Written on November 7, 2009
1. No Administrative Controls.
Administrative Controls are the policies prepared by management that communicate their intent to control the information system. Policies are the voice of management; without a voice, management’s intentions concerning the information system are unclear and ambiguous. Without policies, instead of managing by discipline and principle, a small business manages solely by assumption. Policies, in fact, guide the implementation of Technical and Physical Controls that would eventually be used to protect the system.
2. No Audits or Corrective Action.
Audits should be conducted at least once per year to verify that management’s intentions are being executed. There should be a documented and recurring process that evaluates the Technical and Physical Controls put in place to secure the system, along with evidence of what steps management took to fix discrepancies. Combined with a clear Administrative Control, an audit confirms management’s commitment to managing their system and clearly demonstrates “due care” – the legal benchmark against which negligence is judged. The absence of a clear policy and of a routine effort to verify that the policy is being rightly executed could lead one to presume incompetence and negligence on the part of management, which may expose the company to civil and criminal penalties.
3. No Spending Plan.
Information technology is very expensive. Without a plan to control both capital acquisitions and service expenses, many small businesses will make needless and unmanaged purchases that render their information system inconsistent and unreliable. Further, management should make every effort to draw a line between spending and desired capability, so as to rationalize how every dollar spent on IT helps execute their business plan. Over time, unmanaged and uncoordinated IT spending raises TCO (Total Cost of Ownership) and drains cash resources from the firm without achieving strategic goals.
4. No Risk Assessment.
Risks change almost hourly with information technology; literally, we measure certain threats in “zero-day” time frames. Further, the regulatory reporting environment concerning technology evolves just as frequently. It’s impractical, though, to believe that a small business can devote daily attention to risk management. Instead, looking at the risks and vulnerabilities posed to an information system quarterly, or perhaps bi-annually, is a reasonable approach to re-calculating the risks and re-evaluating the safeguards that help protect the information system. Again, a documented risk assessment demonstrates management’s intention to take their “due care” obligations seriously.
5. No Disaster Recovery Plan.
Nearly every small to mid-range business that I’ve ever met has two mission-critical components to their information system: an electronic component and a paper component. Papers stored in file cabinets are under the same kinds of risks as data stored on a hard drive, yet little attention is paid to the redundancy of paper-based data, or how electronic data is centralized, stored, backed-up, and archived. Without a conscious plan, management _assumes_ recovery would be possible and operations could be restored within a “reasonable” time frame. However, it’s precisely that assumption that prevents management from taking more proactive measures to guarantee a successful recovery of their business in the event of an emergency.
Conclusion
Small business owners are usually buffeted by a vast array of opinions concerning the operational management of their microcomputers. “You should install this patch,” says one professional, or a business associate will suggest, “You need this browser and this anti-virus.” However, these issues are a distraction from managing IT in a broader context: such solutions are implemented piecemeal, without a coordinated strategy.
Instead, if management were to install a proper discipline that routinely evaluates risk, plans for disaster recovery, and implements corrective action based on the intentional voice of policy, then the selection of browsers, patches, and anti-virus software would be a result of those activities. This is how we manage IT in the enterprise, and this is how small business should be managing IT, too.
Hey there, Brad – great questions, and thanks for posting.
Not sure if there are any hard and fast rules on what constitutes small business, but I’m thinking less than 50 employees, less than $100k/annual IT spend, and few if any technical staff. More mid-range, perhaps 50-100 employees, less than $500k/annual IT spend, a small IT staff and/or a strategic officer. Those are usually my rules of thumb (grin).
And you’re right on man-power as well as executive commitment. On the one hand, management really needs to be sold on the idea of “managing” IT and adopting a framework of best practices to govern IT effectively. If management is committed to that idea, I usually introduce them to CoBIT (Control Objectives for Information and related Technology).
CoBIT is an open, internationally-recognized IT Governance framework that I often introduce piecemeal with my clients. It has a structure for setting up ATP Controls (Administrative, Technical, and Physical), establishes a framework for accountability and responsibility, and has a process for conducting audits and taking corrective action. In short, CoBIT offers best practices in a box that you can adapt to your firm’s complexity and business requirements.
In my practice, I help my clients create the structure using CoBIT, and once the structure and practices are in-place, then I can help them self-certify to CoBIT expectations. The self-certification process may be useful for demonstrating “due care” to a variety of stakeholders: customers, suppliers, or future legal action.
And in my opinion, Brad, it’s difficult to “find” businesses who want to discuss IT governance. It’s not a money-maker; it’s a cost; it’s insurance; it’s best practices without a return. It’s kind of like talking about taking medicine, getting good exercise, and brushing your teeth (grin).
However, if you look at the risk of doing nothing and the impending explosion of data breach/privacy laws at the federal level (just Tweeted about this today, in fact: http://is.gd/4R2q5, not to mention HIPAA, FERPA, GLB, SOX), therein lies the motivation. It’s the risk of doing nothing.
Needle in haystack? Not really: anyone that holds private consumer information on a server, or, transmits consumer data, is subject to various forms of federal and state laws governing data confidentiality and data breach; 31 states have different laws on these subjects currently!
Thus, when a breach happens or a vulnerability is compromised – and as you’re in information technology, you know we look at this as “when” and not “if” – where does anyone want to be positioned? In a position of confidence with adequate/demonstrative IT governance? Or, in a position of weakness and uncertainty with no demonstrative management?
In your case, what evidence can you present that demonstrates “doing nothing” or ignoring “due care” obligations produces civil or criminal liability? Especially given the changing regulatory landscape. Therein, I think, is your argument and your niche: companies that stand to lose a lot for every incident of loss.
R
Brad Garland says:
Comment posted on: November 9, 2009
Hi there,
Nice post and I come to you as a curious vendor that also works in the compliance space, more specifically, banks where compliance is a legal requirement.
1) When you say small business, how small are you envisioning? I’m struggling to see a small business that has the manpower or budget to carry out these tasks.
2) How do you find these businesses that fit the market you’re looking for? It would feel to me like a needle in a haystack. We obviously can easily tell who our clients could be.
Thanks again, we are developing a web-based product that could potentially help these small businesses (like we are small community banks) but I must not be understanding the market right, thanks for the help. Oh, and consider me subscribed!