There is no room for euphemism or putting things delicately here. The result of Connected’s survey of Irish businesses, conducted in partnership with Compu b and Red C, are nothing short of damning. Ireland’s businesses are largely blind to the impact of the general data protection regulation (GDPR), under-invest in skills and training, and show hubris in the face of cyber threats.
These top-line items read as simple scare stories, but the data points to a great need for industry to take a look at itself. While the responses to developments in banking, particularly contactless payments, were largely positive, the other areas studied over this summer show a business sector ill prepared for the most important piece of regulation in a generation and unaware of the increased sophistication of those actors who would do them harm.
Looking broadly at the research, Red C associate director Ciara Clarke saw reasons to be wary of the confidence expressed by businesses regarding the security results in particular.
“Perceptions around cyber security and data protection were heartening in some ways. With 61 per cent claiming to be equipped to some degree, which was a good sign. But the flip side is only one in four saying it is very well equipped,” Clarke told Connected.
“There’s a gap there. It’s about educating companies and making sure they know the risks. It’s about the consumers as well, about where their data is stored. The potential risk is a little bit frightening.”
That gap in knowledge was, according to Clarke, reflected in the lack of awareness surrounding the GDPR.
“The GDPR, particularly in our environment, is going to be huge next year. There is still a huge proportion of companies that are completely under-prepared. It really needs to be dialled up if people are going to be ready, it’s a worldwide issue not just an Irish one,” she said.
“Of those who are aware, it was half and half in terms of being prepared. It comes back to whether we are talking about it enough or not. Are we allowing people to be prepared if we aren’t talking to them enough? Are people fully prepared if they are not aware of all that is involved with it?
“A lot of companies are going to face an uphill battle from January onwards.”
Clarke said the research’s findings with regards to the new Taoiseach came as little surprise to her as it was in line with what Red C would expect with a new leader of the government.
“There’s a good portion in the middle who feel he won’t have an impact either way. There’s a bit of a grá for him and very few are saying he will have a negative impact, but I wouldn’t be surprised to see these results for any Taoiseach,” said Clarke.
“There’s been a lot of talk about post-Brexit borders, even more since we completed the research, but the attitude is about what can he really do. People are moving more to that middle ground than thinking he can have a negative impact.”
Clarke added that the results with regards to the views on banking were of particular promise.
“There’s no negative impact, with one in three saying a positive impact. It’s not just a couple of companies, it’s impacting across the board,” she said.
Likewise, Clarke said the benefits of increased use of video conferencing were becoming increasingly clear to Irish firms.
“Rather than having to take a taxi or a flight, it’s becoming really convenient for people to use and is seen as completely acceptable. It’s a high number that has used and is currently using. At the same time, given the number that haven’t, there’s potential there to grow it further.”
The results with regards to IT skills, however, were a concern for her, with Clarke saying it shows signs of the needs for businesses to think about how they prioritise investment.
“A huge proportion feel it’s a challenge to get people in. Some are saying it’s easy to retain, but there’s an equal number that find it difficult. It’s interesting to see retention isn’t overly skewed either way,” she said.
“When you look at the investment in professional development, a lot of firms aren’t working on that. Only 5 per cent are saying they invest a lot in it. Over half aren’t investing at all. If you get people in and find it difficult to maintain them, then you have to wonder are you putting in the time and money required to keep them?”
Ciaran McCormack, chief executive of Compu b, said the results showed the practical viewpoints of Irish SMEs and how they saw the field before them. McCormack said the views on the new Taoiseach, in particular, pointed to the need for businesses to have more information on what is to come before acting.
“On the corporate side of the business we are seeing a positive sentiment on a daily basis. As employee needs rise, so too is the demand for hardware and software. One of the things around Brexit, as a company that trades in Ireland and Britain, is we are looking at what will happen and right now it’s such an unknown, it’s a wait and see,” said McCormack.
“The result for those questions didn’t surprise me. We don’t know if we are having a hard or soft Brexit, or if we are having a hard or soft border. Until all of that becomes clear, it’s difficult to see what is coming,” he said.
