Technology can be a huge benefit for an organization.
It aids in both user and industry efficiency, increases production, automates processes and makes communication more accessible for both systems and people.
It’s also ever-changing and evolving.
Carl Sagan may have said it best when he stated: “We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.”
Regardless of your personal thoughts on technology or your particular adoption style, technology, as we know it, isn’t going anywhere. It’s here to stay.
How to Make Sound Technology Decisions
With so many options available, it can be hard to know how to make sound, long-term decisions and feel truly confident that you and your organization are making good financial and time investments.
There’s a delicate balance to be managed as decisions are made about what technology should be updated, replaced or retired. In fact, you could argue that well-rounded, strategic thinking in the area of technology might be one of the keys to the proverbial kingdom.
Which raises the question: How do I ensure my team is making good, sound decisions in this area?
Below, I’ve outlined eight maxims that can guide you and your organization in the right direction when it comes to making decisions about technology.
1. Begin with security in mind.
Cybersecurity should be a consideration for every business in every technology decision, and it’s important to establish it as a priority for your organization.
Security is a major point of concern in the world of technology, and companies can’t afford to ignore this aspect when making a decision of any kind. Whether it’s software or technical services, overall security has to be of the utmost concern.
Many decision makers tend to believe that the likelihood their organization will experience a breach is low. They may not believe their organization is of much interest to a hacker, or their trust in an internal or external IT resource might be high.
The truth is that no business that uses the internet as part of its operations is immune to a cyber attack, so the sooner you can establish cybersecurity’s importance in your organization, the better.
2. Expect the best, but plan for the worst.
What would happen to your business if you woke up tomorrow to find all your information missing?
If you aren’t currently utilizing a true backup and business continuity solution, don’t let another day go by without addressing this problem. Your business’s success and longevity may depend on it.
Data loss and system outages due to natural disasters, hardware failures and malicious attacks need to be at the forefront of a business owner’s or decision maker’s mind. This is a reality every organization should proactively address.
Data loss can take many forms; 58% of executives at small and medium-sized businesses said they were more worried about losing their data than about a physical event such as a fire or break-in at their location.
But it isn’t enough to have a backup solution in place. Your organization also needs a tried-and-true, written incident response plan. In the event of an actual incident or emergency, it’s important that your management and each of your employees know what is expected of them and who to reach out to for assistance.
There need to be formal, written policies and procedures in place that clearly define expectations and protect the interests of your organization. A few examples would be an acceptable use policy and a bring-your-own-device (BYOD) policy. These should address how your employees store and use company information on their personal devices.
Finally, use a service provider you know and trust to extend you this service.
3. Consider costs for the long term—not just today.
Sometimes, decision makers in an organization make choices that boil down to plain old-fashioned gambling. They know their software or hardware is at, or near, the end of its life, and they are aware that security updates are ending or have already ended (Windows 7, for instance, whose extended support ends in January 2020).
Unfortunately, this outlook (that is often rooted in frugality) can be very costly. Are you trying to save a dollar today at the risk of a much greater expense tomorrow?
If so, I’d suggest you play this seemingly small decision out into the future by answering the following questions:
- How much money would be spent to proactively mitigate risk or invest in a current solution?
- In the event your organization chooses to do nothing, what is the potential impact of a failure or breach?
- Have all costs been accounted for? For example, have you considered the cost of a breach in which your clients’ information was exposed? What about your accounting platform being encrypted until a hefty ransom has been paid? Beyond the exposure and the ransom itself, what kind of negative publicity would you receive, and what would remediation cost to regain your sense of normalcy and privacy?
- Does your organization fail to address any compliance requirements, and are there fines and penalties for this failure?
In other words, has the risk been calculated from a true cost-versus-benefit standpoint relative to how this could affect our organization?
An attack, when it occurs, can be very costly: data breaches cost organizations an average of $3.86 million in 2018. If your organization elects to do nothing, your future costs are quietly climbing, and the day is coming when you would wish life came with a rewind button.
One of the best ways to address this area proactively is to perform an IT risk assessment, which provides a review and documentation of your organization’s physical infrastructure.
It also reviews security policies and procedures, checks for an active and tested business continuity plan and helps ensure compliance requirements are met. In addition, an IT risk assessment looks at access controls, both logical (accounts, passwords and permissions) and physical (who can get their hands on a phone, computer or iPad), and assesses how gaps there put your organization at risk.
A quality IT risk assessment will produce a report of findings that not only provides you with a current “State of the Union,” but it also gives you a recommendation for remediation to assist you with future decision making.
4. Know your vulnerabilities and limitations.
From a best-practice perspective, I strongly recommend every organization perform quarterly vulnerability scanning and annual penetration testing (the same cadence PCI DSS requires of organizations that handle payment card data).
Attackers around the world are scanning systems for the one vulnerability that gives them access to a company’s most valuable information, from credit card numbers and expiration dates to customer names, addresses and even Social Security numbers.
Vulnerability scanning inventories the organization’s internet-facing (and, ideally, internal) systems and flags known weaknesses on them: missing patches, outdated software and insecure configurations. Consider it a regular inventory that keeps your organization in the driver’s seat.
Penetration testing is the performance of an ethical hack, where someone with good intentions manually attempts to exploit vulnerabilities that exist within your organization. A report of findings will be delivered that essentially says, “If we (the good guys) can get in and/or exploit your organization this way, they (the unethical) can also get in.”
The information noted should be used to improve the system’s security and develop a roadmap to either remediate, if needed, or to create a strategic plan relative to upcoming IT decisions surrounding hardware, software and personnel.
5. Demand “Proof of Life.”
It’s great if you have an IT resource you trust to make safe, best-practice decisions about your organization.
However, as added due diligence, ask them to simulate how quickly they could restore your information in the event of an outage or breach. Ask them to show proof of regular, successful backups.
Don’t hesitate to ask a third-party resource to come in and poke around a little bit in the form of an IT risk assessment or perform the vulnerability scanning and penetration testing mentioned above.
A provider that is doing its job won’t be threatened by that approach. In fact, it might appreciate it, since an independent check adds credibility to the services it proposes.
In the event of an outage or breach, especially if compliance requirements are involved, having the ability to demonstrate that risk is addressed proactively, and having an unbiased party attest to this fact, will go a long way.
If nothing else, it will allow you to sleep better at night knowing your business is safe.
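Section 2 says to have a real backup solution, and this section says to demand proof that those backups actually restore. Here, as an added example that is not from the original post or from Warren Averett, is a small Python script that performs the check a third party would run: it records SHA-256 hashes of a source tree, archives it, restores the archive into scratch space, confirms every file comes back byte-for-byte, and flags the backup as stale if it is older than the recovery-point objective. The directory layout, file contents and 24-hour RPO are constructed assumptions for illustration.

```python
"""Backup "proof of life" check (added example, not tooling from the page).

Records a SHA-256 manifest of the source tree, archives it, restores the
archive into a scratch directory, verifies every file's hash, and checks the
backup's age against a recovery-point objective.  All sample data is
constructed inline so the script runs offline.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source; return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_backup(archive: Path, expected: dict, max_age_hours: float,
                  now=None) -> dict:
    """Restore the archive to scratch space and compare it with the manifest.

    A backup only counts as good if every expected file restores with the
    same hash AND the archive is younger than the RPO (max_age_hours).
    """
    now = time.time() if now is None else now
    age_hours = (now - archive.stat().st_mtime) / 3600
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where available (Python 3.12+
            # and backports) so a hostile archive cannot write outside scratch.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restore_root, filter="data")
            else:
                tar.extractall(restore_root)
        restored = manifest(restore_root)
    missing = sorted(set(expected) - set(restored))
    corrupt = sorted(p for p in expected
                     if p in restored and restored[p] != expected[p])
    stale = age_hours > max_age_hours
    return {
        "ok": not missing and not corrupt and not stale,
        "files_checked": len(expected),
        "missing": missing,
        "corrupt": corrupt,
        "age_hours": round(age_hours, 2),
        "stale": stale,
    }


def run_proof_of_life() -> dict:
    """Demonstrate three outcomes on a constructed sample tree."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "fileserver"
        (source / "ledger").mkdir(parents=True)
        # Constructed sample files standing in for business data.
        (source / "ledger" / "2019-q3.csv").write_text("acct,amount\n1001,42.00\n")
        (source / "clients.txt").write_text("Acme Co\nGlobex\n")
        (source / "policy.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")

        archive = work / "nightly.tar.gz"
        expected = create_backup(source, archive)
        results = {"good": verify_backup(archive, expected, max_age_hours=24)}

        # Same archive judged three days later: intact, but older than the RPO.
        three_days_later = archive.stat().st_mtime + 72 * 3600
        results["stale"] = verify_backup(archive, expected, 24, now=three_days_later)

        # A later backup taken after a file was lost, checked against the
        # original manifest: the restore test exposes the missing file.
        (source / "ledger" / "2019-q3.csv").unlink()
        partial = work / "nightly-partial.tar.gz"
        create_backup(source, partial)
        results["incomplete"] = verify_backup(partial, expected, 24)
    return results


if __name__ == "__main__":
    for name, report in run_proof_of_life().items():
        print(f"{name:10s} ok={report['ok']} missing={report['missing']} "
              f"corrupt={report['corrupt']} age={report['age_hours']}h")
```

Run it directly to see the good, stale and incomplete outcomes. In practice the manifest should be stored somewhere other than the backup host, the check should read the offline or immutable copy rather than the live source, and the scheduled run (and its output) is the “proof of regular, successful backups” worth asking a provider for.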
6. Be aware of the current industry trends, and know your options.
Technology, for many reasons, is trending toward the cloud. Better availability of options, accessibility, scalability, easy resource provisioning and built-in business continuity are just a few reasons for this trend.
It also doesn’t hurt that the cloud allows for easy adjustment if your business grows, shrinks or adds new ideas and resources, if your technology rapidly advances, or if compliance and security requirements are levied or changed.
If an on-premises solution, where you purchase all software, hardware, etc. and keep it onsite at your location, is the preferred method, quality infrastructure often carries a large price tag, and the reality is that these solutions have a life cycle that ends far sooner than most organizations like to hear.
In a cloud or “as-a-Service” (-aaS) environment, infrastructure, software and the overall platform are handled in a pay-as-you-go model. This eliminates the capital expense of deploying in-house hardware and software and allows your organization to operate on an enterprise-grade solution for a reasonable budget.
It can also address some compliance-related concerns, since major providers carry their own audits and attestations. Keep in mind, though, that those cover the provider’s side of a shared responsibility model; how you configure the service, whom you grant access and how you protect your data remain your obligations.
7. Education, Education, Education. (And then when you’re done, more Education.)
Your employees are most likely your greatest asset and simultaneously your greatest element of risk when it comes to technology and cybersecurity.
Most organizations tend to fully trust that their internal users, vendors or business associates are being as careful as the organization itself, or as careful as they would like for them to be.
Education is a vital aspect of the effective use of technology, and companies are only as secure as their employees’ actions. By one widely cited estimate, human error is a contributing factor in roughly 95% of security incidents.
It’s extremely important to recognize that responsible behavior and clear expectations aren’t a given. It is also extremely important to create, implement and maintain a plan.
After one day, 70% of information presented in a training isn’t retained by employees, which means that important information (like cybersecurity guidelines) shouldn’t be a one-and-done agenda item for your business. It should be incorporated into your calendar and your culture.
You may also want to consider the format of your employee training courses, both to ensure that your team has the support it needs and answers to its questions, and to make sure that employees are truly digesting the information.
A few suggestions for the control environment that should surround that training:
- Document the policy and control environment
- Assign appropriate compliance management oversight
- Require personnel screening and access control
- Implement regular maintenance and auditing of IT controls
- Enforce the control environment consistently
- Prevent and respond to incidents and gaps in IT controls
8. Partner with those who are willing to advise you instead of sell to you.
Finally, I would suggest you engage resources that truly care about your organization’s well-being versus their own bottom line.
Find a resource who can help aid in your decision making process, keep you current on what your options are and help you feel confident about the future of your organization.
Finding someone you trust to help you navigate the waters makes the dynamic between your business and technology a much more pleasant experience.
Amy M. Williams serves as a Senior Business Development Consultant within Warren Averett’s Security, Risk and Controls Group. Amy offers insight that helps businesses navigate industry trends, implement security best practices and mitigate risk. Contact Amy Williams directly.
This blog was originally written on August 22, 2018. It was most recently updated on October 30, 2019.