Technology: Business Asset or Business Risk?

Risky Business

Everything we do, every day, has an element of risk. This is equally true in business as in other aspects of life. Whilst we may be aware of the risks inherent in driving to work, we are often unaware of risks involved in our work – not the regular health & safety risks – but more subtle risks to the business itself. Decisions we make in our use of technology assets generate risks, risks that might go unnoticed but could have a devastating impact on our business, should things go wrong. [And thus on the businesses of the clients that rely on us too; always remember that.]

This is a fairly long article, but I make no apology for this: business risk is a very serious matter. It could be worse: given the subject matter and my years in IT/network management, this could have been a very long article.

Seek, and Ye Shall Find

The process of identifying risks and their potential impacts is known as risk assessment. Risk assessments can be carried out by expensive consultants – or by anyone able to apply a little logical thinking and common sense. (When issues are complex or large amounts of money are at stake, it may be well to consider the expensive consultant route.)

For the purposes of this discussion, I am suggesting that we should list all the technologies that we use in our business and do a risk assessment on them. For each item we need to start by asking two questions:

The Yes/No Question

If this technology were to suddenly become unavailable, for whatever reason, would it affect my ability to do business?

The Quantity Question

Should the previous question yield an answer of ‘yes,’ for how long would I be able to work without this technology before its absence became a serious problem?

Write It Down!

Forewarned is forearmed. When undertaking a risk assessment, findings, plans of action, whom to call, etcetera, should all be documented. There is little point going through the exercise, having a risk become an incident and then finding that nobody can remember what is supposed to happen next.

In the following sections, I will run through a list of what I consider to be critical technologies, although not all will apply to all businesses. This list is not intended to be exhaustive but exists to give readers a starting point in performing risk assessments of the technology in their specific businesses.

The Telephone

Whilst there may be businesses out there that still do not have a computer (I have visions of people sitting at high desks, wearing fingerless gloves and half-moon glasses, writing with quill-pens in heavy ledgers,) very few will not have a telephone.

The Telephone Yes/No Question

As regards telephones, I cannot see the Yes/No question ever returning a ‘no.’ I make very little use of the telephone myself but it is an essential tool for When Things Go Wrong. Anyone who thinks that their business would not be affected by the loss of a telephone service should be asking exactly how they intend to call the fire service when their premises are burning down.

The Telephone Quantity Question

How long a business can operate effectively without a telephone depends on the nature of that business. I would not be comfortable knowing that I had no telephone service for over, say, one hour; the next thing to go might be my Internet connection – how would I call my ISP?

For any business where the telephone is a major means of communication with clients, any downtime is bad.

The Telephone – Discussion

Landlines

As we are starting off by looking at one of the most mature of technologies in use, let’s consider first the most mature of telephone technologies: the landline. As there may be businesses that do not have computers, there may be businesses that do not have mobile telephones. Strive not to be one of these because you need some means to call for service when the landline stops working. (Anyone thinking “oh, but we’ve got 10 lines” should be made aware that a backhoe can take out a 40-pair cable just as easily as a 4-pair cable.)

PABXs

If the business in question has a PABX, it should have a service contract for it. (Please tell me it has a service contract!) The answer to our Quantity Question should be used when negotiating the guaranteed response time for the service contract. If the answer is zero time, the minimum response time should be chosen.

–> Important Bit <–

Or should it? If the contract cost with the minimum response time sounds a bit steep, a little more thought is required. The cost of the outage (loss of business, etcetera,) should be weighed against the cost of the contract. Customer expectations should also be borne in mind as a part of this process. This is an important decision for the business owner and should not be undertaken lightly. This decision-making process applies not just to PABX service contracts but all business technology service contracts and Service Level Agreements (SLAs) for online services such as web hosting, too.

Final Word on PABXs

Things may be different nowadays, especially if the telephone service is provided over fibre; however, traditional PABXs used to have ports for ordinary, analogue, handsets to be plugged in to provide a service in the even of power failure. If you have a PABX, find out if it has such a port(s) and get a handset connected for emergencies if one is not already fitted.

