Why Every Business Needs Backup

When we talk with technology professionals, almost universally they point to backups being possibly the most important thing that any business will prioritize when considering their computers and business systems.  But in the real world, backups and data protection often receive almost no attention. Why is this?

Backups are boring, they are invisible, they are easily forgotten.  You don’t see them, you don’t deal with them, and you hope that you never need them.  If you ignore your backups you might go years, possibly many years, without ever seeing a reason to have needed them.  Like airbags in your car, you can drive possibly for decades without seeing any value to them; in fact you might forget that they are there.  But when you need them, you have no time to decide to add them: you need them right that moment; and they can save your life.

Backups are the core protection for your business.  How much would it cost you if you lost a record of your customers, lost track of billing, couldn’t produce financial records, and possibly stopped being able to make your own products? Every business is unique in how data loss will impact them, and often it is far more dramatic than we imagine.  In a majority of cases, data loss without working backups isn’t just financially damaging – it actually causes businesses to close their doors for good.

The rule we live by is this: “If something is important enough to store, then it is important enough to back up.”  This means if you don’t see the value in protecting a piece of data, you shouldn’t be paying for someone to create, collect, or store it in the first place.

If you have never tried it, do some role playing in your office.  Sit down and run through what data loss would look like.  Try to imagine how bad it will be.  Then add in the feeling of panic; the pending sense of disaster not just for yourself but for staff.  Some people feeling like maybe they are to blame, some worried that there won’t be money to pay them, many worried about the future of the company.

Backups protect against far more than just traditional disasters like hardware failure, fires, and floods.  Backups protect against accidents, which everyone makes sometimes; select the wrong file, or the wrong button, and critical data might simply vanish.  Backups protect against upset employees looking to lash out.  Backups protect against malicious competitors who may hope to shut you down, or at least slow you down.  And, more relevant than ever today, backups are the last line of defense against the new and massive threat of ransomware.

While backups have always been possibly the most important thing any business can be concerned about when it comes to technology, the modern landscape where nearly all businesses end up facing regular ransom attacks on their data has taken the already incredibly high need for backups to a level never previously imagined. Without solid, tested backups today, a business has effectively guaranteed itself a disaster from which it will struggle to recover.


Outsourcing and Offshoring

Outsourcing and offshoring are two terms we hear a lot, and both are important to businesses of all types, but the terms are often misused and misunderstood.

Outsourcing refers to the practice of using external companies to provide functions to our own company. This is so common that it is often ignored as a special practice and we see this commonly in the use of bookkeeping, accounting, financial, human resources, information technology, legal, electricians, plumbers, and many other roles & departments.  Bringing in outside companies that specialize in these functions, rather than staffing up and training departments of our own, is often the only sensible way to get the expertise that is needed at a price that can be afforded.  Outsourcing is generally done to leverage either scale or expertise, or often both.

For example, a typical business would not get good financial returns from hiring a full accounting department with a full range of skills and training; they would be idle most of the time, wasting money.  But an outsourced accounting firm can work just as needed, while providing a range of skills from many different internal people.  Through outsourcing, your company may get more and better skills, all while saving money.

Offshoring is different and refers to having staff work from locations outside of the country (presumably across the ocean, hence the term, but simply outside of the country is all that is really meant.)  The term arose from the common practice of using south Asian resources across the Pacific from the US as low cost workers, but it is important to understand that many European countries use American staff in exactly the same way – low cost, overseas labor compared to what they can hire at home.  Offshore workers may be normal employees, or may be provided through an external vendor.  The concept of offshoring does not imply outsourcing as well.

Essentially all companies outsource, whether a little or a lot.  Outsourcing is most often another business right down the street, or at least in the same country. Rarely is outsourcing also going to be offshored.  But there is no reason that it cannot be.

Offshoring is very rare for an average company.  It is complicated and poses many legal and logistical hurdles, and it requires much understanding of the offshore location and culture.  Most people who express concerns over outsourcing actually mean offshoring – extremely low cost, extra-national workers with little training, and probably no oversight.  Offshoring tends to engender apprehension either because people associate it with low quality work, since end users typically only interact with it through low cost call centers that give it a bad reputation, or because staff react to the idea with fear that their jobs will be sent out of the country.  But offshoring can be effective if done well, and can be important to keeping your business competitive.

Combining these two is common and can be beneficial; it is not surprising to find that many outsourcing firms also offshore.  But the two components are distinct and serve different purposes.  When seeking an outsourcing partner, consider that offshoring may be an optional benefit that they can offer.

What Is Your IT Department

Every business talks about their IT department, or person, but how often do we really take a moment to consider what that department’s (or person’s) job really is?

