The Tip of the Iceberg: Minor Symptoms, Major Risks
A Hedge Fund was having trouble getting their website updated. For something as simple as changing the management titles and bios, it was taking months for their IT consultants to get the task done. Frustrated, the Hedge Fund reached out to Bridge Technology Partners to confidentially help them identify their options for solving the problem. Working with Bridge, the Fund identified that the problem of not being able to update the website in a timely manner was a symptom of a much larger problem.
Control of the Website
Like most professional service firms, the Fund had backups of their websites, some documentation, and IT people who they trusted to keep things running smoothly. The Fund’s IT firm kept things under control. This worked just fine for years – until the Fund’s IT firm became unresponsive, taking weeks or even months to make simple, but important, updates to their website. Bridge’s investigation revealed that the Fund was not in full control of their website, and in fact was at the mercy of their IT consultants. They didn’t have control over one of their biggest investor relations assets. Bridge outlined the steps for the Fund to regain control of their website, and proposed the following goals for their website:
1. The Fund should have access to manage (or delegate the management of) their Domain Name Service (DNS).
DNS is what allows a common website address (like www.yourwebsite.com) to point to the specific computer where your website is kept. If you want to change where your website is hosted, you need to have control of your DNS.
2. The Fund should have access to manage, or delegate the management of, their web servers.
The web server is the computer where your website is stored and where your clients view it on the Internet.
3. The Fund should be able to restore their website in minutes or, at most, hours.
Most businesses assume they can restore their website using their backups – but most businesses have never actually tried to restore their website from a backup. Because restoring from backups is rarely done, it is rarely well thought out and is often problematic when the need arises – and of course this need often arises in times of crisis.
4. The Fund should have everything they need to change their IT provider – without cooperation from the IT provider.
Bridge Technology Partners believes that a business should never be beholden to any one IT provider. Because of this core value, Bridge builds in an “exit” for every client they help. Bridge goes over this exit strategy with each of its clients — no more being held hostage by outside IT providers ever again.
The Fund accepted Bridge’s recommendations in full, and, as a result, the Fund now has control of their DNS, a new web server they control, and a documented and rehearsed backup and restore procedure should they ever need it. This was Step 1 – let the client regain control.
As Bridge continued to assess the original symptom of not being able to update the website, they discovered a potential root cause beyond a simple unresponsiveness from their IT provider. They discovered “software rot”.
As far back as the early 1980s (a long, long time in computer years), people started to identify the problem of “software rot.” Software rot is when a system degrades in performance, becomes unstable, and/or becomes internally incompatible. No matter how well engineered the software system was originally, so many things change over time (both with technology and business needs) that eventually it becomes just too difficult to work with and support.
Although in the Fund’s case the website was only a few years old, some of the components used to run the site were much older — one component hadn’t been supported in years. The site also suffered from another common problem: there was little or no documentation in the code, turning simple website updates into a risky situation. If the IT consultant who coded it is no longer around, and the backup and recovery systems are untested, it makes for a precarious situation. Depending on how complicated the original engineering was, or how obscure the technologies are, it may be difficult to find someone who can make even simple updates.
After discussing the situation with the Fund, Bridge was asked to provide a quote to re-engineer the entire website. The goal of this phase (Step 2) was to simplify the architecture, removing unnecessary and unsupported components, and enable content updates to the site with minimum effort. Bridge’s quote came in at 12% of the price of the previous website revision, which was poorly engineered and outdated even before it went live. The Fund now has an identical-looking website for clients, but a simple, secure internal structure that can easily be updated and maintained with minimal risk by any web development professional.
Doing Nothing is Risky
As an added benefit of simplifying the architecture and removing old components, Bridge was able to reduce a huge risk for the Hedge Fund. Leaving software alone (not upgrading or patching it over time) dramatically increases the chances that the website and databases will be attacked. Doing nothing often creates a hacker-friendly website, exposing not only proprietary content but also personal customer information and passwords.
Many people use the same login name and password for multiple websites. Hackers can take a list of usernames they stole from your website and load them into a program that automatically tries to use these logins and passwords at all the major banks and credit card companies. Authorities could discover that the common thread to all of these victims was that they also do business with you.
To compound the problem, website risks are often taken too lightly — because websites are viewed as just a piece of marketing literature. The risks can be hidden in plain sight but overlooked because “it’s just a website.” Many websites have evolved from a set of documents and pictures online into online applications without the support structure needed to maintain a web application.
At the end of every project, we ask for feedback from our clients. Here’s what the project manager from the Hedge Fund had to say:
“You have been great to work with – super responsive and accommodating. You work quickly and efficiently, while still maintaining a high degree of integrity and quality. All of this has resulted in us having a high level of confidence in you and your ability to work independently from us and also to produce exactly what we are looking for. You listen to what we want and ask the right questions to get us there vs. just doing whatever you think is best without bothering to see what we need. You tell us up front how long things will take and you stick to your promises. And if there is an issue, you communicate it proactively and don’t leave it up to us to follow up when a deadline passes or we realize something wasn’t done.”