Robbing Peter to Pay Paul

June 5, 2017

Let’s Keep The Money With Peter

We have all heard the saying, “Robbing Peter to Pay Paul”.  It is believed that this metaphor dates back to 16th-century England, when part of the estate of Saint Peter’s Cathedral in Westminster was used to pay for repairs to Saint Paul’s in London.  In today’s society, the basic meaning is the elimination of one debt by incurring another.

While the roots of this idiom may date back to a primitive era of the early 1600s, the practice is alive and well in today’s modern business. It’s just that the stakes and implications are far more costly than the financial tally.

In the past decade, I have spoken to many C-level executives guilty of Robbing Peter to Pay Paul. Here are a few examples I have encountered in the workplace:

A common philosophy among many SMBs is to hire someone for their particular area of expertise but unofficially give them other, lesser-skilled work in addition. The job-speak goes something like this: “I am paying you well because I hired you for this particular skill, but I have these other lower-level tasks that need to be done that I would rather not spend the money hiring someone else to do. You wouldn’t mind taking care of these, would you?”

To the Executive, it is cost management, thereby dropping more money to the bottom line. To the Employee, it is a degradation of their perceived value to the company. To the Company, it actually has incurred several costs: first, the unintended costs of a higher-paid employee performing lower-level tasks (misallocation of resources); second, higher-level work that could be done by that employee (lost opportunity costs); and third, the cost of a less motivated and potentially mentally distressed employee.

Another theme among Owner / Executives is the “If it ain’t broke, why fix it” philosophy. The issue is that the vantage point from the C-Suite doesn’t always have a clear view of the dysfunctions that creep into the workplace.

For example, just because email is working doesn’t mean everything is fine with the Company’s IT systems. In fact, email is a major vector for attacks on system security. You could be happy as a clam with your email while company assets are being stolen without any obvious clues. The cost of not having a healthy IT Ecosystem could be Hundreds of Times More Expensive than having resources employed that go beyond email.

Lastly, it is alarming how many organizations I have talked with that do not have a good understanding of Disaster Recovery / Data Backup and the difference between the two.  Most companies perform some form of data backup.  Many company executives I have spoken with believe that data backup IS disaster recovery.

However, national statistics reveal that there is a large percentage of companies that back up their data but don’t recover it when a disaster occurs. The problem is that it is difficult to know if the backup you are doing will actually be recoverable until the day you actually have to recover it. Having a true disaster recovery plan is vital to business continuity.

At many SMBs that I have talked with, the C-Suite would like data backup to be cheap, and would prefer that disaster recovery not be necessary. But 80% of companies that experience a significant data loss go out of business within 5 years.

Ben Budraitis, CEO
iTruss Solutions, Inc.

WannaCry??

I spoke with an executive in the professional services industry who is being asked to submit a formal bid for the services their company provides. He has responded to hundreds of requests over the past 5 years, but this request for proposal was different than all of the others he has had to respond to.

The proposal he was responding to had a mandatory insurance requirement to carry coverage of several million dollars for Security and Privacy Liability Insurance (Cyber Risk).  Why?

This is likely going to become a more standard practice as we move forward.  Companies that seek services from outside firms to meet the needs of their business are not willing to put their business at risk due to the poor business practices of their suppliers.  But can requiring companies to carry Cyber Risk insurance really do anything to solve the problem?  Not likely…but it raises the ante as it pushes risk management back into the arms of many small businesses.

The cost of this insurance varies depending upon the risk exposure presented to the insurance provider. If you are a small business providing services to a large company, that company has years of intrinsic value and goodwill created through reputation and performance within their market vertical. It is one thing to have a machine go down that prevents widgets from going out the door on time. There is a tangible protection in this case. Perhaps a virus brings down production equipment directly or indirectly. But the scope of the issue is limited and it is internal.

What happens when a security breach occurs that is tracked back to the outsourced service vendor employee and this breach has a direct impact on the company’s customers for whom the vendor is providing services? What is the cost of this breach? Can insurance really cover this cost?

If you are a small or midsized business, the dollar cost for the Cyber Risk Insurance may not be all that much, if you are able to find an insurer willing to provide it to your business. If your business is being proactive with Cyber Security, you are more likely to be insurable. But it’s not the dollar cost of the insurance that really matters. It is the use of that insurance due to IT and employee security-related issues that have manifested themselves in someone else’s back yard. How much will that cost your company?

Is this hype or is this for real? “A ransomware attack that began in Europe on Friday is lingering — and hitting new targets in Japan and China. The WannaCry software has locked thousands of computers in more than 150 countries. Users are confronted with a screen demanding a $300 payment to restore their files. The cyberattack has hit more than 300,000 computers, White House homeland security adviser Tom Bossert said at Monday’s midday White House briefing.” (Bill Chappell, NPR, May 15, 2017)

How much longer will it be before the US Government requires all companies to meet a level of Cyber Security Compliance?

Ben Budraitis, CEO
iTruss Solutions, Inc.