Are you properly managing risks to your IT?
Risk management, now frequently referred to as Enterprise Risk Management has been an area of business focus for decades. Businesses have long recognized that they need to look at the financial risks they might face if something happened to their physical assets, or were confronted with major litigation. However, in the past few decades, there has been a stronger and broader focus on the entire spectrum of risks that confront a business that has begun to push the issue to the C-suite level. Unfortunately, while large businesses devote serious resources at the highest level to managing risk to protect their organization, smaller firms often spend little or no time considering risk as an important business issue. Even smaller firms who do take the time to think about protecting against operational threats may be unlikely to consider threats that are a degree or two of separation away from their core business. That means that technology infrastructure may be ignored if, and when business continuity and disaster recovery plans are being considered.
This blog will discuss the role of a managed service provider in helping your business address risks to the technology used to operate and support your business. Managed service providers can identify all of the potential risks that your IT infrastructure may be vulnerable to and advise you how to avoid and mitigate risk to this critical part of your operations.
What is risk management?
Business school academics have varying definitions of risk and risk management, but the concepts are fairly simple for our purposes. Risk is the negative uncertainty that comes from any potential loss. Risk management is the collection of activities, a business undertakes to mitigate, avoid, and transfer the losses that might damage the business due to some negative event.
Background: Why is risk management gaining greater visibility? As noted, risk management isn’t new. However, the last few decades have seen the United States face two major catastrophic events: Hurricane Katrina in 2006 and the terror attacks in 2001. Both brought to the fore the consequences to businesses who are unprepared, as well as the reality that very bad things can happen.
Globalization has also shown that distance does not shield us from the consequences of far-away events. The earthquake and subsequent tsunami that hit Japan in 2011 reminded manufacturers and businesses in the United States about the consequences of their reliance on long supply chains and just-in-time inventory.
Another new threat that has alerted even the smallest firms to their vulnerability is technology. For a small firm, a major man-made or natural disaster may seem too distant to distract management from day-to-day operations, but the emergence of cyber threats, ransomware, hacking, and data theft has really hit home for every organization out there. Even smaller firms totally focused on making it day-to-day are taking notice of this threat.
So why are we addressing Risk Management?
Because every firm needs to make plans if something bad happens. It could be a fire, flood, hurricane, extensive power or broadband outage, even an act of terror, but any of these events could affect your IT infrastructure or capacity to connect to it. And many smaller firms fail
to recognize how reliant they are on their IT infrastructure.
Here are a few possible areas you might want to look at:
Data storage and cloud backups – If your data is stored and backed up on-site, you may be exposing your business and customer data to an entirely unnecessary vulnerability. On-site data storage and backups expose your business to serious risk.
- First, if you are storing data on-site, this means you maintain full responsibility for securing that data against theft, cyber-attacks, and ransomware. That is quite a responsibility and requires diligence and skill on the part of your IT staff. Data breaches represent a serious liability.
You lose the trust of your customers if their data is compromised and you may be liable to penalties for a data breach (think HIPAA and the
new GDPR, both of which carry extensive fines.) Data breaches also represent a bad mark on your brand that cannot be easily polished away. Victims of data theft have long memories.
- Second, on-site storage and backups mean that if some disaster happens on-site, your data may be permanently lost, or at least temporarily inaccessible. Neither of these is a good option.
- Third, onsite backups represent a responsibility for handling backups on a routine basis. Outsourcing that responsibility to a cloud provider eliminates the risk of a failed in-house backup. Moving data storage and backups to the cloud means that no matter what happens to your physical location, your data is safe and immediately accessible from anywhere.
SAAS – Software as a Service How does this help manage risk in case something happens?
SaaS is a great innovation. You may be used to buying a software program and downloading it to a PC. You may even buy a package deal that gives access to everyone in your organization. However, there is a hitch in this software purchasing model. Those software programs are living in a particular piece of hardware. If that hardware is lost, stolen, inaccessible due to geographical events, or just plain wears out, accessibility to the data container may be compromised. You buy a new laptop and you have to buy new software access to Word, etc. Short story, your software access is tied to a piece of machinery. SaaS ends that. You buy online access, so it doesn’t matter where you are or what happens to your laptop, desktop, building, or office, you can still log in and get back to work.
VoIP – This is an interesting option. You may have the standard PBX system that handles switching calls that are directed within your physical organization and it may even allow call forwarding, but that is all it usually permits. VoIP systems allow dramatically aggressive approaches to call forwarding, including time windows. This makes it easier to maintain voice connections even if access to a physical site has been blocked. VoIP also offers many innovative features such as voice-to-text and voice-to-email that can increase productivity.
Uninterruptible power supplies (UPS) and surge protection – Don’t forget the obvious.
Risk management means looking at one of the key risks any business faces: power interruption. What would you do if a long-term power event occurred? Could you just tell your customer “oops-sorry?” That won’t likely work out very well. There are uninterruptible power supply systems using battery support, natural gas, and other fuels which can provide support for as long as is needed. Contact a managed services provider to discuss in-house UPS management.
Antivirus software and network protection – One of the risks you face these days is one that is most likely to damage your brand.
It is the one most likely to deeply undermine customer confidence and trust. That risk is a data breach. If you experience some form of a data breach where your clients perceive their data has been compromised, your brand is damaged permanently. More importantly, you are likely liable for the financial consequences of a data breach. Make sure that your systems are protected by the latest antivirus software and that you are consistently updating it. New viruses appear every day, so outdated antivirus software is less likely to protect you.
Employee training – Lastly, one of the tools of risk managers is risk avoidance. Avoid getting into trouble in the first place. Training employees about their responsibility for data security is critical. One of the primary ways that hackers and thieves gain access to corporate data is through employee error. Every employee should be trained on proper password behavior. Simple guidelines about changing passwords frequently and never sharing passwords are basic but important first steps. Additionally, employees need to be trained to identify fake websites and phishing scams. Opening emails with bad attachments and links is a principal source for entry into company accounts and databases. A managed service provider can provide tips and guidance on training your employees about data security.
In summary, small businesses need to be aware of the risks the exist out there and make plans so they are not caught flat-footed when disaster strikes. Smaller firms need to be aware of this because they are the least likely to have the deeper pockets to be able to rebound after a catastrophic event hits their business. A managed service provider is an excellent resource for developing a risk management plan for your IT infrastructure.