Mobiles

Landline hansets tend to be rather hard to lose and are reasonably robust (decent business handsets, at any rate.) Mobile handsets, on the other hand, are horribly easy both to lose and to break. I have two pieces of advice for the mobile ‘phone user to help mitigate risk:

  • Buy a USB SIM card adapter and software. These are very cheap and allow the contents of the SIM card to be backed up to a computer. Make backups regularly, especially if you add new numbers to your phone book on a regular basis. (Make sure that numbers are always saved to SIM, not to phone.)
  • Have a cheap, spare, handset that you can put your SIM card into in the event of the phone taking a tumble, a ride in the washing machine, or whatever. My SIM has survived the death of several handsets, including Death by Washing. My spare handset has a pay-as-you-go SIM card in it; should the main handset be lost or stolen, I can still make calls.

I know very little about smartphones and do not aspire to own one. However, a smartphone is a just a portable computing platform. Computers should be backed up. Check with your vendor to find out how.

Computer Hardware

Computer Hardware Yes/No Question

After some consideration, I an unable to think of a scenario where a business has a computer or computers but can work quite happily without them. On the strength that anyone reading this article is doing so using a computer (rather than have a secretary print off a hard copy to avoid touching that Devil Machine,) I will, as with the telephone, assume that we will be looking at a ‘yes’ response here.

Computer Hardware Quantity Question

This question is where I would expect to see a bit more variance in answers. A business that only uses a computer to run accounts once a week would probably be somewhat more comfortable with an outage than, say, myself. (I am a developer; no computer = no work. It takes a genius like the late but amazing Ada Lovelace to write software before the computer has even been built.)

As the computer is such a fundamental and critical component of my business, I will detail what I do to keep myself in operation.

Computer Hardware – Discussion

If the computer is a key tool in a business, the simple fact is that a spare should be available or some guaranteed means of laying hands on another one quickly. Not only does the spare machine need to be available quickly, it also needs to be ready to do what the regular one does (or did in the event of a failure) – any software used should be installed, it should be set up to work with the office network, etcetera.

Desktop Machines

Thinking about desktop machines, if someone in the organisation is any good with hardware, a set of spares can be carried for emergency repairs. (If several computers are involved, it helps if they are the same make/model or at least that spares are interchangeable.) A spare power supply and hard disc should be carried at the very least. The simplest approach, however, is to have an entire machine into which we can swap the hard disc (assuming this hasn’t died) from a defunct machine, or cannibalise for parts. (Also consider having a spare keyboard, mouse, monitor to hand – although most businesses seem to accumulate these in the course of upgrades.)

Where is the data used by the desktop machine stored? If it is on a server and the user has been disciplined to not save files to the local disc, swapping the machine out with another pre-loaded with the required software should be quick and simple. If, however, files are stored on the local machine a second, mirrored, hard disc (RAID 1) should always be employed if the machine is mission-critical.

Note that repairs/replacement could be effected by someone outside the business if they were known to be able to attend quickly. However, consideration should always be given to the fact that the critical person may not be available due to whatever reason. Contingency plans should always be made to cover this eventuality.

Laptops

Laptops are far less easy to repair than desktops. Keeping just-in-case spare parts is far more expensive than for their desktop brethren. Furthermore, laptops are easy to drop, steal, spill coffee in (far worse than spilling coffee on a desktop keyboard,) and generally give a hard time.

If, like me, the primary machine is a laptop, a spare is needed. This is probably the point where some readers will be saying “argh, expensive! I can’t afford that!” I would ask those readers to put a cost on the work that they will not be able to do without the spare.

The spare laptop need not be the same as the main one; it just needs to have the same software installed and be configured in a compatible manner. It can be clunky and slow so long as it is up to the task. I run a large, desktop-replacement ThinkPad as my primary. It does a great job, but is only portable in a fairly loose sense of the word. My secondary/backup is a little Vaio; it has a somewhat smaller screen but is very portable. It was also quite cheap.

