There seem to be two types of business owners in the world: those in the know, and those stuck in the past. The latter are at the helm of organizations making news because they’ve collapsed beneath the weight of disasters and cyber-attacks, while the former enjoy the ease of business success, appearing to weather just about anything. Which one are you?
In many of my speaking engagements before business leaders, we touch on the importance of technology, and its real value to the business in providing huge improvements in productivity and efficiency for the organization. Specifically, the focus is on its ability to provide the necessary information to make more effective decisions faster. While technology can also be a real pain in the keister, everyone agrees that it does have the potential to offer significant benefits to their organization. Realizing those benefits is a matter of planning, implementation, execution, and support.
One of the greatest opportunities to keep your systems running effectively, and providing for increased productivity, is by addressing your IT operations. Consider your automobile for example; when the red light appears on the dash, there is a problem. The same concept is true with your IT systems. And usually, like in your automobile, that red light could have been prevented with regular maintenance.
As we approach year end, review these suggestions of what leaders should be asking their internal IT teams, or 3rd party providers, to ensure your systems are properly maintained, protected,
Update the organization’s asset inventory
Review the asset inventory for the organization, and update any changes (additions, changes, and removals) of the technology assets. Many organizations do not have a formal asset list - if you don’t have one, ask that it be created. This list should contain basic information about the assets, as well as where they are located and who they are assigned to, so that the organization is prepared in case of an issue of a lost or stolen device. Additionally, the list can also be used to address a lifecycle program for refreshing equipment, maintenance, or to easily recognize operating system or firmware levels on each device. Also, having an asset inventory is one of the 1st items required in building your Cyber Security/Disaster Recovery Plan.
Review the organization’s Active Directory (and other applications) users lists – Over the course of the year, your organization may experience turnover and staffing changes; how do you know that all users have been properly processed? Performing a review of the Active Directory (and other applications) users list allows your organization to validate that those individuals that have left the organization have had their permissions revoked. It is a prime example of good operational hygiene, and provides an additional level of security to protect your systems and data by reducing exposure risks from former employees. This process should include your cloud applications, that have independent access, to verify only those permitted users have access to your systems.
Review and update your network documentation
Over the course of the year, a number of things may have changed in the organization’s network configuration. In order to be prepared to troubleshoot an issue, or react to a cyber slash disaster incident, the network documentation must be current to allow your team to more effectively address and resolve the issue. Ask to see the most recent version of the network documentation, and its previous version, to access how often the documents are updated.
Review and update the firmware on your network devices
In today’s environment of elevated threats, all vendors should have network devices providing periodic “firmware” updates. Check with your team as to when the last time they updated, and backed up, that firmware on your devices. This is another great use of the asset inventory, to check for these updates. Many times assets are installed and configured, then left to run until they break, or are replaced 5 or more years later. If you should
have a service problem with one of these devices, the vendor is going to expect you to be at a current supported firmware level, allowing them to provide prompt and effective service. Keeping your network updated will save 24 to 48 hours of additional downtime.
Review your Office 365 subscription or on-premise exchange configuration
Reviewing the configuration of one of your most important applications is vital to protecting your organization’s productivity. Many organizations that have Office 365, originally did a bare bones conversion and license subscription. However, in today’s threat landscape, every organization should be looking at their Office 365 subscription to validate that they have advanced threat protection, and have configurated their system to provide maximum protection to their users. Furthermore, you should ask your team about your Office 365 backup program, as Microsoft does not provide a backup solution for Office 365. If you have an on-premise exchange system, you will need to verify that your team has updated the latest service packs on that server to ensure you are adequately protected. For good measure, you should also ask your team about the organization’s data management and archive policy for your email systems. Now is a good time to make appropriate adjustments to provide an efficiently running system for your users.
Review and validate your backup systems
When you need to do a restore is never the right time to find out you have a problem with your backup system. Check with your team to validate, both execution and frequency of, what is being backed up (data, applications, operating systems), as well as the last time, and again how often, a test is performed to validate the backup is working properly.
Validate your operating systems are at supported levels
Have your team validate that your workstation and server operating systems are at the current supported level. Microsoft has announced end of life support for various operating system software versions for workstations and servers. Using outdated operating systems leaves your organization exposed to security threats. Besides, you will significantly reduce both response and downtime, if your operating systems are on current versions and are properly patched.
Ensure your operating system patches and antivirus are up to date
Again, charge your team with validating that the operating system patches are properly applied to all of your devices, and that a current antivirus subscription is active, and up to date for all covered devices. Many laptops and remote devices are not effectively patched or updated with antivirus, leaving them exposed to security threats. Approximately 1/3 of all cyber security incidents are caused by lost or improperly maintained devices.
Make sure your user security training program is effective
If you don’t do this monthly, ask for a review of the last two quarters of training and testing program results. If you don’t have these, you need to improve your program. Providing basic security training without ongoing, regular testing is not effective to protect your organization’s systems, data, and productivity. 27% of cyber security incidents are caused by users inadvertently allowing access to your systems. An ongoing interactive training program has proven to significantly reduce this threat.
Determine when your last network security risk assessment was performed
If it is been longer than 12 months, it’s time to get it scheduled. This will help you, and your team, understand your current risks and exposures, allowing you to build a remediation plan, and highlight any issues hindering your productivity protection.
As an organizational leader you are charged with safeguarding your assets. By reviewing these 10 IT operations steps, you are being proactive in the protection of one of your most valuable assets, and guaranteeing that it is properly tuned and prepared to provide your team with the efficient productivity you need to achieve your goals. If you have any questions about these items, or how you can get your network security risk assessment covered, please give us a call at 614.495.9658 and ask for Jason and he will be happy to coordinate a conversation with you.