How to Reduce Risks You Don’t Even Know You Have, Starting with a Network Assessment
TRANSCRIPTION:
Introduction
Today we’re going to be talking about network assessments, why we do them and some of the things that we have uncovered during our assessments that business leaders are often unaware of. It’s kind of opening up pandora’s box.
One of the things that we uncover, business leaders are just clueless and oftentimes are shocked to see the results.
So when we first started talking about I.T. management, we have to back up a little bit and define what it means to be a complete I.T. environment.
Most people that are not in the I.T. business think about their computers. They think about their software, but don’t have a real frame of reference as to what goes on behind the scenes to run those computers and that software.
And the reason we point this out at the beginning of a conversation about network assessments is because it’s important to have some insight into the backend of what I.T. is.
Because if something on the back side of the network isn’t proper, isn’t working the way it ought to, then that’s going to trickle down and present issues for your users. It’s going to cause delays, it’s going to cause a morale issue. It’s going to cause security issues, productivity issues. The other point of bringing all these things up is to show that one person can’t do it all.
When I started in the I.T. industry 25 years ago, I was kind of a jack of all trades, master of none. I could do everything. I could manage a server, I could manage a computer, I could help the end user. I could connect it to the Internet and make sure that you could get where you needed to go on the Internet when it was still pretty young and relatively safe.
Now you can’t do everything.
One person cannot be a master of all those things. So it takes a team of professionals to run a network. Even a small network, which is one reason JMARK is here. We were able to help smaller businesses who can’t afford to hire people of all those different specialties. We can provide those as services rather than a small company having to have a whole bunch of headcount.
What is a network assessment?
So as we dive in and really talk about network assessments, it’s important to define really what a network assessment is.
There are a lot of components to a network assessment but the parts that we are going to focus on today are going to be sources of risk and sources of potential improvements through productivity gains and things like that.
Specifically when we talk about risks, we’re talking about patch compliance, backups, security and lifecycle management. Those are the biggest points. Obviously in an assessment we get a lot deeper than that. But we want to respect your time and just kind of hit the high points today.
So when we break this down, we’re really talking about a math problem.
There are three items that we’re going to hit and that’s how I.T. can help you increase your revenues, how they can help you reduce your risks, and how it can help reduce your costs.
And at the end that means more profit for your business. And really at the end of the day, for most people, that’s why you’re here.
That’s why people are in business. A CEO of a company is typically interested in doing these three things for the purpose of increasing their profits. Whenever we go through and as we go through this presentation know that the format is going to be talking about each of these three items and then we’re going to give you a case study of where we’ve had success in the past with a particular client.
We’re going to keep the client anonymous for their privacy, but we will give you the overview of how we’ve helped people increase their revenues, reduce their risk, and reduce their cost through the findings of a network assessment. So with that to start out on how a network assessment can help increase revenues.
How a network assessment can help increase revenues
So when it comes to doing the network assessment to network evals there are three key areas that we really focus on that have a massive impact on driving revenue throughout the organization.
Equipment
One is the equipment that is used throughout the organization.
Is the equipment standardized, is it a mixed match, a hodgepodge of different brands of equipment, whether it’s server switches, firewalls even computers and all the way down to the design of that network, how things are set up and laid out.
Is it efficient and effective and accessible? Even all the way down to computers and people’s efficiencies. When I look at an employee, do they need a laptop? Do they travel with their business? Do they need a tablet? Would that be more efficient for that user or does a desktop computer work for them because they’re in the office most of the time?
Software
So next thing we look at would be software. How does data flow through the organization from beginning to end?
Are you using multiple programs to do the same job that you don’t realize one program could do everything? In fact, the statistics show that you use 20% of a software package that you purchase.
There’s a lot of overspend with software packages and how many times is data being touched by individuals throughout the organization. So that becomes inefficient and also introduces potential issues when multiple people are having to touch data or enter it manually, there’s room for errors there.
