This article is a two part article – firstly looking at SME’s with in-house IT expertise and then those businesses with little or no in-house IT expertise.
A. For businesses with in-house IT expertise
Do you sleep well at night knowing that your data and systems are safe and the mechanisms in place to protect them are effective? What if:
- You were told that the data backups your IT staff have been doing every day for the last 6 months have never been verified that you can actually perform a successful data restoration from them?
- That the failure rate for tape backup restorations is in the vicinity of 77% (see this White Paper http://www.intronis.com/resources/whitepapers/online-backup-vs-tape.php)
- You were told that the anti-virus software that is installed on your network has not had its virus definitions updated in over a year? and
- What if you were told that key components of your technology are now out of warranty?
I’ll stop there. The point I am trying to make is that you may think you have appropriate controls in place to protect your IT environment, but if no-one is actively monitoring the controls (and this may include monitoring outside business hours when suspicious activity is more prevalent), do you really have any controls worth mentioning? Indeed, are you even monitoring the key activities that should have effective controls in place?
What to Do?
There are many elaborate steps you can take to get your IT function under control, but a simple first step is to ensure there is the right level of accountability is in place and that people and processes for validating your most important controls are actually In Place and WORKING.
Here is a suggested process:
- Decide what are your key concerns about your IT operations. These may include:
- Data protection
- Physical security of your data
- Network security
- Capacity – Running out of disk space
- Performance – can your systems handle the expected growth?
- Data corruption
- Network bandwidth congestion
- Virus / malware / spam attacks, and
- Whether you are being told of all significant events in IT that may impact on its successful operation.
Another way to do this is to identify which controls, if not working correctly, would cause the most harm to your organisation.
- After you have identified your key concerns, next identify the controls you have in place to cover these concerns and then identify who on your IT team is responsible for ensuring these controls are in place.
- Develop a form that lists the controls, it can be called the Monthly Compliance Sign Off. Then have each staff member who is responsible for the controls complete the Sign Off form monthly, certifying that the controls they are responsible for are in place, are working and have been recently validated.
You may be surprised what comes out of the woodwork when you introduce this level of accountability. After all, all you want is a good night’s sleep and to wake up with no IT surprises!
B. For businesses with little or no in-house IT expertise
If you do not have IT expertise in your business, there are many businesses that provide services to monitor and protect your IT environment.
What to Do
Move to a fully managed cloud-based service offered by many 3rd parties today. For a few hundred dollars per month you can get an online service that a few years ago could only be afforded by bigger businesses. These services offer you more functionality that you currently have, they provide protection for your data (which is essentially your business), and access to your data no matter where you are, and are carried out by qualified professionals monitoring your data 24/7.
This involves moving your data onto a server at the service provider’s data centre where through a service level agreement, they would as an example:
- Manage the availability and performance of your systems
- Backup of all data from both the server , local PCs and even remote PCs and laptops including the backup of all versions as changes occur to editable content including to email, documents, accounting records, databases, system states)
- Protect the integrity of your data through antivirus protection and network security
- Facilitate a mobile workforce to work from anywhere without losing control, and
Taking this approach relieves the small business owner from remembering these tasks, but more importantly, puts the responsibility in the hands of IT professionals who do this for a living.
Some of the other advantages include:
- A more cost-effective solution than doing backup manually. The SME no longer has costs associated with backup equipment
- Your investment is in a service rather than hardware. This means the responsibility of ownership, repair and maintenance of hardware such as servers is removed from the owner and the service delivery is “rented” and delivered under SLA lowering risk and costs
- Your data is secure – storingconfidential or sensitive information in the cloud is often more secure than storing it locally. With online storage services, data is encrypted both during transmission and whileat rest, ensuring no unauthorised users can access the files.
- Data backups are automated
- The hardware sits in a data centre provides very fast upstream bandwidth instead of being limited to the office behind the low bandwidth ADSL modem
- A service continuity plan where backups are stored offsite.
- Much of your IT spend moves to opex not capex which means simple tax deductions instead of tedious depreciation schedules
- Since your data is in the ‘cloud’ it is available to you anywhere at any time, you just need an Internet connection
- In the event of data loss, recovery is methodical and timely
- You can focus more on growing your business instead of spending some time on IT
The key disadvantage is that you, the small business owner is the one most affected if the service provider fails you in some way, such as not doing the backups etc. This is really no different if you failed to carry out any of these activities yourself.
Selecting a service provider
So what should you do? Spend a bit of time selecting your outsourced provider. Don’t go with the first provider you meet or the cheapest.
How to go about the selection:
- First have a clear understanding of what you want to get out of making this move to outsource.
- Then ask your peers whether they outsource. If they do, see if their outsourcer is meeting their needs. If so, add them to your list of possible outsourcers
- When you have 2 or 3 recommendations from your peers, you are ready to make a few phone calls. Of course, if you have the time you could also search out more potential outsourcers.
- Contact the 2 or 3 candidate outsourcers and explain that you are looking to outsource your IT environment and would like to meet with them.
- At each meeting, explain to them how you currently operate and how you would like to get more value out of your IT spend. Then ask them to give a brief overview of what they could do for you. Let them ask as many questions as they want, then ask them to prepare a written proposal
- After receiving the proposal, apply the same business acumen that you would apply to any long-term business decision you make. Remember to check their references.
You can also contact the Inform Group to discuss your options.
A key point about the agreement with your selected service provider. Ensure there is a Service Level Agreement (SLA) that covers to your satisfaction what the service provider will do for your business. Include in the SLA a requirement that they email you every 3 months a Compliance Summary that certifies that they have performed all duties in accordance with the SLA.
The upside to this process is that if you do your homework, you are well positioned to have a satisfying and mutually beneficial relationship with your service provider.