Technology aids in both user and industry efficiency, increases production, automates processes and makes communication more accessible for both systems and people groups. It’s also ever-changing and evolving. Carl Sagan may have said it best when he stated: “We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.” Regardless of your personal thoughts on technology or your particular adoption style, technology, as we know it, isn’t going anywhere. It’s here to stay. Therefore, a reasonable goal would be to ensure you and your organization stay on the cutting edge side of things instead of finding yourself on the bleeding edge.
With so many options available, it can be hard to know how to make sound, long-term decisions and feel truly confident that you and your organization are making good financial and time investments. There is a delicate balance to be managed as decisions are made about what technology should be updated, replaced or retired. In fact, one could argue that well-rounded, strategic thinking in the area of technology might be one of the keys to the proverbial kingdom.
Which then begs the question: How do I ensure my team is making good, sound decisions in this area?
Outlined below are eight very sensible ways I feel you can ensure you and your organization are headed in the right direction:
1. Begin with security in mind.
Cybersecurity is a major point of concern in the world of technology, and companies cannot afford to ignore this aspect when making any decision. Whether it’s software or technical services, overall security has to be of the utmost concern. If an attack occurs, it can be very costly, yet many decision makers tend to believe that the likelihood their organization will experience a breach is low. They may not believe their organization is of much interest to a hacker, or their trust in an internal or external IT resource might be high.
2. Expect the best, but plan for the worst.
Data loss and system outages due to natural disasters, hardware failures and malicious attacks need to be at the forefront of a business owner or decision maker’s mind. This is a reality every organization should proactively address.
One question your company should be able to consistently and confidently answer is: What would happen to your business if you woke up tomorrow to find all your information missing?
If you are not confident about your information’s security, and thus your organization’s business continuity, please consider and be aware of an eye-opening fact: Data breaches cost organizations an average of $3.5 million last year. The bottom line is that hackers around the world are searching systems to find the one vulnerability that gives them access to a company’s most valuable information, from credit card numbers and expiration dates to customer names, addresses and even social security numbers.
If you can’t answer the question about what would happen if your building ceased to exist or your hardware failed, and if you aren’t currently utilizing a true backup and business continuity solution, don’t let another day go by without addressing this problem. Your business’s success and longevity may depend on it.
Additionally, it is not enough to have a backup solution in place. Your organization also needs a tried-and-true, written incident response plan. In the event of an actual incident or emergency, it is important that your management and each of your employees know what is expected of them and who to reach out to for assistance. There need to be formal, written policies and procedures in place that clearly define expectations and protect the interests of your organization. A few examples of this would be an acceptable use policy and a bring your own device (BYOD) policy. These should address how your employees store and utilize company information on their personal devices. Finally, use a service provider you know and trust to extend you this service.
3. Be proactive, not reactive.
Sometimes, decision makers in an organization make choices that boil down to plain old-fashioned gambling. They know their software or hardware is at the end of its life, and they are aware that they are no longer receiving security upgrades. Companies often choose to limp along as is for as long as possible for a variety of reasons: monetary concerns, comfort with the current processes and procedures, etc. Or, perhaps they are simply not sure of how to take the next step, so nothing is done.
Here’s a question you, or those making decisions on your organization’s behalf, might ask: Are you trying to save a dollar today at the risk of a much greater expense tomorrow?
If so, I would suggest you play this seemingly small decision out into the future by answering the following questions:
- How much money would be spent to proactively mitigate risk or invest in a current solution?
- In the event your organization chooses to do nothing, what is the potential impact of a failure or breach?
- Have all costs been accounted for? For example, have you considered the cost of a breach occurring where your client’s information was exposed? What about if your accounting platform were encrypted until a hefty ransom has been paid? In addition to the exposure and ransom that must be paid, what kind of negative publicity would you receive, and what would be the cost of remediation to regain your sense of normalcy and privacy?
- Does your organization fail to address any compliance requirements, and are there fines and penalties for this failure?
Bottom line: Has the risk been calculated from a true cost versus benefit standpoint relative to how this could affect your organization?
I would submit that if your organization is electing to do nothing, your future costs are quietly climbing exponentially, and the day is coming when you’d wish life came with a rewind button.