Only one laptop ever leaves the house – the Vaio. As this puts it into Getting Stolen risk category, the hard disc is completely encrypted. (My machines hold sensitive client data; I have a duty of care to my clients to ensure that their data never ends up where it shouldn’t.) When at home, I keep the two machines synchronised after every file save. (I do this using version management software – a topic which exceeds the scope of this article but which I mention for the sake of those who might be curious and wish to investigate further.) So, when coffee hits keyboard, ignoring the repair bill, things are not so disastrous.

Oh, and a spare for a laptop can always be a desktop; it might prove a bit tricky to go walkabout with it though. If portability is not an issue, it could save a few $$$.

Networking Gear

I have experienced about as many failures of networking equipment – modems, routers, hubs/switches – as I have actual computers. As with computers, carry spares. If your business has a $5,000 managed hub, have a little $70 to tide over essential services when it goes “pfft!” I have a spare Ethernet switch to hand (an old one that I upgraded) and a ready-configured ADSL router/wireless access point. Total cost: $150.

Note that network cables tend to suffer all sorts of abuse – having a couple of spare in the drawer could just help save the day.

Contracts

My approach in the Computer Hardware section has assumed small to medium businesses which look after their own hardware requirements. An alternative, especially when dealing with expensive servers, is to have a maintenance contract. Maintenance contracts are just as much for sole traders as they are for large corporates. My points made in the PABX section regarding response times/SLAs apply in this context too.

With computer hardware services, there are a large number of fly-by-night operators (they exist in the telecomms sector, too.) Anyone considering a contract should look carefully at who will be delivering the service. My inclination would be to buy only from the Big Names such as Dell, IBM, HP/Compaq, Sun if any form of maintenance contract is required.

For those who particularly want to deal with a smaller operator, go ahead – but ensure that second and third smaller operators are also identified for when the first choice cannot/does not deliver.

What About Apple?

I am not an Apple user (apart from my iPod;) this section was written with PCs in mind but all concepts still apply. Vendors should be consulted regarding maintenance contracts and the like.

Network Services

In this section I will be discussing that all important tool, the Internet connection, along with e-mail, web hosting and this thing they call The Cloud. Now, I’ve already given two examples about the Yes/No question and the Quantity Question; for this section I will leave these as an exercise for the reader
and launch straight into some critical network services, the risks and how
they might be mitigated.

Internet Connection

Readers may have noticed a theme through the discussion so far – critical technologies require some form of backup. (Readers who have not noticed this are invited to have another coffee before re-reading this article 😉) Internet connections – if mission-critical – should have some form of backup just like all the other technologies mentioned so far. Assuming that the main Internet connection is coming in over a telephone line – either ADSL or a private pair (older technology) – mobile broadband makes a logical backup solution. However, there are limitations:

  • Mobile broadband is not available everywhere
  • Mobile broadband can be slow (it hardly deserves the epiphet ‘broadband’)
  • It might not be possible to plug it straight into an existing network (some routers can accommodate this though)

My advice with regards to backing up Internet connections for those of a non-technical nature is simple: talk to the ISP providing the main service. If this ISP cannot assist with a backup service, it may be worthwhile shopping around for another ISP that can.

E-mail

There are many different types of e-mail service (Amanda Gonzalez has written this simple guide at Flying Solo,) each with its own risks. The three main risks that an e-mail system presents are:

  1. Not being able to send/receive e-mails
  2. Losing sent/received e-mails
  3. Losing address books

A few tips/points regarding e-mail:

  • The safest e-mail service is probably a hosted one where availability of backups and an SLA are guaranteed by contract.
  • Personally, I like IMAP; I run (and back up) my own mail servers. My entire IMAP folder structure is copied to a second server in my office and also a server in the USA on a daily basis. IMAP also makes it convenient in that I can access my mail from either laptop at any time.
  • The risk of data loss with POP may be mitigated by backing up the appropriate folder(s) on the computer used to access mail on a regular (daily or greater) basis.
  • Unless using an enterprise mail system (GroupWise, Exchange, etcetera) where address books are a server function, address books for IMAP/POP mail clients need to be backed up.
  • Free e-mail services can provide a handy secondary/backup for regular e-mail services. Address books from primary services should be synchronised to secondary services on a regular basis.
  • I would discourage the use of any free e-mail services for mission-critical applications. When paying for a service, the provider has a contractual obligation to make sure that things work; with free services, it is a gamble. (I have seen enough instances of outages, compromised (hacked) systems and user data loss in free e-mail services to recommend them only as secondary/backup systems.)

