We meet with organizations every week that tell us they have a “part-time” person that takes care of their I.T. and technology needs and that they feel like they do a decent job. What they normally mean by this, after asking a few more questions is they have a person that is tasked with maintaining their technology because they have a technical inclination but they also have other job responsibilities as well. Further-more, what the mean by “they do a decent job” is that they keep things up and running for the most part and deal with all the questions and problems that relate to I.T. As we start to ask some more detailed questions about their operations, it becomes clear there is a big misconception about what it means to fully cover I.T. needs and an even bigger misconception about what it means to do a decent job with this.
I’m here to tell you once and for all, – If you have more than a couple of employees that use technology and you only have someone looking after I.T. needs part time….. not only are they not able to do a decent job, but your organization is at SERIOUS risk.
Now that I have you on the defensive, let’s back up and understand what is really required for I.T. and technology management for any organization with more than just a few users.
What most organizations do when it comes to I.T. management
End-user support – Ok this is probably what everyone thinks of when asked about how they manage I.T. today. Obviously you have to provide some sort of support for technology problems and issues. Most of the time this is the one area that organizations will say they are OK at. This boils down to that if they have a person taking care of technical support, most likely they are at least agreeable enough to keep in that position and can communicate effectively. This is at the basic level what most organizations have come to associate I.T. with and unfortunately is where a lot of organizations stop when it comes to I.T. responsibilities. The majority of the time as well, there is no accountability or tracking of how many issues are occurring across the entire organization. So the end result is that when asked how often there are issues, the person responding typically can only speak the issues they personally have. The challenge here is that if the person responding only have 1-2 I.T. issues a week but there are 20 employees, that could actually equate to 40 issues a week across the entire organization.
Maintenance of I.T. related equipment and infrastructure – It’s a toss up on how much focus organizations put towards maintenance of technology equipment and infrastructure. At best most organizations just make sure the operating systems are patched on a semi regular basis and kept up to date.
Security – Arguably one of the biggest issues every organization now faces when it comes to I.T. and technology as a whole. What we find is that when there is a part-time or even full-time I.T. person that is tasked with trying to stay on top of security, the majority of organizations only really do a few things consistently;
- Antivirus – 10 years ago, getting everyone to buy-in to the necessity of antivirus software was the biggest challenge for most organizations. Unfortunately a large majority only rely on antivirus as their approach to security and even with that, there is no consistency in strategy, software, updates, policies and enforcement.
- Firewall – It is rare(but it still happens) to find an organization today that does not utilize a firewall to protect their internal network from the internet. However what we find quite often is that an inappropriate firewall is in place, meaning one that is meant for home-use or does not provide advanced firewall features needed to protect against today’s security vulnerabilities. Additionally most organizations do not apply any type of updates to their firewall on any type of scheduled or regular basis which means a large number of vulnerabilities could be getting through.
Here is what organizations need to be doing with I.T. and why a part-time person simply can’t keep up with it.
End-user support – Instead of simply being a firefighter so to speak when it comes to end-user support, the I.T. contact needs to be focusing on how to reduce the support issues in the first place. They need to analyzing what issues are occurring and how to ensure they don’t occur again… not just band-aid it for now. Additionally they need to tracking the number of issues and how much time it is taking away from the employee base. There is no way to gauge the effectiveness of I.T. without this.
Maintenance of I.T. related equipment and infrastructure – maintenance of the technology infrastructure goes way beyond updating the operating system and applying patches. That stuff can and should be automated. Maintenance should include a scheduled audit of the equipment, software, and infrastructure. Once that is completed, there should be a schedule of tasks that need to be completed on a weekly, monthly, and quarterly basis. These tasks include reviews of configurations, utilizations, any errors in the logs etc. Additionally battery backup units need to analyzed for loading and tested to ensure proper run-time and failover.
- Antivirus – While antivirus software and a firewall are a start to security, there are many additional items that need to be included and applied. First of all antivirus software needs to be more than just the old-fashioned variety that relies on a static list of definitions. Newer antivirus software can analyze behavior and in some instances can leverage artificial intelligence to predict what may be happening and take action. But the antivirus software has to be actively managed and be consistent which requires a scheduled and intentional approach.
