Many SMEs rely heavily on their ‘e-commerce’ websites to drive their business models. Indeed, many traditional forms of sales and marketing are possibly ‘semi-redundant’ given today’s fast online search functions and retrieval methods.
However, SMEs appear to be somewhat behind the game in considering the ‘risks’ associated with such activities. Often, I have encountered owner-managers with limited IT experience, relying heavily on outsourced contractors. But at LayerTec we have direct experience through extensive empiricism that contractors only do the basics – and indeed not even that!
So what should an owner-manager consider doing where greater volumes of business are now conducted ‘online’?
Firstly, it is wise to consider a strategic ‘risk assessment’ of your operations and the impact upon your business if critical activities or processes cannot operate as required because of systems failures or systems-related ‘black-outs’. It is also worth remembering the commercial impact upon reputation due to poor customer service and delivery.
At LayerTec we recommend that you prepare your own high-level risk assessment based upon denial of service and the consequential impact and associated disruption to your commercial activities. It is worth inviting in your IT representative, if you have one, or otherwise your IT contractor, to gauge and ascertain their views.
Secondly, consider an independent review of the defenses that your enterprise has deployed, to assure the executive function that systems and associated applications are operational and being maintained.
Thirdly, we recommend a review of any IT/service-related contracts that might be in place with external contractors. Check whether the key issues pertaining to ‘cyber security’ are adequately codified within any supplied narrative. Sadly, at LayerTec we find all too often that such arrangements are mostly amorphous.
Fourthly, we suggest that regular formal management meetings covering IT security should be adopted. The senior executive should attend and chair such conclaves, and relevant interested parties such as your IT contractor should be invited if appropriate. Clear decisions can then be formally minuted, which is very useful from an audit trail perspective.
By adopting the above measures and ensuring that adequate professional advice is ‘inputted’ into regular formal IT Management Review meetings, senior management can start to demonstrate stronger governance arrangements in this hitherto uncodified and potentially dangerous area of cyber security.