We have to consolidate and recommend different software packages to help streamline the process and mitigate those potential issues.
I.T. Support Structure
The third would be I.T. support structure.
What kind of in house I.T. staff do you have, do you outsource, are you utilizing a hybrid environment where you have some outsource, some in house staff and how best are they set up for success?
The first case study we’re going to go over is an organization that we went into and we discovered through our assessment that they had a dozen or more software packages running throughout multiple departments within this organization. What it required was one person would manually enter it in the data. Once they got it done, they would put the paper in a box, it would get shifted to another department. They would go in and enter the data and do what they had to do to manipulate and report and verify. And this went on four or five different steps within the organization.
So very inefficient. We were able to recommend a software package that allowed the first person to enter the data and that populated throughout the entire organization and helped them to become more efficient and actually reduce error. They were actually able to grow by 20% without adding headcount. So that was a big find there.
And then from a hardware standpoint we uncovered some devices that were failing or had failed, which were creating lots of downtime and slowness throughout the network. And the result of all of this was because they had one I.T. person running the whole shebang there.
He was not only set up for failure but had no time to troubleshoot properly, no time to strategize and put together a true technology plan that would help solve these problems. Every time they had an issue, all they were doing was throwing more hardware, more software at the problem that he was trying to fix. So there’s just a lot of duct tape and mandating instead of putting a tree strategy together, which we helped them to develop and helped them to increase revenues throughout their organization.
A recurring theme that you’ll see throughout this presentation is about a single I.T. person or a single I.T. group not being able to get the job done. And I don’t want it to sound like we’re against the I.T. people because I mean we are I.T. people.
We understand the unique situation that folks were put in where they are asked to support end users and keep them up and running. And oftentimes it’s going to feel like they’re successful because they’re keeping the user’s computers running, they’re keeping people at work.
But oftentimes what suffers on the back end is a lot of that stuff that we talked about on that one of those first slides, all these things in the backend that have to get done.
And eventually if they don’t get done, the piper has to be paid because if updates don’t get loaded, if backups don’t get tested, if a disaster recovery plan doesn’t get executed, if lifecycle management doesn’t get implemented and the equipment gets too old, then you’re introducing a lot of risks into the environment, which brings us into our next subject, which is reducing risk.
How a network assessment can help reduce risks
We’ve already talked about one of the big risk factors, but the one that most people think of, and the one I’m going to talk about now is the more kind of in your face one, the one you see on the nightly news. Whenever there’s a data breach or some sort of a hack that’s not against the company.
A really scary statistic that comes from the US Bureau of Labor Statistics is that a company that is breached in a cyber-attack when that happens, there’s an 80% chance that that company is going to go out of business within the first year after the attack. It is a terrifying statistic, but unfortunately, it’s true.
And there are some things that we can recommend that we can uncover in a network assessment that will reduce your risk profile when it comes to cyber-attack. A lot of them are kind of common sense sort of things that most people know about, but oftentimes they don’t get to implement because they don’t have time to think about the stuff that hasn’t actually affected them yet.
Those things all cost money, unfortunately, and the smaller of a company that you operate, unfortunately, the higher cost as a proportional number of amount of your revenue is.
The smallest quartile of companies that are sampled in this information came from Gartner I believe. The smallest quartile companies spent over $1,700 per employee on I.T. security, whereas the largest multi fortune 500, fortune 100 type companies they only have to spend about $400 annually per employee. And that’s just economy of scale. Unfortunately, there’s not a good way around that because you’re still connected to the same internet and you still are the same type of target to a criminal. So we just have to accept the fact that smaller businesses have a larger cost of I.T. compliance. Another thing to consider is the fact that I mentioned the nightly news.
We all know whenever a large company gets hacked because we see it on the news at night.
The stat I don’t have in the presentation here, but it’s worth sharing is that the majority of cyber-attacks are performed on small companies. They are typically a softer target because let’s face it, a small business doesn’t have the I.T. security budget of a multinational, a publicly traded fortune 100 company. So the criminals who are out there trying to make money by breaching your network, which let’s face it, that’s what they’re doing, they’re trying to make money. They’re going to go after rich targets that are small and less hardened.
