Independent IT Consulting

IT Insights

Risks of online applications

20/11/2020

 
Online subscription software is easy to get going with, and it seems to cut out the upfront cost and turn your costs into opex - but what are we trading for this convenience? What risks are we adopting?
The olden days
Back in the dark ages of computing (1990s to early 2000s), choosing what software to use was an even bigger decision than it can be these days. Firstly, there was choosing the solution for your problem: a lot of reading, and promises from vendors, reviews from users and the press were crucial. Gartner’s quadrants helped. Sometimes you would run a formal selection process with vendors. Maybe there was a demo disc you could trial the software with.

Once you had selected the solution there were the upfront costs (often a hefty figure):
  • Software licence
  • One year subscription for updates and perhaps also software support
  • Maybe a suitably powerful server to host the main system
  • Making sure your PCs were powerful enough to run the new software

Then there was the ongoing cost of the software subscription, and the regular upgrades and patches that needed to be put on servers and PCs. All with their own invoice cost, let alone the cost of having your IT teams or office staff stop work to do patching or learn new features. Depending on the subscription model, you may end up paying again for the latest version of the software!

Nowadays 
These days getting started with a new piece of software is often as easy as entering an email address and sometimes a credit card number. You’re away: no installation, it works on all your computers via the web browser, and no one is installing server software, upgrading computers or having to manage the software versions. All of it is taken care of!

All costs with the software can be made opex so you don't need a business case and you only pay for what you use.  

Google and many other online providers pioneered this approach of subscription software delivery. Microsoft has done the same and continues to invest heavily in this direction, going as far as a subscription approach for gaming with Game Pass (essentially creating the Netflix of games).

So, with all these advantages what on earth could the drawbacks be? And why should I be worried? Here are our top five risks when using online software (or software as a service):

Risk #1 - Data governance and privacy
The risk:
When you enter data into a website it is saved somewhere real, on a computer that is physically in a building/structure, in a country.  The laws of that country now govern that data, along with any rules and agreements in place with the organisation providing the computer that the data is being saved on.  It is pretty rare for a software provider to clearly outline where the data you enter is saved. 

In New Zealand we have privacy rules and codes of conduct about the data collected and where it can be stored. What's more, consideration of Maori data governance interests might be relevant. These rules have implications for collection, storage, use and access, so you will need to consider both how the software treats the data collected and how you use it.

What can you do about it?
Start with what data you are storing. There may not be any expectations for the product descriptions and cost information you store in your e-commerce solution; however, there might be for the customer information you do collect.

Check the website for any direction on where they are storing information, what security they put around it and the reliability of the security checks they have on their system.  If they do not publish information regarding this, try contacting them to find out.  If you don't get a timely response, or no response at all, think twice if your information is sensitive in nature.

Risk #2 - Confusion - too many applications for the one type of work
The risk:
There are usually many, many, many software solutions to solve the same problem. Just looking at the project tracking space you have solutions like:
  • Trello 
  • Microsoft Project / Project Online 
  • EasyRedmine
  • Asana
  • Zoho
To name a drop in the bucket! All of them are good in some way or another and offer advantages the others may not, such as features, cost, etc.

We met with a client recently who used three pieces of project/task tracking software across their clients and internally, and were about to add another one. None of the software talked to the other; one set of clients used one tool and another set of clients used another tool. They know they need to consolidate, but in order to do so they would have to retrain one set or all of their clients in the new solution. Furthermore, all the information stored in one application would have to be moved across (more on that below).

In larger organisations this can be a real problem where different groups or departments grab the software they like the best and get going.  They aren't constrained by the capital expense rules that meant the decision would require greater scrutiny before being signed off.  This has its pluses and minuses.

What can you do about it?
Keep a central software register and put someone in charge of overseeing such decisions.  Do your best to configure this so that they aren't holding up decision making but are creating awareness around solutions already in use.  Encourage requirements gathering and checking before signing up - perhaps there is already a solution being used that would suit their needs, perhaps the cost and benefits don't stack up.

Risk #3 - Integration 
The risk:
You've got your e-commerce solution to sell your wares and it's slick and does a great job of helping customers to purchase your amazing products; however, the inventory solution isn't connected. We met with one company where one of their staff had to spend the first part of every morning manually updating quantities in the e-commerce solution with stock levels to avoid customer disappointment when they ordered.

Stitching together different software products to create a coordinated solution for your business has always been a problem. This is where ERP products (like NetSuite, Microsoft Dynamics) generally came from: a single integrated solution to run the whole business. However, as smaller niche solutions that solve one part of a business problem have exploded onto the scene, the problem of integration has gotten bigger again.

