My colleague and I had just had a terrific meeting with our contact at TechSoup. If you aren’t familiar with TechSoup, they’re a great organization that helps non-profits worldwide obtain discounted, current versions of software, along with hardware and other tech needs. They got their start redistributing old software to charities in Silicon Valley, then moved up to discarded hardware, and then end-of-life software. Originally, repurposing was a win/win scenario. Today, it’s a cost-cutting, short-sighted approach that may not end well for the many small businesses that use it. And that’s where this story begins.
We all understand the benefits of being proactive: it saves costs, reduces incidents, and in the end saves both money and tears. But for many non-profits and SMEs, it's really hard to plan ahead when you are limited in terms of budget and manpower, and the only management style you know is day-to-day. What came to light was that there are lessons to be learned and shared by non-profits and SMEs right on up through big business. Everyone measures things by their ratio of dollars to urgency.
In the course of doing tech audits, be prepared to unearth some rather ugly truths. Because what’s buried in the server closet doesn’t stay buried in the server closet. You’ll find discarded devices that were never deployed because nobody knew how to use them. A conglomeration of wiring that someone’s Uncle Bob, a tech enthusiast with no real training, patched together for almost nothing. Unpatched, outdated operating systems practically flashing a neon sign “Open for Exploit.” Our challenge, should we choose to accept it, is to help people move past this.
Good "hygiene" and keeping things current are not simply nice-to-have or a luxury only large enterprises can afford; they are fundamental to an effective security policy. But it won’t be quick or easy to help shift the existing mindset and show non-profit organizations and SMEs why they need to overcome the inertia of no perceived cash/time/manpower. The fact is, when businesses and non-profits try to take it all on themselves, consequences ensue. It’s inevitable with older systems, outdated software, not knowing how to use all the necessary components, network no-no’s, and failure to patch or upgrade. A penny saved here won't be a penny earned when a security incident, or worse, a breach, happens. There's a reason they call it "accidental" tech.
Proactive vs. Reactive Management
So what if we offer up a “success audit” instead? Here are some guidelines that can help clean up that server closet and make a positive impact on the bottom line.
- Start with your operating systems. Are they current or out of date? You don’t want to run out-of-date software, because it can no longer be patched for security. That leaves you vulnerable, and if you need to follow compliance regulations, that could be a costly error when, not if, a breach occurs. The costs of licensing newer copies of software are negligible in contrast.
- Next, does your inventory of existing hardware – servers, desktops, laptops – support the newest version of the Operating System? If it can’t, find out if you can upgrade the RAM or the BIOS. Or do you need to purchase newer items?
- Third, whatever size your business is, you need to have a patch management strategy in place. That’s not as hard as it might sound, especially if you are using Microsoft Windows and can configure automatic updates. Yes, there is a right way and a wrong way to patch. Ideally, you want to test any patch in isolation before risking the health of your entire network. So either you have someone in house who is knowledgeable about how to do this, or you hire someone to do it correctly for you. Again, the cost here is far less than risking the network, or leaving the network open to exploit.
- What is the state of your network? This isn’t the place to be cutting corners, especially with all the emerging high-level risks and vulnerabilities. You need an enterprise-grade firewall in place, routers and switches properly configured, a UPS as failover for when the lights go out unexpectedly. Now ask yourself this question and answer honestly: Do you have someone in-house who understands how things work, and how they need to work together? If you don’t, there are companies who provide managed services as you need them, who can monitor the health of systems and be ready to react when things stop working. And again, all of this does not cost nearly as much as you’d think, and nothing compared to the cost of a breach.
To safeguard everything, as a bare minimum you need a robust, reputable antivirus deployed and monitored from a central location so that all devices can be scanned and updated. Antivirus definitions change frequently, and the product won’t work effectively if it doesn’t know what’s out there. Over and above that are Intrusion Protection/Intrusion Detection systems, but these require an investment of time, money and dedicated manpower to accurately analyse the findings. They are recommended, but only if you won’t lock them away in the server closet to run themselves.
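As an added example (not from the original post), here is a read-only PowerShell "success audit" that turns the first three guidelines above and the antivirus point into a quick report for one Windows machine: OS build, RAM and BIOS date, the age of the last installed patch, whether automatic updates are disabled by policy, and Microsoft Defender signature freshness. The 8 GB RAM, 30-day patch and 3-day signature thresholds are assumptions to tune for your environment.

```powershell
# Added example, not part of the original post. Read-only: it reports, it changes nothing.
# Thresholds below (8 GB, 30 days, 3 days) are assumptions; adjust to your own policy.
$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS

# 1. Operating system: what is running and when it last rebooted (a box that never reboots never finishes patching).
"OS:         $($os.Caption) build $($os.BuildNumber)"
"Last boot:  $($os.LastBootUpTime)"

# 2. Hardware: is there enough RAM for a current OS, and how old is the firmware?
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
"RAM:        $ramGB GB" + $(if ($ramGB -lt 8) { '  <-- below 8 GB; check whether a RAM upgrade is possible' })
"BIOS:       $($bios.SMBIOSBIOSVersion) released $($bios.ReleaseDate)"

# 3. Patching: most recent hotfix with a recorded install date, and the automatic-update policy.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $age = (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    "Last patch: $($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString()) ($age days ago)" +
        $(if ($age -gt 30) { '  <-- over 30 days; review the patch process' })
} else {
    'Last patch: no hotfix records found  <-- investigate'
}
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { 'Auto-update: DISABLED by policy  <-- fine only if a deliberate patch plan replaces it' }
else                                 { 'Auto-update: not disabled by policy' }

# 4. Antivirus: Microsoft Defender status, if the Defender module is available on this machine.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    "Defender:   enabled=$($mp.AntivirusEnabled), real-time=$($mp.RealTimeProtectionEnabled), signatures $sigAge days old" +
        $(if (-not $mp.AntivirusEnabled -or $sigAge -gt 3) { '  <-- fix this before anything else' })
} else {
    'Defender:   status unavailable (third-party AV or module missing); verify from your central console'
}
```

Run it from an elevated PowerShell prompt on each machine, or push it through your remote-management tool, and keep the output alongside your hardware inventory so the "when, not if" conversation starts from facts.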
It’s no surprise that small organizations and non-profits can feel overwhelmed by trying to stay on top of their tech. Don’t let that discourage you from moving past the inertia. It's okay to ask for help. In fact it is essential when so much is at stake. Instead of managing the unmanageable, organizations of any size will benefit by looking ahead and planning beyond just doing the day-to-day. Because living in the moment is good for some things, but not so much for managing your technology and information security.