The mentality of “it won’t happen to me because I’m too small” is a faulty assumption because most of most companies are smaller.
Most of the companies that are hacked are smaller, they just don’t make the news because it doesn’t affect as many people. But don’t feel like you’re necessarily safer because of your size. We talked about the cybercriminals and what they are after.
These are some of the things that are being sold on the black market right now. The dark side of the web as it’s been called or as it is called, experience to these news of 2018 numbers. And the value of some of this personally identifiable information such as credit cards for example, can be sold on the dark web for anywhere between five and $100 per credit card number.
That doesn’t sound like much, but when you think about the fact that a cybercriminal will engage in phishing activities and other illicit activities to try to get tens of thousands if not hundreds of thousands at a time, they batch these up and sell them an online auction sites on the dark web, much like Ebay for criminals.
I bring this up just to point out that there’s a huge market for this sort of data and as long as people are willing to pay for it and there’s a criminal economy out there to support it, there’s always going to be a market for it. There are always going to be people who are willing to pay for it.
That being said, most of the hacks that happen that you see that a business faces actually aren’t out there trying to steal data directly from a company. The majority of attacks that we see are actually trying to take over a computer to perform a task on other people. I know that seems kind of convoluted, but if you think about where a task comes from, most of the criminals are wanting to stay hidden on the Internet.
So what they do is they hack into your computer or say your business has 20, 30, 50 computers. They’ll hack into your business. They’ll try to take over your 20, 30, 50 computers and steal 10% of their processing power and use your computers to go out and attack the unsuspecting users.
One, it’s power in numbers, it’s strength of scale or power of scale. They’re getting more computers to do the hacking, and two it shields them from investigation and from being blacklisted.
If you’re running a reputable, let’s say accounting firm, people don’t have you blacklisted as a hacking side, much like they might have like black market sites in Russia where it’s easy to block them based on geography. So they’ll hack the company’s computers here and have them do the attacks across the web.
So the attacks are coming from multiple different points, whether that is a phishing attack or spam email, most of the times those are coming from legitimate computers that have been compromised.
One of the things that we look for in a network assessment is traffic coming in and out of the network that is not identifiable with that type of business.
If we see a lot of traffic, maybe going out multicast traffic that’s going out of a computer to tens of thousands of other computers, that’s not typical in a small business. So we’ll analyze that traffic and figure out that that computer may have been compromised.
So our case study for the reduced risk portion of this is about a client that we walked into who is in a regulated industry and they called us because they were concerned that their I.T. person maybe getting behind.
The users were still happy and they were still getting their computer issues taken care of, but they had gotten a couple of dings on exams that are required by their industry and they hired us to come in and take a look around and make sure that everything was as good as it seems.
Because you miss a couple of little things. Maybe that’s a tip of the iceberg. Unfortunately, they were right.
We went in and we found that patches and updates hadn’t been done in months, years in some cases on some pieces of equipment. There were backup issues that were pervasive for years. They thought they had good backups, they were going to bed every night thinking that if a fire or a flood or tornado happened, they could recover.
What we found out was that their data hadn’t been backed up in over six months. The reports were good, but nobody had actually tested it to find out that they weren’t working.
And one of the things that a lot of people don’t think about it as a true risk is there was no forward thinking technology plan, all of the computers on their network were coming of age and they had no plan to get them cycled out before the version of windows that was on was going to expire.
This bank was going to be hit with a huge amount of cost over the next six to eight months because they were going to have to replace every computer on their network and they hadn’t planned for it and it was going to be a fire drill.
It wasn’t because of the guy that they had on staff was doing a bad job per se as mentioned earlier.
This guy was set up for failure because he didn’t have the resources or the tools or the experience to do all the things that needed to be done. He was simply keeping the wheels on the bus.