“It’s to fix the computers!”, I hear you saying in your head.  But that’s a pretty minor function of IT and not really where the value is.  That’s like saying that the attorney’s job is to “organize paperwork”, which of course they do, but that isn’t what you pay them for.

IT does a lot of things, and should be extremely core to your business.  IT has to understand business needs and processes and design information systems that support, and protect, those needs.  IT has to do complicated cost and risk analysis to know when you should be spending, and when to be saving.  IT has to understand your business, and its finances, to know what systems will benefit you best.  IT handles the most important aspects of security for your business.  IT oversees much of the most important business purchasing.  IT has to protect the business from sales people, and marketing.  IT has to apply math and logic to business processes; take that which is conceptual and make it real.  IT must also combine sweeping technical and business knowledge and apply it to current, real world market products and techniques.

Sure, in doing all these things IT tends to touch the computers and fix things when they break, but these tasks are not the ones that give IT its value.  We must remember to keep perspective that these are not the tasks that create the need for IT.  IT forms a core of our business, it builds our infrastructures, it keeps us safe, it is involved in every aspect of the business.

How we view and treat our IT people or department has a big impact on the ability for IT to make us efficient, empowered, and competitive.  It’s time to move from viewing IT as “the computer guy” to “the key business oversight department that oversees infrastructure, security, and business enablement.”

Ransomware and You

In the last couple of years, ransomware has appeared as the next big threat not just on the horizon, but affecting people today.  Never before have we directly known more companies impacted by a single type of threat as often, or as heavily, as with ransomware.

The basics of ransomware are that a malicious outside organization manages to gain control of all or a large portion of your data and hold it in such a way that you must either pay a ransom or else the data is permanently destroyed.  Typically you are forced to decide quickly whether or not you will pay, making the entire situation more tense and giving you very little time to plan or react – no time to test your backups, or see if there is a way to recreate the data.

Many companies choose to pay heavy ransoms, often thousands or tens of thousands of dollars, without any guarantee that their data will be restored once they pay! This makes the situation so much more dire; a complete lack of assurance that anything will restore your data.  Law enforcement is all but powerless to help.

These days, it seems nearly certain that almost every business will experience a ransomware threat at some point, and many have been hit more than once, already.

Strategies exist for protecting your business from ransomware, but it can be difficult.  Traditional strategies of user training, email filtering, anti-virus, good desktop security controls, and so forth do help, but are not enough.  Additional protection from technologies like version control, long retention backups, and even rethinking the fundamental design of your network all play major parts in reducing or eliminating the ability for ransomware to impact the network.

Ransomware has caught not just companies unprepared, but many MSPs and IT firms lack the necessary security and infrastructure experience to tackle the kinds of changes needed to effectively deal with a future that involves threats of this nature.  Protecting against ransomware isn’t a quick fix, or a checkbox; it requires significant planning, and possibly some major changes to how your business works.

There are benefits, too, though.  Ransomware might be an unfortunate reason to have to modernize your network, but in doing so there are many other potential benefits to reap which may make the entire process beneficial.

Part Time CIO, the Virtual CIO

CIOs are, of course, costly and many businesses attempt to function without them.  This, however, is very dangerous, as a degree of knowledge and oversight is needed for even a very small business.  A CIO need not be full time, but does need a level of expertise that is rather extreme.  In some cases, a CIO might only be needed a few days, or possibly just a few hours, a year.  Having a CIO, even a very good one, need not be highly expensive.

Without a CIO, a business is left vulnerable.  Vulnerable to maintaining status quo due to a lack of planning, vulnerable to de facto decision making without proper evaluation, vulnerable to vendor sales people, vulnerable to unneeded products and services, vulnerable to missing big opportunities that were never identified.

But with a small business, a planning roadmap might be laid out for a year or two in advance with almost no need to review it during that time.  Purchasing decisions, business changes, new opportunities are rare and don’t need to be watched for every day.  For very small businesses, a long lunchtime conversation with your CIO might be enough for your entire year – lay out the latest changes, ask about the newest things to be looking for.  It can really be that casual.

For bigger businesses, a part time CIO, often called a Virtual CIO or vCIO (because, you know, “Virtual is cool these days”) can mean a few days, or a few weeks a year.  As you get larger, maybe it’s a few months on, a few months off.  Eventually a full time resource might be warranted, or perhaps a junior CIO role that is full time with a very senior CIO adviser as even moving through the CIO ranks can be very challenging.

No business is too small for a CIO, and every business can benefit from one.  Finding one that understands your needs, and can work within a framework that makes sense for you, is all that is needed.

Every Business Needs a CIO

What exactly is a CIO? The name stands for Chief Information Officer, but the role of the CIO is to take business needs, requirements, and opportunities, at the highest level and guide IT decision making so as to consider the specific needs of your business, while considering the full range of IT possibilities.

