Upgrading your IT security doesn’t have to break the bank
July 21, 2020
Authored by RSM Canada LLP
Joel A. Humphrey, CPA, CA, shared this article
The COVID-19 crisis has highlighted the cracks in business systems in dire need of updates and upgrades. And while these updates require some investment of money and management time, the truth is that they could actually protect your business from even further catastrophe.
Implementing a company-wide security upgrade may seem like a hefty financial undertaking, but a lot of these solutions are actually available as an ‘a la carte’ service. This means the maintenance of business systems is surprisingly affordable and accessible, even amidst an economic downturn, and the long-term benefits are clear.
Stop-gap solutions can lead to gaps in security
Remote workforces are now the norm, and from what we are seeing, it may stay that way for a while. There is a lot of understandable concern around the technology that is needed to support these new remote workforces. In the beginning, we saw a lot of consumer and non-corporate solutions being brought in and implemented very quickly, without much thought. In the mad rush to implement virtual meetings and teleconferencing, some glaring security concerns slipped through the cracks. Much of this is shadow IT, in which people access corporate networks using whatever systems are immediately available, and it does not create the ideal conditions for peak security.
Obviously supply chains are being disrupted, which can also interrupt security activities. Many businesses in the middle market outsource their IT to managed security service providers, and that is also causing some operational issues. Most of those security firms utilize a number of automated tools that can alert them to anomalies, and these tools can automatically shut down processes to minimize damage. However, they still require manual interaction from an IT person who must physically make the adjustments. No easy task in a full societal lockdown.
Another issue is that IT providers are highly prone to cyberattacks in non-COVID times, even more so now that the cyber criminals are aware of potential security vulnerabilities. As a managed IT provider, you have the keys to a thousand castles. And because of that, these organizations are prime targets for hackers. Therefore, it is important to ensure that the IT provider you are considering has appropriate security. One way to assess this is to verify whether the provider has been certified by an independent third party as being in compliance with an established security standard, such as ISO 27001, SOC 2, or GDPR (General Data Protection Regulation).
Neglecting technology is a common theme in the business world. Collectively, not enough time is spent thinking about secure code design, or hardening technology environments, whether it is software or hardware. And now, given the lockdown, organizations are being forced to refocus on technology and are cutting corners in the pursuit of maintaining a remote workforce. As one can imagine, cutting corners and depleting or limiting personnel in IT is not only bad for business resilience, but puts entire organizations at risk.
Under-investing leaves gaps in the safety net
Security has taken a backseat to establishing remote workforces and maintaining business continuity in the short term. In an ideal world, digital transformation and cybersecurity should work together, hand in hand. But COVID-19 has pushed these boundaries, forcing organizations to temporarily ignore their own IT security protocols.
Here at RSM Canada, we recently had a call from a client whose IT guy is still in the office. He tells us that they are still running legacy systems – Windows Server 2008, Exchange 2013. Both of these products are beyond end of life. Microsoft is no longer patching or supporting them, which means the security gaps have been sitting wide open for years.
This type of issue reflects under-investment. An IT specialist can talk to boards and committees until they are blue in the face, but the ones holding the purse strings do not always see the importance or urgency of IT. Typically, the tune changes when something goes wrong on their watch. Once the decision-makers realize the business is open to threat because they have not invested in technology at a sufficient or commensurate level, they pay attention.
What kind of IT investment is right for your business?
Lack of investment in digital transformation and IT security is starting to come back to haunt many businesses, particularly due to the increase of cyberattacks during the lockdown. We are seeing clients who are spending hundreds of thousands of dollars to try and make up for ten years of neglect in a three-month window. When COVID-19 hit, they realized they were unable to set up their teams remotely, as their legacy systems weren’t designed to allow 200 employees to hit their network connection remotely at the same time every day. Now they also have internet carriers telling them that extra bandwidth will cost them X amount of dollars and take six weeks to implement. This would have been so much easier if they had simply maintained their technology over the years.
Investment in IT varies significantly by sector, but there are some benchmarks that can be used to help organizations land on the right amount. Variables such as percentage of revenue, percentage of profit, number of IT staff, and total headcount can be factors which influence decision making. In most businesses, a reasonable IT budget would be around five to eight per cent of revenue. In some sectors, where technology plays a more critical role, it will be much higher.
When we do our rapid diagnostic, we use industry benchmarks to figure out whether or not an organization has been under-investing, but it is simply not feasible for every 80-person organization to hire 20 IT staff. The trick is to find a solution that is pragmatic for that particular business.
When it comes to technology, there is no time like the present
Like many other departments, IT often finds itself lobbying for more investment. Sadly, this is not the exception, but the rule. However, a business need not spend a fortune to implement sound IT and security philosophies. It simply requires a steady, regular investment in the maintenance, upkeep, and evolution of systems and security. “The evolution of software as a service, or ‘SAAS’, gives businesses the option of leasing applications or whole platforms,” says Paul Herring, Global Chief Innovation Officer, RSM International. “This provides an opportunity for progressive management teams to leapfrog their competition by securing access to leading edge digital capabilities that would previously have been unaffordable.”
This article was written by Ryan Duquette and Rhys Morgan, originally appeared on RSM Canada on 2020-07-21, and is available online at https://rsmcanada.com/what-we-do/services/consulting/technology-management-consulting/upgrading-your-it-security-doesnt-have-to-break-the-bank.html.