David Strom has an interesting article in Network World about 7 Lessons That SMBs Can Learn from Big IT. It’s basically sound and definitely worth checking out. But there are some important gotchas and caveats that didn’t make the cut. So I thought I’d just stuff in a few extra ideas and warnings into the list.
1. Standardize on Desktops and Cell Phones to Reduce Support Differences
This is really a great idea, and you will definitely save money, pain and suffering by standardizing your hardware and software. This would work really swell in an ideal world where you started from zero – with no existing “legacy” equipment or software and were able to bring everything in completely new. Problem is, not only do you have legacy hardware and software, you also can’t afford to refresh every desktop or cell phone simultaneously. So what you are forced to do is review your standards continuously and develop a “refresh path plan” that takes into consideration that different departments (or users) have completely different refresh schedules. For example, you need to refresh engineering every year, but accounting can probably refresh every 3 years. This also leads to some gnarly incompatibilities with different versions of software. A notorious example of this is brought to you by Microsoft who chose a new, improved and decidedly not backward compatible format for Word documents in Office 2007. Finally there is the problem of what “standard” means to hardware vendors. Just for grins compare actual hardware – with the same SKU – that ships in early and later versions of a Dell model number. Just keep in mind that if you choose to save money by standardizing on consumer hardware you run the risk of incompatibilities even with the same model number.
2. Perform Off-Site Backups
Off-site backup are definitely a must have. But they must also be automatic. No transferring data by hand from one place to another. Recall those data breaches by way of lost backup tapes? David suggests some online solutions and even cites a nifty side effect of this method.
Earlier this summer, Damian Zikakis, a Michigan-based headhunter, had his laptop stolen when someone broke into his offices. He replaced it a few days later; and because he had used Mozy, he thought that he was covered in terms of being able to bring back his files from the Internet backup.
When Zikakis had a moment to examine the layout of his new machine, he “found several incriminating files. The individuals who had my computer did not realize that the Mozy client was installed and running in the background. They had also used PhotoBooth to take pictures of themselves and had downloaded a cell phone bill that had their name on it,” he says.
Another possibility is to utilize your web hosting provider or colocation service to provide backup and archive space. In any case, it has to be offsite, easy and automatic otherwise it just won’t work.
3. Use Hardware to Secure Your Internet Connection
An article like this really shouldn’t have to include a point this obvious. But sadly it does. Not only that, it cannot be stress strongly or often enough that you have to understand and configure your security hardware. You can’t just plug it in and be safe. Furthermore, the appropriate selection of a security solution is critical. No, they are not all created equal. And no, they don’t all do the same things. The hardware that David mentions by way of example is a Unified Threat Management (UTM) system which generally puts quite a bit of security functionality into a single box. UTMs basically secure your internet access and if you intend to become larger than an SMB you need to be aware that they don’t scale up that well. Also if your problem is access control, rather than internet security a Network Access Control (NAC) system might be more appropriate. Or you might need both. Or something lighter weight like StillSecure’s Cobia network platform. Or something completely different. The point is that while everyone agrees that you need something – just which something is a not a trivial question. There is no one size fits all security solution. Here’s where judicious use of your consulting budget makes a lot of sense. And no, I’m not a consultant. I just play one on the internet.
4. Use a VPN
If you don’t like eavesdroppers and you do anything remotely, you need a Virtual Private Network (VPN). Period. They are cheap, easy to set up and will probably even come with that UTM solution you are considering in #3. If you choose to do this in-house instead of a managed VPN services like the ones mentioned by David, make sure you have the internal expertise to handle it. Do not hire a contractor to set up your VPN. Either outsource it all or none of it.
5. Run Personal Firewalls, Especially on Windows PCs
Actually what this title should probably be is “Run a desktop security suite on Windows PCs and make sure that all endpoints are compliant to your policies before you let them on your network.” While that is certainly longer winded that David’s succinct title, it more accurately captures what he is saying. The point is that you should have a desktop security policy that specifies what software your network endpoints must be running and have a way to determine if your network endpoints are compliant to that policy. The best way to accomplish that is with a Network Access Control (NAC) solution, like the Napera appliance mentioned in the article. There is, as usual, more to the story. Once you determine that an endpoint is non-compliant you can’t quarantine them forever. You have to provide a remediation mechanism, preferably automated, so that they can get back to work as soon as possible. It’s been my experience that sales guys get really cranky if you quarantine them for a long time. And just try that with your CEO. Bet it only happens once. And if you are going to have a NAC solution in place, what about “guest” users – you know contractors, visiting product reps, partners. They all need varying levels of access to your network as well, while you still need to be protected. The point is that this isn’t as easy as slapping in an appliance and your endpoint compliance problems are solved. If a sales guy tells you different, hang up the phone. Now.
6. Rely on VoIP PBX for Your Phone System
This is definitely one of the biggest money and time savers you can do. The services associated with a good VoIP PBX system are killer and my experience with these systems has been excellent. The only caveat here is that you should definitely get VoIP as a managed service unless you have some really serious talent in-house. If you think you can just whip an Asterisk server on one of your Linux boxes and you are good to go, think again. VoIP is very cool and it isn’t that hard if you really know what you are doing. Which I don’t and you probably don’t either.
7. Have a Solid Test Plan for Adding New Technology
This is probably the most important point. Treat your technology test plan like an actual project. It’s not good enough to simply say, “Joe will look into it”. That’s not a plan. And it assumes that Joe will do it during his slack time (an IT guy with slack time – whoa!). What will actually happen is that Joe will call one or two vendors and talk to the nice sales folks and ultimately pick the one with the best swag or the hottest looking booth babes. Just pony up and do it right. It will save you beaucoup time, money, pain and suffering. And you stand a chance of actually developing some of that in-house expertise.
Security For All 