Is it time for the regulation of IT consultants?

When Henry Ford built the Model T, safety wasn’t his number one concern. Despite the automobile existing in some form since 1807, the enforced use of seat-belts in motor vehicles didn’t occur till the 1970s in Australia, and similar periods for other developed countries.

You wouldn’t get into a vehicle today and not put on a seat belt. It’s almost an automatic thing. Yet this simple safety feature took over 150 years to become standardised and required, despite thousands of accidents and deaths caused by motor vehicles every year.

Most trades must have at least insurance, if not a specific license that confirms they know what they’re doing, they know the laws, and they are licensed to perform that service in the state or country they operate.

Most professional services are governed by regulatory bodies and associations, who’s goals are to set a minimum standard for those industries, both for the betterment of the profession, as well as the protection of it’s customers.

But the IT industry remains unregulated. You neither need a degree, certification, qualification, accreditation, license or any other formal acknowledgement that you know what you’re doing, have a code of ethics to uphold, or a regulatory body to report to. In fact, all you need to do to be an IT Consultant, is a name, email address and maybe a business card and website.

With the cyber threat landscape exploding in the last few years, the risk to businesses and their customers has increased exponentially. There is now even more risk of serious physical, mental, and financial harm to businesses and the customers they serve, as a by-product of hackers, ransomware and other cyber-criminal activities.

That’s not to say that the risk from an insider threat, whether it be a malicious staff member, or accidental deletion or corruption of data is still not a threat – just that the statistics show that the cyber threat landscape is growing increasingly ever year, and unless we take proactive steps to safeguard against it, serious damage is going to occur.

As an IT Consultant, I’m tasked with providing my customers with the best possible advice for their business. My goal is to meet their budgetary requirements, to increase efficiency and productivity in their business, so they can reach their maximum profit potential, provide valuable services to their clients, and get a return on the investment they have in their business.

That also means I am tasked with helping to protect their investment from risks that may affect it. Backups and preventative maintenance have been our go-to for years. A solid, tested backup and disaster recovery strategy is the safety net of every business and up until recently, this has ensured no incident (cyber or otherwise) has resulted in the demise of a business.

But all that has changed. Hackers are now targeting the SMB market both to steal personally identifiable information (PII) for the purposes of fraud, but also to make use of the computing power in small to mid-size businesses as part of their army of “bots”, which end up being used, rented out, and eventually destroyed, by multiple parties, all with nefarious intentions.

The risk of one of these parties ex-filtrating sensitive information, whether it be medical records, financial records, information on children, or other sensitive information, is very real. And no backup solution can truly repair the damage caused by a data breach incident. Once the information is out, there is no global undo.

And yet, we perform independent IT Audits on small to medium sized businesses here on the Gold Coast, so that business owners can do their due diligence and ensure their IT professional is doing the best by them, and I have to present more red on my reports than green – because the IT professional looking after them is often not even doing the basics right.

Don’t get me wrong – sometimes it’s not the Computer Consultants fault. Sometimes it’s because the customer doesn’t see value in what we are recommending, whilst other times it can be because they don’t believe the risk to their business is as important as investing the money in other areas of the business.

Yet no one is being held responsible for this, whether it’s the IT Consultant or the business. Some don’t even care about the security side of the report that we present, and are more interested in the efficiency enhancements we recommend – leaving their business, and the livelihood of their customers, potentially wide open for hackers and cyber-criminals to do what they want.

I firmly believe that it is time that the IT profession, particularly IT Consultants, gets regulated. There needs to be a minimum standard required of IT professionals, particularly when they are tasked with safeguarding the sort of data that could cause damage if it were damaged, destroyed, or was accessed by unauthorised individuals.

And if not regulated itself, then it’s time that industry bodies for professional institutions that handle this sort of data introduce stricter minimum guidelines to their members, and the vendors with which they use.

Sadly, the human race tends to only act when something terrible has gone wrong. We struggle with being “proactive”, irrespective of the long term risks or impacts something may have. I fear that we are going to see many businesses and individual suffer as a by-product of this complacency by IT professionals and business owners and managers who don’t see a need, before we will see improvements.

But it’s not all doom and gloom, and the purpose of this post is not to depress you – as there are many people out there trying to do the right thing. Our customers acknowledge the risks and provide us the opportunity to better protect them and their customers, even if it pushes their budgets beyond what they are used to spending. And there are many great IT professionals out there trying to make a difference.

I would urge everyone, to put yourself in the shoes of someone who has been adversely affected by a data breach. Say all your personal information got accessed by a hacker, and they were signing up for credit cards and loans in your name, using your identity to cause harm to others, or using the information they knew on you to blackmail you and your family.

If you were in that position, what would you have wanted your accountant, lawyer, Doctor, financial planner, real estate agent or any other profession you provide personal information to, to have done?

Now go do that in your business. Yup, your current budget isn’t enough and you’re going to have to change the way you think about “IT Spend”. What you’ve been doing to date will not save you today, let alone tomorrow. Just like the automobile industry, being forced to add seat belts and other safety features to cars came as an expensive they didn’t really want to have to make, but they had to do it – otherwise people would die.

If you want help in doing the right thing, we can help you. Whether it be an independent IT data and security audit for your small to mid-size business, or to take over from your current Managed IT Service provider, give us a yell. We love dealing with forward thinking, conscious and ethical business leaders.

Latest Posts

Whether you have a question about our services, our
company or anything else, our team is ready to answer.