Obscured by Clouds: Common IT Decision Missteps to Avoid
For many business owners and IT managers, the promises touted by major cloud services (i.e. SaaS, or Software-as-a-Service) are very attractive: shifting IT costs from CAPEX to OPEX, freeing employees from the perils of outdated desktops and software, increasing mobility and productivity, and saving money. All of these advantages can be had, of course, but not without careful planning and execution. Contrary to the marketing hype, SaaS and cloud services are not a panacea. Many businesses fall prey to the one-size-fits-all beliefs touted by some cloud vendors without casting a critical eye on their own specific needs. In fact, this seems to be one area where ordinarily free-thinking business leaders forget about the unique qualities of the company they work so hard to grow and settle for “stock” solutions. The great strengths of cloud services – tools that are both powerful and easy to use – are also their greatest potential dangers.
Here are the most common mistakes I have seen in my experience as a strategic IT consultant for my clients in New Jersey. They most likely apply to businesses just about anywhere:
Misstep 1: “I will use SaaS (Office 365, Dropbox etc) for all my needs, but I will ignore device management and security.”
This is the most prevalent (and possibly the most dangerous) misconception I’ve heard in my interaction with IT decision-makers, especially those who don’t have a technical or traditional systems administration background. At just a few dollars per user per month, offerings like Office 365, Dropbox for Business and Google for Work offer an incredible amount of power and productivity. What they don’t offer is comprehensive security for the devices that employees use to access those services, nor do any of them have a truly powerful device management solution. To be fair, these SaaS providers don’t claim to provide these items (Google does have mobile device management, but obviously it’s preferential to devices running Android or Chrome OS). But, as unsexy as security and endpoint management can be, it’s absolutely critical to have for any business that doesn’t want to let their employees dictate terms on how company devices or data get exposed to threats. One critical fact that many businesses continue to miss is that every person and every device in the company is a potential attack vector. Your data may be safe at rest in your cloud provider of choice, but as soon as any device or person access it, that device or person may open the door to threats and hackers if there are no security measures in place. On the device management side, it’s simply a matter of having oversight of the company’s data and devices. Every business leader I’ve known wants their workforce to be productive and their customer and proprietary data to remain out of the hands of anyone but them. Ignore device management and endpoint security at your own peril. The services I mentioned are absolutely great products, but they don’t cover all the bases for a business that wants to stay productive and grow.
Misstep 2: “I will ignore my compliance requirements in my move to the cloud.”
Financial advisors, healthcare professionals, and businesses dealing with personal customer or patient information, this one is for you. There is no doubt that the cloud can be quite safe with data. But, not all cloud services are created equal when it comes to compliance concerns like HIPAA, Sarbanes-Oxley and PCI. In many instances, your customer data or patient information needs to be encrypted both in transit and at rest. Some cloud services do not provide those solutions out of the box, and may require additional services or systems to satisfy compliance.
Misstep 3: “If I set up my policies for my SaaS solution, I don’t need written policies to govern my employees.”
This misstep is closely related to the previous one, though it also applies to companies without official compliance concerns. Managing cloud services and user accounts, while requiring skill and common sense, is relatively straightforward in most cases. However, governing the use of those services and the data contained therein has more to do with understanding human nature than any complex software or user account system. Just because your employees can do everything from a browser window, on any device they have in hand, doesn’t mean they should be doing it. Software and account controls only go so far. Every company needs an Acceptable Use policy, as well as an Information Security Policy. Setting expectations and requirements relating to your IT infrastructure is just as important in the age of SaaS and cloud as it always was, perhaps even more so. I should also mention the importance of training your employees in the use of any software, cloud-hosted or on-premise as well. Employees need to be aware of the risk of data breach, and what policies are in place to protect the company’s assets and their productivity. They should be informed in writing what your company’s expectations are for their conduct in using both the cloud services themselves and your proprietary data.
Misstep 4: “Now that I use cloud services, I no longer need IT management or oversight.”
One could argue that this last point is self-serving for an IT consultant and managed service provider to present in this article. Allow me to offer the experience of several of my smaller clients having great success with just a handful of cloud services in a small office environment. These are mostly small legal firms and marketing groups. However, none of the successful ones have more than five employees, nor do their needs reach beyond basic emailing and writing a few documents or spreadsheets. If your business fits that description, you probably don’t need IT management or oversight. You are most likely within shouting distance of every employee in the office and they all know the expectations you’ve set for their computer system use. But, if you’re a larger company than five employees, you have a mobile workforce, and/or your IT systems are mission critical for just about everything you do, a cloud service alone will not provide the ability to manage, oversee and plan your strategic technology moves.
Using cloud services can be the hallmark of a forward-thinking business, but don’t forget that IT decisions have a direct and profound effect on the finances of any business that relies on technology. Just as it makes sense to be accurate and strategic in your financial forecasting and planning, so is it crucial to look ahead in planning your IT “flight path”.
Step into the Cloud with a Purpose
Information Technology is quite possibly the most rapidly evolving industry in existence, and the least understood by those who rely on it. Though cloud services can solve a lot of the tactical issues that existed in the past, there still needs to be a high-level grand strategy to the IT decision-making process. The choices made today can have a big impact on future profits and expenses. Business leaders need to know where their IT flight path leads them, or else they may end up flying blindly into the cloud.