Blogger: James Osborne, Technology Consultant at Osborne Technology Consulting
This is the second in a four part series of blog posts from our 22 March ITMA meeting, “20 Questions You Should Be Able to Answer About Your IT”. Part 1 covered Hardware, Software and other equipment. Part 2 covers Security Concerns and other Policies. Part 3 will cover DR/BCP and IT Department Processes, and Part 4 will cover Miscellaneous Topics. The presentation itself is available HERE.
#6 – Do You Have a Cyber Security Breach Response Plan?
Your odds of suffering a cyberattack vary greatly depending upon your size, industry and exposure. Health care, for example, is a prime target for attackers. 81% of health care companies suffered a breach over the last two years. While you can reduce your odds of being breached from a cyberattack, it’s still a possibility you should face.
Having a written Response Plan will provide you with guidelines to respond quickly. Working on the plan BEFORE any incident happens ensures that you are thinking clearly and dispassionately about how to respond, rather than reacting in the moment. It also provided you with time to research responses and their repercussions, rather than making a panic stricken response that may be ill-advised.
#7 – Do You Have An Emergency Action Plan
There are many threats to our day to day operations – tornadoes, fires, criminal activity, chemical spills, etc, can all impact our businesses. If a neighboring tenant has a fire, will the sprinklers affect your offices? If a disgruntled employee storms in with a gun, how do you respond? What if the estranged spouse of an employee makes bomb threats?
Many buildings now require tenants to have a written Emergency Action Plan (EAP). They may require periodic testing. If yours doesn’t, you might wish to consider developing one anyway. The slight loss in productivity from testing your plan will be worth it should you ever need to actually enact your plan.
While these aren’t necessarily technology challenges, they do spill over. You can ensure that your plan requires people to bring their laptops, provided it’s safe to do so.
#8 – Do You Have a Communications Plan?
How do you alert staff to ‘snow days’? How do you tell people to not come in because there’s been a chemical spill? How do you tell people that you’ve had a power outage, and they should work from home for the day?
In years past, many have used a ‘phone tree’ to communicate with staff. It works, but it’s cumbersome and takes a while with any sizeable group. E-mail notifications can be effective, but only if your staff all have access to e-mail and check it regularly. Text messages can also be effective, but again, only if your staff have access to text messages. Whatever method is used, you must be certain that it’s not reliant on your network resources, as they may be unavailable.
#9 – Do You Perform Security Audits?
Unless you’re in the business of Information Technology Security, you likely have many holes in your security. After all, it’s not a core competency, so it shouldn’t be a surprise if you don’t have everything nailed down. Even if you’re a IT Security expert, there are likely some holes in your security. If you don’t perform internal security audits, you should probably contact that work out on a regular basis.
There are many providers out there who would be happy to provide various levels of security audits, from simple network probes to sophisticated ‘social networking’ attacks. Maybe you’re running an older firmware version on your firewall, or have ports that were left open for an old project. Maybe you haven’t updated some of your software and there’s a known exploit out there that could allow nefarious individuals into your network. Maybe your staff are just too trusting and need to be educated how to deal with threats. Just like you go to a specialist if you have a thyroid problem or suffer from migraine headaches, you should seek the assistance of a security specialist.
However, simple having a security audit performed is not enough….you must follow their recommendations and plug any holes they find. Unfortunately, many companies who contract an external security audit do not use the audit findings to secure their network. Either they’re unable to get buy-in from management and earmark the funds necessary to address the issues, or they were compelled to have the audit done for some reason and have no interest in responding to it. This is as irresponsible as going to your doctor because of some complaint and then ignoring her recommendations and prescriptions.
#10 – Do You Have Complete Network Documentation?
As any who know me can attest, Network documentation is a cause of mine. I frequently have to come into an existing network and try to figure out how things are done because there is no documentation. Or, worse yet, documentation exists, but it’s inadequate, incomplete or inaccurate documentation.
Network documentation should cover everything in your environment – servers, workstations, print/scan, backup, your cabling infrastructure, your telephony, etc. If it’s something your responsible for, you should have documentation for it.
People are often unwilling to devote the time to develop good documentation. Either they feel they’re too busy, or they feel that they have a good handle on things on their own. Or, they may feel that not making documentation available is some sort of job security.
Good documentation should enable anyone to get into your systems and do the work they need to do. This includes a consultant assisting with an Office 365 migration, an IT intern adding a new network printer, or your replacement attempting to determine what equipment should be upgraded in the coming years. Good documentation should also allow you to completely replace everything should Aliens ever take your building – inventory of all hardware and software, contracts, contacts, notes, configurations, etc.