“The British government hasn’t given enough clarity for anyone to make an informed decision yet. Even if you put plans together based on either a soft or hard Brexit, it’s hard to say what either will look like. The timeline is moving quickly.”
McCormack added that the results around spending models and how companies prioritise budgets surprised him somewhat, with his business seeing a different trend in terms of investment.
“The overall technology budgets themselves are an issue. There’s been a huge move from Capex to Opex models,” said the Compu b chief executive.
“The in-house services are a macro piece for us. It’s integral to how we work. The ability to do group video calling across 17 locations is huge. For us, it’s critical to being able to develop our business.”
It was, however, the results from the GDPR side that stood out most to McCormack in terms of the needs of Irish businesses to act.
“With the GDPR, it often depends on whether a company has a data protection officer in the first place. Even with those who said they were aware, what does that mean? It’s one thing to know what it is, but are they aware of the fines that will happen if there is a breach?
“There’s a huge question of how ready businesses are. GDPR is going to have a significant impact on business. A lot of the methods of marketing may not be valid any more based on where you got data in the first place.”
These results around the GDPR paint a worrying picture with regards to what is to come, and McCormack’s views were shared by Emerald de Leeuw, chief executive of EuroComply.
De Leeuw is essentially the expert in Ireland when it comes to the impact the forthcoming regulation will have on Irish businesses. Connected spoke with the EuroComply founder to get her thoughts on the results, in particular when it came to the lack of awareness around the regulation.
“I’m not surprised at all. It fits the general situation in industry. This is happening on a global scale, people really have zero clue. A lot of companies are finding out the hard way about it because a lot of larger companies, who have their ducks in a row, are basically saying ‘hello vendor, are you GDPR compliant?’ because they are looking at their data processing agreements as they are responsible for their data supply chain,” said De Leeuw.
“A lot of companies that weren’t aware the GDPR was a thing are now hearing from their customers that it is. Not everybody has received those communications yet, but they are slowly trickling in, with many amendments to contracts.”
The EuroComply founder has been working in the field for five years now and sees significant risks for Irish companies beyond being caught out in terms of breaches. The work required to be compliant could prove onerous for a lot of firms, particularly those which supply larger businesses with products and services.
“I’m mostly concerned for the companies in Ireland that are relying on global corporations with good practices because they will lose business, that’s my main fear. If you are a smaller company servicing a larger one, that larger one is going to impose certain terms. That data supply chain issue means there is more responsibility on the smaller company for imposing the terms on to other parts in the chain,” said De Leeuw.
“There are various links in the data supply chain. The large corporate, the company selling to it, and the companies providing services to that smaller company. With some situations that’s a problem because if that smaller company uses something like Google Drive to store the data of larger clients, Google won’t negotiate with the small firm and the small business is now liable for everything,”
“The most time-consuming thing is what companies are not doing. Many aren’t looking at the data they have, where it goes, and where it gets transferred. A lot of companies use massive suppliers for payroll and other services, but those suppliers are sending that data to a sub-processor company in the United States or somewhere else.”
When the regulation comes into force next year, De Leeuw expects the reaction from data protection regulators in the European Union to be swift and brutal.
“There will be a scapegoat. Somebody will be fined a disgustingly large amount of money and their reputation will be in the bin. I foresee a lot of panic and an awful lot of new experts coming on to the scene who aren’t really experts. It’s important that companies who are doing their best to become compliant, and many are trying to do the right thing, look to people who know what they are doing and what the authorities are doing,” she said.
While the prospects look intimidating, De Leeuw said Irish firms can be confident of getting on track. With further regulation on the way around privacy, she said the work on getting businesses fit for the GDPR will still be ongoing upon its implementation.
“I expect to still be helping companies with the GDPR and be out educating the world on what’s coming next with e-privacy legislation, which is going to affect what can be done around marketing practices. A lot of people are in GDPR land, but I’m consciously aware of e-privacy.
“Don’t panic. Educate yourself. Don’t be caught by all the fear-mongering. It’s not productive and it won’t make you more compliant. Equip yourself with an appropriate amount of expertise and leverage a team in your company that can handle this. Once you know what needs to get done, you have to get it done.”
