Techaisle Blog

A recent report into the technology purchasing habits of SMBs in the Asia Pacific has revealed that a significant number of businesses are operating with dated PCs and operating systems – which has the potential to damage both productivity and profits.

The Asia SMB Tech Insights Report, conducted in September 2019 by Microsoft and Techaisle, was produced following a survey of 2,000 IT and business decision makers across the Asia Pacific region. The study specifically covered small and mid-size businesses only (up to 499 PCs).

Get the key insights by downloading the summary report for your region:

• Asia region
• Australia
• India
• Japan
• New Zealand
• South Korea
• Thailand

 Key findings from the report include:

• Over 1/3 of SMBs are using old PCs (4+ years old) and old Windows operating systems
• Over half of SMBs have no PC refresh policy (or aren’t following it)
• Using old PCs can cost a business up to US$2,657 per year
• 82% of SMBs agree that new PCs can make employees more productive, and 87% agree that new PCs reduce maintenance costs
• More than 50% of all SMBs in the region experienced security breaches in the past 12 months, and operating with older versions of Windows increases vulnerability

Managing governance, risk and compliance is an IT challenge for over 1/4th of midmarket firms and slightly more than 1/10th of small businesses in each geo – US, Europe, Asia/Pacific, Latin America. See chart below. In an SMB context, “governance” is at least somewhat analogous to “taste” in home décor, or “sustainability” in supply chain practices: easy to acknowledge as important, but difficult to define. What is easy to delineate is the notion that governance has important linkages to issues that are of vital importance to SMB management:

• risk mitigation,
• regulatory compliance, and
• protection of the corporate reputation.

Governance is a way of describing the objectives of senior executives, or of the company as a whole; it is the approach that determines how the SMB interacts with its customers, its suppliers, and its community. Oftentimes, the term ‘governance’ is coopted by IT professionals, who talk about issues like “IT governance,” “cloud governance,” or “data governance.” These are important concepts, but they really refer to policies and controls.

Policy is the ‘glue’ that connects governance and security: SMBs benefit from thinking about management issues first, and then developing positions that guide security decisions. This works as a starting point for an SMB security strategy. However, there are challenges that arise from specific IT usage patterns or events that impact an SMB’s risk profile.

Consider the issues cited in the chart below - examples of usage patterns that affect an organization’s security stance: use of cloud, and ‘shadow IT,’ or user-managed applications and/or storage that may not align with corporate security policies. It’s possible to simply state that any use of cloud or user-managed IT services needs to adhere to these policies, but the reality is that they may not: for example, a cloud supplier’s SLAs may not include corporately-approved escalation processes, and users may lack understanding of (or concern for) corporate IT guidance. This doesn’t mean that use of cloud and shadow IT should be banned – cloud is an important IT service delivery option, and to some extent, shadow IT reflects innovation within the business.

In the list of top 10 worldwide SMB business issues derived from Techaisle’s global survey of SMBs (1-999 employees), “managing uncertainty” ranks tenth, and the word “risk” doesn’t appear at all. This is likely more a reflection of how SMB executives would like the world to be, rather than a representation of everyday reality. The acronym FUD (fear, uncertainty and doubt) is familiar to most business managers, and not simply as a catch-phrase: SMBs walk a fine line between managing risk resulting from the actions that they take (for example, security or privacy exposure relating to new systems) and risk arising from actions that they have not yet taken (which has its own acronym – “FOMO, or “fear of missing out”).

Clearly, security technologies are a core component of corporate risk management strategies. Techaisle’s global research, however, has identified several other solutions, including VDI/DaaS, managed services and IoT, which help executives to understand and manage risk in their operations. By capitalizing on the attributes of the technologies that best fit an SMB organization, obe can define an approach that allows the business to address ‘downside’ issues and move ahead with ‘upside’ opportunities.

IT security

Risk management is best achieved by developing a portfolio that incorporates IT security. It’s also true that IT security relies on a portfolio approach: there are at least 10 major technology solutions that are in common use by SMBs today.

For example, Techaisle’s US research shows that the top two solutions, anti-spam/email security and anti-virus/anti-malware/anti-spyware, are ubiquitous, with effectively universal deployment. Two other technologies, firewalls and web/content filtering, are in widespread use, at 73% and 55% respectively. No other security technology is used by more than 50% of SMBs: 49% of US SMBs use breach detection, 45% use data loss prevention (DLP) technologies, and usage levels drop for the other solutions on the list, to 25% for vulnerability scanning.

Security is a feature that needs to be present within each layer of the stack. Security, needs to permeate all layers of an IT solution stack. IT security isn’t a discrete category – it is a ubiquitous factor in all aspects of IT/business infrastructure. 

The most important IT-related development in 2018 and beyond will be a focus on connectedness – connected cloud, edge, applications, security, collaboration, workspaces and insights. Internet and the web are the navigation routes that we have been developing since the 1970s; the always-on, everywhere-connected Interwork© platform is the destination that we will be creating in 2018 and for years to come. Please read Future of Work - Interwork: the next step in connected businesses

If there is an evident downside to ubiquitous and constant connectivity, it’s security. In conventional IT environments, security followed a ‘castle keep’-type approach: IT security staff gathered all critical information assets at the core of the environment, and focused their resources on hardening the perimeter, in much the same way that ancient castles used a moat and wall to safeguard people and assets within a central tower.

Today, of course, nations do not use castles as fortifications – and in truth, the traditional approach to security is scarcely better attuned to contemporary IT security needs. With the rise of mobility, cloud and connected supply chains reaching from component suppliers to OEMs to distribution and consumers, there is no perimeter to harden; any sizeable enterprise will have literally thousands of shifting entry points capable of accessing one or more corporate systems. And the rise in the value of information has spawned a sophisticated cyber theft industry: ‘bad actors’ use many different types of tactics and advanced technology to infiltrate corporate IT environments, with an eye towards stealing customer credit card data or internal financial or engineering information, hijacking corporate IT resources or obtaining some other form of benefit.

Security is the most amorphous of IT market categories. Virtually all other technologies occupy a defined position within the solution stack. Today’s security strategies no longer resemble a ‘wrapper’ around assets – they are built into each element of the corporate IT stack and rely on connectedness to (as the NIST framework recommends ) identify threats, protect against attacks, detect intruders if/when they breach perimeter defenses, respond to security events, and recover information lost to theft, loss and/or malware.