CIOs do a lot, from overseeing how the IT department is run and treated, to providing the most important interface between technical staff and the business, to creating strategic roadmaps and planning, to creating a structure for engaging vendors, suppliers, partners, and contractors.

Functioning without a CIO can be dangerous and costly.  Without a CIO a company is often vulnerable to vendors trying to sell the next big score, strategies copied from a book rather than catering to the needs of the business, and tech being deployed for the sake of tech rather than specifically in support of the business’ unique challenges and opportunities.  Of course, like with any position, having the right CIO is important, as well.

IT is a key player in any business.  Of course, you can focus on doing as little with your IT department as possible, but this often backfires.  Without proper management, IT often becomes very costly in ways that are not always obvious.  It is common to find IT departments, even in very small companies, with budgets many times larger than they should practically be; literally spending 200-500% the amount that they should be.  Lacking strategic oversight makes it easy to accidentally overspend without even realizing lower cost options are possible, and often even better.

Having spent decades in a CIO role, whether full time or consulting, I can tell you that it is very common to walk into a meeting and in just a few hours take a project budget for a small business from $150K to just $35K while not losing any capabilities, but delivering more, in fact!

CIOs are a difficult role to fill as they must have a deep business understanding and should be a business advisory role alongside the CFO to the CEO.  Your CIO needs to be a part of all strategic decision making and there to help you identify risks, as well as unseen opportunities, at every turn.  The CIO needs also to be deeply technical and experienced, otherwise they are easily misled or confused.  A CIO may not need to be hands on day to day, but needs a long background in technology to understand the underlying themes and currents of the field.  A CIO is a generalist who needs to have worked in the industry, and brought business experience to bear on that experience.

A good CIO is a key strategic planner for your organization.  A business specialist with broad technical scope.  One of the most important players in making your business efficient, agile, capable, safe, and prepared to rise to meet challenges you may have not yet even envisioned.

Beware of IT Protectionism

All people fear change.  This is a natural part of being human, so we can hardly fault anyone for feeling a bit of panic when they find out that big, sweeping changes might be coming to their industry or career. But IT is a career of managing change and it is necessary for IT decision makers to embrace change, rather than reacting negatively to it.  All change brings opportunity, but those that let emotions drive them instead of rational thinking are not in a position to benefit from it.

In IT we often see emotional responses to change in the form of IT Protectionism.  This can manifest itself in many ways.

One key example is IT staff who feel that they “own” your network and your computers and try to maintain control rather than working purely on your behalf. Often this results in decisions being kept secret, hoarding of access, and at worst even absconding with the keys to the kingdom and holding you ransom or worse.

Another example is avoiding modern approaches to technology. A common example here is IT staff claiming that they don’t “trust” cloud products because they don’t control them. This tends to be either an example of trying to “grab control” as I mentioned above; or just plain fear that moving to cloud hosted applications or products will cause their job to be eliminated.  In both cases, what is best for your business isn’t taken into consideration, but only what either makes them feel in control, or gives the appearance of protecting their career.

The last example that I will give is selecting technologies based on what the IT staff is familiar with, rather than considering the needs of the business.  IT staff should, in theory, easily be able to adapt as business needs change.  But often this is seen as risky to their careers, so “more of the same” is often chosen to ensure that there is no risk of the staff selection being modified.  In larger companies, you will often see additional staff with matching skill sets hired to reinforce the company’s dependency on decisions that are made in the interest of the staff, rather than the needs of the business.

Protectionism is a scary thing for any business as it can creep in and represents a sizable risk either by making the business insecure, costly, or inflexible.  There is no simple answer to avoiding protectionism; it must be watched for from the very top and can be difficult to identify as often it is masked in technical jargon.  But there are signs, from unexplained fear of change or modern approaches, to a focus on hiring or using specific technologies without solid explanation, to language and behavior withholding access to systems or use of possessive language.

Be vigilant. The network belongs to the business, and IT needs to be a part of the business, not in competition with it.

You Need IT from Day One

Are you starting a new business, or considering doing so? On the first day, the first hours, of your new business there are a few key players that are needed to be in place. Your attorney, of course.  And probably your financier.  Maybe someone who understands your operations, if that isn’t you yourself.  And, of course, your technology adviser.

To many starting a business, it might sound crazy to have someone to oversee your technology before you have incorporated, before you have any staff, or even any computers; but this is exactly when they are needed.

This is called a greenfield and this is the time that your technology partner, who might be a CIO, an ITSP, or other resource, has free rein to consider all possibilities.  This is the one, and literally the only, chance that your company will ever exist with zero technical debt and all options can be evaluated, including those you never knew were options because no one ever evaluates the greenfield scenarios.

