Technology pervades every aspect of how we work: how we communicate, write, set up and sign contractual agreements, operate, manage finances, analyze results, and so on. As businesses or organizations, we need to treat technology as the asset that it is.
Maintaining any asset requires investment and upkeep, just as a physical asset such as a building or vehicle does. Technology is no different.
Cybersecurity is one of the most important aspects of day-to-day operations that every business or organization must manage. Bad actors do not care about the size of your business when launching a ransomware attack, whether they use automated bots to sniff out weaknesses in your network or phishing attacks to exploit the behavior of you or your employees.
Thus, you need to make sure you have set up your network infrastructure so that the systems you connect to the internet have the right protection, whether they sit at your office, warehouse or store, or whether you host your website through an external party.
Protection doesn’t rely solely on technology: it comes down to behavior too. Set up policies that specify how employees must handle information and who has access to key information, and that ensure access is granted when needed and withdrawn when it is not. Educate employees on phishing, spear phishing, and social engineering attacks, including how to spot the red flags in a phishing attempt.
Cybersecurity is such a broad subject that it is best to start with a security profile analysis to identify where the highest risk to the business or organization exists. You can then address the highest-risk items and develop a roadmap to continue refining and raising your overall security profile.
Business Continuity/Disaster Recovery
What happens if a critical system fails?
- Your ecommerce site crashes.
- Your ERP system goes down.
- Your accounting file is corrupted.
- You are the victim of a ransomware attack.
All of these things can happen at various times, and in some cases a system restart or a quick restore of a local backup file gets you up and running again with little time lost. But what if the impact is more critical and it takes time to get back to normal operations? What do you have in place to recover, and how long will it take?
The typical metrics are:
- Recovery Point Objective (RPO) – this is the point up to which you can accept losing work and still be in a good position. For example, if the backups are daily, then you can potentially lose a day’s worth of work (word processing documents, spreadsheets, accounting files/data) and still be up and running and recreate what is needed to keep the business going. However, if losing a day’s worth of data would be harmful to the business, you need to plan for more frequent data backups or redundancy.
- Recovery Time Objective (RTO) – this is the time measured from the beginning of the fault to when service is restored.
The overall goal should be to minimize the time you are “offline.” Depending on the business, the tolerance for time offline will vary greatly and must be determined by your situation.
Cloud services help mitigate downtime, as those services are maintained 24/7 and, in general, are set up for rapid recovery because the provider manages the infrastructure. If you are using on-premises servers or managing virtual machines in a data center, you should operate based on the 3-2-1 rule for backups – 3 copies of the data, in 2 locations, 1 of which should be off-site. The cost of this will depend on how quickly you want to recover: the faster the recovery, the higher the cost.
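As an added illustration (example code, not from the original article), the following script evaluates a backup inventory against the two metrics above: the RPO check reports how much work would be lost if the primary system failed right now, and the 3-2-1 check applies the rule exactly as stated above (3 copies, 2 locations, 1 off-site). The inventory and the assumption that the live production data counts as one of the three copies are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class DataCopy:
    label: str
    location: str          # where this copy physically lives
    offsite: bool          # True if it is away from the primary site
    completed_at: datetime # when the copy was last completed

def rpo_status(backups, now, rpo):
    """Worst-case data loss if the primary failed at `now`: the gap since the
    newest completed backup. The RPO is met when that gap is within it."""
    loss = now - max(b.completed_at for b in backups)
    return loss <= rpo, loss

def three_two_one_status(primary, backups):
    """3 copies (assumption: the live data counts as one), 2 locations,
    1 off-site, as the article states the rule."""
    copies = [primary, *backups]
    return {
        "three_copies": len(copies) >= 3,
        "two_locations": len({c.location for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }

def backup_report(primary, backups, now, rpo):
    """Combine both checks into one report a business owner could act on."""
    rpo_met, loss = rpo_status(backups, now, rpo)
    rule = three_two_one_status(primary, backups)
    return {"rpo_met": rpo_met,
            "hours_at_risk": loss.total_seconds() / 3600,
            "three_two_one_met": all(rule.values()), **rule}

# Constructed sample: nightly 02:00 backups, checked at 09:00 the same day.
NOW = datetime(2024, 3, 5, 9, 0)
PRIMARY = DataCopy("erp-server", "office", False, NOW)
BACKUPS = [
    DataCopy("nas-nightly", "office", False, datetime(2024, 3, 5, 2, 0)),
    DataCopy("cloud-nightly", "cloud-region-a", True, datetime(2024, 3, 5, 2, 0)),
]
RPO_DAILY = timedelta(hours=24)  # tolerable for a daily-backup business
RPO_TIGHT = timedelta(hours=4)   # a business that cannot lose a day's work

if __name__ == "__main__":
    for rpo in (RPO_DAILY, RPO_TIGHT):
        print(f"RPO {rpo}: {backup_report(PRIMARY, BACKUPS, NOW, rpo)}")
```

With the daily RPO the sample plan passes, but with a four-hour RPO the same nightly job leaves seven hours of work at risk, which is the point at which the article recommends more frequent backups or redundancy.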
Systems & Software Management
This is more typically the domain of a managed service provider or a local business technology company. It covers network management, helpdesk support, and general support for the operational side of the computers, terminals, and other devices used daily, and it is likely the most visible element of your technology services besides the workstations and other physical devices you use.
Make sure you have a clear understanding of how your provider handles helpdesk requests and of the Service Level Agreements (SLAs) they have in place. SLAs document a response time and when you can expect to receive service. This is usually broken down by the severity of the request: a key system being offline is more critical than a requested upgrade to that system, for example. Also, be sure to understand and document what is in scope and out of scope for the standard service fees you are paying, and what you may need to pay extra for.
- Operating system management
  - Ensuring that system updates, patches, and hotfixes are applied in a timely manner.
  - Upgrading so that you remain on a supported system, as versions of Windows reach end of life at some point.
  - Keeping up with new versions ensures that you are using the latest security updates.
- Application of feature and security patches
  - Standard schedule – upgrades and new release management. Note that this is typically a non-issue if you are using a SaaS-based service that you access via a web browser. SaaS providers update the software when they need to, and each time you access the service you will be using the most recent release.
  - Emergency updates – for the software you do have installed on workstations or terminals, make sure you keep up with the providers’ latest security bulletins so that you can apply urgent fixes when they are released.
Policies are the written rules and guidelines that document which data and systems are to be managed and used, and how. Typical policies include:
- Acceptable Use Policy – This provides guidance on what company systems and software can be used for.
- Email Policy – Guidance on what constitutes appropriate use of company provided email and what is considered unacceptable.
- Security Policy – Guidance on the accepted security steps that should be taken to protect confidential information. This will likely cover password standards, use of multi-factor authentication, transmission of encrypted data, handling of external data sources, and much more.
- Systems Access Policy – Depending on the nature of the business, there should be clear guidelines on who has access to which systems and software and for how long. For some tasks a user may require access only for the time it takes to complete their work; for others, access may be tied to their role and thus be longer term.
Clear guidelines in such policies, together with ongoing training on them and regular review of them, reduce ambiguity in how your teams work and manage company data, which may include confidential data such as the financial and/or health information of your clients as well as confidential company information.
The technology team at MarksNelson can help guide your company through your technology needs and scale to the size of your business. From ecommerce to CRMs to long-term strategic technology planning and more, we can help. Reach out today.