Web Hosting

Here are a few points to consider when assessing the risks of web hosting:

  • SLA – 99.99% guaranteed uptime sounds great. But is that per year or per month? Lose a 9 there and that’s just under 9 hours in a year. Examine these figures very carefully.
  • Hosting providers (especially the cheaper ones) often perform scheduled maintenance without warning customers. How critical is uptime – is this an issue?
  • Overseas hosting providers often perform scheduled maintenance during the night – which might be in the middle of business hours elsewhere. Could this present an issue?
  • If a hosting provider is also handling DNS and/or registration for a domain, it may be very hard to move to another provider in the even of the first provider going broke (doing a runner, turning ‘funny,’ etcetera; I’ve heard them all.)
  • Always have a hosting contingency plan should it prove necessary to move a site in an emergency.
  • Remember that ftp is not a secure protocol. Personally, I would not use a hosting provider that used ftp with plaintext user name/password logins for any site that handled sensitive (personal, financial) data. ftps (encrypted ftp) should really be the minimum standard.

The Cloud

Readers are likely to have been hearing much buzz of late regarding ‘The Cloud.’ The main thing to understand about Cloud Computing is that, rather than having software installed on my computer, I run software on another computer (or computers) somewhere else.

It is at this at this point that I should disclose that I am a self-confessed Cloud Skeptic. Whilst I can see the many benefits and possibilities of Cloud Computing, I am very much aware of the risks that come with this technology and which need to be addressed before the business world becomes over-reliant on it.

Web Applications – There Rather Than Somewhere

Here I am, a web applications developer, saying that The Cloud is risky. Is this not an odd thing to do? No – and for two reasons:

  1. I constantly analyse the risks of my own business
  2. I make a distinction between the applications I write and host in known physical locations with applications running somewhere (anywhere.) I run Virtual Private Servers (VPS) for myself and my clients; these are located in data centres I have specified. If I were to ask my provider, they could even send me a photo of the physical machines the VPSs are running on. With a Cloud-hosted application, I just have to be content with it running ‘somewhere.’

My concern over Cloud-hosted applications is that there the systems required to produce server instances ‘somewhere’ are by far more complex (and immature – and I’ll cop some flack for saying this) than those required to deliver a Virtual Machine on that computer over there. –> *points*

Internet Connection

No, this is not an inadvertent copy and paste from earlier on in this article. If I run software – say a word-processing package – on my computer and my Internet connection fails, I can carry on using it. However, if my word-processing package is actually running as a service somewhere in Cloud-Land, whoops – it’s gone. The Internet connection thus becomes the weakest link in the business for which provision needs to be made accordingly – such as a means of being able to work offline.

Use The Cloud, by all means – just be prepared.

Conclusion

If all that technical detail has readers reeling, not to worry! I will now summarise the entire article in three bullet-points:

  • Technologies on which a business relies present risks.
  • For each technology used by a business, an assessment should be made as to whether it presents a business risk and, if so, to what degree.
  • Action should be taken for each identified risk which may include:
    1. Acquiring backup equipment
    2. Taking out support contracts
    3. Identifying alternative vendors
    4. Documenting plans on how to respond to a risk becoming an incident

Other Stuff

Likely as not, if looking at business risks for the first time, readers might be starting to think that they extend far beyond the technology risks I have discussed. I will, therefore, leave you with some further avenues of thought:

  • Infrastructure – power, water.
  • Premises – where to relocate?
  • Key staff – should more than one person understand their role?
  • Work vehicles – alternatives when off the road?
  • Zombie attack; seriously. Zombies only exist in the movies (and my office, before my first espresso,) but analysing the risks of a hypothetical, if fictional, scenario may identify gaps elsewhere.

Phew, finished! It’s a lot easier to do risk assessments than to tell other people how to do them. Hey, wait, is this thing still recording?