There are tools that can help with integration, but you are looking at configuration, running costs and making sure that nothing changes in either of the two integrated systems that breaks it all.

What can you do about it?
Choose wisely. Ask yourself some questions when making your decisions:
  • Do I (or will I) want the information I put in this solution to be available elsewhere?
  • Does this solution connect to other systems I use? If so, does this cost extra? How reliable is the connection?
  • Can I use something I already have in my existing solutions to do the same thing?

Risk #4 - Lock-in 
The risk:
You've picked a solution, and it becomes crucial to your business's operation. Everything is running fine, then something changes: the prices go up, the system starts misbehaving, or there aren't new features being added to help you keep up with your competition, so you are now looking at other options to move to. But wait…all your historical and current information is kept in this system and there isn't a way to get it out or transfer it over. Or worse, you look closer and the contractual agreement to use the system was that they own all data you entered into it, or they expressly exclude any support for taking data out.

You're stuck. It’s going to hurt to move to the new solution: not just getting the new solution to work right for your business and training your staff in the new solution, but all that lost information and history, or the labour time and cost to manually add this history into the new solution.

A software solution limiting you like this seems unlikely? Unfortunately, this is the business model for many companies, big and small. We see it across all sorts of offerings. Creating software using the Microsoft toolset, for example, means you have to stay on that or recreate everything on a competitor’s toolset.

What can you do about it?
  • Choose carefully up-front
  • Understand this is a risk you might be taking
  • Be sure that the company you are getting the software services from has a good track record of investing in its products
  • Check your contracts / user agreements when signing up
  • Look to see if the software has a suitable export function

Risk #5 - Data access
The risk:
You have invested time and effort in curating quality data in your online system, now you want to leverage it, but how do you get suitable access to it with your cool reporting tool?  Or worse, what if your data is being used by the vendor for their own data analysis!

All too often the data you put in can be hard to extract. A few years ago, a health organisation invested in a shiny new software solution, provided as a software as a service solution. Lots of great data being captured, cleaned and ready to use. However, limitations in the interface made it difficult to ask certain questions of the data. Luckily (or so we thought) the solution came with an export function. Problem solved! Not quite: the export only allowed 8000 records to be exported at a time, and if you tried more it failed and produced nothing. In the end they needed to work with the vendor to create a new extract that would be sent each night, but they then needed to collate and prepare the data further - all adding cost and extra expertise they didn't have.

In another situation we worked with a client that was looking to use an online solution to run their business. It functionally matched their needs; however, tucked away in the contract was a clause that boiled down to "the vendor can use the data put into the system to create meta-analysis reports on the population entered and sell that report if they wish".

What can you do about it?
  • Check your contract/licence agreements first
  • Check the exit clauses for the solution - how is your data provided to you should you choose to stop using the software
  • Check the functionality of the solution - does it have a suitable means for extracting the data, both as a one-off and perhaps also on an ongoing basis
  • When reviewing the contract look closely for ownership of the data
  • Look at integration connectivity options; tools like PowerBI and Tableau often have connectors for various software solutions. There are other ways
  • You will have obligations around sharing and reflecting the agreements you have set with people whose data you are entering into your systems; be sure those are being upheld by the new solution. If not, consider how you are going to change your policy, notify people and give them the option to opt out.
Conclusion
Online software is a fantastic evolution of computing and enables businesses to reduce overhead and costs and to pivot to meet or beat market expectations. However, whilst it often presents as an operational cost, the decision needs to be treated as an investment decision, with everything that goes with that sort of decision:
  • Understand what you and your staff need - making sure it aligns with your strategic goals
  • Careful review of contracts/user agreements - does it align with your customers' data collection agreements
  • Consideration of the lifetime cost - moving existing information into the new solution, retraining, migration off
 
Treat the decision that way, consider the risks we've outlined and you'll have the best chance of getting the value and benefit from your software selections.

Your business is going to fail because you haven't sorted your technology risks!

16/6/2020

 
Well, maybe not the whole business, but you're definitely going to take a hit, which could be critical if you aren’t prepared for it. All around New Zealand, businesses are being affected in different ways by different threats to their IT, which in turn has a direct flow-on to their business.

We’ve been talking to people around the Waikato, vendors and insurance brokers and have heard some horror stories.  Like the engineering firm being hit by a Cryptolocker virus demanding a ransom, locking them out of their own IT files – in the end costing close to $20,000 to get it sorted and in lost income. 

