Whether you have been in business for 5 or 50 years, and whether you are a small business, a large enterprise or somewhere in between, you have technical debt.
No, this isn’t your monthly cloud storage fees or Microsoft licensing bill; it is something pervasive and insidious in all IT environments. It is the “good enough” computers that haven’t been replaced, the servers no one has time to patch, or the firewall rules left forgotten for months or years. Technical debt is the work and technology that has been neglected.
Sometimes the neglect stems from constraints related to process, high expectations of uptime or gaps in staffing. You may say, “that’s not neglect, we will get to it”, “it’s not that bad, we are only 2 versions behind”, or “what if the patch breaks the server?” I get it. I understand your concerns and the real business decisions that must be made when it comes to budget for new computers, and the possible outcomes of upgrades gone wrong. I have to ask, though: do you know what the consequences are for not patching, updating or replacing devices?
Downtime. Downtime is the consequence. The question is to what extent: will you have software that stops functioning properly because it is out of date? Will you have a computer, server or switch that fails completely due to age? Or will the worst happen: a security vulnerability that could have been patched, or prevented through configuration, is exploited and allows malicious software or ransomware to infect or encrypt your entire environment?
You can say that is a scare tactic, or that I am fear mongering, and maybe you are right.
I have good reason to be concerned though, and maybe you should be afraid. What does your daily revenue look like? Could you go without revenue for 3 weeks (the average downtime for a ransomware attack is 21 days)? What if it took you 9 months to recover completely from an attack (the average recovery effort is 287 days)? Will you be fined for losing customer data or employee PII?
Costs add up quickly when you bring in consultants, cybersecurity experts, incident responders, lawyers, insurance agents, compliance experts, and PR teams. The ultimate price is a negative impact on your relationships with customers and vendors. Goodwill, trust, and revenue disappear much faster than the time it took to build up technical debt.
Questions after a breach are difficult and expensive to answer. What questions can you ask before a breach to prevent one?
- What is our patch schedule?
- When is our maintenance window (planned network outage for network device maintenance)?
- Do we have support contracts for our supported software and hardware?
- Do we have any devices that are end of life?
- Who addresses security vulnerabilities, and how?
- How often do we update our software?
- What security products do we use, and how are they evaluated?
These questions seem simple, but the answers can be complicated. Your IT infrastructure should not be viewed as a “cost”; it is a profit engine when functioning correctly. When your IT infrastructure carries debt (old, unpatched, not secure), you risk the life of the company.
My advice: analyze your technical debt. You will find that addressing it can improve the efficiency of your employees and your systems, and protect you from downtime that can affect your future.