IT Support Blog for Small Business Owners

Michael Silverman


Is Your Network Security Adequate? Think Again!

Posted by Michael Silverman on Tue, Feb 18, 2014

Back on February 7th, NBC reported on potential security risks at the Olympic Games. There was a lot of controversy about the article itself, but, accurate or a hoax, IT security doesn’t get the attention it should in small businesses. More and more organizations, large and small, are being audited, either by regulatory agencies or by existing or potential clients. Years back the news was about virus attacks, then malware; today we regularly hear about hacking. Everyone wants to know their data is secure.

Data security is critical to ANP’s network management practices. We protect data by applying organization-wide network security management best practices. Having a firewall, unique passwords, and anti-virus programs might feel adequate, but times have changed. It’s critical to look closely not only at the IT infrastructure within your offices, but also at equipment owned by your staff and maybe even your vendors.

As I’m writing this blog, I’m sitting at home on my personal computer connected to the office.  There are lots of options for remote workers these days, but there are also network security risks that need to be mitigated if you have a mobile or remote work force.  Let’s touch on a few.

Home computers are usually vulnerable to viruses and malware due to a lack of ongoing management and “the kiddie factor.” Microsoft and other vendors do an adequate job of providing anti-virus and anti-malware tools for home computers, but only if those tools are installed, kept current, and used correctly. If a virus or malware infects your home computer while it is connected to the office network, you’ve just introduced a “back door”: the infection, or whoever controls it, now has a path into the office that the perimeter firewall never sees. Could your organization be compromised through a home-based worker?

What about mobile devices like smartphones and tablets? Apple iPhones and iPads are generally considered tighter out of the box than Android devices (a single vendor controls the operating system, the app store, and the delivery of patches), but neither is safe by default. Do your employees use both for connecting to the office? You may limit their use to email, but do you also allow them into the office? Onto the office wireless network? ANP regularly performs Network Assessments for prospective clients. It’s surprising how few companies segment their networks so that mobile devices are confined to a guest wireless network with no path to internal servers. There are also data security risks associated with email on mobile devices. Just last week we completed an assessment for a company that was sending unsecured email to mobile devices, risking precious client information being exposed to the outside world.

What about inside your offices? Firewalls are designed to protect your network, and they do, but they are only one piece of the network security equation. Some of my clients use Intrusion Detection systems to further analyze the traffic passing through their firewall. Though this software can be pricey, the data these systems produce reinforces the need for a strong network security policy and operational discipline.

In a 30-day period, I’ve seen the logs behind “locked down” firewalls record attempts to reach servers from almost 20 different countries around the world. The firewall dropped them, but someone still has to notice the pattern. That’s why network security is a “system” of hardware, software, and operational procedures tightly woven to protect the organization and its sensitive data.
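To show what making sense of the data these systems produce looks like in practice, here is a small added example (not code from the post or from ANP) that summarizes a batch of firewall deny logs: how many blocked attempts, from how many distinct sources and countries, which ports were targeted, and which sources walked through several ports the way a scanner does. The log lines are constructed for the example in an iptables-style format (an assumption; adapt the regex to your firewall’s syslog output), and the source-to-country table is a stand-in for a real GeoIP lookup.

```python
"""Added example (not from the post): summarize firewall DENY logs.

Constructed iptables-style log lines and a constructed source-to-country
table stand in for a real syslog feed and a real GeoIP database.
"""
import ipaddress
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>DENY|ACCEPT) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)

# Constructed lookup; in real use this comes from a GeoIP database.
SOURCE_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "AA",
    ipaddress.ip_network("198.51.100.0/24"): "BB",
}

# Assumption: one source probing 3+ distinct ports is treated as a scan.
SCAN_PORT_THRESHOLD = 3

# Constructed sample: one source walks three ports, one line does not parse.
SAMPLE_LOG = """\
Feb 10 03:12:44 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=3389
Feb 10 03:12:45 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=22
Feb 10 03:12:46 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=445
Feb 11 14:02:01 fw01 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Feb 12 22:40:13 fw01 kernel: DENY IN=eth0 SRC=198.51.100.99 DST=192.0.2.25 PROTO=TCP DPT=1433
Feb 13 09:15:30 fw01 kernel: DENY IN=eth0 SRC=203.0.113.200 DST=192.0.2.10 PROTO=ICMP
Feb 14 11:00:00 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Feb 14 11:00:01 fw01 kernel: garbage line that does not parse
"""


def country_of(ip_text):
    """Country label for a source address, or 'unknown'."""
    ip = ipaddress.ip_address(ip_text)
    for net, country in SOURCE_COUNTRY.items():
        if ip in net:
            return country
    return "unknown"


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None   # ICMP has no port
        events.append(ev)
    return events


def summarize_denies(events):
    """Who is knocking, from where, on which ports, and who looks like a scanner."""
    denies = [e for e in events if e["action"] == "DENY"]
    ports_by_src = defaultdict(set)
    port_counter = Counter()
    for e in denies:
        if e["dpt"] is not None:
            ports_by_src[e["src"]].add(e["dpt"])
            port_counter[e["dpt"]] += 1
    sources = {e["src"] for e in denies}
    return {
        "denied": len(denies),
        "distinct_sources": len(sources),
        "countries": {country_of(s) for s in sources},
        "top_ports": port_counter.most_common(5),
        "probable_scanners": sorted(
            s for s, ports in ports_by_src.items() if len(ports) >= SCAN_PORT_THRESHOLD
        ),
    }


if __name__ == "__main__":
    for key, value in summarize_denies(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a month of exported firewall logs instead of SAMPLE_LOG and the “20 countries” figure becomes a number you can reproduce and trend; the scanner list is the part worth reviewing by hand, since a source walking through RDP, SSH and SMB in the same minute is not a stray packet.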

IT Security Equation

Here are a few questions to discuss with your IT staff or outsourced provider. Your answers will determine the next steps needed to establish appropriate levels of network and data security in your business:

  • How old is our firewall and how current is its operating system?
  • What is our server and workstation patch status and update process?
  • Do we have any Windows XP computers in our network?
  • What is our password management strategy?
  • How do we control and manage access to sensitive information on our servers?
  • Do we have a guest wireless network for employee smart phones and guest traffic?
  • When is the last time we had an outside network security assessment?

Have any questions or comments? Interested in a free network assessment? Click the button below.

Request A Free Network Assessment

Topics: data security, IT security, network security, network assessment

Did You Budget for Increased IT Support Costs This Year?

Posted by Michael Silverman on Mon, Feb 03, 2014

Last month, I blogged about Technology Management strategies and how to link good IT management back to a predictable IT budget. This April brings not only its usual tax day but, crucially for IT management and business continuity, the end of support for the Microsoft Windows XP operating system. Unless you’re in the minority, look around and you’ll see Windows XP desktops or laptops. So what does the end of support for XP have to do with increased network management costs? It means you’re going to need to upgrade old computers or risk unplanned downtime when an unsupported operating system is exploited.

Microsoft has stated that “after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.  This means that any new vulnerability discovered in Windows XP after its ‘end of life’ will not be addressed by new security updates from Microsoft.” IT security is a leapfrogging game between those trying to attack a computer or network and those tasked with protecting it.

The graphic below illustrates the typical IT management strategy for protecting a computer or network. Security systems are designed to prevent attacks, but what happens when an attack is not detected? Computer systems can grind to a halt and valuable data can be lost.

IT Virus Detection, Response, Prevention 

For years I’ve expressed to clients that someone needs to be the first to get a new virus, or be the victim of a software security flaw before patches or updates can be introduced.  About four years ago, one of my clients was one of the first to get hit with a new virus.  It was identified by Symantec two days prior and the virus definition update, the response, had not yet been released.  Fortunately, there were good monitoring controls in place and we were able to limit the damage until Symantec got us the interim software release.  The net effect was limited downtime and minimal loss of productivity.

Now let’s fast forward to April 2014. You’re a small business, say 40 employees, all with Windows XP desktops. One of your employees innocently visits a web site serving a malicious display ad built to exploit a Windows XP flaw. It compromises their computer and begins spreading throughout your network. What might you expect?

  • Productivity could drop to a crawl; 40 employees times a $100-an-hour burden rate costs the business $4,000 an hour. Can the technicians eliminate the issue in an hour? Probably not; it could take a couple of hours just to identify the root cause.
  • Do you have a solid business continuity plan addressing these kinds of issues? If you have a remote worker strategy leveraging Citrix, you might be able to get partially back in business in a few hours; now you’re at maybe $20,000 in lost productivity.
  • The IT team says, “We’ve got no choice but to upgrade to a supported operating system like Windows 7 or Windows 8.” Ugh, now it hits cash flow. The upgrade could cost $6,000 to $12,000 to purchase, but how long to deploy it? A couple of days to get everyone back on-line? There’s roughly $60,000 in lost labor, and what about lost business?
  • Maybe your computers are too old to run the new operating system. Now you’re spending $32,000 on new computers, losing another couple of days of labor ($60,000 plus) while the new machines are deployed, and losing more business.

Get the picture?  It’s just not worth it.  The pennies saved while everything works can cost you thousands without any advance notice.  Talk to your IT support company, IT consultant, and your peers.  The gamble just isn’t worth the price.

And it’s not just Windows XP.  Every piece of technology linking your network exposes you to some degree of risk as it reaches its end of life.  Do you have an IT strategy or lifecycle management plan in place to mitigate these risks?  Want perspectives?  Check out my recent blog about technology management or just drop me a line.  

 


Topics: IT Support, Windows XP, IT Productivity, IT Strategy

IT Technology Lifecycle Management for Small Business

Posted by Michael Silverman on Fri, Dec 27, 2013

Those who know me know I believe that business requirements drive technology investments (not the other way around). So let’s assume everyone agrees with me on that, but what about managing existing technology investments? A few of the more common technology management scenarios we see in small businesses include:

  • Upgrading when the existing technology literally fails and becomes unusable
  • When a visiting engineer tells you, “Houston, we’ve got a problem”
  • When introducing a new business application, the vendor “requires” new equipment

IT managers, or outsourced Managed Service Providers, should always steer management with proactive technology management recommendations. Hardware ages; new software versions come along; hardware and software eventually become obsolete. Lifecycle management is a subset of technology management and should be reviewed regularly by either internal staff or your outsourced Virtual Chief Information Officer. I use a Risk Assessment worksheet to document everything critical to my client’s IT environment, from hardware to software, local and remote. Some of the considerations, beyond business drivers, include physical age, performance metrics, and end-of-life and end-of-support dates for hardware and software.

So, you might ask, “what’s the risk to my small business if I’m not managing and attending to my technology’s lifecycles?” Worst case, you’re exposing the business to unplanned downtime. One of the most common examples is an expiring agreement. Virtually every business has a domain name used for reaching its web site and routing its email. If the registration for that domain name lapses, the business is not only at risk of losing email flow and access to the web site; another organization or individual can register the name, forcing you to find a new one, and whoever holds it then receives any mail still addressed to it. Other expiring agreements associated with lifecycle management include SSL certificates (an expired certificate makes browsers and mail clients warn or refuse to connect, so it is every bit as disruptive as a lapsed domain) and hardware and software maintenance agreements.

Second in line to expiring agreements is dated hardware or software. Let’s start with hardware. In general, my greatest concerns about hardware reliability occur right after new equipment is deployed and after 3-4 years of its useful life. The graph below illustrates the typical lifecycle of a piece of equipment (the familiar “bathtub curve”). During the first 90 days or so there is a risk of premature failure; ANP will “burn in” new equipment for several days to try to catch this. Once through the first 3-6 months, failures become quite infrequent. As equipment ages beyond 3-4 years, the risk of a component failure increases dramatically. This risk can be mitigated through effective business continuity planning: we typically design in redundant components and systems and walk through the cost/benefit relationship to ensure the client is making the most prudent business decision.

 


lifecycle management

The last aspect of technology lifecycle planning is driven by the manufacturers and software developers. It’s referred to as End of Life and End of Support. Many of the major manufacturers publish End of Life documents. I’ve included a few common manufacturer links to their lifecycle web pages. One of the most notable near-term events is the pending Microsoft Windows XP SP3 End of Support date, April 8, 2014. This means that as of April 8th, Microsoft will no longer provide automatic fixes, updates, online technical assistance or, most importantly, security patches, leaving any XP machine still in service exposed to every flaw found after that date.

Technology Management Guidelines

Although every business’s situation is different, the following guidelines provide a good rule of thumb:

  • Upgrade desktops every 5-6 years, including upgrading operating systems and the Office suite. For the next upgrade, evaluate the feasibility of thin clients or virtual desktops
  • Upgrade key physical servers every 4 years
  • If you’ve begun to virtualize servers:
    • Upgrade virtual guest servers based upon the application vendor’s guidelines
    • Configure the virtual host servers “N+1” so the cluster keeps running if one host fails; stagger purchase dates; monitor performance; then replace a host upon failure unless performance dictates sooner
  • Storage systems should be evaluated at the 5-year mark
  • Network switches: at end of support, usually 5 years
  • Routers, firewalls: at the end of software maintenance (after that date there are no more security fixes)
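As an added example (not ANP’s worksheet), the following script applies the guidelines above, the end-of-support dates from the previous section, and the expiring-agreement checks (domain names, SSL certificates, maintenance contracts) from earlier in the post to a small inventory. It also answers two of the questions from the network security checklist at the top of the page, whether any Windows XP machines remain and what is nearing end of support. The inventory, agreement list and warning windows are constructed for the example; only the Windows XP SP3 date comes from the post.

```python
"""Added example (not ANP's worksheet): a small lifecycle-risk report.

Flags hardware past its replacement age, software past vendor end of
support, and agreements (domains, SSL certificates, maintenance contracts)
that have expired or will soon.  Inventory data below is constructed.
"""
from datetime import date

# Replacement-age guidelines from the post, in years.  Assumption: flag at
# the low end of each range so an item shows up before it becomes urgent.
REPLACEMENT_AGE_YEARS = {"desktop": 5, "physical_server": 4, "storage": 5, "switch": 5}

# Vendor end-of-support dates.  Windows XP SP3 is the date the post cites;
# add others from the vendors' lifecycle pages.
END_OF_SUPPORT = {"Windows XP SP3": date(2014, 4, 8)}

EOS_WARNING_DAYS = 90        # assumption: warn a quarter ahead of end of support
AGREEMENT_WARNING_DAYS = 60  # assumption: warn two months ahead of expiry


def age_in_years(deployed, today):
    return (today - deployed).days / 365.25


def hardware_findings(assets, today):
    """Hardware at or beyond the replacement age for its class."""
    out = []
    for a in assets:
        limit = REPLACEMENT_AGE_YEARS.get(a["type"])
        if limit is None:
            continue
        age = age_in_years(a["deployed"], today)
        if age >= limit:
            out.append(f"{a['name']}: {a['type']} is {age:.1f} years old "
                       f"(guideline: replace at {limit})")
    return out


def software_findings(assets, today):
    """Operating systems already unsupported, or unsupported within EOS_WARNING_DAYS."""
    out = []
    for a in assets:
        eos = END_OF_SUPPORT.get(a.get("os"))
        if eos is None:
            continue
        days_left = (eos - today).days
        if days_left < 0:
            out.append(f"{a['name']}: {a['os']} unsupported since {eos}")
        elif days_left <= EOS_WARNING_DAYS:
            out.append(f"{a['name']}: {a['os']} support ends in {days_left} days")
    return out


def agreement_findings(agreements, today):
    """Domain, certificate and maintenance agreements expired or expiring soon."""
    out = []
    for g in agreements:
        days_left = (g["expires"] - today).days
        if days_left < 0:
            out.append(f"{g['name']} ({g['kind']}): EXPIRED {-days_left} days ago")
        elif days_left <= AGREEMENT_WARNING_DAYS:
            out.append(f"{g['name']} ({g['kind']}): expires in {days_left} days")
    return out


def risk_report(assets, agreements, today):
    return {
        "hardware": hardware_findings(assets, today),
        "software": software_findings(assets, today),
        "agreements": agreement_findings(agreements, today),
    }


# Constructed sample inventory and agreements.
SAMPLE_ASSETS = [
    {"name": "FS01", "type": "physical_server", "deployed": date(2009, 6, 1),
     "os": "Windows Server 2008 R2"},
    {"name": "WS-ACCT-03", "type": "desktop", "deployed": date(2008, 3, 15),
     "os": "Windows XP SP3"},
    {"name": "WS-SALES-11", "type": "desktop", "deployed": date(2012, 9, 1),
     "os": "Windows 7"},
    {"name": "SW-CORE", "type": "switch", "deployed": date(2008, 1, 10)},
]
SAMPLE_AGREEMENTS = [
    {"name": "example.com", "kind": "domain", "expires": date(2014, 3, 30)},
    {"name": "mail.example.com", "kind": "ssl_certificate", "expires": date(2014, 1, 15)},
    {"name": "FS01 hardware support", "kind": "maintenance", "expires": date(2015, 6, 1)},
]


def sample_report(today_iso="2014-02-18"):
    """Run the report on the sample data as of the given ISO date."""
    return risk_report(SAMPLE_ASSETS, SAMPLE_AGREEMENTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for section, items in sample_report().items():
        print(section.upper())
        for line in items or ["(nothing to flag)"]:
            print("  -", line)
```

Run as of the post’s date it flags the aging server and switch, the six-year-old XP desktop (both for its age and for the 49 days of support it has left), the domain renewal due in 40 days, and a mail certificate that expired a month ago. Feed it your real inventory and the output is the first page of the Risk Assessment.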

In summary, it doesn’t matter whether you’re large or small, driven by technology, or just consider it a necessary evil; you need to have a Technology Lifecycle Management strategy.  I’ll leave you with a few guidelines and resources.  As always, drop me a note if you’d like to discuss lifecycle strategies, or request a free network assessment to determine where your IT equipment is on the lifecycle graph.

 


Resources

Topics: Business IT, IT Assessment, Business technology, Managed Service Provider, IT Technology, Lifecycle management

What is an IT audit and when do you need one?

Posted by Michael Silverman on Tue, Nov 19, 2013


There are many forces that may drive a business to conduct an IT audit. Compliance agencies, prospects, or even software developers may require one. Or you, as a business owner, may be proactively seeking ways to improve or better leverage your existing IT investments. Let’s expand on each of these briefly:

● Compliance agencies:  A growing number of sources—including HIPAA (healthcare), PCI (payment card/transaction), Sarbanes-Oxley (internal financial controls), and state privacy acts—have generated an increase in audits by accounting firms and related agencies.

● Prospects:  Increasingly, customers or prospects will request documented confirmation of the quality of your infrastructure, policies, and procedures, especially if you are doing business with larger corporations and leveraging EDI (Electronic Data Interchange).

● Software developers: Small businesses aren’t usually targeted, but it is not uncommon for a disgruntled employee to raise a flag that triggers a software licensing audit, whether warranted or not.

● You, the business owner: IT can be something of an unknown entity. A proper IT audit will answer questions such as: Do I need to expand? Or, conversely, have I invested in unnecessary, inefficient, or outdated IT resources? Might outsourcing my IT be a better solution?  

What’s in an IT audit? 

All IT audits are focused on identifying risks of one type or another.  An IT audit could be strictly financial, more broadly focused on policies and procedures, or narrowly targeted toward the physical IT infrastructure itself. 

Financially-oriented IT audits are usually internally driven.  Management may be questioning the ROI (Return on Investment) of existing labor investments.  Are IT staff workloads increasing, while total employee headcount or sales remain static?  Are equipment upgrades being requested that budgets can’t support?  Are you experiencing project budget overruns, or have past projects not met expectations?  The IT audit process can answer these financially-oriented questions.

IT audits related to privacy policy may originate from either the Human Resources department or the IT department itself.  Issues of privacy are in the news almost daily.  Do you have a written privacy policy detailing how you manage and maintain employee and client data?  What controls are you leveraging to manage and mitigate a potential breach of your systems and potential loss of data considered private?  Do you have both a written policy and the necessary associated controls to manage your employees’ use of email and the internet? An IT audit can be used to review and update, or to create these policies.

Change management is not just an IT or Human Resources process, but a company management process. As employees come and go, is your IT department aware of all staff changes? Are procedures in place to ensure that terminated employees or interns no longer have access to your technology? Do active employees have access only to the data and systems needed to perform their jobs? What is your process for upgrading your primary line-of-business applications? Is it as controlled as it should be? Do you have an adequate “fall back” position in the event the upgrade goes south? An IT audit can be used to tighten up these change management procedures.
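One way to turn the offboarding and least-privilege questions above into a repeatable check (an added example, not part of the original post): compare the HR roster with a directory export and list every enabled account that should not be. The roster, account list, sensitive-group table and 45-day staleness threshold are all constructed for the example; in practice the account data would come from an export of your directory and the roster from HR.

```python
"""Added example (not from the post): a joiner/leaver and least-privilege review.

Compares an HR roster with a directory account export and lists enabled
accounts that should not be: leavers, accounts with no HR record, accounts
nobody uses, and members of sensitive groups outside the departments that
need them.  All inputs below are constructed for the example.
"""
from datetime import date

STALE_LOGIN_DAYS = 45  # assumption: enabled accounts idle this long get flagged

# Assumption: which departments legitimately belong to each sensitive group.
SENSITIVE_GROUPS = {
    "Finance-Share": {"Accounting"},
    "Domain Admins": {"IT"},
}


def access_review(roster, accounts, today):
    """Return (username, reason) findings for enabled accounts.

    roster:   {username: {"status": "active"|"terminated", "department": str}}
    accounts: {username: {"enabled": bool, "last_logon": date or None, "groups": set}}
    """
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue  # disabled accounts are fine as they are
        person = roster.get(user)
        if person is None:
            findings.append((user, "enabled account with no HR record"))
        elif person["status"] == "terminated":
            findings.append((user, "terminated employee still enabled"))
        last = acct["last_logon"]
        if last is None or (today - last).days > STALE_LOGIN_DAYS:
            findings.append((user, f"enabled but not used in {STALE_LOGIN_DAYS} days"))
        dept = person["department"] if person else None
        for group in sorted(acct["groups"]):
            allowed = SENSITIVE_GROUPS.get(group)
            if allowed is not None and dept not in allowed:
                findings.append((user, f"member of {group} but in department {dept}"))
    return findings


# Constructed HR roster and directory export.
SAMPLE_ROSTER = {
    "jsmith": {"status": "active", "department": "Accounting"},
    "mlee": {"status": "terminated", "department": "Sales"},
    "rpatel": {"status": "active", "department": "Sales"},
}
SAMPLE_ACCOUNTS = {
    "jsmith": {"enabled": True, "last_logon": date(2013, 11, 15),
               "groups": {"Domain Users", "Finance-Share"}},
    "mlee": {"enabled": True, "last_logon": date(2013, 10, 1),
             "groups": {"Domain Users"}},
    "rpatel": {"enabled": True, "last_logon": date(2013, 11, 18),
               "groups": {"Domain Users", "Finance-Share"}},
    "intern01": {"enabled": True, "last_logon": None, "groups": {"Domain Users"}},
    "svc_backup": {"enabled": False, "last_logon": None, "groups": {"Domain Admins"}},
}


def sample_review(today_iso="2013-11-19"):
    """Run the review on the sample data as of the given ISO date."""
    return access_review(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, reason in sample_review():
        print(f"{user:12} {reason}")
```

The sample turns up a leaver who is still enabled, an intern account HR has never heard of, and a salesperson in the finance share; the accountant and the disabled service account produce nothing. Run monthly, the empty case is the goal.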

Technical IT audits evaluate physical infrastructures: security systems; infrastructure design and configuration; equipment age and supportability; licensing compliance… The list can go on and on. Even if the physical components of your IT infrastructure make the grade, auditors will also want to understand your IT processes and procedures.  The absence of processes and procedures, or inconsistency in executing them, will draw the attention of auditors, but even more importantly, will increase your risk of business system outages.  At its core, an IT audit, however granular it may become, should be focused on understanding security vulnerabilities, capacity and end-of-life equipment risk, and disaster recovery / business continuity metrics.   

Should you be considering an IT audit?

If you’ve found that you yourself, your internal IT team, or your outsourced provider are unable to answer many of the above questions, or if you’re just not satisfied with the answers you receive, now is the time to begin planning an IT audit or Network Assessment of your systems, processes, and procedures.  The insights you will gain from this effort, whether you perform it yourself, or outsource it, will empower you to act from a position of greater strength.  The net result will be a clear picture of your operations, with discrete action items that will improve your business.


Topics: Business IT, IT Outsourcing, IT Audit

Avoiding “Surprises” in IT – A Case for a Network Assessment

Posted by Michael Silverman on Thu, Oct 31, 2013

 


Last week, we discussed some of the common surprises that result in unplanned business disruptions and/or IT expenses. If you missed last week’s blog, we covered four categories of unplanned IT surprises. First was hardware, and whether you’ve ever discussed age and end-of-life timelines for your servers, desktops, switches, routers, and firewalls. Second, we recommended frequent communication, with your IT team or managed service provider, about equipment capacity and the current status and future plans for your business. We then focused on whether recurring agreements of various types are actively managed: domain names, SSL certificates, and hardware/software maintenance agreements. The fourth category of “surprises” was unexpected labor expenses and upgrades driven by external audits.

Not every business is confronted with all of these surprises, but as you’ll see in this week’s blog, an understanding of their root causes will help any company, large or small, develop practical strategies to avoid them. 

The variables can feel overwhelming to manage, but they don’t have to be. The root causes lie in two broad areas: the inherent conflict between proactive and reactive IT services when the same individuals provide both, and the inability to step back and look at the big picture. For most businesses, user issues trump anything else occurring in IT. Without some consistent proactive maintenance strategy, user issues, unexpected outages, and unplanned investments become the norm, and IT professionals lose the ability to step back and look at the big picture. If you never step back to assess your IT systems and processes, surprises will absolutely be out there. And they will multiply and then trip you up at the most inconvenient moments.

As I work with small and mid-size businesses, my message regarding IT is that it’s all about expectations.  If expectations of an IT environment are clearly defined, then the surprise of “What just happened, and why?” is replaced by the planned procedure for “What steps do we take when this documented issue arises?” So how does one get to this point?  It’s a two-step process. Quantify, then plan.

Quantify

First off, IT should be driven by business objectives and strategies.  It’s understood that many business innovations originate within IT, but your business strategy must be clear.  Business strategy drives IT priorities and investments.  Is your strategy in writing?  Have you shared it with your IT staff? Has your provider ever asked you for it?

Then you need to quantify your technical infrastructure.  Do you have your inventory documented?  How old is it?  Are there end of life issues looming in the near term?  Are software licenses documented?  Are you in compliance with software license agreements?  What’s your strategy for upgrading key line-of-business applications?  Do you know when your domain name registrations expire?

Finally, don’t overlook your IT operational practices. What activities consistently occur daily, weekly, and monthly? Are these activities auditable? Do you ever leverage a second set of eyes to ensure that what’s expected actually occurs? When was the last time server backups were tested or a disaster recovery test occurred?

If you haven’t been asking any of these questions of yourselves, expect to be asked by potential clients or an auditor—maybe even your accountant.

Planning

Once you’ve quantified your “IT world,” planning becomes easy. I typically leverage three types of planning tools: an IT Risk Assessment; a 3-year budget; and, based on the specific client need, a summary of IT objectives. The Risk Assessment is the lead document: it summarizes all of the quantified information about your IT environment, documents open questions, quantifies the level of risk, and identifies short- and longer-term remediation activities.

The Risk/Network Assessment then blends with your business strategy to result in prioritized activities and the associated budget.  It’s a living set of documents that becomes the ongoing roadmap for you, your management team, and your IT staff and outsourced partners.

 


Topics: IT Support, Budget, IT capacity, IT spending, risks

Avoiding IT Surprises – Part One

Posted by Michael Silverman on Mon, Oct 21, 2013

When was the last time you were surprised by a major, not to mention unplanned, business disruption or IT expense? If you’re like most small and mid-size businesses, it was probably in the last six months, and it wasn’t the first time you were surprised either. Misery loves company, and unfortunately you’re not alone. Unplanned IT downtime and unexpected capital investments are unnecessary business issues to contend with. This blog reviews the most common surprises you and your peers have probably experienced. Part two, which follows, will outline root causes and, more importantly, some strategies to avoid them in the future.

So what are the most typical IT surprises that, if you’re not discussing them with your staff or your outsourced managed services provider, you should be? Let’s start with hardware: servers, workstations, switches, routers, and firewalls. Hardware manufacturers typically publish “mean time between failure” (MTBF) figures and service-life data. MTBF is a population average rather than a countdown for any one box, but once equipment is past its rated service life the likelihood of a failure climbs sharply. For a server that point is usually about 4 years. For switches and other network appliances it can be even longer. When was the last time you had a discussion about the age of these critical IT infrastructure components?

Next on the hit parade are capacity issues. Is your business in a growth mode? Are you adding employees? Expanding into new remote offices? Are you doing more and more with internal systems that interface with your customers? Here are a few potential capacity issues to be alert for. Disk space is relatively inexpensive, but randomly adding storage over time introduces unneeded organizational complexity and increases the risk that critical data isn’t backed up. As Internet bandwidth increases and cloud-based resources are more readily adopted, frequently overlooked network components can quickly become “choke points.” The growth of server virtualization removes the capital expense of new physical servers, but doesn’t make the need for capacity go away. All too frequently, “server sprawl,” the unnoticed growth of virtual servers, eats the spare capacity that gives a virtualized infrastructure its business continuity redundancy, and an unplanned outage is on the horizon.
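The “N+1” guideline from the lifecycle management post above and the server-sprawl problem described here are two sides of the same check, so here is one added example (not from the post) that covers both: simulate the loss of each virtual host and see whether the survivors can take its guests. Host sizes and guest lists are constructed; memory is assumed to be the binding resource, and the placement heuristic (largest guest first, onto the host with the most free memory) is a simplification of what a cluster’s HA feature would do.

```python
"""Added example (not from the post): an "N+1" headroom check for a small
virtualization cluster.

Each host is removed in turn and its guests are re-homed onto the survivors.
If any guest will not fit, the cluster is no longer N+1 and the next host
failure is an outage.  Sizes are memory in GB; assumption: memory is the
binding resource, which is typical on small clusters.  Hosts and guests are
constructed for the example.
"""


def simulate_host_failure(hosts, guests, failed):
    """Re-home the guests of `failed` onto the surviving hosts.

    hosts:  {host: memory_gb}
    guests: {guest: (memory_gb, host)}
    Returns (ok, placement); placement maps each displaced guest to its new
    host, or None if nothing had room for it.  Placement is largest guest
    first onto the host with the most free memory.
    """
    free = {h: cap for h, cap in hosts.items() if h != failed}
    for mem, where in guests.values():       # subtract guests already on survivors
        if where in free:
            free[where] -= mem
    displaced = sorted((g for g, (_, where) in guests.items() if where == failed),
                       key=lambda g: guests[g][0], reverse=True)
    placement = {}
    for g in displaced:
        mem = guests[g][0]
        target = max(free, key=free.get) if free else None
        if target is None or free[target] < mem:
            placement[g] = None              # no survivor has room: outage
        else:
            free[target] -= mem
            placement[g] = target
    return all(t is not None for t in placement.values()), placement


def n_plus_one_report(hosts, guests):
    """Map each host to whether the cluster survives losing it."""
    return {h: simulate_host_failure(hosts, guests, h)[0] for h in hosts}


# Constructed cluster: three 64 GB hosts sized N+1 for the original guests.
HOSTS = {"esx1": 64, "esx2": 64, "esx3": 64}
DESIGNED_GUESTS = {
    "DC01": (8, "esx1"), "FS01": (16, "esx1"), "APP01": (16, "esx1"),
    "SQL01": (32, "esx2"), "MAIL01": (16, "esx2"),
    "WEB01": (8, "esx3"), "TS01": (16, "esx3"),
}
# A year of sprawl: test, dev and reporting guests added "because there was room".
SPRAWLED_GUESTS = {
    **DESIGNED_GUESTS,
    "TEST01": (16, "esx3"), "DEV02": (16, "esx3"), "RPT01": (8, "esx1"),
}

if __name__ == "__main__":
    for label, guests in (("as designed", DESIGNED_GUESTS), ("after sprawl", SPRAWLED_GUESTS)):
        print(label, n_plus_one_report(HOSTS, guests))
```

As designed, every single-host failure is absorbed; after three guests of sprawl, no host can fail without leaving at least one guest homeless, even though every host still shows free memory on its own dashboard. That gap between “each host has room” and “the cluster has room for a failure” is what a quarterly capacity review should be looking for.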

The third category of potential surprises centers around domain name registrations, maintenance agreements, and licensing. If the domain names and SSL certificates associated with your web sites, email, and e-commerce expire, you’ll be exposed to complete service outages. It continually amazes me how often a new client has expirations on the horizon (leading to unnecessary business disruptions) that were unknown to those responsible. Maintenance agreements and licensing are recurring cash flow items that easily become lost in the shuffle of daily business activities. More and more manufacturers provide reminders, but these costs can quickly add up, not to mention reinstatement charges if expiration dates pass.

Last, but not least, is the increasing frequency of network and systems upgrades resulting from regulatory audits.  Audits generally result in requirements to perform unplanned equipment upgrades and make changes to IT operational practices; some of which can necessitate tapping external resources on an ongoing basis. Stay tuned for my next blog for IT root cause and IT strategies.


Topics: IT capacity, IT spending, avoiding IT surprises, IT disruptions, Server Virtualization, bandwidth, Cloud issues, disk space, unplanned IT expenses, Internet access
