After personnel and health insurance, most companies find their next largest expense is technology. And with the rapid increase in hacking attacks from around the globe, cybersecurity efforts have only ramped up those costs. The important consideration, then, becomes getting the size of your technology expense right for your company.
How Much is Enough?
Deciding how much technology is “enough” is more of an art than a science. Factors that should weigh into those decisions include:
- Current profitability – If your company is currently unprofitable or barely profitable, resources are constrained. It may not make sense to invest heavily in IT resources when things are tight. Conversely, the more profitable a company becomes, the more sense it makes to protect the company’s intellectual property and its data by building a fortress around those assets.
- Target size – Certain industries are just naturally bigger targets for hackers. Defense contractors, financial companies, retailers, and medical offices are assumed to have electronic records with sensitive information. Protecting these kinds of networks is simply a cost of doing business.
- Sensitive data – The more confidential data you maintain on your systems, the more attractive a target you are, and the more damage a breach will do. Consider the following examples of sensitive data:
- Non-public consumer data, such as dates of birth, income, or Social Security numbers
- Proprietary data, including customized processes, formulas, or designs
- Credit card or debit card transaction data
- Account activity
The more of these items you have and the more confidential they are, the greater the need for protection.
- Connectivity – Some businesses still work largely off paper records, while others have heavily adopted technology to help them compete. Smartphones, laptops, and tablets allow many small business owners and their staff to connect at nearly any time. The greater the connectivity you offer your staff, the greater your attack surface. Similarly, the more connected you are to outside vendors, the more potential there is for a data breach. The Target data breach of late 2013, for instance, was traced to network credentials stolen from an HVAC contractor that had remote access to Target’s systems. WiFi and mobile access come with their own sets of risks as well.
- Competition – The number and aggressiveness of competitors can increase risk as well. Your company may be forced to adopt technology that it otherwise might have declined, simply to keep up with competition or to meet industry standards. Many industries have representative associations that can tell you how your technology costs compare to industry norms, as a measure of whether excessive resources devoted to IT are placing you at a competitive disadvantage.
- Retained risk – Many companies carry insurance to protect against risks of technology issues, but the insurance may not cover all types of losses or attacks. Some questions to ask your insurance agent include:
- Am I protected against lost income?
- Are data restoration costs covered?
- What about the costs of notifying customers that their data was compromised or stolen?
In the end, the amount of risk you insure versus the risk you retain is a business decision, but that decision should be a conscious one, based on the data you hold and the company’s ability to withstand a technology problem.
Where Do I Start?
The critical first step is to determine how much risk the company is willing to accept, then build a framework of technology and process that starts from your inherent risk and adds controls until you reach an acceptable level of residual risk.
An important second step is to decide how to mitigate the risk. The number, type, and extent of controls will vary widely based on each company’s inherent risk and its target residual risk. Additional technology may be in order – firewalls, password policies, mobile device PIN requirements, etc. Technology alone, though, is unlikely to solve the problem without the expertise to implement and maintain it properly.
Larger companies may be able to hire enough IT staff to cover every necessary skill in-house, but most will find they cannot afford that luxury or cannot locate people with all the required skills. No company is likely to find one person who has the whole skillset – technology simply changes too fast and is too broad a field for anyone to have mastered it all.
As a supplement to or replacement for internal staff, an increasing number of companies are turning to outsourced solutions. A number of companies throughout the country have formed as “managed service providers” (MSPs) that serve multiple clients. Because of their scale, they can afford to hire the specialized skills that any one client may not be able to justify. For instance, a technician with a particular certification may be needed to work on one specific class of IT equipment. While that technician’s eye-popping salary could sink a smaller company, the MSP can spread the cost of that specialization over its entire client base, allowing smaller companies to tap it as needed without carrying the full cost.
If the decision to contract with an MSP is made, consider asking (at a minimum) the following questions as you vet a potential partner:
- How many staff do you employ?
- How many of them carry certifications in the equipment I use?
- How long have you been in business?
- How strong are you financially?
- Where are you located?
- Can you service my needs remotely?
- How quickly can you be on-site if needed?
- Do you recommend or require any support from our staff?
- How are problems communicated to you?
- What alternative contact methods do you have available if, for instance, the primary method is web-based and our Internet connection is down?
- Do you support our phone systems? Printers? PCs? Or only the servers, routers, and firewall?
- Do you outsource any of your duties to others? Or do you have scale sufficient to handle everything within your own company?
- What is the process for onboarding? That is, if you are selected as a partner, what does the process look like? How long would it take for you to assume control? Are there upfront costs, or just monthly costs?
- What optional services do you offer that are not included in the proposal? (This question may identify several costs you assumed were included in the proposal based on interpretation.)
- Do you service any companies like mine? May we be provided references?
Depending on the scope, length, and cost of the proposed contract, legal review is likely warranted. This may seem lengthy, but keep in mind that the whole reason you went through this process is to balance cost against risk.
In the end, there is no one solution that fits all companies. But one truism exists: the more data you have, the more technology you are likely to need, and the more expertise you are likely to require to maintain that equipment. Controlling IT costs is a delicate balancing act, and like all balancing acts it requires vigilance and oversight. Today’s solution may be different than yesterday’s, and it may not suffice for tomorrow. The key is to keep your mind open to innovative solutions that may be better than your current setup.