies don’t realize is that jurisdiction is determined by the citizenship of the individual, not the physical location of the company. So any American business that collects, processes, or stores data on customers with EU citizenship is obligated to comply with GDPR requirements.
The California Consumer Privacy Act (CCPA)
The California legislature passed the CCPA in June of 2018, shortly after the GDPR went into effect. It’s quite similar in its bias toward consumer privacy and its potential impact on businesses. And, as the GDPR extends beyond the EU’s boundaries, the CCPA extends beyond California’s state lines. So you can’t assume you get a free pass just because you’re not physically located in California.
However, while there are many similarities between the two laws, there are also a number of technical differences. Resources like this can help you achieve compliance with both laws (if necessary) with a minimum of redundancy.
Brazil General Data Protection Law (LGPD)
The LGPD is Brazil’s data protection law, which will go into effect in 2020. The LGPD isn’t quite as comprehensive as the GDPR, but it does put similar emphasis on the concept that individuals, not businesses, own their data. It details both compliance requirements as well as penalties for noncompliance.
More companies are passing their own digital privacy laws all the time. In addition, certain industries, like finance and pharmaceuticals, have their own regulatory requirements.
Make a list of action steps
Once you’ve identified the laws and regulations that apply to you, make a list of all of the requirements. I recommend creating a spreadsheet that documents which laws/regulations apply to you, which countries they apply in, and what you need to do to become compliant.
One tip I like to share with my clients is to prioritize actions that satisfy more than one requirement at a time. (For example, both Russia and China prohibit transferring their citizens’ information outside of national borders, so deciding whether and how to establish a local service hub in those countries would take care of two things at once.)
Identify your priorities
If you’re starting from scratch, it would be almost impossible to do everything at once. Your best strategy would be to prioritize policy development based on:

Your level of activity in a particular country, industry, etc.
The current legal environment surrounding that policy: Is the government aggressively enforcing compliance? Are consumers filing class action lawsuits? In other words, how likely is it that your noncompliance will come to light?
What are the penalties for noncompliance? If you do get caught, can you withstand the repercussions? Or would you be at risk of going out of business?

Assign responsibility
Once you’ve prioritized the policies you need to address first, assign responsibility and a deadline by which you’ll follow up.

Secure your fort from the barbarians at the door.
Think you’re too small to be hacked? Unfortunately, you’re wrong: 43% of cyber attacks target small businesses. And it’s a bigger deal than you might think:

60% of small businesses shut their doors within 6 months of a cyber attack.
Cyberattacks cost these companies almost $900,000 in damages or theft of IT assets.
Small businesses lost nearly $1 million due to the disruption of normal operations.

Despite plenty of statistics that prove the barbarians are indeed at the door, barely half of the small businesses dedicate budget resources to risk mitigation. But increasing your security would probably cost less than you think, and it would certainly cost less than a major breach. Here are some effective, relatively low-cost steps you can take right now:
Develop strict policies for internal security.
A whopping 87% of small business have no data security policies for their employees:

Many small businesses don’t have an employee password policy that addresses things like the characteristics that make a password secure, how often it should be changed, the importance of not writing it down or sharing it with anyone, etc. And, of those that do have a password policy, only 35% strictly enforce it.
Only 31% install regular software upgrades.
Only 22% encrypt their databases.

Common practices like bring-your-own-device (BYOD) don’t help. And then you have “low-tech” risks, like not restricting physical access to servers that store sensitive information.
This is also an easy and relatively cheap problem to fix. There are plenty of online resources for best-practices regarding employee data security. Find the ones that make the most sense for your company, document them in a digital policy (including the consequences for not following the policy), and implement it. If employees don’t take the policy seriously at first, you may have to consistently enforce the consequences until they do.
Outsource the big stuff.
One reason cybercriminals target small businesses is that they know how expensive top IT talent is — and they know that few small businesses can afford it. Fortunately, there are plenty of security-as-a-service firms that can afford top talent, and outsourcing to them is a smart choice for small businesses. Some functions that are smart to outsource include:

Website hosting
Payment processing
Data processing and storage
Vulnerability testing
Breach monitoring and mitigation

