[BreachExchange] Legacy clearout? Not all at once, surely. Keeping tech up to snuff in an SMB

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 5 19:24:29 EDT 2017


https://www.theregister.co.uk/2017/10/04/keeping_tech_up_to_snuff_in_an_smb/

“Legacy” is a word that we tend to associate with big companies. After all,
they’re the ones who have vast piles of equipment that go out of date in no
time at all but require big money and big projects to replace them with
modern stuff.

Not that they all do the updates, mind you: I have an entertaining photo I
took the other day of the Windows XP crash screen on a well-known
retailer’s Point Of Sale terminal …

Smaller companies are affected just as much by their kit getting old,
though. And in many ways it’s worse for them, because resource is usually
considerably more limited than for the bigger players: the budget is
smaller and the in-house expertise less extensive. How, then, do small or
medium businesses cope with the aging of equipment and keep their systems
as modern as they can?

Keeping it low-maintenance

If you don’t have much of a technical team, why would you have a load of
equipment and software that’s hard to manage? I’ve long been a huge
believer that possessing and running an in-house email platform is the
first sign of madness, because the cloud-based alternatives are so solid,
so flexible and so reasonably priced that I just can’t see why you wouldn’t
cloud it.

If you do have a good reason to use in-house systems, though, understand
fully the support implications of doing so. Can you buy it as a supported
service, for instance, where the vendor can manage it remotely for you?

Trying to do stuff in-house with no external help is the path to ruin for
an SMB’s technology platforms. Where you can, give it to some other poor
sod to keep the lights on and make sure the patches are up to date.

Paying for help

SMBs have a tendency to try to do stuff themselves. It’s perfectly
understandable, of course, as outside help costs money. I’m reading the
results of a recent survey that says 56 per cent of UK SMBs do all the
research and buying of laptops and desktops themselves, with just 14 per
cent asking for consultant help. For server purchases the majority flips –
more companies use consultants to recommend server purchases – but it’s
still only a third that do.

Attempting to specify technology yourself is only sensible if you really
understand how to make the decision. I know plenty of “amateur
technologists” who have become very effective IT managers (in fact the best
support guy I ever employed was your classic home PC tinkerer) but in the
big picture such people are in the minority. You can’t make an informed
choice without a wide view of the market and a solid understanding of how
particular technologies fit your business, and this usually means asking
(and paying) for help.

Acknowledging what you don’t know

In the same survey I just mentioned, 35 per cent of businesses say they
have consultants to advise them on security solutions, with 37 per cent
choosing their own. That doesn’t strike me as very many (though I’m more
frightened about the 15 per cent who say their employees choose the
security solutions themselves). Are the 37 per cent following the DIY
approach suitably informed on security? Some are, and I bet some aren’t.

With security products in particular it’s essential to acknowledge what you
just don’t know, and spend some money to fill the gap.

Sticking to a model

You know the desktop and laptop purchasing survey I mentioned just now? The
scariest figure in it is that 19 per cent of UK SMBs surveyed allow their
staff to specify and purchase their equipment themselves. This, in an SMB,
is dumb. (Actually, it’s dumb everywhere, but it’s particularly problematic
in an SMB).

A standard hardware platform is an absolute must – for more reasons than I
have space to list here. To pick three: buying multiples at once gives
discount; supporting ten identical machines is way easier than supporting
ten different ones; and it’s easy to replace or re-image a machine if it
dies.

Have a standard model, and stick to it. This doesn’t mean you have to get
everything from a single vendor: I’ve worked for places that do, but I’ve
worked for plenty more that have desktops and laptops from vendor A but
servers from vendor B.

Bear in mind that the duration of this “sticking to it” exercise will vary
depending on the type of kit. If it’s a desktop or laptop PC then it’s
probably fine to switch brand every three or four years, when the kit
reaches the end of its useful life: the vendors won’t thank me for saying
this but supporting one make of desktop PC is much the same as supporting
another. For servers I’ve tended to stick with a single vendor for two
lifetimes rather than just one, though this is largely because some of the
less critical stuff has been allowed to live on for seven or eight years if
spares and patches have remained available.

For networking kit the story is different, because the skills you need
differ wildly between vendors. Choose to switch from (say) Cisco to NetGear
in year six and your support guys will beat you to death with specially
sharpened rack-mount rails because you just made them forget everything
they’d learned and start from scratch with an alien new brand whose foibles
they now have to find out – usually the hard way, and when answering a 3am
call – from a standing start.

Choosing a vendor

Just because you’ve decided to be firm about the brand and model of your
particular type of kit doesn’t mean you shouldn’t shop around for the most
suitable. Seventy per cent of UK companies said they shop around for new
technology products, and I applaud them for doing so.

This doesn’t mean looking around for the cheapest offering in the market,
though: you want to be seeking out the best value option. In my experience
neither the cheapest nor the most expensive is usually the best (except in
a market with only a small handful of vendors). There are all kinds of
variables that could contribute to your definition of “value”: reliability,
availability of spares, tech support, performance and price are the five
starting points for me. Try to pick things that can be quantified (i.e.
where you can use real numbers for comparison rather than relying on
subjective judgment).

And bear in mind that shopping around is a game of two halves: once you’ve
shopped around and decided on the platform you want to buy, you can still
shop around again to get the best deal on that particular kit.

Summing up so far

OK, so let’s revisit the key things so far. I’m absolutely convinced that
not enough SMBs take good advice when making investments in technology.
Spend money with consultants to get it right at the beginning, and you’ll
save in the long run: and shop around for a consultant because you can get
good ones for non-ridiculous money. Standardise as much as you can:
eclectic collections of computer kit are a bugger to support. Outsource
apps to the cloud unless you have a compelling reason not to. And shop
around for the in-house kit so you get the best compromise between the
attributes that contribute in your mind to “value”.

Ask why you’re changing

One more thing, though: before you make a change, ask yourself why you’re
doing it. If it’s because a server you bought four years ago is now fully
depreciated in the accounts, that’s probably wrong. If it’s because the
same server goes out of support in six months and security/stability
patches will cease, that’s more like it. Most importantly, then: look
forward to when each of your key components will reach the end of its
useful, supportable life. And then plan a rolling programme of replacement,
with each of the elements staggered.

After all, if you don’t have enough internal expertise to support masses of
different stuff, you probably also don’t have the resource to replace
everything at once.
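The closing advice, tracking when each component leaves vendor support and staggering the replacements, is easy to turn into a small script. The example below is added here and is not part of the original article or the mailing list post; the inventory, asset names, dates and the three-month gap between replacements are constructed for illustration. It flags anything within a six-month lead window of its end-of-support date, spaces the replacements out, and reports where that spacing would leave an asset running unsupported before its replacement arrives, which is exactly the gap the article warns against.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    name: str          # hypothetical asset name
    kind: str          # server / desktop / network
    end_of_support: date
    critical: bool = False


def add_months(d: date, n: int) -> date:
    """Return the first day of the month n months after d."""
    years, month_index = divmod(d.month - 1 + n, 12)
    return date(d.year + years, month_index + 1, 1)


def months_until(target: date, today: date) -> int:
    """Whole calendar months from today to target (negative if already past)."""
    return (target.year - today.year) * 12 + (target.month - today.month)


def due_within(inventory, today: date, lead_months: int = 6):
    """Assets whose support ends within lead_months, soonest first,
    critical assets ahead of non-critical ones on the same date."""
    due = [a for a in inventory
           if months_until(a.end_of_support, today) <= lead_months]
    return sorted(due, key=lambda a: (a.end_of_support, not a.critical))


def stagger(due, today: date, gap_months: int = 3):
    """Assign each due asset a replacement month, gap_months apart,
    starting next month. support_gap is True when the planned slot
    falls after the vendor stops supporting the asset."""
    plan = []
    slot = add_months(today, 1)
    for asset in due:
        plan.append({
            "name": asset.name,
            "end_of_support": asset.end_of_support,
            "planned": slot,
            "support_gap": slot > asset.end_of_support,
        })
        slot = add_months(slot, gap_months)
    return plan


# Constructed sample inventory; dates are illustrative only.
TODAY = date(2017, 10, 5)
INVENTORY = [
    Asset("fileserver-01", "server", date(2018, 3, 31), critical=True),
    Asset("switch-core", "network", date(2017, 12, 31), critical=True),
    Asset("laptop-fleet-2014", "desktop", date(2018, 2, 28)),
    Asset("backup-nas", "server", date(2019, 6, 30)),
]


def build_plan(inventory=INVENTORY, today=TODAY):
    return stagger(due_within(inventory, today), today)


if __name__ == "__main__":
    for row in build_plan():
        flag = "  <-- runs unsupported before replacement" if row["support_gap"] else ""
        print(f'{row["name"]:<20} support ends {row["end_of_support"]} '
              f'replace {row["planned"]}{flag}')
```

With the sample data the core switch goes first, the laptop fleet three months later, and the file server lands in May 2018, after its March end-of-support date; that last line is the one you would either pull forward or cover with extended support. Feeding in a real inventory with the vendors' published end-of-support dates gives the rolling programme the article describes.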