Author: David Nelms
Technology is a double-edged sword. It makes businesses more efficient and can also make them vulnerable. The technology used by businesses can unknowingly expose them to issues that could result in lost revenues, productivity, or financial penalties (to name a few). This is why it is critical to understand the potential risks your business might face and create a plan to protect yourself. While it is impossible to avoid all threats, precautionary measures can be taken to mitigate potential harm. No organization should feel like they are constantly reacting to the most recent issue or breach.
Unfortunately, there is no exact formula for determining risks; however, there are tools to identify where one is most vulnerable. Based on Warren Whitney’s experience working with our clients, below are 8 common areas where businesses may not be managing their exposure to potential technology threats.
There are frequent reports of issues related to computer viruses, ransomware, and data breaches. Nowadays, because of highly sophisticated hacking tools and potential threats, protection requires significant technical expertise from vendors and internal technical staff. For ultimate protection, hardware and software need to be regularly maintained and updated.
- Are your systems and people prepared to respond to threats and proactively manage risks?
TECHNOLOGY BECOMES OBSOLETE
Computer programming languages and systems often have a defined life cycle. At the end of the life cycle, the system will no longer receive critical updates or security patches. While end-of-support dates are often known, many organizations do not adequately plan for obsolescence, which can expose them to security-related issues.
- Are your hardware and software systems fully supported and receiving appropriate updates and patches? Do you have plans in place that proactively address future issues?
Many organizations rely on vendor partners for their technologies and/or customer support. Unfortunately, in many cases, businesses do not fully manage these partnerships and, in turn, do not have a proper protocol in place to address technology threats. It is equally important to have contracts that cover potential liabilities, expectations, and deliverables. This is especially necessary for regulated industries.
- Do you have appropriate vendor agreements in place? Are you actively managing your partnerships with your technology providers to maximize your investment?
COMPLIANCE AND CONTROLS
Companies that have service providers or organizations maintaining confidential data need to be compliant with HIPAA, PCI, etc. and prepared for an audit. For this, you need records of: 1) Vendor agreements, 2) Policies and procedures, 3) Technical controls, and 4) User awareness. These controls are necessary to maintain the integrity of the system’s security, data, and financials.
- Do you have the appropriate policies, procedures, and technical controls to protect personal information and the integrity of the company’s financials?
DISASTER RECOVERY PLAN AND BUSINESS CONTINUITY
A Disaster Recovery Plan (DRP) is a set of procedures to enable the recovery of technology systems following a natural or human-induced disaster. This plan supports functionality and/or the recovery of vital systems. Business continuity is the protocol to follow while the outage is being addressed or systems are being recovered. These plans need to be evaluated regularly to address changes, threats, evolving workflows, etc.
- Do your contingency plans protect your business in an emergency so you can continue operations to meet customer needs?
PROJECT AND CHANGE MANAGEMENT
Protecting against potential impacts and risks related to project and change management requires technical knowledge, organizational skills, and structured processes. Without these, projects will likely take too long, cost more than expected, and/or miss key requirements. Organizations without a structure to manage changes often play catch-up and fight “technical fires,” all of which can be avoided. The negative impact of not having processes to manage both projects and scheduled changes can be significant.
- Do you have both the experience and processes to effectively manage risks associated with technology projects and changes?
We often find that small to mid-sized organizations have difficulty planning and budgeting for technology projects or capital expenditures. Typically, this is because they don’t have the internal expertise needed to understand the benefits of the investment or potential risks if they do not make the investment. Not making proactive investments to maintain an organization’s technology can result in functional limitations and/or greater costs over the course of time.
- Does your team have processes in place to stay ahead of the curve and effectively manage technology-related expenses?
STORING DATA IN THE CLOUD
Methods of storing and accessing data in the cloud are becoming easier and more cost-effective. Software applications are providing more capabilities and easier ways to access and share data. While these systems are readily available and often economical, it is critical to understand how they protect your data and work with other systems. Not fully understanding how the systems interoperate can result in losing control of data and/or being unable to match data between multiple systems.
- Do you have the skills and processes in place to make sure you are appropriately evaluating new systems? Are you effectively using and analyzing your critical data? Does your backup plan allow for a full restore?
These are just some potential areas where your business might be exposed to technology threats. There are many more areas and details to be considered. Warren Whitney works with a wide range of organizations and vendors/partners to help identify and address a company’s needs. To learn how our Fractional CIO services can help you effectively define and manage strategies, please contact David Nelms at firstname.lastname@example.org or 804-282-9566.