Most people who own or run a small business tend to lump IT management, cyber security, and technology compliance all into the same bucket. They are all taken care of by your IT person (whether that be on duty staff, an outsourced technology firm, or your nephew), right? Well, the answer is maybe, but probably not. The truth is these duties are a combination of highly interrelated and built on top of each other, yet somewhat distinct from each other.
IT management, or what would more accurately be called Business Technology Infrastructure management, is the discipline of making sure that your business technology is productive and reliable thereby making your staff more efficient. It is the art of making sure that your ISP bandwidth, firewall/router, switches, computers, and phones are all aligned with each other and tuned to your business needs. Solid IT management should result in making your business more profitable. However, beyond configuring the appropriate firewall and installing antivirus on your computers, it is not really focused on keeping your business electronically secure.
Cyber Security on the other hand, is laser focused on keeping the bad guys out. As a newer field, and one that is always trying to stay one step ahead of the criminals, it is evolving quickly. But the tools used are things like vulnerability scanners, advanced email threat protection, Unified Threat Management, Security Information and Event Management, Phishing simulators, Dark Web monitoring, Application Locking, etc., etc. When applied properly, these can dramatically reduce (but not eliminate) the chance of a ransomware infection or a data breach. However, solid cyber security needs to be built on top of solid IT Management. Otherwise, shortfalls in IT Management will leave gaps that no cyber security practice will fill. An important thing to remember about cyber security is that it will never increase a business’ profitability. It can only prevent the business from suffering a catastrophic and unexpected loss. In that regard, it should be thought of as an insurance policy, but one which is active by using your premiums to prevent the possible loss.
Compliance is the act of assuring that your technology infrastructure meets the requirements of whatever rules it is being judged against. Some of these are legal requirements such as HIPPA, GDRP and the data protection laws present in all 50 states. Others are contractual, such as PCI, CMMC or your cyber liability policy. Compliance is built on a solid foundation of strong IT management and cyber security, but it has demands beyond those. A core part of compliance is documentation. Conforming to the compliance requirements almost always requires ongoing documentation that you are actively staying compliant. That requirement may be someone filling out the weekly forms that they reviewed the security logs, periodic reports of vulnerability scans, or results of annual online cyber security training. Whatever it is, lacking documentation attesting to what you did, may cause you to be out of compliance even if you are doing everything else right. In the case of laws, that could result in fines; for contractual requirements, it could result in fines, loss of a contract, or, in the case of cyber liability policies, no or partial payout of a claim.
Again, all three of these are both highly interrelated, but also take different skill sets. Having different firms providing these services can cause gaps between the services, unclear lines of responsibility, and be extremely more costly than using a single firm. Typically, the best outcomes occur when you select a firm that has competencies in each of these areas and uses an integrated team to deliver those services.
SpotLink has teams that have been addressing these business needs – IT management, advanced cyber security, and compliance – for years. If you think your business can benefit from using a solid, multi-disciplined firm such as SpotLink, please contact us for a free consultation.
Robert Hood
CEO & Founder
SpotLink