The EuroComply founder’s call for businesses not to panic on the potential impact of the GDPR was shared by Brian Honan, chief executive of BH Consulting.
“We have two issues with it. A lot of vendors are scaremongering and woe betide you if you are not ready, but it’s not a techie problem, it’s a business problem. On the other side there are people out there saying the GDPR is just data protection and businesses think they are already all right on that front. We need to get the balance right between those viewpoints.
“GDPR is data protection updated for the 21st century, but there are significant changes you need to be aware of for your business.”
Honan was particularly surprised by the results surrounding IT security in the survey as most of the research he has seen points to far less preparation among Irish businesses.
“What we’re seeing, from our own interactions with businesses, is that many companies underestimate the risk posed to their business by cyber threats and have fallen into a false sense of security, thinking that they are able to cope,” he said.
“Many only think about computer viruses or traditional attacks, but criminals are becoming more sophisticated and moving away from targeting larger enterprises to targeting medium sized and smaller businesses.”
This move away from bigger businesses is raw economics. It costs more time and money for cyber criminals to go after companies with good protection than those which are exposed.
“They see the larger firms as tougher nuts to crack because those enterprises have invested a lot of money and time into enhancing their defences so they have moved onto softer targets, which are the medium and smaller businesses. Those businesses haven’t yet invested the same amount of time, money, or expertise, in shoring up their defences,” said Honan.
“Coming out of the recession, for a lot of businesses the focus was on keeping the lights on. There wasn’t much investment. As they are coming out of that, their priorities might be on sales and marketing or essential refurbishment with IT still being far behind. We know many companies still running Windows XP and Windows 7.
“These smaller companies acknowledge that they are more exposed in that area because they know they haven’t invested.”
Even the results around the levels of awareness concerned Honan as he felt companies, even those who acknowledge they aren’t sufficiently protected, underestimate the risks they face.
“What does being aware mean? There have been many high-profile media stories in the last six months, such as WannaCry, so cyber security issues are becoming more mainstream. People are probably more aware of the issues, but I’d wonder how aware they are of how they should be prepared for the threats,” he said.
“When we do security assessments, one of the quickest ways for us to get into their systems is via their staff, be it phone or email.”
McCormack shared Honan’s concerns around awareness and said he was disappointed to see a lack of progress from the 2016 edition of this survey.
“When you look at the findings from last year’s poll, there’s a lot in common. We’re going to be tackling that issue at the upcoming iOS and Business summit on September 14. One of the pieces we are working on is mobile security, which is the biggest challenge for a lot of businesses at the moment. Most of their employees are mobile and they are carrying data on mobile phones and other devices,” he said.
“It’s even impacting the trends of what customers buy. We’re seeing clients buy cellular iPads instead of wifi ones for business use. That may sound like a small thing, but the reason they are buying a cellular one is because they want the machine to be always connected to the internet so it can be immediately wiped remotely.
“Cyber security is becoming a daily conversation with companies coming up with new problems and it’s primarily around mobility. It’s one thing to have your server locked in, but they are potentially more exposed by an employee that leaves a phone on a coffee desk. It’s disappointing to see there hasn’t been much progress in 12 months. The impact of attacks is more prevalent and more routine for the news to report it. Consumers are more aware of it.”
McCormack said the issues around cyber security were reflected in the lack of investment in training shown in the survey. With most businesses not spending on upskilling staff in IT, the Compu b chief executive said companies weren’t aware of the need to help their people get better.
“We’ve gone from 50 to 190 employees in five years and the key to that is retaining good people. Our method of doing that built on internal professional development. One of the biggest challenges in the technology space is that you are competing against the likes Google and all the other large multinationals who have offices here,” he said.
“We’ve got a programme built around offering professional development, to help companies upskill internally. From our perspective, we’re looking at ways for companies to improve their internal development.
“The really sad thing we saw here was that companies are willing to invest in software. Without investing in the people, that becomes the real issue for the business going forward. Unfortunately, this isn’t surprising as we saw similar results last year.”
