Redefining what matters in protection of key business systems

November 14, 2023
From hardware failures to network outages and even cyber attacks, businesses today are vulnerable to a host of IT problems that can rapidly become business problems.

When critical IT systems go down, business grinds to a halt. That is obvious enough, and it is a real problem, but with more and more businesses dependent on connectivity, the risks are greater than ever – including potential damage to an organisation's reputation. “The reputational side is huge,” says Ciaran Garvey, Director of Technology at Triangle, who specialise in IT infrastructure management.

Published figures on losses tend to emanate from the United States, so it can be difficult to make a like-for-like comparison, but we do know they are not trivial. And they are even higher when the cause of the outage is cyber crime such as ransomware attacks.

“Ransomware is even more. Reports show that the average ransomware cost is $4.6 million. People should not pay in any case, but there is another problem: you're paying people to sit there, in head office or regional offices not able to do the function they're meant to be able to do,” Garvey says.

All of this points to a need to ensure that key business systems are protected. However, which business and IT functions are designated as mission critical will depend on the industry, or even differ from business to business.

“The standard IT answer is: it depends. It depends on the business, as different businesses rely on different systems.”

“Warehouse management around order picking, all those things are really critical. If they go down, things stop. Then in manufacturing, it’s very much ERP [enterprise resource planning] systems and, in all businesses, payroll, as businesses can't function without that,” he said.

Of course, there are also key IT systems and connectivity methods underlying applications. In other words, even if your applications are running, you need the network to be robust.

“You also need to think about the services you need to keep those running: DNS, email and so on. Those ancillary services are actually fundamental.”

Though the need to designate core business systems as mission critical became obvious to everyone during the pandemic and its attendant lockdowns, some sectors have long taken a belt and braces approach, whether due to regulation or something intrinsic to their activities.

“I think the general public would think finance is ahead of things, and DORA [the EU’s Digital Operations Relevance Act] came in last year and will come into full effect in 2025, so they are. However, during Covid, the government put supply chain and retail on the critical list, so there was a recognition that resilience was required,” he explains. “Healthcare and energy, too, are leading the way.”

Despite the ongoing debate about whether pure cloud or managed data centre is better, Garvey says either can be resilient. “I don’t see a major tension between them. ‘Cloud Smart’ is the term at the moment, meaning companies consume services in different ways.” “Managing your own data or applications may be advantageous, and I don't think even Microsoft has everything in Azure,” he points out.

“The firewall is the start of your security. Even when you use SaaS you have to protect it and give access. The point, though, is to ensure there is no single point of failure.”

It is also crucial to consider why a failure may occur. A server dying or someone digging a hole in the road and severing connectivity is a problem, Garvey says, but the damage caused by hacking is much worse.

“The everyday stuff is up there, but the threat from hackers is greater. It's a business, a well-organised business, and they're out there trying to get you. It's very emotive. It's like being pickpocketed or burgled: somebody did this to you. There's a weight on you.”

Beyond getting back up and running, businesses also need to consider the impact of a breach or attack on their insurance costs, whether it will require new hardware purchases and even if their infrastructure could be a crime scene. “You hear a lot of people say ‘It’s not if we get attacked, it's when’. There is elevated awareness not just among IT managers and [company] directors, it's everywhere. People are asking: how do we deal with it.”

Nonetheless, Garvey explains, despite the awareness of the threat, some businesses are still not taking action to protect themselves. “There are parts of business IT that haven't recovered from the cuts after the 2008 recession.”

This article first appeared in the Business Post - you can read the original here.
