If you’re in business, chances are you need to meet some compliance standard with a bunch of letters or numbers in it. Think HIPAA, PCI, NIST 171, etc. We could discuss each indepth, but you wouldn’t make it to the end of this article without getting sleeeeepy, so let’s not.
Instead, what if we define what it means to be reasonable about IT and security? Do you fit the definition of “reasonable?”
Being reasonable doesn’t sound too bad, right? For example, you might (should?!) use deadbolts, alarms and camera systems to protect your office. This is entirely reasonable.
There are some IT things that business owners and executives should know. We’re not talking technical skills; we’re talking about conversational knowledge and an awareness of current expectations.
Firewall: You have a network of computers connected to the internet. You need a firewall to separate your business network from the rest of the internet. A good one does all kinds of other stuff like making sure your employees don’t use your computers to mine crypto-currency all day long. (There are many super-helpful business functions that a well-configured firewall can provide, but more on that another day.)
Patch Management and Antivirus: Patch management involves keeping all devices up to date with the latest security updates and patches. No device is immune. For the most part, if it runs on electricity, it needs to be updated regularly. Same with antivirus. You need updated antivirus software on your devices. All of them. And those devices need to be monitored to be sure antivirus stays up to date. If you have 100 PCs, it’s not reasonable that once you install antivirus, all PCs will update automatically without fail. Monitoring tells you which ones need help.
Mobile Device Management (MDM): MDM is used to secure company data on mobile devices, such as phones and tablets. The data on your phone should be encrypted so it can’t be read by someone other than you. MDM does that. If you lose your phone, what would it take for someone to access the data stored on it? MDM helps you contain that sensitive data and wipe it if it should fall into the
WiFi Security: This one’s easy. WiFi needs to be encrypted to be considered secure. Encryption is improved from time to time so it’s good to know what encryption level you’re at and what is the current, most-secure level. Update your devices to match the current standards.
Reliable Data Backup: You need to back up your data. All of it. It’s not optional. And you need to test it. It’s reasonable to ask you to test it. Delete a non-important file and restore it from backup. Often. Even cloud servers need to be backed up.
Data Destruction: Where do the hard drives go when you replace a PC? That data needs to be destroyed. You should know who’s doing it and how it’s being done.
Continuity of Operations (CoOp)/Disaster Recovery (DR): You need a plan to keep your business running when your technology isn’t running. It will happen. At some point, on an inconvenient day, you’re going to deal with a technology outage. What’s your plan to deal with it? You don’t need to write the plan yourself, but you should understand the basic functions of it and test it.
Written Information Security Protocol (WISP): A WISP describes the security of your company. It puts into writing how often you change your passwords, who’s responsible for your IT security, what data is most vulnerable to a breach, etc. Often, it includes an Acceptable Use Policy (AUP), which lets your employees know that they’re using a business PC and it should be used for business purposes only.
Equipment Life Cycle: OK, no one likes to throw good stuff away, but keeping to a three- to five-year equipment life cycle is reasonable. If you spend $650 on a PC, you should expect to use it for five years and then replace it. The older your technology, the more likely it is to break, and it will break on the worst day.
Penetration Testing: A “pen test” is a planned attempt to poke holes in your network from the outside. You’re paying someone to tell you what your network looks like from the internet. How easy would it be to penetrate your firewall? How close to your data could someone get with minimal effort?
Sometimes the best we can do is take reasonable precautions to be secure. Like locking the deadbolt. We know a determined criminal can still get in, but locking the deadbolt is a reasonable step towards feeling secure. When it comes to IT, by addressing the items discussed, you’re on the right path to feeling secure about your technology.
Kurt Simione is owner of Technology Seed, an IT support firm in Salem. He can be reached at 603-458-7190, firstname.lastname@example.org or TSeed.com.