Those trends in investment surprised Jamie Young, corporate sales manager at Compu b. Young was expecting companies to lean more towards an Opex model, but the survey showed the vast majority of companies still primarily operated on a Capex basis when it came to IT investment.
“We would see a lot of companies leasing their hardware so I was surprised to see the survey showed the opposite. When I was thinking about it, we deal in Apple hardware which is a premium product. Typically, the life cycle of a lease matches the life cycle of the machine, it also means you are getting better rates so leasing companies would look more favourably on premium products.
“We’ve also worked on a mixed lease, where we can deploy and manage services across one lease.
“The confidence out there has grown hugely over the last 18 months so people are willing to spend that money on hardware. We are seeing uses for leasing at both ends of the scale.
“With a new company that may not have the capital, they tend to like to use the leasing model when onboarding initial staff.
“At the other end of the scale, companies with over 100 employees, those businesses are moving away from traditional models and looking at ways to spread the cost of their hardware. With that kind of expenditure, it makes sense to move to a monthly or quarterly payment as opposed to a lump sum up front,” said Young.
“If our figures over the last few years are anything to go by, the move to Opex is going to increase.
“We’ve seen with our inventory the proportion being leased is going up over the last 24 months. Again, a lot of the companies we work with are in that start-up or growth phase so they are a little bit more savvy around the management of their cashflow.”
This trend towards increased investment should lead to improved attitudes when it comes to security, according to Young. The Compu b corporate sales manager said he was surprised this didn’t play out in the findings.
“Everywhere we go into either has existing server back-ups or is looking to upgrade. It’s something everyone is very much aware of because so much work is stored on digital files. It’s at the front of people’s minds to protect their data, to protect their livelihoods,” he said.
“It’s a real shame that it drops so drastically when it comes to the security layer within that. You have to protect from the outside as well. Those figures should be a lot closer.”
Young, however, was pleased with the results around increased use of video calls and he expects that number to grow significantly in the years to comes.
“With video calls I thought it would have been a little bit higher. With the prevalence of Skype, I reckoned it would have been higher. We’re seeing more freedom around work location. A lot of companies are adopting the philosophy that they don’t need people in the office all the time. They are happy for them to work from home and in different counties. Video calling is an assurance for those companies, it gives them that face to face with people based outside the office.”
In a similar vein, the boost in attitudes towards IT improvements around banking were also a positive sign for Young. He said it showed Irish businesses recognised the expectations customers have now when it comes to purchasing.
“It’s great to see. People are going into branches a lot less now, they are using the apps, and going more away from cash. People can go around without wallets and use their phone for payments – that’s really convenient,” he said.
“With all technology and how it spreads, a lot of it comes from personal use. With companies dealing with expenses, when nobody is paying cash you’ll always have a paper trail to track the payment. That has a knock-on effect and makes people’s lives easier in the accounts department.”
Wait-and-see response to the Taoiseach
While the survey showed little in the way of negative feeling towards recently elected Taoiseach Leo Varadkar, the results pointed heavily to a wait-and-see view among Irish businesses.
There was, however, strong support for Varadkar in terms of his impact on foreign direct investment, with 63 per cent of businesses thinking he would have some kind of positive impact on the whole. A smaller majority backed him to support SMEs, while the majority felt his impact on the post-Brexit border situation with the North would not be significant on the whole.
Outside of the new Taoiseach, the views on Brexit were even more cautious, with 45 per cent feeling the impact of Brexit will make no difference when it comes to attracting skilled IT staff. In a similar vein, 43 per cent felt the crackdown by Donald Trump on visas into the United States would have no impact on the ability to attract skilled staff to Ireland.
The GDPR knowledge gap
The standout figures from the survey reflected the knowledge, or rather widespread lack thereof, of Irish businesses towards the GDPR, which is being implemented in May 2018. With significant fines for those in breach of the regulation, the lack of awareness paints a concerning picture for the year ahead.
The survey found that 61 per cent of businesses had no awareness at all about the GDPR, with that figure increasing for smaller businesses. As it stands, only 12 per cent of all businesses consider themselves to be very well equipped for the impending regulation, compared with 37 per cent that felt they were either not very well equipped or not at all equipped.