Or the trading website being hit by a targeted DDoS attack, crippling their site, meaning their customers could not trade. After significant effort, they were able to address it and put in measures to negate/mitigate that and future attacks. Of course only after $500,000 in lost profits and remedial costs.

Going further abroad, what about the company whose failed backup ended up costing them $5.8 million? Their core system failed and switched to the failover system. That’s great; however, the backup had failed too, losing them 72 hours of orders, mailings and collections.

The risks around IT and the impacts continue to grow day-to-day as businesses become more and more reliant on technology. Every process we put into a computer system, those spreadsheets, those IT programmes, becomes a part of our business and its ability to run.

How do we avoid this risk? Do we stop putting things into computer systems, stop connecting our machinery to software that makes it run more efficiently? Go back to pen and paper? Well no, the old pen and paper had its own risks (WINZ documents littering central Auckland anyone?) and definitely some problems with scale and accuracy.
No, we need to look at how we are using technology, understand each use and its risk profile.  What do we mean by risk profile? 

Well, each time you make use of a new piece of technology, that technology and the way you use it defines the risk you now have in its continued use.  Let’s take an example of a smartphone.  Pretty common, pretty useful too!  Some would say the most significant invention of the last 18-20 years (let's not start BlackBerry vs Apple…who created the smartphone first).

You give these to your staff, great, now you can talk to them when you need to. Out on the job? No problem, ring-ring! Now you think, wouldn’t it be great if I could email them? Super! Let’s turn that feature on. Oh wait, your team lead left their phone on a site or in a meeting room. Was the phone locked? Can anyone see those emails? Now someone you don’t know, your competitor say, can see that spreadsheet you sent to good-old-bob with the costs and margins you're running! Or your employee starts using the phone for things they maybe shouldn’t. Uh-oh! A virus gets back to your email server. Your handy phone just took out your communications for the next 48 hours while the IT staff frantically clear out the trojan horse virus running around your network.

Sound unlikely? Not so much. Waikato DHB’s IT systems were attacked by a similar process (a USB drive with the virus on it plugged into a computer on their network); weeks later they finally evicted the virus.

Or what if it's not about a person doing something wrong or accidentally, and there's just plain old wear and tear that can take out a whole hospital's system? Just recently another DHB (sounds like I’m picking on hospitals, honest I’m not, you might say it reflects the underinvestment in technology – don’t get me started on that!) had a fire in their server room. They ended up running on paper for weeks.
Every time an IT risk is realised it has a financial impact on your business, sometimes small, sometimes significant!
So how do you establish your IT risk profile?  Here are a few questions you can ask yourself to do a self-assessment: 
  • If that <insert name of technology> was unavailable for 1 hour, 2 hours, 24 hours or a week, would my business still carry on? Would my clients be affected? Would it shake their confidence in me/the business?
  • If that piece of hardware failed would it damage other equipment? Could I replace it? Could my supplier replace it? Have you tested them on this? (We just observed a recent situation where a reputable technology supplier couldn’t get replacement parts for a core computer that was under warranty, with three different attempts at sourcing parts from as many countries to get them going again.)
  • If the information in <insert name> computer system became public, would it impact your reputation? Would it expose your internal intellectual property and processes?
  • If a fire happened, driving you from your current place of business, and you had to run your business from somewhere else, could you? Would your IT systems still be available? (We all remember those stories of people having to break the law by going back into collapsing buildings to get their computers out during the Christchurch quakes.)
If you answered “yes” to any of these then you might need to look a bit closer at your risk profile and get help.  In the meantime here are some general tips to get you going:
  • Test your backups regularly
  • Trial your failover at least once a year
  • We like to trust our suppliers but get them to demonstrate they have the replacement parts you need
  • Have a conversation with your current technology vendor, make sure they understand how important certain parts of your technology systems are.  Review your support agreements to ensure your priorities are reflected in their response times
  • Keep your warranties up-to-date
Our team at IITC have been around the technology industry for a long time and understand the risk and benefits of technology.  We also understand the market and what each ICT vendor is offering.  We aren’t interested in selling you our backup technology or cloud software (we don’t sell stuff), but we are interested in understanding your business, your current and future technology needs and helping you find the right people and solutions to these problems.  We will help mitigate your risk and create the benefits you can get from taking full advantage of technology.
Call us for a free initial consultation about your business and technology or just to talk.

Independent IT Consulting
9 Melody Lane, Hamilton East, Hamilton 3216
info@independentit.co.nz   •   021 391 313