If you instead, like most new businesses, run out and set up email accounts, buy laptops, order your Internet connection and so forth before IT is there to guide you, you have created technical debt.  Money has been spent, decisions made, debt incurred.  Sure, it can all be replaced, but it won’t be. Those decisions, ones that feel ridiculously trivial at this stage, will normally haunt a company for more than a decade.

From the IT perspective, the mistakes made at this crucial time are often astounding. Wrong licensing, bad hardware, key applications chosen. Often in a few minutes without IT guidance, decisions that end up doubling the cost of IT infrastructure over the next decade are made, but because of the frog in the boiling water problem, they are likely never resolved.

This happens because it feels logical to just “buy what gets us up and running right away, we will fix it later.” But this makes no sense; fixing things is very costly, and when will you rip and replace everything? There is no sensible time to suddenly decide to do that. You didn’t do it on day one, why would you do it on day two?

With each new day, more time and money is invested into the initial decisions. More hardware, more software, more licenses, more applications that depend on those things are purchased. Day by day the initial decisions go from “technical debt” to heavily entrenched decisions with unknown dependencies throughout the organization. On any given day it is just “doing the simplest thing right now” and “not wasting time on big decision making”, but this de facto planning process ends up guiding the core of the business, and all of IT, without anyone intentionally deciding on what actually would best service the business.

It’s a ripple effect (the butterfly effect), what seems like a completely trivial decision to move quickly without getting “bogged down by IT” can spell long term disaster and is often the underpinnings for many of the struggles that businesses face every day.

The Cloud Is Not Scary

You may have read that “the cloud” is a scary place, that accessing your systems over The Internet cannot be trusted, or that only by having all of your data “in house” can you be safe.  None of this is true.

First, let’s talk frankly about what “the cloud” means. It means, essentially, nothing. It simply means using someone else’s resources, across the Internet, for your systems. That’s all. Whether it is safe or unsafe has nothing to do with it being “the cloud” or anything of the sort, and anyone telling you that it does thinks that you’ll want to buy some ocean front property in Arizona, too.  What makes “the cloud” safe or unsafe is the vendors that you choose – which is why we should always talk about our options in reference to specific vendors, not “the cloud” as a concept, because that means nothing. That’s a fear mongering technique that is commonly used to try to elicit an emotional reaction, rather than a logical one, to using vendor resources.

Next, let’s talk about the security of your own IT team.  We have to be honest here, your internal IT team has very few resources for security and resiliency, they can’t afford the tools, the training, the systems, the insurance.  At best, small business in house IT will “try hard” at security, and some might do well, but “well” is relative and even the best medium sized business cannot even begin to approach the security of the big enterprise cloud providers like Amazon, Google, Microsoft, Oracle, and so forth.

Believing that it is possible for small in house IT teams to compete with, let alone exceed, the security of the big vendors is hubris and hubris is a very dangerous thing when it comes to security. In fact, what should be feared most is the small business IT team that feels that they could make such a boast. These are the teams most likely to put your company at risk because they aren’t approaching security rationally, but rather emotionally.

There are many good reasons to consider running your IT systems in house on your own servers, but security is not one of them. Deciding between “the cloud” and in house systems is one of features, cost, performance, or flexibility; but if security was the determining factor you would be hosted on “the cloud” every single time.

Beware of Writing Your Own Software

The idea of writing your own software for your business comes with a lot of appealing features: you control the cost, you define the features, you own it and can do what you want with it.  On the surface, it sounds great.  And it can be.  But the cost of producing your own software for internal use can be far higher than it appears when you begin and it comes with loads of risks that often don’t get realized for a very long time; not until it is too late.

First we have to consider expertise.  Very few companies, even those that write software regularly, have the necessary expertise to do so efficiently.  Good software requires many different skill sets, not just code writing.  You will generally need several people for even a small project.  This can be expensive at best, and nearly impossible to acquire at worst.

Second is support.  This is the biggest problem that businesses face when writing their own software.  The first problem, of being too expensive or lacking resources is easy to discover before money is spent, but support is a costly issue that can affect you potentially years after the initial development has been completed.  Support is needed only after software is made; so often comes as a surprise to companies that have not planned well for it.  Support, unlike initial development, will go on, to some degree, for the life of the software so can easily become the larger expense.  Support does not just mean running the software, deploying it, or training users; support includes keeping the software up to date, fixing bugs, adding features, patching it for security, altering it to adapt to changes over time, and so forth.

Software is a living thing that needs constant attention to remain functional and secure.  Software that is not maintained properly takes on risk and hidden costs.  It is very common for companies to become entrenched in old software that has become so expensive to maintain that fixing or updating it would be more costly than starting over; but starting over is risky and expensive leaving companies between a rock and a hard place of being forced into big spending just to keep operating.