This contrasted significantly with the findings around cyber security in the survey. The experts interviewed by Connected for this piece expressed concern about the confidence shown by Irish businesses in their approach to data protection. Twenty-six per cent of businesses considered themselves very well equipped to deal with cyber terrorism, rising to 35 per cent for medium businesses, with 61 per cent being happy with their preparations to some degree.
The awareness of threats and the need to prepare more appeared to be greater among the smaller businesses surveyed with 53 per cent saying they were either not very well equipped or not at all equipped for a cyber terrorist attack, compared with just 17 per cent of medium sized firms.
IT skills issues
The challenges in attracting skilled IT staff tended to vary significantly among the businesses surveyed. While 49 per cent found it quite difficult or very difficult to attract staff, the standout number from the poll was the 27 per cent of businesses that said they didn’t know how difficult they find it.
Similarly, firms showed a breadth of opinions when it came to retaining staff. There was a narrow split between businesses who found it easy and difficult to retain skilled staff, with 35 per cent finding it difficult compared with 37 per cent finding it easy, but once again the don’t know figure was notably high at 28 per cent.
These results can, in part, be explained by the results for training and development with majorities across the board indicating there were little to no plans to upskill staff. For hardware, this accounted for 64 per cent of businesses, 58 per cent in software, and 66 per cent in apps.
Of those that did invest in training, 71 per cent found it easy to access professional development services for employees. That contrasts significantly with the 54 per cent of businesses that said they invest little to no money in professional development.
Capex still dominant
Leasing remains surprisingly unpopular among Irish SMEs, with the numbers reflecting the findings of our 2016 survey in large part.
Of those businesses surveyed, 61 per cent of businesses engage exclusively in a Capex model when it comes to IT, with that number rising to 76 per cent for those that spend less than 40 per cent of their IT budget on leasing plans.
Only 7 per cent of companies surveyed spend more than 60 per cent of their IT expenditure on an Opex model, essentially mirroring the findings of a year ago.
Overall, spending appears to be consistent year on year in terms of priorities. The most prioritised area of spending on IT in 2017 was, unsurprisingly, software at 35 per cent followed by hardware at 23 per cent. There was a big drop to security and cloud services, both at 10 per cent, and compliance, 9 per cent, with training trailing in on 8 per cent.
The year ahead points to slight changes, with hardware narrowing the gap with software, while security is prioritised by 14 per cent of businesses for 2018. Compliance comes in at just 7 per cent, despite the impending arrival of the GDPR, while training holds steady at 8 per cent, with cloud dropping to 6 per cent.
Business banking benefits
The most encouraging results, by a broad margin, in our research came around the area of business banking, where the bulk of companies surveyed showed positive sentiments towards the IT developments on this front.
The advancements in payments systems, such as Apple pay, were welcomed as major boosts by the majority of companies surveyed, with 59 per cent seeing a positive impact for transaction, 57 per cent seeing likewise for account management, and 62 per cent praising the upsides when it comes to the ease of use. The impact on customer engagement was viewed positively by 55 per cent with 47 per cent of businesses seeing an upside in terms of managing employee expenses compared to just 9 per cent seeing a negative impact on this front.
The impact of contactless payment has been the most significant factor across the board, with 64 per cent seeing it making an impact in terms of point of sale transactions and 46 per cent seeing some impact in terms of margins.
Video calls show promise
The results for in-house services showed more Irish firms were looking at getting smarter with the tools they use at all levels of business.
The stand-out result was the prevalence of video-calling technology usage, with 41 per cent of businesses using the likes of Skype and Google hangouts to connect with staff or customers.
Infrastructure usage, such as storage and networks, was expectedly strong, with 77 per cent of firms having made some investment in this area. The surprising figure, however, came in security services, like Kerio or Cisco, with only 27 per cent having availed of them. This downward trend continued when it came to mobile security with only 17 per cent of businesses having availed of mobile device management options.
The use of internal communications tools, like Slack and Samepage was particularly low, with only 9 per cent of firms having made any use of such services.