How a network assessment can help reduce costs
Reducing costs in an I.T. mentality is kinda tricky because most people see I.T. and technology as a cost or an expense as opposed to an investment. So that’s a big challenge to get over.
It’s that necessary evil. And when it comes to reducing costs, I’m not necessarily talking about reducing cost in hardware or software or in I.T. support, but also human capital.
Everybody knows that technology experience when you come into work every day and utilize technology, which everybody does.
If it doesn’t work, it’s slow, it’s clunky, you get frustrated. They need to talk to your employees about it. And that spreads like wildfire.
Just morale throughout the whole organization goes down. And when you have technology like that, it could lead to turnover. The human capital part of this. And when employees are dissatisfied with their technology, it’s not uncommon to see them leave.
What we see a lot of organizations do to mitigate that is throwing money at problems as opposed to what we’ve mentioned before, a strategy behind the problems. They’ll throw hardware, throw more software into the organization to help fix a problem and kind of pacify people. This results in overspend in I.T. infrastructure and I.T. support.
Again, looking at hard costs for soft cost again, hard costs being your equipment, your software, your employee. Soft cost being the cost associated with losing an employee, the cost to recruit, afford and retain those employees are the big ones that we like to talk about.
Instead, through these network assessments, when we uncover these inefficiencies throughout the network, we help to build a plan, build a true I.T. strategy, and educate our business leaders on how to invest in the right technology, the right strategy, and the right way.
What it’ll do is drive efficiencies and make your employees a lot more productive, a lot more efficient. They’re not staying late after work, trying to get their job done. We see a lot of people miss sporting events for their kids or whatever it may be around their kids and that will impact morale.
The biggest thing here is going through the network. In this next case study, we were able to go through a network for an organization that had called this and they had this perfect example of why were frustrated.
They felt like they were overspending in I.T. and they needed a professional organization to evaluate them. So we came in, we did that.
They were undersized in their I.T. staff for what they had. They had deployed multiple brands of technologies that not any one person was an expert on, which became hard to support, hard to troubleshoot. They operated on a shoestring budget, which is always a problem.
We were able to put that technology plan together, help them to deploy it over a couple of years. The ROI was less than 24 months on everything we deployed. And again they saw that their turnover was reduced and they were actually able to attract new employees because of the technology they had within the organization. In another way that people reduce costs that may seem counterintuitive, is to spend a little bit more money on their equipment and infrastructure.
I know that sounds backward, but one of the most counterproductive ways than an I.T. person can “save” an organization money (and I use “save” in air quotes) is to build their own computers, is to source at least expensive hardware. Oftentimes we find that I.T. person will go out and get the best deal they can and they’ll piece together parts to make something work in order to save 10% or 15% or 20% on some equipment. It makes them feel good and it helps justify their salary.
But ultimately that ends up costing the organization more money because your instance of downtime and your instance of uncomfortability and non-interoperability go up dramatically when you use non-standardized equipment and whenever you start mixed matching technologies. Even though it’s cheaper, it costs you a lot more money in the long run because your employees end up paying the price.
At the best case, you’re going to have inefficient employees who are losing time, and at the worst, it’s going to cause a security hole where something doesn’t overlap properly and you’re going to be a target for a breach.
Even more, going back to that what we were talking about is dealing with folks who are trying to save a buck for the organization and make themselves look good. There are a lot of times that I.T. folks will bring us into a meeting with leaders of the organization because they actually want to spend more just the opposite kind of what Jeremy said.
They want to spend more on a solution that they know is best for the company, but the leadership doesn’t understand it and doesn’t get it. So they bring us into the picture. We’re an outside company. We help from our expert opinions and experience to justify exactly why they need to invest in a certain technology. So it kind of goes both ways.
There’s definitely a goldilocks zone where not too much, not too little. And unfortunately, the guy that’s on site, the I.T. person, doesn’t have insight into what proper I.T. spend and investment looks like.
