Running the entire IT Operation for even the smallest business can be a tremendous challenge. Between keeping up with new technologies and threats that emerge on almost a daily basis, to handling licensing and budgeting, to squeezing extra life out of stubborn aging equipment, to handling an end-user community that may be “less than computer-savvy,” one wonders where the hours in the day for sleep can be found. And, in our experience, this is frequently not the only job the “Computer Person” has at their organization! Many people in a solo support role have ended up there simply through taking on various technology-related tasks. As their company grew over time, their responsibilities increased to the point where they are doing at least two full-time jobs.
CIS has worked with the small and medium-sized business community throughout the company’s 22-year history. The organization provides both monthly managed IT services and IT support blocks, both of which lead to working directly with many individuals who are the sole “IT Person” for their organization. Through this experience we’ve come to recognize certain common challenges and things left undone from client to client. Typically these are issues that a larger staff, or a support organization, can handle as priority items. For the small and medium-sized business IT person, they can typically be found on the “if I had more time” list.
The following suggestions are 25 quick recommendations we’ve provided to countless Small and Medium Sized Businesses to improve Security, Policy, Administration, and Stability. CIS can provide direct support for any or all of these efforts, and many more, with an ongoing managed services agreement, or can provide staff augmentation and consultative services for clients that prefer to handle things mostly internally.
To get us warmed up, here are a few easy, logical IT practices that everyone should follow.
Unified Security Management provides a “single pane of glass” view into your organization’s network security, asset inventory, vulnerability, intrusion detection, behavior monitoring, SIEM, and log management, dramatically reducing time-consuming tasks such as log reviews, and condensing everything into easily understood reports that can be immediately acted upon.
This may seem obvious, but the vast majority of devices end up in “set and forget” mode, leaving them vulnerable to brute-force and phishing attacks, as well as breach by a current or former employee. Where applicable, use passphrases: the more complex yet memorable, the better.
A thought straight from the oft-quoted The Art of War: if you don’t understand your “enemy” – in this case hackers of all types as well as, unfortunately, internal threats – you cannot hope to defeat them. If you approach your layering of network security not from an internal place of comfort, but from an external place of seeking access, you will be on your way to thinking like the enemy.
Nobody knows everything, not even our team, but sometimes the hardest thing to do can be to ask for help. We’ll just leave this here: Contact a CIS Rep Today
A well-documented environment is a well-protected environment. This is a crucial but often forgotten step in the disaster recovery planning process. Backups and the ability to spin up virtual or even physical servers are great, but good documentation is the roadmap on how to get from hopelessly lost back to functionality.
What would happen if your primary production server crashed? What would happen if the office lost power for a week? If you can answer basic questions like these, you’re on the way toward disaster readiness.
Have a backup. Use your backup. TEST your backup. Sending your data offsite is a great start, but how long does it take to bring it back, stand up a new server, and get everything running? Know your Recovery Point Objective (RPO) and Recovery Time Objective (RTO): the point in time to which your business must recover, and the time it can tolerate it taking to get there. Be sure that you have full image-based backups. If there is anything important, have a backup. Have at least one backup offsite.
As Harold Melvin and the Blue Notes sang, “If you don’t know me by now…”. We could list endless examples of company breaches based on one user clicking a bogus link in an unknown email, corporate messages landing in the News, or payments being sent to phony vendors based on invoices that “looked real to me.” Educating yourself and your end users about the looming threat posed by everyday email is critical.
CIS recommends running a network vulnerability assessment (NVA) on at least a yearly basis, if not quarterly. Our team offers NVAs that are geared toward the Small and Medium Sized Business, designed specifically for affordability and effectiveness. Additional security can be gained by running more regular reports with tools such as Network Detective or Nessus. Management reviews of security reports should be undertaken on at least an annual basis, to provide visibility into issues potentially impacting compliance and finances.
A wall with a hole in it is not a wall at all.
Stronger encryption standards yield more secure communications. If you can use the same encryption as a federal agency, why wouldn’t you?
Limiting traffic is a great way to manage bandwidth as well as security: only allow business-related traffic to flow.
Exposing the network to remote access and control can be a dangerous proposition, unless it is well implemented. Restrict access to only those who absolutely need these services. Putting SSH behind a VPN provides an additional layer of security.
Hackers are knocking on the virtual door every day; it’s best to keep an eye on them and monitor any suspicious traffic. If patterns emerge, consider whether the attempts are random or targeted and more nefarious.
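An added example, not from the CIS post, of applying that random-versus-targeted distinction to failed SSH logins. The auth log lines are constructed, the OpenSSH message layout and the threshold of three are assumptions, and the script runs as-is against the embedded sample:

```python
"""Sort failed SSH logins into random spraying vs. targeted attempts (added example)."""
import re
from collections import defaultdict

# Constructed sample auth.log lines (not real traffic); layout assumed to match OpenSSH.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4120 ssh2
Mar  3 10:01:04 gw sshd[2102]: Failed password for invalid user test from 203.0.113.5 port 4121 ssh2
Mar  3 10:01:06 gw sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 4122 ssh2
Mar  3 10:01:09 gw sshd[2104]: Failed password for root from 203.0.113.5 port 4123 ssh2
Mar  3 11:15:00 gw sshd[2200]: Failed password for jsmith from 198.51.100.7 port 5001 ssh2
Mar  3 11:15:30 gw sshd[2201]: Failed password for jsmith from 198.51.100.8 port 5002 ssh2
Mar  3 11:16:10 gw sshd[2202]: Failed password for jsmith from 198.51.100.9 port 5003 ssh2
Mar  3 11:16:40 gw sshd[2203]: Failed password for jsmith from 198.51.100.10 port 5004 ssh2
Mar  3 12:00:00 gw sshd[2300]: Accepted password for jsmith from 192.0.2.25 port 6000 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text):
    """Return a list of (user, source_ip) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out

def classify(failures, threshold=3):
    """Random: one source trying many usernames (opportunistic spraying).
    Targeted: one username hit from many sources (someone wants that account).
    The threshold is an assumed tuning knob, not a standard value."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for user, ip in failures:
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    return {
        "random_sources": sorted(ip for ip, u in users_by_ip.items() if len(u) >= threshold),
        "targeted_users": sorted(u for u, ips in ips_by_user.items() if len(ips) >= threshold),
    }

if __name__ == "__main__":
    print(classify(parse_failures(SAMPLE_LOG)))
```

A targeted hit on a real account warrants a different response (confirm with the user, check for credential exposure) than background spraying, which is mostly noise to block at the edge.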
Administration & Policy
This is the easiest path into any environment. If someone looking to breach your environment finds an end of life OS, it’s Game Over. End of Life systems receive no security patches, no updates, and no support from vendors, leaving the business at risk. Even a system as recent as Windows 7 is already in “extended support” and should be updated.
Patching is so simple and so frequent that it has become a mundane part of the routine, one that’s easy to ignore or postpone for something more interesting. Unfortunately, patching is the one surefire way to stay up to date with known vulnerabilities. CIS strongly recommends monthly patch review and deployment; systems that were patched on even a quarterly basis were impacted by WannaCry. Any device that has an IP address on the network is vulnerable; maintain the latest patches and updates to stay a step ahead.
You’re not President Skroob; the password for your network – or your luggage – should not be 1-2-3-4-5! Don’t make it easy on someone looking to breach your environment: as a standard practice and written policy, change standard or default usernames and passwords to something non-standard. The frequency with which we see “admin/admin” credentials is astounding.
Basic security administration can be accomplished with simple policies such as these. If an employee is leaving their workstation for 30 seconds for a coffee refill, it is typically fine to leave their computer unlocked, but if they’re gone for 15 minutes? An open computer leaves both data and privilege open to anyone who happens to pass by. Rotating passwords, no matter how much users may grumble, is simply basic entry-level security.
SSL, or Secure Sockets Layer, is the current standard for secure access between web browsers and web servers. Plain HTTP is antiquated and no longer secure; it must be replaced.
Typically, database information is considered critical company data; it is where you store information about clients, projects, and vendors. Most organizations protect database information while it is at rest by deploying encryption; however, as the workforce changes, more users access database information remotely. If a user’s application exists outside of the server on which the database resides, the data will be in transit while it travels to the user. It is critical that this communication maintain the same level of encryption as the database has at rest.
The best approach to access is to provide a Least Privilege model, giving users only the access they need to do their jobs, and nothing more. No user should have access to systems they have no need for, and no users should have access in overlapping systems such as accounts payable and accounts receivable. Separation of Duties reviews should be conducted on a regular basis and enforced via policy and automation.
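An added example, not the post’s own tooling, of the kind of automated review this paragraph calls for: it flags users holding both halves of a Separation of Duties conflict (the accounts payable / accounts receivable pair named above) and any group membership not justified by the user’s role. Group names, role baselines and the membership export are all constructed assumptions:

```python
"""Separation-of-duties and least-privilege review over group memberships (added example)."""

# Constructed sample: user -> security groups, as you might export from Active Directory.
MEMBERSHIPS = {
    "alice": {"AP-Clerks", "Staff"},
    "bob": {"AP-Clerks", "AR-Clerks", "Staff"},
    "carol": {"AR-Clerks", "Staff"},
    "dave": {"Staff", "Domain Admins"},
}

# Group pairs that no single person may hold at once (assumed SoD policy).
TOXIC_PAIRS = [("AP-Clerks", "AR-Clerks")]

# Groups each job role legitimately needs; anything beyond this is excess privilege.
ROLE_BASELINE = {
    "ap_clerk": {"AP-Clerks", "Staff"},
    "ar_clerk": {"AR-Clerks", "Staff"},
    "helpdesk": {"Staff", "Helpdesk"},
}

# Constructed HR-style mapping of user -> job role.
ROLES = {"alice": "ap_clerk", "bob": "ap_clerk", "carol": "ar_clerk", "dave": "helpdesk"}

def sod_violations(memberships, toxic_pairs):
    """Return {user: [(group_a, group_b), ...]} for users holding a conflicting pair."""
    found = {}
    for user, groups in memberships.items():
        hits = [(a, b) for a, b in toxic_pairs if a in groups and b in groups]
        if hits:
            found[user] = hits
    return found

def excess_privileges(memberships, roles, baseline):
    """Return {user: sorted extra groups} not covered by the user's role baseline.
    A user with no known role gets an empty baseline, so every group is flagged."""
    excess = {}
    for user, groups in memberships.items():
        allowed = baseline.get(roles.get(user), set())
        extra = sorted(groups - allowed)
        if extra:
            excess[user] = extra
    return excess

if __name__ == "__main__":
    print("SoD conflicts:", sod_violations(MEMBERSHIPS, TOXIC_PAIRS))
    print("Excess privilege:", excess_privileges(MEMBERSHIPS, ROLES, ROLE_BASELINE))
```

Run it on a scheduled basis against a fresh membership export and treat any non-empty result as a ticket, not a report to file away.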
Tracking what workflows reside on what servers is critical in supporting an environment. A proper assessment of the risk to any critical business application must include thoughts about the hardware or server environment in which it resides. As hardware goes end of life, tremendous benefits can be reaped from migrating its applications to cloud-based virtual servers.
Documenting things makes processes easier to implement. Any documentation of passwords should be stored safely.
Active Directory is the backbone of your network environment; it should be kept up to date and healthy. CIS recommends Active Directory management utilities such as DRA from Micro Focus to help with regular AD administration.
Monitoring server thresholds and utilization, network equipment online status and access attempts, and many more things going on in any environment is a key component of successful management. Without monitoring and the associated alerts, we would constantly be putting out fires, rather than handling things proactively.