By Ryan Duquette, Partner, RSM Canada and Rhys Morgan, Partner, RSM Canada
The Covid-19 crisis has highlighted the cracks in business systems in dire need of updates and upgrades. And while these updates require some investment of money and management time, the truth is that they could actually protect your business from even further catastrophe.
Implementing a company-wide security upgrade may seem like a hefty financial undertaking, but a lot of these solutions are actually available as an ‘a la carte’ service. This means the maintenance of business systems is surprisingly affordable and accessible, even amidst an economic downturn, and the long-term benefits are clear.
Stop-gap solutions can lead to gaps in security
Remote workforces are now the norm, and from what we are seeing, it may stay that way for a while. There is a lot of understandable concern around the technology that is needed to support these new remote workforces. In the beginning, we saw a lot of consumer and non-corporate solutions being brought in and implemented very quickly, without much thought. In the mad rush to implement virtual meetings and teleconferencing, some glaring security concerns slipped through the cracks. A lot of this shadow IT, in which people are allowed to access corporate networks using whatever systems are immediately available, does not create the ideal conditions for peak security.
Obviously supply chains are being disrupted, which can also interrupt security activities. Many businesses in the middle-market outsource their IT to managed security service providers, and that is also causing some operational issues. Most of those security firms utilise a number of automated tools that can alert them to anomalies, and these tools can automatically shut down processes to minimise damage. However, they still require manual interaction from an IT person who must physically make the adjustments. No easy task in a full societal lockdown.
Another issue is that IT providers are highly prone to cyberattacks in non-Covid times, even more so now that the cyber criminals are aware of potential security vulnerabilities. As a managed IT provider, you have the keys to a thousand castles. And because of that, these organisations are prime targets for hackers. Therefore, it is important to ensure that the IT provider you are considering has appropriate security. One way to assess this is to verify whether the provider has been certified by an independent third party as being in compliance with an established security standard, such as ISO 27001, SOC 2, or GDPR (General Data Protection Regulation).
Neglecting technology is a common theme in the business world. Collectively, not enough time is spent thinking about secure code design, or hardening technology environments, whether it is software or hardware. And now, given the lockdown, organisations are being forced to refocus on technology and are cutting corners in the pursuit of maintaining a remote workforce. As one can imagine, cutting corners and depleting or limiting personnel in IT is not only bad for business resilience, but puts entire organisations at risk.
Under-investing leaves gaps in the safety net
Security has taken a backseat to establishing remote workforces and maintaining business continuity in the short term. In an ideal world, digital transformation and cybersecurity should work together, hand in hand. But Covid-19 has pushed these boundaries, forcing organisations to temporarily ignore their own IT security protocols.
Here at RSM Canada, we recently had a call from a client whose IT guy is still in the office. He tells us that they are still running legacy systems – 2008 Windows server, 2013 Exchange. Both of these products are beyond end of life. Microsoft is no longer patching or supporting them, which means the security gaps have been sitting wide open for years.
This type of issue reflects under-investment. An IT specialist can talk to boards and committees until they are blue in the face, but the ones holding the purse strings do not always see the importance or urgency of IT. Typically, the tune changes when something goes wrong on their watch. Once the decision-makers realise the business is open to threat because they have not invested in technology at a sufficient or commensurate level, they pay attention.
What kind of IT investment is right for your business?
Lack of investment in digital transformation and IT security is starting to come back to haunt many businesses, particularly due to the increase of cyberattacks during the lockdown. We are seeing clients who are spending hundreds of thousands of dollars to try and make up for ten years of neglect in a three-month window. When Covid-19 hit, they realised they were unable to set up their teams remotely, as their legacy systems weren’t designed to allow 200 employees to hit their network connection remotely at the same time every day. Now they also have internet carriers telling them that extra bandwidth will cost them X amount of dollars and take six weeks to implement. This would have been so much easier if they had simply maintained their technology over the years.
Investment in IT varies significantly by sector, but there are some benchmarks that can be used to help organisations land on the right amount. Variables such as percentage of revenue, percentage of profit, number of IT staff, and total headcount can be factors which influence decision making. In most businesses, a reasonable IT budget would be around 5-8% of revenue. In some sectors, where technology plays a more critical role, it will be much higher.
When we do our rapid diagnostic, we use industry benchmarks to figure out whether or not an organisation has been under-investing, but it is simply not feasible for every 80-person organisation to hire 20 IT staff. The trick is to find a solution that is pragmatic for that particular business.
When it comes to technology, there is no time like the present
Like many other departments, IT often finds itself lobbying for more investment. Sadly, this is not the exception, but the rule. However, a business need not spend a fortune to implement sound IT and security philosophies. It simply requires a steady, regular investment in the maintenance, upkeep, and evolution of systems and security. ‘The evolution of software as a service, or ‘SAAS’, gives businesses the option of leasing applications or whole platforms’, says Paul Herring, Global Chief Innovation Officer, RSM International. ‘This provides an opportunity for progressive management teams to leapfrog their competition by securing access to leading edge digital capabilities that would previously have been unaffordable’.