It’s a lot of information we’ve been able to garner over the last 30 years being in the industry to see what other people are doing and what works and what doesn’t work and be able to apply that knowledge to all of our customer base. Which leads into this next graphic, which we call our approach for success.
How does a network assessment work?
The triage stage
No different than going to the hospital or a doctor if you’re sick or not feeling good, you’re hurt. They’re going to triage you before they put together a plan.
So we have to triage the environment, assess the environment, and then work with our clients, collaborate with them, give them the good, bad and the ugly of the environment. Work to get it stabilized to where you’re not in as much pain. There still may be some pain, but you’re set up for more success.
The strategy stage
And then from there, we strategize, put together a plan and we like to put together five-year technology plans for our clients, which five years in I.T. is farfetched. But it does give us a vision that we address at least quarterly or semiannually with our clients. As business changes, technology changes we’ll be going over that and making changes.
Innovate and refine stage
After the strategy stage, then we get to the innovate and refine and a lot of people think it stops right there and it really doesn’t.
When you’re able to innovate and develop new products, that helps you to set yourself apart from your competition, help you to go after not only new clients or better clients, but also again, employees, employees that want to come to your organization.
So it’s all about the triage, network assessment and building your way up to a superior network that is coming along is efficient as possible and allows you to grow and develop new products and strategies for your organization to help you set yourself apart.
Unfortunately, one of the things that we find a lot of times in an organization that has never really looked at this holistically, they stop at the stabilized phase. And it’s kind of a trap to an extent because once things are stable and working, most people think that’s the finish line. And those are the folks that really believe that I.T. is an expense.
If they can keep the wheels on the bus so they can keep your employees working that’s all that matters. But if you don’t take those next steps to strategize, innovate, refine, and develop new products with I.T. at the center of that conversation, you’re missing a huge opportunity.
I.T. proper technology management can really drive business and propel you ahead of your competition a lot more than just being a stable computer for your users.
We drive this conversation home to talk about I.T. maturity. These are all steps that are needed to really be considered a mature I.T. environment. It starts with systems design which kind of relates to that pyramid and the triage, standardization which I talked about a moment ago, proper governance, not only within I.T., but within the entire company.
That relates to your structure, how you handle change management and things like that all play in. And those are all key components to how well you can grow and scale your company. And having proper documentation is phenomenally huge.
We used to call it the hit by the bus book here. If somebody got hit by a bus, we wanted to make sure that we knew how to do their job the next day. We’ve since changed it to the win the lottery book. We want everybody to document how they do everything. That way if they win the lottery we know how to do what they were able to do. But all those things are important for strategic alignment and ultimately for growth.
Closing Remarks
It just starts with the network assessment and we recommend doing them annually or semiannually just making sure that you are aligned with your I.T. department, your I.T. organization. And I think one of the key things in all of this is making sure the I.T. support structure, whatever you want to call it, make sure they’re at the table with you and your organization when it comes to making changes within your business.
If you’re going through growth and looking to acquire, looking to open up another location, whatever it may be, I.T. should be the first person to know about that because if you don’t allow them in on those details of what’s going on with the organization, they can’t set you up for success through the use of technology. So it’s building that foundation properly off the get-go. And again, network assessments are huge in letting you know where you are, and where you need to go to get to your goals and aspirations for your business.
We’ve talked about a lot about risk and a lot of the scary things that can happen in an improperly maintained I.T. environment. I guess the one thing that I would want people to take away from this would be if you think it’s good enough, try to step back from your perspective and think about is it as good as it can be because good enough is really only halfway up that pyramid and you really get the gains of the investment you’re making in I.T. when you make it as good as it can be and not just good enough.
A network assessment is a great way to find out. Maybe you’ll find out that everything is great and that’s super.
We do have those instances where we can tell people, “Hey, you got a great IT environment. I wouldn’t recommend changing a thing.” We’d love to find that because it gives people peace of mind and it lets them know that they’re going the right direction. Or maybe we can plan some things that could be done better, either way.