If you do decide to outsource, your policies should address not only which functions you’ll outsource but also how you’ll select and vet security providers. Complying with Payment Card Industry Data Security Standards (PCI-DSS), for example, is a must-have. Don’t even consider working with a security firm that can’t provide proof of compliance. Other things to consider include their policies for making sure employees stay aware of evolving threats as well as familiarity with your IT systems, your market, and your industry (since some industries are more heavily regulated from a security perspective than others). In particular, breach reporting requirements can vary significantly, and you want a partner who knows the requirements for your particular niche.
Your policy should also stipulate that contracts be reviewed periodically based on objective performance metrics. So outsourcing digital security doesn’t mean you don’t need policies; it just means you need different policies than an organization that handles security in-house.
Protect your intellectual property.
Whether it’s an award-winning marketing campaign or the formula for a ground-breaking medical treatment, protect your intellectual property online as diligently as you do your tangible capital investments. Some companies have invested millions in software programs only to find pirated copies being sold overseas. Others have found key sections of coding incorporated into another company’s product.
Regardless of the specifics, theft of intellectual property can be quantified in terms of lost sales as well as in the amount of money it takes to rectify the situation. In a global market with a hodge-podge of laws and enforcement efforts, copyright infringement and theft of intellectual property is complex and expensive.
It’s much more efficient and cost-effective to protect your intellectual property on the front end before it’s been stolen or pirated. Protecting it with a copyright or trademark from the beginning can save you a lot of expense and hassle down the road.
On another note — be just as vigorous when it comes to respecting other organizations’ intellectual property. Doing otherwise can get you in serious legal trouble and damage your brand’s reputation beyond repair.
The resources below go into detail on some things, even the smallest businesses can do to protect their intellectual property. So decide which of these strategies you’re going to employ, formalize them in digital policy, and ensure that all employees follow the policy’s requirements.
Start working on accessibility today.
Failing to meet accessibility requirements is perhaps the biggest unknown risk in today’s digital landscape.
“Accessibility” refers to whether and how well your site is designed to accommodate users with challenges in sight, hearing, mobility, etc. While most American businesses are familiar with the Americans with Disabilities Act (ADA), many don’t realize that courts have ruled that it applies to digital spaces as well as to physical ones. The same is true in many jurisdictions around the world.
In fact, the number of lawsuits filed against businesses whose websites aren’t accessible has skyrocketed over the last few years. Not only is defending such a lawsuit expensive, there are other costs as well. About one in five Americans has some type of disability, and they have a combined disposable income of $645 billion per year. Add in their friends and family, and you have another 105 million people who probably won’t do business with you any more.
In other words, we’re talking about a huge market segment. Do you really want your website to broadcast a “You’re not welcome here” message?
Steps toward accessibility
One of the most important things you can do is add an accessibility statement to your website. The point is not to claim accessibility you haven’t achieved, but to make a good-faith statement describing your awareness of the problem and your commitment to fixing it.
Aside from adding an accessibility statement, there are a number of steps involved in achieving accessibility compliance. You can start by doing things like:

Adding captions to videos.
Adding descriptive alt-tags to images.
Using the high-contrast text on light backgrounds.
Providing a number for people to call if they’re having problems using your website.

But that’s just the low-hanging fruit. You can find additional tips for achieving accessibility in the links below and develop your policies based on what works best for your business.
Keep your digital channels up-to-date.
The internet can change in the blink of an eye. Your customers can abandon one channel for another. Things that were considered trend-worthy one day can be deemed offensive overnight.
And then there are the digital channels themselves. They change Terms of Service in response to new legislation. They change the login and other security protocols in response to a breach.
One of the products or services you use may send out an important patch that winds up at the bottom of everyone’s to-do list, representing a much bigger threat than most people realize. The Equifax breach provides a perfect example. They knew about the vulnerability, and they knew a patch was available — they just didn’t apply it.
In their defense, however, many organizations have such a myriad of software products that it’s almost impossible to keep up. And, in one study, 65% of respondentssaid they had a hard time prioritizing what to patch first. The time required to implement the patches — particularly for a small business whose employees might be somewhat inexperienced — adds to the cost and inconvenience.
The best way to address the issue is through digital policies. A policy that establishes a time table for reviewing channels and establishes triggers for taking action helps keep small problems from accumulating into an insurmountable mess. And, for organizations that do find themselves in such a mess, digital policies help avoid debates over how to fix the problem. When a policy tells employees what to do and the order in which to do it, you reduce the risk of a time-wasting debate and make sure the most important priorities are handled first.
Conclusion
Small businesses have a zillion things to do and limited resources with which to do them. The tips I shared here are only a small subset of the digital policies I work on with my global clients, but they’re both the bare minimum and an achievable goal for most small businesses. In other words, almost everybody can afford to do them, and the survival of your business is at serious risk if you don’t.