A high-profile dental health benefits provider had concerns about its overall IT spend – more than $13 million annually – and the lack of transparency and control over its IT-related operating and capital expenditures. Beyond gaining clarity on its current IT expense position, the firm was particularly interested in understanding how to put a robust business case process in place to ensure that all future IT investments are appropriate and will provide the expected return (e.g. revenue generation, cost reduction, staff productivity increase, etc.).
IVIONICS performed a zero-based budget engagement, whereby all IT operating and capital expenditures, including in-house and external staffing resources, were discovered and centrally documented and analyzed. Ultimately, each expense line item was classified based upon expense type, amount and need (Must Have, Nice to Have, Not Needed). By working closely with the relevant IT and business stakeholders, each expense was either eliminated, renegotiated or reclassified as necessary to ensure that the company was only incurring the expenses that it truly needed.
In addition to the zero-based budget exercise, the IVIONICS team worked with the customer's relevant IT and business stakeholders to review, document and remediate the following functional areas:
- The yearly IT budget development process and ongoing budget management/reconciliation process, including standard and ad-hoc accounting system reports
- Whether all IT expenses are included in the company's central IT budget process, or whether some/all IT expenses are carried by other business cost centers
- IT capital expenditure approval standards and process
- IT chargebacks to other business cost centers/entities (if applicable)
- IT project business case (return on investment) and prioritization process, including the management and justification of investments over time to ensure the investment is providing the expected return
- The company's IT-related fixed asset and depreciation schedule
- The company's IT-related accounts payable process, to ensure that IT bills are classified properly, posted to the proper accounts in the firm's accounting system, and paid per the relevant predetermined commitments (e.g. net 30)
The positive results for this dental benefits provider were numerous and tangible. For the first time in its existence, the customer had a full and clear understanding of every IT operational and capital expense. Because of the zero-based budget exercise, the customer was able to realize a 16% reduction (or ~$2 million) in overall annual budgetary expenses without having to reduce the number of necessary IT services or adversely affect the service levels it had committed to the company and its end-user base. For example, unnecessary functions, services and outdated / unused technology components were eliminated, inflated and one-sided license and maintenance contracts were renegotiated, and capital expenses were reduced to only those that were critical or advantageous to the business.
In addition to developing a detailed and transparent budget based upon actual need, the following results were realized:
- The company's process for developing its yearly IT budget and managing it on a monthly basis was clearly defined and documented, and the relevant IT and business stakeholders are now on the same page with respect to what expenses are being incurred, and how they are classified and managed. The number of adjustment entries into the accounting system has been virtually eliminated, and both IT and Finance have a consistent and accurate view of all IT expenses.
- The company's fixed assets were properly classified and outdated assets were written off to ensure that the fixed asset repository was up to date and reflective of the new fixed asset classifications and overall process. Both IT and Finance have a much-improved fixed asset process (i.e. what assets are considered capital expenditures and depreciated over a clearly defined and fixed period) to ensure that all relevant parties have a consistent and accurate view of the company's IT-related assets.
- The accounts payable process was modified and documented to ensure that all IT-related invoices were evaluated and provided the necessary approval and coding to ensure timely payment. The result was a more accurate representation of the company's IT-related payables position, and an improved relationship with suppliers and providers that manifests itself in such areas as better service and favorable pricing.
- The customer implemented a robust business case process, whereby all discretionary IT expenses were subject to scrutiny from a business perspective: what kind of benefit(s) will the company see and by when? A new IT Steering Committee was established that requires the participation of IT and business decision-makers alike to ensure that the business was driving the IT investment process, and that all investments were transparent and managed closely to ensure the expected return.
A billion-dollar, not-for-profit purchasing cooperative was struggling with many IT-related concerns: outdated and unstable infrastructure, an application development team that was unable to provide short-term solutions for maintaining existing applications or even implementing new functionality, and a portfolio of IT services that was not properly aligned with the business. As a result, "Shadow IT" (unsanctioned IT initiatives implemented by the business) was rampant.
IVIONICS performed an initial assessment of the firm's systems, applications and IT organization. Using our proven I3 methodology for measuring the maturity of a firm's IT operations and its overall effectiveness, the IVIONICS team analyzed all aspects of the customer's IT function and assigned real-world, business-impacting risk to each functional area.
We were able to work collaboratively with this customer to make actionable recommendations that were prioritized to address the most critical and impactful areas first. All aspects surrounding the technology needs, budget constraints, company culture and change management were considered throughout the entire assessment and recommendations process.
A number of transparent and measurable solutions were derived from the assessment process that the customer and IVIONICS partnership shared equal responsibility for delivering:
- A comprehensive infrastructure remediation program to address the aging and unstable technologies: hardware refresh, best practice configuration standards, virtualization and consolidation. The customer's IT team took the lead with IVIONICS engineers providing guidance and quality assurance services.
- A detailed IT support and operations standard that relied on consistent, efficient, best-practice processes and procedures based upon the ITIL service framework that saw IVIONICS take the lead to provide Help Desk, Desktop Support, System Monitoring and Preventative Maintenance services.
- A Development as a Service (DaaS) program that allowed IVIONICS to perform all production support and bug-fix duties, freeing up the customer's in-house developers to focus on new projects to grow the business.
- An Advisory Services program that partnered an IVIONICS management consultant with the customer's IT executive to develop a comprehensive 3-year IT plan aligned with the firm's detailed business development goals, a zero-based IT budget to understand how each IT dollar was being spent, and a marketing/collaboration strategy to socialize the IT function with the rest of the business.
The customer is the beneficiary of a more stable and secure infrastructure that has experienced no unplanned downtime in more than a calendar year. The end-user community, while increasing staff by 10%, has actually realized an 18% reduction in reported support incidents to the IVIONICS Help Desk.
The IVIONICS application development team has cleaned up more than eight months' worth of backlogged production support and bug-fix requests, allowing that team to supplement the customer's internal development team to move other strategic initiatives forward, such as a new company website and the firm's business intelligence platform.
The customer's shadow IT problem has been virtually eliminated, whereby the IT group is consulted as a trusted business collaborator to address strategic business initiatives, and not viewed only as a support or utility service.
The customer has the requisite IT-related policies, procedures and practices in place to ensure control over the IT operating environment, and is now passing their IT-related audits with the relevant documented evidence in place to support those claims.
A Long Island-based digital media firm was drowning in the vast amount of data it had been retaining indefinitely. Its 15TB data footprint consisted of several years' worth of email, creative materials (customer renderings and production-ready art files), productivity data (word processing, spreadsheet and presentation files) and font libraries. In addition to the age of the data, it was found that several copies of the same data were stored on local workstations and on server file shares.
The general lack of data organization, data inventory and overall data retention policy was costing the firm in excessive storage, backup, management and productivity costs. This lack of control over the company and customer data began to manifest itself in other adverse ways, such as sending incorrect versions of production files to customers, impinging on font licensing agreements due to lack of control over font purchasing and inventory, and the risk of data loss due to backups not being adequately configured and managed to account for the lack of control over the data population.
The digital media firm had asked IVIONICS to help them get a stronger handle on the company and customer data footprint, and to help them develop a longer-term strategy for data management and governance.
While this digital media firm had very ambitious goals to immediately develop a comprehensive Master Data Management (MDM) program, IVIONICS advised the company to take a more pragmatic and incremental approach to getting control over its data: implement a data governance strategy. Data governance is an enabling framework of decision rights and accountabilities for data-related processes. It is based on agreed-upon models that describe who can take what actions with what data, when, and using what methods. Implementing an initial data governance program will result in true business-and-IT collaboration that will lead to increased consistency and confidence in decision making, which in turn increases productivity and growth.
IVIONICS outlined four specific steps for the company to take as it embarked on its data governance program:
- Through the use of a detailed questionnaire, determine the company's readiness to implement a data governance model. If the company is not ready, and the business does not buy into the overall concept, the data governance program will be a time-consuming, costly and annoying inhibitor to progress, and will never yield the type of results that most companies are seeking.
- Develop a comprehensive Data Glossary – or detailed inventory – of the company's data. This includes what the data is, where it resides, what it is used for, who owns it, what system(s) it comes from or is used by, whether it should be backed up, how long it should be retained, etc.
- Identify "data stewards" for each data type across all business functions. These data stewards will have ownership and accountability for how data is created, used, and curated throughout the enterprise to gain a keener perspective of the company's overall data-related requirements.
- Develop Data Governance and Data Retention policies that the entire organization can understand and acknowledge, and that can be used as the guiding principle for all data-related matters for the firm.
In addition to the above, IVIONICS performed a detailed analysis of how the company works and uses data throughout its day-to-day operations, and performed a comprehensive review of the company's backup configuration and overall effectiveness.
After several weeks of working closely with the digital media firm and understanding how the company works and how it needs to leverage data and information to run the business, IVIONICS was able to recommend and implement the following solutions to establish a solid and sustainable data governance model, and to help the firm begin to realize the results it was expecting:
- In order to get a firm handle on data access and location, IVIONICS implemented Varonis DatAnywhere and DataPrivilege. These products eliminated the need for local copies of creative and productivity files, centralized the data repository, allowed for data sharing and version control, and allowed access to files to be explicitly granted through a simple access request process. The result was a significant decrease in the firm's data footprint and far more effective control over access to, and the flow of, company and customer data.
- Replaced the firm's outdated and unreliable tape backup system, and implemented a cloud backup solution with onsite and cloud vaults that back up the firm's data on a nightly basis. IVIONICS worked with the company to determine exactly what needs to be backed up and when, and what the new backup retention policy should be.
- Performed a data governance readiness assessment with the entire organization, and determined that the company was ready to embark on a data governance program. The company was clearly ready to dedicate the time and resources to getting a handle on its runaway data situation.
- Performed a comprehensive data inventory process with the company, and established its formal Data Glossary. This process identified all data types and attributes, and assigned ownership to newly identified data stewards. During this process, the team discovered several terabytes of outdated, unnecessary data that was being stored and managed. This data was subsequently purged from all company systems.
- Developed and implemented formal Data Governance and Data Retention policies that all employees read and acknowledged. The Data Retention policy sparked a data clean-up effort and initiated other new standard company processes, such as a new email retention approach. In addition to the outdated and unnecessary data outlined above, the company was able to further reduce its data footprint by keeping only the production data it needed to effectively run the business. The overall result was a reduction from 15TB of original data to ~8TB of active production data, saving the firm tens of thousands of dollars in storage, backup and overall productivity costs.
- The firm was able to turn its data nightmare into a revenue opportunity by allowing its customers to retain creative data/files on the company's file servers for 5 years, and pay a fee for any required retention beyond that. If the customer was not interested, the company would transfer the creative files to the customer and purge it from its systems. This allows the company to keep tighter control over customer data, and ensure that the old ways of indefinite data retention were truly a thing of the past.
- A font library and font handling process was established to ensure that the company was using the properly licensed fonts within its creative process. This new approach eliminated the guesswork regarding whether the stored fonts were legal or not, and increased creative productivity by clearly defining the font procurement, storage and usage process for all creative personnel.
The positive results of the above engagement were numerous; from cost savings, to productivity gains, to revenue generation. While the data governance approach is not the most complicated one to undertake, it can be the most challenging if the requisite business buy-in does not exist. Data governance is not an IT initiative, it is a business one. This digital media firm made the necessary commitments, and ultimately yielded the expected positive results, by making sure all aspects of the business were represented and dedicated to lasting change. The company is now planning to take its data management approach to the next step by exploring Master Data Management in the latter part of 2017.
A large, NYC-based commercial construction firm that was being serviced by a competing technology managed services provider contacted IVIONICS to help them with a recent ransomware incident that had severely impacted the company's day-to-day operations. The company was frustrated by the incumbent managed services provider's lack of initial response and empathy, and had some serious concerns about the fact that this was the second ransomware attack within the last year; it did not feel confident that the incumbent provider was willing or able to help them implement a strong cybersecurity plan to protect them.
The construction company had asked IVIONICS to help them remediate the current situation, quickly perform the necessary evaluation of their existing environment, and make the necessary recommendations to reduce the company's cybersecurity risks, and mitigate or eliminate any potential threats going forward.
IVIONICS immediately began evaluating the construction company's backup data to see if the data could be easily restored without having to pay the hackers' Bitcoin ransom. Luckily, the cloud-stored data was available, and the IVIONICS team began the restore process immediately to bring the company back to normal operations as soon as possible.
During that same timeframe, the team began an immediate and comprehensive cybersecurity assessment to evaluate the construction company's overall vulnerability level. While the assessment was intended to encompass the most common cybersecurity threats in existence, the immediate focus was on the functional areas that would provide the greatest protection against ransomware and other similar malware threats:
- Access control: ensure that all users are employing best practices regarding strong passwords (minimum 8 characters, containing upper-case, lower-case, numeric and special characters), password expiry (a maximum password age of 90 days), password history (the same password cannot be reused for at least 5 cycles) and screen-saver password protection (the lock engages after no more than 15 minutes of inactivity). In addition, ensure that no user has administrative rights on his/her own desktop, so that hijacked credentials cannot be used to install or propagate malware or its “payload”.
- Endpoint protection: ensure that all relevant server, network and desktop devices had adequate and up-to-date anti-virus and anti-malware protection.
- Spam filter: ensure a strong spam filter solution is in place that will detect unsolicited and unwanted email and prevent it from reaching users' inboxes. Beyond being annoying and unproductive, spam is a common way for viruses and malware to be introduced into a company's technology environment.
- Firewalls: ensure that all entry/exit points of the company's external-facing (i.e. internet) network are protected by commercial-grade, state-of-the-art firewalls, and that each device is configured according to the company's business/application needs and industry best practices: is the firewall current, with the latest firmware applied? Are ports opened or blocked based on business need and security reasons? Is content filtering enabled and configured with minimal or no exceptions?
- Training & Awareness: ensure that all company employees are trained to recognize the cybersecurity threats that exist, and to take the appropriate action to mitigate the risk and report the incident to the relevant company and external resources.
- Social Engineering: ensure that all employees go through rigorous mock cybersecurity incident exercises before and after their comprehensive cybersecurity training, to measure employees' overall awareness and their effectiveness in recognizing and reporting threats such as phishing and spoofing schemes.
In addition to the above, IVIONICS completed additional reviews of the company's environment related to such topics as Security Policies, Data Protection, Network Configuration, Mobile Technologies, Messaging, IT Operations, Asset Management, Change Management, Disaster Recovery/Business Continuity, and more.
The company's data was restored and back to normal business operations in a matter of hours, and no ransom was paid. The cybersecurity assessment yielded several High, Medium and Low Risk findings, including the fact that most company passwords were still set to their original, easy-to-guess/hack default values: “password”, “temp”, “123456”. Also, several devices had outdated or non-existent anti-virus/malware tools installed. IVIONICS helped the construction company develop an immediate and longer-term cybersecurity strategy based upon the highly probable threats and vulnerabilities that existed, the risk tolerance of the company and its overall budget considerations.
IVIONICS helped the company implement some immediate solutions that significantly reduced their risk of falling prey to cybersecurity-related incidents:
- Implemented group policies that hardened user access by enforcing strong passwords, a 90-day password change cycle and screen-saver passwords after 15 minutes of inactivity, and removed local administrative rights from all end-user workstations (desktops and laptops).
- Upgraded the company's two end-of-life firewalls with new SonicWall NSA firewalls with content filtering subscriptions and configured them based upon the company's internal and external business traffic needs.
- Implemented a mobile device management platform to ensure that the company's data on mobile devices is centrally managed and protected, given the staff members that come and go for various commercial construction projects that are in production. This included restricting access to only company-approved users, devices and applications, device remote-wipe capability, device monitoring and other features.
- Brought in a training partner to perform comprehensive, cybersecurity-related classroom training for all company employees.
- Brought in a partner to perform social engineering exercises to ensure that the comprehensive training was effective, and that the company was ready to recognize the various cybersecurity threats that exist at the workplace.
- Wrote and implemented a detailed Acceptable Use Policy for the company, outlining the company's position and expectation for employee use of the company's information technology assets. Ensured that all employees read and acknowledged their obligation to this new policy.
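The access-control settings called for in the assessment above, and rolled out via group policy in the remediation, can be verified on a domain-joined workstation rather than assumed. The following audit script is an added example and is not IVIONICS code or part of the engagement; it assumes the RSAT ActiveDirectory module is installed, an elevated PowerShell session, and that the Default Domain Policy (not a fine-grained policy) governs the users in question. The thresholds are the page's own figures; note that NIST SP 800-63B no longer recommends forced periodic rotation for its own sake, so the 90-day cycle reflects the standard applied in this engagement rather than current guidance.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not IVIONICS code): checks a domain-joined Windows workstation
# against the access-control baseline described above. Read-only; it changes nothing.
# Assumes the RSAT ActiveDirectory module is available for the domain policy check.

$Baseline = @{
    MinPasswordLength  = 8
    MaxPasswordAgeDays = 90
    PasswordHistory    = 5
    ScreenSaverTimeout = 900   # seconds, i.e. 15 minutes
}

function Get-ScreenSaverValue {
    # GPO-enforced values live under the Policies key; fall back to the user's own setting.
    param([string]$Name)
    foreach ($path in 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
                      'HKCU:\Control Panel\Desktop') {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [string]$item.$Name }
    }
    return $null
}

function Test-AccessControlBaseline {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Domain password policy (Default Domain Policy).
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $pol = Get-ADDefaultDomainPasswordPolicy
        if ($pol.MinPasswordLength -lt $Baseline.MinPasswordLength) {
            $findings.Add("Minimum password length $($pol.MinPasswordLength) < $($Baseline.MinPasswordLength)")
        }
        # A zero MaxPasswordAge means passwords never expire.
        $maxAge = $pol.MaxPasswordAge.TotalDays
        if ($maxAge -eq 0 -or $maxAge -gt $Baseline.MaxPasswordAgeDays) {
            $findings.Add("Maximum password age $maxAge days (0 = never) exceeds $($Baseline.MaxPasswordAgeDays)")
        }
        if ($pol.PasswordHistoryCount -lt $Baseline.PasswordHistory) {
            $findings.Add("Password history $($pol.PasswordHistoryCount) < $($Baseline.PasswordHistory)")
        }
        if (-not $pol.ComplexityEnabled) {
            $findings.Add('Password complexity (upper/lower/digit/special) is disabled')
        }
    } catch {
        $findings.Add("Domain password policy not readable: $($_.Exception.Message)")
    }

    # 2. Screen-saver lock: active, password-protected, and no more than 15 minutes.
    $active  = Get-ScreenSaverValue 'ScreenSaveActive'
    $secure  = Get-ScreenSaverValue 'ScreenSaverIsSecure'
    $timeout = Get-ScreenSaverValue 'ScreenSaveTimeOut'
    if ($active -ne '1' -or $secure -ne '1') {
        $findings.Add('Screen saver is not active or not password-protected')
    }
    if (-not $timeout -or [int]$timeout -gt $Baseline.ScreenSaverTimeout) {
        $findings.Add("Screen-saver timeout is '$timeout' s; baseline is <= $($Baseline.ScreenSaverTimeout) s")
    }

    # 3. Local Administrators: no ordinary user account should be a member.
    #    Only the built-in Administrator (RID 500) and administrative groups are expected.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $admins) {
        if ($m.ObjectClass -eq 'User' -and -not $m.SID.Value.EndsWith('-500')) {
            $findings.Add("User account '$($m.Name)' holds local administrative rights")
        }
    }

    return $findings
}

$result = Test-AccessControlBaseline
if ($result.Count -eq 0) {
    Write-Host 'PASS: workstation matches the access-control baseline'
} else {
    $result | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```

Run it per workstation (or push it through a scheduled task and collect the exit code) after the group policies have applied; a `gpupdate /force` beforehand avoids false positives from stale policy. If fine-grained password policies are in use, check the effective policy for the user with `Get-ADUserResultantPasswordPolicy` instead of the domain default, since a PSO silently overrides the values this script reads.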
There are many other remediation items that need to be addressed over a longer period, such as implementing additional cybersecurity-related policies, performing an external penetration test, implementing multi-factor authentication, and exploring data encryption and other cybersecurity solutions to increase the company's defenses against real-world threats. However, the company made huge strides in increasing its overall awareness and strengthening its cybersecurity protection, and has not had any material cybersecurity incidents in the several months since the last ransomware attack.