Some 40 percent of PCs in the workplace are ancient — four years old or older, according to a report from the Information Technology Solution Providers Alliance.

Even though older machines are more vulnerable to security threats and hamper worker productivity, many firms simply aren’t buying new ones. Reasons cited by businesses include the economic slowdown and a burst of spending for Y2K.

Local Tech Wire asked Robert Moroni, vice president of sales for Oculan in RTP who sits on the ITSPA board, to address questions about system modernization. (Oculan builds infrastructure and security management platforms for smaller businesses.)

Y2K obviously scared CIOs and CFOs to push through changes and upgrades. What’s the “fear factor” now – if that’s what is needed as apparently it is?

The “fear factor” is more about how the world has changed since 1999 and the growing need to protect critical company assets, such as proprietary information. Some of the older tools still in use from this Y2K upgrade period simply didn’t contemplate these changing conditions.

According to the Association of Computer Operations Managers (AFCOM), a “climate of terror” that has included terror alerts and the Iraq war has catapulted cyber-defense issues to the top of the agenda at the nation’s data centers. A recent AFCOM survey of 257 senior data center managers indicated about one-third of their organizations had experienced a cyber-attack in the past year, and more than 16 percent were now allocating up to 20 percent of their budgets to security needs.

As interesting, despite economic uncertainties, security expenditures have been increasing as well. It appears that new regulatory requirements like HIPAA in the health care field, Gramm-Leach-Bliley in the financial vertical, and others are combining with the threat of terrorism to catapult security to the top of the list for IT investments. About half of those surveyed had hiked their security budgets by up to 15 percent. Sixty-three percent said their organizations would spend $100,000-$250,000 on information security, and nearly 37 percent plans to allocate between $250,000 and $1 million, in 2003. The main security concerns are virus attacks and unauthorized access.

Were you surprised to find that such a high percentage of workforce PCs are so “old”? Don’t PCs age in dog years or Internet time? The recession/downturn hasn’t been going on that long.

There are two conditions that have overlapped each other. The first is the “spike” in PC purchasing that occurred in the year or so prior to Y2K. This meant that the bulk of customers who upgraded then wouldn’t need to be back in the market for new equipment in a big way until 2002.

The nation’s economic downturn began in March 2000 when the Internet “bubble” burst and the stock market went into a steep decline. By 2002, when many customers would have replaced their older equipment, the recession/downturn was in full effect.

Now, in mid-2003, many companies have still not replaced their 1999 equipment. In addition to the security risks inherent in this older equipment, the technical support costs to maintain this older equipment are increasing. These costs are “hidden” because they often get identified as simply the cost of doing business (maintenance, replacement parts, etc.).

When you combine the security advantages of newer equipment, the reduction in price of replacement PCs, and the high level costs associated with maintaining older equipment, there are compelling economic reasons to upgrade your company’s PC infrastructure now. And the best place to turn to for help in the replacement process is your local solution provider, who can recommend and implement a cost effective and secure network solution with replacement PCs that handle these concerns and fit your budget.

Survey after survey shows incremental increases for IT spending – at best. Even chip sales are projected to decline in US this year. What has to happen to get CIOs/CFOs to wake to the threat?

CIOs/CFOs need to be reminded that they should reprioritize IT spending now, before they become a “statistic” in the cyber wars, and that the total cost of ownership of a newer PC versus what they have now is not that great.

We are seeing more and more solutions on the market today that allow IT managers to “do more for less”, which makes those incremental increases in IT spending produce more overall value. Those solutions tend to be multi-functional and are easily integrated into a network infrastructure. When you factor in security risks, the cost of maintenance, and the productivity improvements that occur when companies run their software on more up to date machines, there is a compelling economic story for customers to consider about replacement.

I was surprised to see only 7 percent of attacks were successful. That seems low. Do you think your respondents were understating success attack ratio? It also seems low that only a third have been attacked. To read general media and info from security-related firms you would think attacks are much more common.

Remember that the data points came from senior data center managers and had a sample size of less than 300. That means the bulk of this data was coming from seasoned industry professionals in Fortune 1000 companies. Many, if not most small to mid-sized companies do not have the IT staff or the technology in place to even know if they are being attacked. For many small to medium businesses, “security” means “firewall”, when in fact technology like intrusion detection or vulnerability scanning may be necessary for them to truly security their network or be able to report reliably on just “how secure” it is. These SMBs geneally don’t have the technical sophistication or budgets to access traditional security solutions built for “enterprise” size customers, hence the need for multi-functional, easily integrated technology solutions that they can afford and that get the security job done.

In addition, the trend calls for cyber attacks to increase and many companies with older computers are more vulnerable than ever to such attacks. Our best estimate is that as many as 40 percent of all workforce computers, or more than 30 million machines, are over three years old and subject to possible attack. Most companies are way overdue for a security audit by a solution provider and a determination of what steps they should take to make their business less vulnerable to attack. We recommend that businesses seek out a solution provider who has experience with a number of security tools, software publishers and hardware manufacturers, so that a business can be sure that the solution recommended strikes the proper balance between security, productivity and cost.

If prices on new PCs have come down so much, what is keeping more companies from upgrading? Do IT departments need to do a better job of explaining costs, warranties, repairs, and productivity?

There are a number of factors contributing to the current situation. First, the economy has pinched the ability of most businesses to invest properly for the future. Second, in many instances IT departments have been subject to staff reductions. There may simply no longer be the internal infrastructure needed to craft the PC replacement message. Third, while PC purchases might reside in a capital budget, the expenses to maintain the current infrastructure may reside in one or more expense budgets without a clear understanding of the cost of ownership. Finally, protecting yourself from a cyber attack is a lot like buying insurance, and in tough economic times it isn’t uncommon for people and companies to try and get by with less.

We know that economic conditions have also shifted critical technology buying decisions into the hands of mostly non-technical “C” level executives, like CFOs, CEOs and Owner/Operators. ITSPA, the Information Technology Solution Provider Alliance, has been created because of this shift. ITSPA is a national, non-profit organization designed to help small and medium businesses understand how technology can be used to help their business grow, and is dedicated to helping non-technical SMB decision makers find the local solution providers who can best help them solve their business problems.

Do the same problems apply to storage units and networks? Should firms be considering such advances as VPNs and remote secure storage?

Yes. In some instances, the presence of storage units and networks implies a more sophisticated level of network management, which may be more secure. But almost all firms could use the help of an external expert in performing a security audit for all their technology components. And as in all security environments, a company’s infrastructure is only as secure as its weakest link. Company’s that turn to solution providers for assistance in this area will find that new business models based on VPNs, remote secure storage and managed services may be much more cost effective and efficient than their current IT infrastructure

Related story: How to build an argument for upgrades:

Original report on aging PCs: