"Penny wise and pound foolish" is a common saying that describes the act of concentrating on economizing small matters so that one either misses opportunities for larger gains or exposes oneself to larger risks. I recently used this saying in a conversation with a client who was having a setback in his business earlier this year. In an effort to save money, he was seeking to cut expenses in his IT and marketing budgets.
When times are uncertain or business slows, people tend to cut these two budgets first. These are short-term-minded decisions. Cutting your marketing budget decreases your lead generation, ultimately leading to lower sales within three to six months due to an insufficiently stocked sales pipeline. Cutting your IT budget increases the risk to your data, which affects overall productivity and your reputation.
To save money, my client decided that his team would archive all their old projects on a USB drive and leave it attached to their server for access, thus reducing the cost of the data being sent offsite for disaster recovery. I recommended using three drives for this idea: One was always attached to allow shared-drive access to the data, and the other two drives would be rotated offsite for disaster recovery in the event the primary drive failed or the server was compromised. Archiving the data would reduce his offsite storage costs, saving him money. But it would also now be his responsibility to protect the archived data, since it was no longer part of an automatic backup process.
Five months after these changes, his server was attacked by ransomware. Since the company manages its own computers, firewall and other security, the first notification we received was from a staff member stating he couldn't access the data. The data had been encrypted and the server was useless. Fortunately, we were continuing to back up the server and were able to restore the data. Unfortunately, the archive drive he had created was attached to the server during the attack, and its contents were also encrypted. This should not have been a problem: he could simply bring in one of the two offsite USB drives he had been rotating to restore the archive data. Unfortunately, since he had never had a server compromised or fail, he had never purchased the other two drives and didn't have another copy of the data. His only options now were to forgo recovery of the data or pay the ransom to the attackers. The ransom cost was significantly more than the offsite disaster-recovery cost he would have spent in an entire year to protect that same data. If this were you, would you pay the ransom or allow your firm's entire project history to be lost forever?
How do you make this decision before you have the incident? How do you make a quantitative, risk-based decision on the security and protection of your data? Your data and your processes combine to form the intellectual property of your firm. To calculate the risk, first determine the cost to run your business for one day. A better number is one to two days, but if you prefer to be overly optimistic, then use one day or eight hours. If your staff works 40-hour weeks, then eight hours is 20 percent of your weekly total payroll, including taxes and benefits. If you are open Monday-Friday for 52 weeks a year, then calculate your other fixed costs annually and divide that by 260 to get a daily cost. Based on my experience, a typical ransomware attack has direct costs of $50,000 for ransom payment, IT remediation and documentation of regulatory compliance for a firm of about 20 people. Now, add this number to the cost of your labor and fixed costs to operate for one day to get your total disaster cost for a single day. If this number is higher than your data protection costs, then keep protecting your data. If it is lower, add in the cost for potential lost sales, lost shipping or damage to your reputation -- which are educated guesses -- and then choose the option you can stomach.
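The decision procedure above, turned into a small calculator. This is an added example, not from the original article; the firm's figures are constructed, and treating "data protection costs" as an annual figure is an assumption.

```python
from dataclasses import dataclass

HOURS_PER_WEEK = 40
BUSINESS_DAYS_PER_YEAR = 260  # open Monday-Friday, 52 weeks a year
# Ransom payment, IT remediation and compliance documentation for a ~20-person firm,
# per the article's experience.
TYPICAL_DIRECT_INCIDENT_COST = 50_000.0


@dataclass
class Firm:
    weekly_payroll: float           # wages plus taxes and benefits
    annual_fixed_costs: float       # rent, insurance, licences, etc.
    annual_protection_cost: float   # assumption: offsite backup / DR spend per year


def daily_operating_cost(firm: Firm) -> float:
    """Cost of one eight-hour business day: 20 percent of weekly payroll plus 1/260 of fixed costs."""
    payroll_per_day = firm.weekly_payroll * 8 / HOURS_PER_WEEK
    fixed_per_day = firm.annual_fixed_costs / BUSINESS_DAYS_PER_YEAR
    return payroll_per_day + fixed_per_day


def disaster_cost(firm: Firm, downtime_days: int = 1,
                  direct_cost: float = TYPICAL_DIRECT_INCIDENT_COST) -> float:
    """Direct incident cost plus the operating cost of the days the firm cannot work."""
    return direct_cost + downtime_days * daily_operating_cost(firm)


def decide(firm: Firm, downtime_days: int = 1, soft_costs: float = 0.0) -> tuple[str, float]:
    """Apply the article's rule: compare disaster cost with protection cost; only if
    protection looks more expensive are the soft costs (lost sales, reputation) added in."""
    cost = disaster_cost(firm, downtime_days)
    if cost > firm.annual_protection_cost:
        return "keep protecting", cost
    cost += soft_costs  # educated guesses, added only when the direct comparison favours cutting
    if cost > firm.annual_protection_cost:
        return "keep protecting (soft costs tip the balance)", cost
    return "risk is yours to accept; choose what you can stomach", cost


if __name__ == "__main__":
    # Constructed 20-person firm: $40,000 weekly payroll, $260,000 annual fixed costs,
    # $6,000 a year for offsite backup.
    firm = Firm(weekly_payroll=40_000, annual_fixed_costs=260_000, annual_protection_cost=6_000)
    verdict, cost = decide(firm, downtime_days=2)
    print(f"two-day disaster cost ${cost:,.0f} vs protection ${firm.annual_protection_cost:,.0f}: {verdict}")
```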
There are no right answers -- only risks you are willing to accept. The question isn't whether you will have an incident. The question is whether your business can survive the consequences.
For more information, visit www.omnipotech.com or call (281) 768-4308.