This probably seems like a stupid question to ask – obviously, IT is computers, and everything to do with them. Well sure, it’s that. But it’s also data, it’s where you store that data, it’s how you access that data, it’s what you do with that data. It’s what that data’s worth to you. It’s what losing that data, or having that data stolen, is worth to you.
For a long time, Information Technology has been considered an operational cost to businesses: a necessary cost that improves efficiency, increases productivity, and helps process all the paperwork. But it’s a cost, and costs are something to be minimised in order to improve the bottom line.
About a decade ago, that equation broke. IT wasn’t just an efficiency improvement, it was now your core means of communicating your message. It also became an uncontrollable feedback mechanism – if you were doing a poor job with that communication, you could face a customer backlash that might wipe your company’s value away overnight. As the platform you ran your entire business on, it was also your single most vulnerable point of failure – if you lost access to your IT systems, your business couldn’t operate. If you lost access to your data, if your data was stolen, that could be the end of your business. For numerous reasons, IT wasn’t just a boring cost centre to be minimised, it was now your greatest risk.
But it was also your greatest opportunity – suddenly you could reach markets and customers in a more targeted, cost efficient manner, you could generate new leads that were simply impossible previously, you could continue an ongoing dialogue with all of your customers, turning single sales into lifetime customer relationships that were more lucrative and cost substantially less to generate.
In agile businesses taking advantage of new technologies and new platforms both for communication and operating their business, IT has, in many ways, supplanted what they would have traditionally considered their core business. For example, Domino’s is the world’s fastest growing pizza business, its share price growing sixty times greater between 2008 and 2016 because it evolved into a technology company that happens to sell pizzas. It’s strategic decisions around technological innovation, adoption and utilisation that will make or break a business, often in a much shorter timeframe than traditional manufacturing cycles.
However, as well as innovations and opportunities, a little over a decade ago something else changed – ‘hacking’ went from the university lab, the occasional technological anarchist and ‘script kiddies’ to well-orchestrated, researched and designed ‘weaponised’ cyber crime that criminal syndicates had identified as having vast potential to generate income for them. We also started seeing cyber warfare agents deployed by nation states. Suddenly the Internet (and technology generally) was a vastly more dangerous place. As billions were syphoned out of national economies, criminals were doubling down on their investments, improving in ability, sophistication and manpower. The Internet is now a live battlefield, dominated by the juggernauts of nation states, multinational corporations and professional cyber criminals, with SMBs and consumers bumbling about in this hostile terrain blindfolded and earplugged, blissfully unaware of the threats surrounding, and constantly trying to attack, them.
What would the impact be to your business if your customer data was stolen and sold on the Internet? How well would you recover if you lost every bit of data on your servers? How well protected are you from these possibilities?
Large enterprises and governments have numerous security experts managing their systems around the clock, with intrusion prevention and detection systems constantly monitoring their networks for signs of compromise. Even with all that, the average detection time for an intrusion is five months – some intrusions go undetected for years, with the attackers having access to the corporate network and the data flowing over it the whole time. 81% of reported intrusions weren’t even discovered by internal teams; instead, the organisations were alerted to the intrusion by external sources such as law enforcement. What strategies does your business have in place to mitigate and respond to cyber attacks and intrusion?
Unfortunately individuals and SMBs don’t, for the most part, have hundreds of thousands of dollars a year to throw at security professionals to secure their systems and keep them protected. Without that, businesses must make highly efficient, well targeted strategic decisions about where and how best to spend their limited resources to minimise risk and maximise protection. There are lots of potential avenues to explore here, and the correct strategy very much depends on the situation of each business.
But possibly the most effective protection you can apply to your business (well, beyond ensuring your IT systems are never deployed in a default configuration, perhaps) is actually fairly cheap – staff training. Other than unconfigured or poorly configured devices, the next most vulnerable attack surface of any business is its staff. Well-trained staff are far less likely to accidentally allow an intrusion, either via technical means or just social engineering. Things like phishing scams are now far more targeted and sophisticated than ever before – some attacks even target specific individuals such as the CFO or senior accounting staff in order to trick them into sending multiple millions of dollars to a fake account in a single transaction. The majority of ransomware attacks wouldn’t have occurred if staff had been better trained and more vigilant.
So what is IT? It’s your biggest risk, but also your greatest opportunity. For both of those reasons businesses need to be far more proactive and prepared for these new costs of doing business; pretending we’re still living in the ’90s and attempting to simply minimise these costs could cost you your whole business in fairly short order.