- Firewall – Again this is another area where the old approach of buying a firewall, configuring it during install and not touching it again until it is time to replace it will be ineffective in today’s riskier environment. A modern firewall will be one that actively adapts to threats on a daily basis. This means it needs to be a more advanced(and most times a little more costly) solution. It needs to be actively managed as well, meaning is it being updated on a weekly basis, is it being monitored for alerts, does it have automation setup to handle threats as they occur and does it also talk to the endpoint protection(antivirus software) so that it knows when there is a issue occurring on the inside of the network.
- End-user training – The biggest security threat to any organization is their internal users. In fact over 95% of ransomware is spread by users internal to the organization. Without ongoing and consistent training, end-users cannot recognize obvious indicators of threats and inevitably will click on, visit, or act on the mechanism designed to do the damage.
- Security Policies and Procedure – Second to end-user training, the next biggest threat is poor security policy and procedure. Most users use the same password across multiple sites and platforms. If there is not a formalized way to regularly rotate passwords, enforce complexity, and ideally utilize more advanced security approaches like multi-factor authentication, organizations are at a huge risk of being compromised by valid and legitimate user credentials. All Cloud based services and applications(especially Office 365) should also be included in this to insure proper security is enabled.
- Auditing – At least on a monthly basis there should be an audit of the environment. This involves scanning the internal network for vulnerabilities, scanning the firewall externally for vulnerabilities and open ports, and reviewing security logs for any anomalies and/or security events. If your organization takes credit card payments, or is subject to HIPAA regulations you should be conducting specific audits for those areas as well.
- Monitoring – Once all security measures are in place and are regularly reviewed and updated, the next step is that there needs to be an actively practice of monitoring all elements. What this means is there needs to be a process to monitor all security devices, services, and components for potential security events on active basis. This needs to be consistent and monitored 24/7/365.
Documentation – While this seems obvious and even mundane, it is extremely rare that we get brought in to a client environment where there is anywhere close to complete documentation. Most organizational owners/managers assume this is being done. However in the event that documentation is needed, if there is a single person that has the keys to the kingdom so to speak, it puts the organization at severe risk if that person leaves under less than ideal circumstances. All too often we see organizations that think they have everything documented completely only to find out when something is down, there is a problem that critical information is not readily available.
Strategy and budgeting – 20 years ago when I got started in this industry it was an accepted practice that the I.T department was a questionable necessity and there certainly wasn’t a focus on the I.T. budget other than to plan a base amount each year for replacement when items failed. Today organizations need to think of I.T. as a functional area of the business just like they do for H.R. or Accounting. In order to be competitive, reduce risk and liability, and increase efficiencies, I.T. needs to be involved with the business planning and an associated budget developed to help the organization meet the operational objectives. Organizations that do this effectively will have at a minimum a 2 year forward looking budget as it related to I.T. so there are no surprises and so that I.T. can help a business meet objectives instead of hampering it.
Data Analytics – This is an area that will soon become a necessity to compete in the business climate. While once relegated to large corporate entities, the ability to tap into data inside of their operations to develop Key Performance Indicators(KPIs) and report on and display those in real time is going to become more and more of a necessity. After-all, wouldn’t it be better to be able to make decisions on actual data and do that in near real time?
Most small businesses and small organizations think they are too small to need a structured focus on technology and I.T. In fact, many of the organizations we meet with tell us that they are “too small to really have any need for I.T.” and thus in many cases tell us that they have someone that takes care of the I.T. needs as just part of their other job responsibilities. As you can see from the list above, the needs to cover from and I.T. perspective have grown exponentially over the past few years and it is only going to get worse as security threats become more common and more impactful to operations. Even larger organizations that have multiple dedicated I.T. staff are having trouble keeping up with all the demands to secure I.T. and increase efficiency. So it is highly unlikely that a part-time person can effectively handle I.T. needs even in the best of circumstances.
Organizations that do not take this seriously are at the biggest risk of data loss, security breach, and operations to be impacted negatively. In fact it is not out of the question to say that unless there is a dedicated approach to addressing these concerns there is a very high likelihood that it is not a matter of IF an issue is going to occur, but a matter of WHEN and HOW BAD WILL IT BE?