Here is a story about an Engineering firm I know well. The firm has about 100 staff, 3 Australian and 1 Philippines office. Because they are involved in big projects, they have a lot of data: 20 Terabytes of it, mostly in the Melbourne Head Office on 4 servers. That’s a lot of data to copy back and forth, but there is little the Firm can do about this: plans and drawings are very big files, they also have large media files for things like 3D walk-throughs.
If you work in this kind of field (architecture, engineering, construction and allied businesses), these headaches will be familiar to you:
- The Firm has an off-shore team doing drafting – very cost effective, but its agony getting all that data back and forth.
- The Internet link is too slow: sometimes okay, other times it takes so long to download files, staff are tearing their hair out. Or the link is always breaking up during the weekly skype call.
- They don’t have a “hot” site which will automatically take over if there is a system failure on a critical server: they are dependent on restore and replace – which takes time, a lot of time.
All these leave the Firm very exposed and vulnerable to disruption that can hit out of the blue. Here are some real life examples that have all happened to this particular Engineering Firm:
- Storm damage that took out the servers – yes its a common issue even in the middle of a CBD building. Time to repair the damage: more than 2 days
- Ransomware that encrypted the entire production projects storage. Time to restore the projects from yesterday’s backup: 2 days because its very big data.
- Internet outage caused by a backhoe taking out the fibre in the street near the building. Time to restore the link: 4 days.
Imagine your business here
Put yourself in this picture, and think through the consequences while your business is waiting to recover:
- What has happened to your invoicing?
- How much damage has your business reputation suffered?
- How many deadlines have you missed?
Minimising Risk
If our example Engineering Firm had enough budget, they could implement multiple redundancies and failover so that they could get almost instant recovery. But like most SMEs, they have a limited IT budget that doesn’t run to that kind of infrastructure.
What about “The Cloud” then? The Firm could move everything to a hosted service and put in a very big Internet connection so they can access it with no problem from the office. The theory is “The Cloud” would take care of the hardware, and guarantee fast backup and recovery (not quite true), and the Firm could get on with their work without ever having to think about what happens if something breaks.
Think again: they still need a very hefty budget – a complete cloud solution is beyond reach for many businesses. For a few servers and even 10 Terabytes of data, the hosting alone would be $10,000+ per month. Then there’s the redundant very fast Internet link needed to access it.
Vulnerabilities
Just by virtue of the fact that this Engineering Firm is small(ish), and the work they do requires big files, they are very exposed and vulnerable to events that some other businesses might manage more easily:
- Internet outage
- Hardware failure
- Office outage
- Cyber attack affecting data
- Backup inadequacies affecting data
Some types of business can be agile and flexible so staff can work from anywhere and adverse events can be managed efficiently. But for a professional services firm in this kind of industry, making money is dependent on people manipulating large quantities of data. So its not easy to be agile and work from somewhere else if something is wrong with the office.
What do do?
Run all the IT in the office (which is cheaper to buy) with all the risks that entails?
Get 2 of everything so there is always a backup?
Run it all in the cloud with all the cost that requires?
Every business has to walk a line that balances risk against cost. The hard part is understanding the risk side of the equation.
Here are some keys to the balancing act:
Everyone knows you need backup, and any backup tool will make a copy of your data. The tricky bit is getting it back in time if you need it, and having enough history to cover off all the scenarios that might turn out to be important:
Get the data back really quickly
How long will it take to restore your data if something goes wrong? If the answer is potentially days, then this is a cost the business probably can’t afford.
How many versions do you need?
Say a disgruntled employee trashes a project, and this isn’t realised for a couple of months. Unless you keep historical backups, the project is gone. On that point: say the disgruntled employee also trashed their own mailbox in Office 365 and a lot of data in your SalesForce database. Are you aware neither of these have any built in backup that includes months old history? You can say goodbye to your data unless you thought of this before it happened, and put in place a third party backup.
Backups are not all equal
The key here is that backups are not all equal. To get it right, you have to think through what your business needs and know the right questions to ask. If you had 10 Terabytes of data to restore from ordinary hard disks on an ordinary network, this would likely take about 20 hours to complete.
If you were the boss of the Engineering Firm, could you afford for your staff to sit around idle for 2 days waiting for their project data to be restored?
Its too late to plan your disaster recovery after the storm has hit. Its also too late to protect your data from accidents, theft, cyber attack or any of the other threats out there after these events have impacted your business and stopped you trading. Whether you are a one person concern or a multi-national, you need to define the essential rules to prevent loss, disclosure and disruption – three prime enemies of business prosperity.
Mostly these risks are managed by the rules you put in place to control your IT. These rules (your policies and procedures) can be complicated and involved, but really they boil down to two key documents:
- Data Management and Security – which encompasses all the important rules about how you manage your IT and data across the whole life-cycle of your business.
- Business Continuity and Disaster Recovery – which identifies exactly what is critical to keep your business operating and how you will recover when something horrible happens.
Forget firewalls, network security and anti-virus software. Well, don’t really forget these, they are actually very important, but they are almost useless unless you focus first on staff awareness training.
Most cyber attacks these days target people, not systems. The exploits mostly work by tricking people into doing something risky such as clicking on a link that leads to a compromised page, or entering their login credentials into a fake site.
Its People you need to protect
If you focus only on the security of your devices (computers, routers), you are missing the largest hole in your defenses: the people. Most people don’t have the time or experience to recognise or research the cyber threats that make them vulnerable. Effective training and an on-going awareness program can give your people the tools they need to protect themselves in the risky, connected world.
Your IT Partner should be sitting at the board room table when you are planning your world domination strategy. If IT is an afterthought, you can just about guarantee its not going to support what your business needs. This is way too important to rely on accident or chance.
IT solutions are not all the same, anymore than businesses are all the same. Every year when you are budgeting, planning, strategising, get the best IT Partner available in the room with you.
Which brings me to to the last – or more properly the first key: the right IT Partner. Any half-baked IT consultant can set up a server, source your laptops, install a network switch and help you setup your email. What your business needs goes much further than this:
- Understanding business – your business
- Real skills and experience with business risk and IT security
- Breadth of skills and experience across all the technologies modern businesses need today.
- Focus on people and real understanding that technology is a business tool, not an end in itself
Frances Russell is an expert on IT and Risk Management with 20 years experience managing technology, security and risk for businesses. Practical, real world experience working with organisations to improve their IT and reduce risk is backed up by solid academic qualifications and relevant industry certifications.
FooForce can work with you to minimise your IT risk. If you would like a chat about any aspect of your IT, feel free to call/email anytime.