Of the many disruptions taking place this year in the construction industry, technological challenges are proving significant – both in cost and in how they’re impacting businesses of all sizes. While information technology concerns often are viewed as simply that – IT issues – they’re in fact much more and are affecting small- and midsize businesses as well as larger companies. IT security and IT continuity are not “an IT thing,” but rather an essential business risk discussion. It’s important to be as technologically prepared as possible for a crisis so you can best weather the storm and remain strong and sustainable well into the future.
The costs are real
First, let’s consider the high costs of network downtime. Last year, downtime cost U.S. businesses nearly $26.5 billion in lost revenue. That’s a scary number, but it’s hard to really apply it to your business, right? Luckily, researchers have dialed in the microscope a little bit more. The average small- to medium-sized business loses $42,000 for each hour of downtime. Another study found the cost to be closer to $5,600 a minute. You may wonder, how much downtime do you really see in a year? Chances are, if you are reading this, you’re seeing above-average downtime and looking for the solution. But even average downtime hovers around 87 hours a year, with average instances lasting in the range of 200 minutes each time.
Small businesses are prime targets
Aging equipment and unpatched devices, little IT support (unless something breaks), and not making IT a priority – all are among the reasons small businesses are prime targets for cybersecurity attacks. Many small businesses also just don’t believe cyberattacks will happen to them – their data isn’t that valuable, after all, they may reason. Hackers, however, are more concerned with getting access, and seeing if there may be something of value, than necessarily targeting specific organizations. Educating employees on cybersecurity and their role in helping ensure a safe and secure IT environment also may not be as high a priority as it should be. This in turn can lead to unintentional breaches and cybersecurity attacks.
Recovery and planning ahead
During these turbulent times, many organizations are focused on disaster recovery, which is the process of rebuilding an operation or infrastructure after a disaster passes. The ideal situation, given we know disasters can happen at any time, is to focus on business continuity planning, which is the process of ensuring your critical business functions are prepared to react and recover from a business disruption with minimal impact to your business.
One sobering statistic to consider: 40% – 60% of businesses that are disrupted by a disaster and don’t have a plan never re-open.
What you can do
At a minimum, these steps should be followed:
- Create an acceptable use policy for your organization and team members.
- Follow password best practices.
- Establish user awareness training.
- Keep up with IT best practices, especially the practices of backing up your IT and having backup off-site as well (in case a disaster strikes on-site).
Strategies for mitigating risk
Some strategies that can be used to mitigate risk include:
- Avoidance. Avoiding risk is a common mitigation strategy. An example: removing email sync from BYOD mobile devices.
- Reduction or Control. Use mitigating controls to reduce the probability of occurrence or the severity of the consequences of an unwanted risk. An example: installation of a UPS system to maintain connectivity during a power outage or requiring DNS security for all devices, including laptops.
- Transference. This strategy shifts the burden of the risk consequence to another party, i.e., through liability or cybersecurity insurance.
- Acceptance. An example of this is choosing not to impose Internet access restrictions. The most common scenarios for this are when cost is a factor, or when the client doesn’t believe or understand the risk and its impact on their business.
Have the risk conversation – and own it
Ultimately, the responsibility for effective risk management lies with organizational management. Accordingly, the challenge for risk management is to handle and summarize the numerous individual incidents of risk associated with running an IT system (referred to as operational risk) in such a way that the organization’s management team can make effective decisions regarding risk control.
Brian Young, a Rehmann principal, has been working in technology for over 23 years, helping clients make strategic and effective IT decisions. He has developed extensive knowledge in sales, cloud solutions, cybersecurity, managed IT services, system design and architecture, and professional IT services. Brian helps organizations leverage technology to protect their business – in many instances he has played a significant role in creating disaster recovery and business continuity plans.
This article was originally featured in The Source.