One of the best ways to address this area proactively is to perform an IT risk assessment, which provides a review and documentation of your organization’s physical infrastructure. It also reviews security policies and procedures, checks for an active and successful business continuity plan and aids in ensuring compliance requirements are met. In addition, an IT risk assessment looks at access controls, both logical and physical, for devices such as a phone, computer or iPad, and assesses how these put your organization at risk. A quality IT risk assessment will produce a report of findings that not only provides you with a current “State of the Union,” but also gives you recommendations for remediation to assist you with future decision making.
4. Know your vulnerabilities and limitations.
From a best practice perspective, I strongly recommend every organization perform quarterly vulnerability scanning and annual penetration testing. Vulnerability scanning will aid in discovering the internet-facing technologies of the organization (i.e., those that touch the outside world) and will identify vulnerabilities that exist in your computers or network. Consider it a regular inventory to help make sure your organization is in the driver’s seat. Penetration testing is the performance of an ethical hack, where someone with good intentions manually attempts to exploit vulnerabilities that exist within your organization. A report of findings will be delivered that essentially says, “If we (the good guys) can get in and/or exploit your organization this way, they (the unethical) can also get in.” The information noted should be used to improve the system’s security and develop a roadmap to either remediate, if needed, or to create a strategic plan relative to upcoming IT decisions surrounding hardware, software and personnel.
5. Demand “Proof of Life.”
It is great if you have an IT resource you trust to make safe best practice decisions about your organization. However, as added due diligence, ask them to simulate how quickly they could restore your information in the event of an outage or breach. Ask them to show proof of regular, successful backups.
Do not hesitate to ask a third-party resource to come in and poke around a little bit in the form of an IT risk assessment, or to perform the vulnerability scanning and penetration testing mentioned above. An organization that is doing its job is not going to be threatened by that approach. In fact, they might appreciate it, as it would likely add authenticity to their proposed services. In the event of an outage or breach, especially if compliance requirements are involved, having the ability to demonstrate that risk is addressed proactively, and having an unbiased party attest to this fact, will go a long way. If nothing else, it will allow you to sleep better at night knowing your business is safe.
6. Be aware of the current industry trends, and know your options.
Technology, for many reasons, is trending toward the cloud. Better availability of options, accessibility, scalability, easy resource provisioning and built-in business continuity are just a few reasons for this trend. It also doesn’t hurt that the cloud allows for ease of adjustment if your business increases, decreases or adds new ideas and/or resources, or if your technology rapidly advances or compliance/security requirements are levied or change. If an on-premise solution—where you purchase all software, hardware, etc. and keep it onsite at your location—is the preferred method, there are often large price tags for quality infrastructure, and the reality is that these solutions have a life cycle that ends far sooner than most organizations like to hear.
In a cloud or “as-a-Service” (-aaS) environment, infrastructure, software and the overall platform in general are handled in a pay-as-you-go model. This eliminates the capital expense of deploying in-house hardware and software and allows your organization to operate on an enterprise-grade solution for a reasonable budget. It also often addresses compliance-related concerns.
7. Remember that a company cannot outsource responsibility.
Most organizations tend to fully trust that their internal users, vendors or business associates are being as careful as the organization itself, or as careful as they would like for them to be. Instead, it is extremely important to recognize that responsible behavior and clear expectations are not a given. It is also extremely important to create, implement and maintain a plan. Here are a few suggestions in this area:
- Document the policy and control environment
- Assign appropriate compliance management oversight
- Require personnel screening and access control
- Ensure compliance through training and communications
- Implement regular maintenance and auditing of IT controls
- Enforce the control environment consistently
- Prevent and respond to incidents and gaps in IT controls
8. Partner with those who are willing to advise you instead of sell to you.
Finally, I would suggest you engage resources that truly care about your organization’s well-being rather than their own bottom line. Find a resource who can help aid your decision making process, keep you current on what your options are and help you feel confident about the future of your organization. Finding someone you trust to help you navigate the waters makes the dynamic between your business and technology a much more pleasant experience.
About Amy Williams:
Amy M. Williams joined Warren Averett Technology Group, a subsidiary of Warren Averett, LLC, in 2014 and serves as a Senior IT Business Consultant on behalf of the team. Amy works closely with a team of highly specialized Technical Engineers, Software Consultants and Security Specialists in order to assist and advocate on behalf of the needs of her clients. Amy is responsible for building strong client relationships and is fully committed to ensuring Warren Averett Technology Group provides a consistently superior client experience. She was also named one of Birmingham Business Journal’s Top 40 Under 40.