Adopting new software exposes businesses to a variety of pitfalls. Before we take a look at some of the worst, it is important to highlight the dangers of stumbling into them.

For ICAEW Head of Data Analytics and Tech Ian Pay, the consequences play out on three levels of escalating severity. “At the most basic level,” he says, “you’ll just get frustrated, because it will require more work to reverse out of the slump. Everything will take more time.”

On the next level, there may be higher costs attached to putting things right, such as extra fees you didn’t factor into your initial decision-making. “Then, at the most severe level, you may fall foul of regulators and incur all the various ramifications.”

As such, Pay stresses, it is vital for anyone involved in software procurement to look out for their future self. “Ask: ‘What are the sorts of things that ‘future me’ might have to deal with as a result of making this choice?’” he says.

Now, let’s take a look at those pitfalls.

Failing to form an ‘exit strategy’ for the chosen product

It may seem counterintuitive to put this first, but one of the most crucial points to address when you are going into a new software product is thinking about how you will one day need to get out again.

“At some stage, you will take the view that the software is no longer right for you – that you must end your licence agreement and migrate away from the product,” Pay says. “It’s really helpful to have an understanding of how you are going to do that right from the outset.”

Pay notes that having an exit strategy for the product ties into critical areas such as ongoing data accessibility, accounting for the notice period within your operations, whether there are charges for maintaining read access and whether you will be able to bulk-download all the data, or have to spend weeks downloading client records individually. “Your future self will thank you if you’ve thought about all this – and hate you if you haven’t,” Pay says.

Not considering cyber security during selection

Even amid regular coverage of highly damaging cyber attacks, software buyers often do not prioritise cyber security in their purchasing decisions. That stems largely from management pressure to adopt a product quickly, leading buyers to mull the software mainly as a utility – “What will it do for my business and clients?” – rather than a potential source of cyber risks.

Pay warns that those risks are increasingly emerging from the software supply side rather than direct attacks. With that in mind, ask all the sensible questions. For example: does the product support multifactor authentication? How will it store your data? Is the provider ISO 27001 certified? And do they have Cyber Essentials, or a trustworthy equivalent?

Falling prey to sales patter

“When you’re looking for new software, there’s a lot to think about,” Pay says. “You will probably go to some of the big expos for research, and seeing endless stands of vendors trying to sell their wares can be quite overwhelming. It’s easy to get caught up in that noise and make an impulsive decision.”

Pay points out that salespeople tend to focus on the impression that the provider wants to give about what a product can do, but that may be overpromising or misleading.

As such, he urges buyers to speak directly to providers’ non-sales, technical staff to verify claims. Will the product’s functionality really answer your needs? And will it provide a roadmap for assisting your business’s future development? “I would also recommend speaking to existing customers of the software you’re considering to understand the realities of using it.”

Overlooking questions around data accessibility and backups

Again, pressure and haste may cause buyers not to take time to properly evaluate measures within and around a software product for data access and backups. However, the nature of those provisions can be highly nuanced.

In terms of access, Pay says, it is important to examine a product through a lens of user-friendliness.

• How easy is it going to be to extract the data you need, whether for tasks such as management information, reporting or regulatory compliance?
• What format is it going to be in? For example, will the product simply deliver Excel files, or something more robust and versatile?
• Can you use application programming interfaces – and if so, how open are they?
• Can anyone use them, or do they cost extra as part of a premium package?

Turning to backups, Pay notes, a data recovery process may be in place purely to help the provider maintain continuity of service, and may not suit the customer’s requirements. Plus, a user may find after an episode of data loss that recovery is obtainable only for an extra fee. Ask about those issues as early as possible to avoid any hassle in the future.

Not checking whether a provider will help you meet your legal obligations

Pay used to work in audit and often had to try to get data from clients. Some of the trickiest conversations he had involved cases where a client's data was hosted and managed by a third party.

“The problem was that, contractually, that third party had no obligation to support our request as auditor,” he explains. “So, even though we had a legal right to ask for that data to complete our audit, there was no wording in the service contract requiring the provider to help us.”

Pay encourages customers to obtain contractual terms that will require the provider to actively assist with requests from auditors, regulators and HMRC, plus GDPR enquiries and Right to be Forgotten requests.