Are you Reasonable About IT and CyberSecurity?
If you’re in business, chances are you need to meet some compliance standard with a bunch of letters or numbers in it. Think HIPAA, PCI, NIST 171 etc. We could discuss each in depth, but you wouldn’t make it to the end of this article without getting sleeeeepy . . . so let’s not.
Instead, what if we define what it means to be reasonable about IT and cybersecurity? Do you fit the definition of “reasonable?”
Being reasonable doesn’t sound too bad, right?
For example, you use deadbolts, alarms and cameras to protect your office. This is entirely reasonable. Securing your physical office is just a good idea.
As an MSP (Managed Service Provider), we think there are some IT things that you, as a business-person, should know to be considered “reasonable.” We’re not talking about technical skills; we’re talking about conversational knowledge and an awareness of current standards.
Let’s start with a common buzzword: Firewall.
You have a network of computers connected to the internet. You need a firewall to separate your business network from the rest of the internet. A good one does all kinds of other stuff like making sure your employees don’t use your computers to mine crypto-currency all day long! Additionally, there are many super-helpful business functions that a well-configured firewall can provide – more on that another day.
Patch management and antivirus
Patch Management involves keeping all devices up-to-date with the latest security updates, patches etc. No device is immune. For the most part, if it runs on electricity, it needs to be updated regularly. Same with antivirus. You need updated antivirus software on your devices. All of them. And those devices need to be monitored to be sure antivirus stays up-to-date. If you have 100 PCs, it’s not reasonable that once you install antivirus, all PCs will update automatically without fail. Monitoring tells you which ones need help.
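To show what “monitoring tells you which ones need help” looks like in practice, here is an added example (not from the original post) that runs over a constructed inventory of hypothetical hosts with their last antivirus definition date and last patch date, and lists every device outside a reasonable threshold. In a real environment these records would come from the MSP’s monitoring or antivirus console.

```python
from datetime import datetime

# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    {"host": "acct-01", "av_defs": "2024-03-10", "last_patch": "2024-03-09"},
    {"host": "acct-02", "av_defs": "2024-02-01", "last_patch": "2024-03-09"},  # stale AV definitions
    {"host": "front-desk", "av_defs": None, "last_patch": "2024-03-08"},       # AV never reported in
    {"host": "ceo-laptop", "av_defs": "2024-03-10", "last_patch": "2023-12-20"},  # missed patches
]
# Constructed "report date" so the example is reproducible offline.
TODAY = datetime(2024, 3, 11).date()

def days_since(stamp, today):
    """Age in days of a YYYY-MM-DD stamp, or None if the device never reported one."""
    if stamp is None:
        return None
    return (today - datetime.strptime(stamp, "%Y-%m-%d").date()).days

def needs_attention(inventory, today, max_av_days=3, max_patch_days=30):
    """Return {host: [reasons]} for every device outside the thresholds."""
    findings = {}
    for dev in inventory:
        reasons = []
        av_age = days_since(dev["av_defs"], today)
        if av_age is None:
            reasons.append("antivirus has never reported definitions")
        elif av_age > max_av_days:
            reasons.append(f"antivirus definitions {av_age} days old")
        patch_age = days_since(dev["last_patch"], today)
        if patch_age is None or patch_age > max_patch_days:
            reasons.append("security patches overdue")
        if reasons:
            findings[dev["host"]] = reasons
    return findings

def report(inventory, today):
    """Plain-text summary: how many devices need help, and why."""
    findings = needs_attention(inventory, today)
    lines = [f"{len(findings)} of {len(inventory)} devices need help"]
    for host, reasons in sorted(findings.items()):
        lines.append(f"  {host}: " + "; ".join(reasons))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(INVENTORY, TODAY))
```

The point is the silent failures: a device that never reported antivirus definitions at all is just as much a gap as one with old definitions, and only a report like this surfaces it.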
Mobile Device Management (MDM).
MDM is used to secure company data on mobile devices (phones, tablets, etc.). The data on your phone should be encrypted so it can’t be read by someone other than you. MDM does that. If you lose your phone, what would it take for someone to access the data stored on it? MDM helps you contain that sensitive data and wipe it, if it should fall into the wrong hands.
WiFi encryption.
This one’s easy. WiFi needs to be encrypted to be considered secure. Encryption standards are improved from time to time, so it’s good to know what encryption level you’re at and what the current most secure level is. Update your devices to match the current standards.
Reliable data backup.
You need to back up your data. All of it. It’s not optional. And you need to test it. It’s reasonable to ask YOU to test it. Delete a non-important file and restore it from backup. Often. Even cloud servers need to be backed up.
Data Destruction.
Where do the hard drives go when you replace a PC? That data needs to be destroyed. You should know who’s doing it and how it’s being done.
Continuity of Operations (CoOp) / Disaster Recovery (DR).
You need a plan to keep your business running when your technology isn’t running. It WILL happen. At some point, on an inconvenient day, you’re going to deal with a technology outage. What’s your plan to deal with it? You don’t need to write the plan yourself, but you should understand the basic functions of it and TEST IT.
Written Information Security Protocol (WISP).
A WISP describes the security of your company. It puts into writing how often you change your passwords, who’s responsible for your IT security, what data is most vulnerable to a breach etc. Often, it includes an Acceptable Use Policy (AUP) which lets your employees know that they’re using a business PC and it should be used for business purposes only.
Equipment Life Cycle.
OK, no one likes to throw good stuff away, but keeping to a 3 – 5 year equipment life cycle is pretty reasonable. If you spend $650 on a PC, you should expect to use it for 5 years then replace it. I promise, the older your technology equipment is, the more likely it is to break, and it will break on the worst day.
Penetration Testing / IT Auditing.
A Pen Test is a planned attempt to “poke holes” in your network from the outside. In simple terms, you’re paying someone to tell you what your network looks like from the internet. How easy would it be to penetrate your firewall? How close to your data could someone on the internet get with minimal effort?
Sometimes the best we can do is take reasonable precautions to be secure. Like locking the deadbolt. We know a determined criminal can still get in, but locking the deadbolt is a reasonable step towards feeling secure. When it comes to IT, if you’ve addressed the items discussed above, you’re on the right path to feeling secure about your technology.