[BreachExchange] Small Business IT: Starting Off on the Right Foot

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 27 18:45:54 EST 2018


Can I be totally honest with you?

Providing IT services to small businesses is often frustrating.

That’s especially true when the first thing you ever hear from someone is
when the whole office has collapsed into a catastrophic mess.

I mean, sure—from a service provider’s point of view, there’s money to be
made in the rescue effort.

But there’s also that persistent nagging thought that, with the right
preparations, none of this ever needed to happen.

Here’s the inside dirt on how to do IT right from the very beginning:

You can’t skip strategy

O.K., I know what you’re thinking.

“I don’t need an IT strategy. I just need some computers and an internet

And you’d be right. You can totally get away with this—for a while, at
least. Most days, you’ll show up at the office and it will all work like
the day before.

But, here’s the problem

Without a strategy, you’re bound to end up endlessly deferring necessary
upgrades and replacements to infrastructure. You’ll also skip the kind of
prevention and maintenance work that stops small problems from developing
into disasters.

This can turn into a “death by a thousand cuts” situation—small problems
that keep recurring because they’re never properly fixed. The technician
callout fees and lost productivity will keep adding up.

They can also develop into all-out disasters that bring your whole business
to a grinding halt.

It’s not that different to driving an old jalopy that never gets a
scheduled service—you’re doing it to save money, and yet it ends up being
so expensive to keep on the road.

And, in the same way that an old and poorly maintained car might well break
down on the way to the airport, unmaintained IT systems might blow up right
at the busiest time of year.

Without an IT strategy, you aren’t managing IT problems—you’re just
responding to them as they occur.

Place a value on your productivity

A big part of the problem here is that you probably have a much better idea
of what it costs to avoid IT problems than it costs to experience them.

New hardware, software, and IT support contracts usually come with clear
price tags. But unless you’ve sat down and done some sums, you probably
don’t have a clear idea of what your downtime really costs.

How much do you spend an hour on wages? How much in a day on rent, bills,
and marketing costs?

When your systems are down, you still rack up these expenses. You just
don’t have anything to show for them.

The hit you take to reputation, morale, and momentum is harder to
calculate, but still very real.

You probably don’t need to get too in-depth with this—you can never
anticipate exactly how any given problem will impact you. Just a rough,
back-of-the-envelope idea will help you better value your productivity.

But if you never sit down and think about what your downtime really costs,
chances are you will drastically undervalue it. You will continually avoid
and defer any kind of active decision to take control of your IT
hassles—without realizing how much cash you’re bleeding on operational
expenses as these hassles freeze your business.

Set clear responsibility for IT

Perhaps the worst part of having no clear IT strategy is that you tend to
end up with nobody properly in charge of your IT environment.

The most common way small businesses get this wrong is to rely on an
employee with no formal IT role but who “knows computers.”

The other way is to engage an IT professional on an impromptu basis as
problems appear.

In each case, you’ll be waiting for things to go very wrong before taking
action. You’re not solving problems before they happen.

Let’s see exactly how this works

This will make more concrete sense by looking at how it can play out in the
real world.

Let’s say that, after a couple of years of regular use, the hard drive in
your file server wears out. This is actually one of the most common
hardware failures in a server.

Which is why just about every server keeps the same data on two drives.
That way, when one breaks, it immediately switches to another and you can
carry on without losing a second of productivity.

The server also sends a message to your systems administrator to let them
know that the drive needs to be replaced. There’s a good chance that your
server’s drive bays are “hot swappable”—meaning that the technician can
open it up and replace the drive while it’s still running.

Losing the drive that holds everyone’s work is potentially a total show
stopper. But with this combination of neat little innovations, it can be
handled so smoothly that the rest of the office probably won’t even notice.

So far, so good. But what if nobody is receiving or monitoring these alerts
that something’s wrong?

Well then you’re just one hard drive failure away from your whole office
stopping. Your remaining hard drive is just as old and has been subject to
the exact same use, so that moment won’t be too far away.

This means nobody can do any work until your technician has a free moment
to replace your dead hard drives and recover your data from your backups.
It’s urgent work, so you’re probably on the hook for an emergency call-out
fee or after-hours work.

And here’s the scary part: because nobody has been clearly responsible for
any of this, it could also be the moment you discover your backups are

This is just one of the ways a minor matter of routine maintenance, left
unmonitored, can turn into a stressful and hideously expensive freeze of
your whole office.
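The scenario above only ends well if the server's "one drive has failed" message actually reaches a person. As an added illustration (not part of the original article), this script shows what that monitoring looks like for a Linux software-RAID mirror: it parses the kernel's `/proc/mdstat` report and raises an alert for any array running with fewer members than it should have. The `/proc/mdstat` text is a constructed sample, and the parser assumes the common single-line `mdN : active raidX ...` header layout.

```python
"""Detect degraded Linux md (software RAID) mirrors from /proc/mdstat."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of /proc/mdstat: md0 is healthy, md1 has lost sdd1.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md0 : active raid1 sda1[0] sdb1[1]
      976630464 blocks super 1.2 [2/2] [UU]
      bitmap: 0/8 pages [0KB], 65536KB chunk

md1 : active raid1 sdc1[0] sdd1[1](F)
      976630464 blocks super 1.2 [2/1] [U_]

unused devices: <none>
"""

@dataclass
class ArrayStatus:
    name: str
    level: str
    wanted: int = 0          # members the array is configured for
    active: int = 0          # members currently in service
    failed: List[str] = field(default_factory=list)

    @property
    def degraded(self) -> bool:
        return self.active < self.wanted

HEADER_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(\w+)\s+(.*)$")   # md1 : active raid1 <members>
COUNT_RE = re.compile(r"\[(\d+)/(\d+)\]")                        # [wanted/active]
FAILED_RE = re.compile(r"(\w+)\[\d+\]\(F\)")                     # sdd1[1](F) -> sdd1

def parse_mdstat(text: str) -> List[ArrayStatus]:
    arrays: List[ArrayStatus] = []
    current: Optional[ArrayStatus] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, _state, level, members = m.groups()
            current = ArrayStatus(name, level, failed=FAILED_RE.findall(members))
            arrays.append(current)
            continue
        c = COUNT_RE.search(line)
        if current is not None and c:
            current.wanted, current.active = int(c.group(1)), int(c.group(2))
    return arrays

def alerts(text: str) -> List[str]:
    """One alert line per degraded array: this is the message a sysadmin must receive."""
    return [f"ALERT {a.name} ({a.level}) degraded: {a.active}/{a.wanted} members active,"
            f" failed: {', '.join(a.failed) or 'none'}"
            for a in parse_mdstat(text) if a.degraded]

if __name__ == "__main__":
    for line in alerts(SAMPLE_MDSTAT):
        print(line)
```

Run from cron against the real `/proc/mdstat` and route the output to e-mail or a ticket queue; the point of the article is that the queue must have an owner.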

It’s crucial for security

Computer security breaches are an increasing cost for businesses of all
sizes. In 2017, billionaire businessman Warren Buffett even declared
cybersecurity to be the greatest challenge facing mankind.

Without any clear responsibility for IT, there’s no clear responsibility
for keeping systems secure—to ensure that software and firewalls are
properly configured, to keep your operating system and your router firmware
patched for security updates.

With nobody attending to this, an expensive and stressful security breach
is not a matter of if, but when.

Employing, contracting, or outsourcing

If there’s the volume of work to keep them busy, it can make sense to hire
a technician or systems administrator on a part-time or full-time basis.

Very few new businesses will require this volume of work. Here, it can make
more sense to hire a freelancer to monitor your systems remotely and to
provide on-site services for the number of hours you need.

Whether you’re hiring or contracting, it’s important to engage someone with
experience providing IT services in a business environment. Otherwise, it’s
all too easy to end up with someone who doesn’t understand industry
conventions and standards and does things in their own weird and wonderful
way. This leaves you with an IT environment that’s completely
incomprehensible to any other technician. This is where it can be helpful
to engage a consultant to help you vet candidates.

Many small business owners feel like they’ve got enough to manage without
having to navigate this, and will instead outsource their IT support to an
external business.

Take control of your IT infrastructure lifespan

Look: When your IT environment is just you and your computer, lifecycle
management is easy. All you need to do is buy a computer and use it.

A few years later, it’ll get a bit slow and struggle to keep up with the
increasing demands of new software. That’s when you buy a new one.

This “let’s just see what happens” approach doesn’t scale very well. You
start to run into problems in a more complex environment, such as a
client/server network.

Breakages cause interruptions and downtime

Unfortunately, replacing things one at a time usually means waiting until
they eventually break. This means every single item you buy gets the
opportunity to interrupt your work day—and perhaps at the worst possible

The interruptions and lost productivity are often much more expensive than
the hardware itself. You can also run up further costs by paying a callout
fee to your technician every time something needs to be replaced.

Your IT environment will grow more nonstandard and complex

As the years wear on, the bigger problem with replacing everything one at a
time is that, to keep all the bits and pieces talking to each other, your
IT environment will gradually accumulate weird one-of-a-kind configurations
and quick-fixes that end up hanging around for years.

As your IT environment becomes more idiosyncratic, it becomes much more
difficult for technicians to understand. Basic tasks become much more time
consuming—one way or another, you’ll be paying for that time.

One of the most troubling parts of this is that you can end up relying on
old software and old protocols—this can mean that applying security updates
can stop your software from working or can stop your machines from talking
to each other.

Some businesses in this situation end up just not applying security
updates, leaving themselves wide open to ransomware. In 2017, the two worst
ransomware attacks both targeted a security vulnerability that Microsoft
had already patched.

By having a clear replacement date for your infrastructure, you can avoid
some serious headaches in years to come.

Scheduling a time to replace your infrastructure

One of the nice things about taking control of infrastructure lifespan is
that replacement times are no longer forced on you. You can schedule it for
the part of the year when there.

For many businesses, this will be during summer when your staff and
customers are away on holidays. But if summer’s your busiest time, perhaps
winter might be better.

Of course, the slow part of the year is also when cash flow is tightest.
But by knowing years in advance when everything has to be replaced, you’ll
have adequate time to budget.

Leading up to this time, you should sit down with your technician to
properly plan your migration to new infrastructure. If the rest of your
office isn’t completely shut down during the migration, you may also want
to consider ways to keep your workers productive at this time.

Write policies for IT security and recovery

IT security is about more than just properly configured and updated
software. Many attacks target the human vulnerability—by tricking users
into running malicious code, or by cracking guessable passwords.

Of course, despite your best preparations, you might still get burnt. You
need to be prepared for that too.

School your staff on phishing and spear phishing

Phishing attacks masquerade as legitimate emails to trick people into
running malicious attachments. Increasingly, businesses are also being
targeted by “spear phishing”—a kind of phishing email written to target a
specific individual.

You need to train your staff to recognize these threats. Be sure to have an
actual conversation about this, rather than just having them sign a
document to say they understand the company policy.

Don’t just assume this stuff is obvious. It might seem obvious to you, but
not everyone has the same level of knowledge. These attacks only persist
because some of the time they work.

Internal and external password policies

Increasingly powerful computer hardware makes it ever easier to crack

If you don’t set password policies, it’s likely both you and your staff
have chosen something insecure. Good passwords should be at least 10
characters in length, and not be overly dependent on common words. They
should also be unique.

Because it can be difficult to remember a great many passwords that meet
these conditions, you may want to consider the use of a password manager—we
use LastPass, but any of the popular alternatives do much the same thing.

Disaster recovery plan

Most business owners are realizing how important it is to have backups. But
rather fewer understand the need for a disaster recovery plan—a documented
set of procedures to follow in case of major disasters like ransomware,
burglary, or flooding.

When these disasters strike, every ticking second of lost productivity
costs you money. You don’t really want to spend this time working out what
you need to do next—and it’s too late to identify any extra preparations
you should have taken.

Disaster recovery plans should be revisited as your IT environment changes
and grows.

It’s about avoiding headaches as you grow

Most of us have spent a large part of our lives using computers at home,
school, university, and the workplace, without ever really thinking about
what our “strategy” is. We just switch it on and start using it to get
things done.

This attitude is fine in many situations, but if it’s how you manage your
IT needs in a new business, you are setting yourself up for stress,
expense, and headaches. The good news is that this can be avoided.

By properly planning who’s in charge of your IT, how long you expect it to
last, how your staff should use it, and what to do when things go wrong,
you can give your new business the best chance of success.