Dear Bob …
I’m the first line of defense when it comes to information technology here, here being a 30-person non-profit. I know you normally advise companies a hundred times our size or bigger, but I’m still hoping you can help me out.
What I’m looking for are … I know, not best practices, I’ve been paying attention … but some tested, reliable practices I can put into place here to keep the joint running, to coin a phrase.
Any suggestions?
– Stretched thin
Stretch …
Not a comprehensive list by any means. These should get you started:
- Anti-virus/anti-malware: Choose one. Not a free one either. Install on every machine. Uninstalling to improve performance is a firing offense, because really, no business needs employees that stupid.
- License management: In my admittedly limited experience, employees in small offices tend to be more cavalier about license legitimacy than those in large enterprises, those who work in non-profits even more so.
Impress on everyone that being smaller, or an organization that does good works won’t help a bit if there’s an audit. And besides, for many software categories non-profits qualify for very large discounts, so if someone needs a piece of software there’s rarely even a financial case for using an illegitimate copy of something.
- Password reset: Set passwords to expire after no more than 60 days. Passwords should cover the basics — at least 8 characters long with at least two alphas and two numeric.
Yes, everyone will complain. Empathize, but hold your ground.
And while you’re talking to everyone about passwords, you might as well suggest they have a few different ones for different types of on-line life. The experts say they’re supposed to have a different password for every website they log into, but since that isn’t going to happen, having (for example) one for financial sites, a second for social media and a third for news will provide at least a layer of additional protection.
- Phishing attacks: Educate everyone to recognize these, and in particular to avoid clicking on links within emails if they aren’t certain of the source.
Phishing attacks are the single most common way passwords are stolen, so this is critical.
And don’t be shy. Most people like to learn a few things so they feel more sophisticated about a topic, so long as you don’t overdo it.
So show them how to find out what’s in a link, and how to spot a URL that looks legitimate but isn’t (example: www.yourbankname.phonyphisher.com/lotsanonsensetohidethings).
They’ll feel good about knowing a bit more, and you’ll be a bit safer.
- Installing free software: In a small office like yours I’m guessing you don’t lock down everyone’s system, and that’s okay. The best advice I have here is to caution everyone to be careful about what sites and software they download. Remind them to Google the name of any software they’re thinking of downloading — to do some research first to see if there are reports that a particular program isn’t safe.
In particular (and I’m carrying a grudge here), if a site offering free software tries to install a downloader first “to make installing software more convenient,” never (sorry, NEVER) trust that site. It’s easy to get fooled, by the way. I ended up with Mezaa a couple of months ago by missing that this was happening. It’s a nasty piece of malware I ended up with just by trying to upgrade a program I’d been using for some time.
Mezaa is what you might call flashmob software: When it comes in it immediately invites all of its friends to join it.
Don’t get me wrong. I’ve downloaded and used plenty of free software over the years that I’ve found immensely valuable and helpful. What you’re trying to do is to help everyone tell the difference between safe and unsafe free.
- Protecting sensitive information: If it’s sensitive and someone is copying it to a jump drive, they should encrypt/protect it first.
MS Office has this as a built-in option; everyone should learn how to use it. Or, most jump drives now come with on-board encryption — all you have to do is enable it.
One complicating factor is that some countries have made it illegal to bring encrypted files through customs. Travelers should check the rules.
- Last one: If a user becomes frustrated with their computer, it is not okay to throw it out the window. There might be an innocent pedestrian below — always check before hurling something heavy.
That’s what occurs to me. KJR subscribers … what did I miss?
It would be better to replace the Windows system that is used for the non-profit’s online banking with either Linux (if you wish to save money and just replace the OS) or an Apple desktop. The reason is two-fold:
1. Most banking malware is tested against existing AV systems before it is deployed, so use another operating system besides Windows.
2. Companies and non-profits are not reimbursed by banks for losses incurred due to computer fraud/malware.
Since most online banking software is browser based, the OS is generally not important. You may also want to consider having two people approve wire transfers and payroll to further protect your firm from banking malware and fraud.
Ticketing system — most are licensed by help desk admin, which means Stretch should have a bunch of free or inexpensive options. Email, post-it notes and carrier pigeons will mean way too much time switching focus or dropping “not so urgent” tasks on the floor.
Version Control — I’m very happy with Assembla, which provides 1GB storage in your choice of SVN or Git (or Perforce, but why?) repositories. Great for stashing config files, documentation– anything you want to do version control on, which means anything.
Wiki– I’m using DokuWiki in-house and loving it. The more you document, the more you can point users to the documentation; the more users can handle their own issues (or understand why they need you to handle it) the less time you spend being interrupt-driven and the better the chance you can get some cool projects done.
The 60 day password change is not ideal. There is a balance between changing passwords often enough and so often that people can’t come up with and remember new ones. In that case they simply make one up quickly and put it on a Post-it stuck to the computer monitor. Three months is the minimum time between password changes and 4 months is better still.
I would agree that 60 day password change is pretty fast. I’d go for 90.
Here’s something to have: a simple spreadsheet that contains your hardware inventory. Device make and model, asset tag, when it was bought, who it’s assigned to. Don’t make it complex, just make it accurate.
I strongly suggest that computers that have internet access be powered down overnight and during weekends. A computer that is off is very difficult to be broken into.
Backups, and even better, tested and verified backups. A friend of mine is still consulting for small businesses, he’s had two different cases of CryptoLocker zapping a client’s network filesystems. A big hassle because the offsite backup has to be used – not a total disaster with an attempt to pay ransom. Perimeter and endpoint security can’t stop everything.
I have been the “network guy” for small companies myself with limited budgets. The best advice I can give you is to check the log files for whatever network devices you may have – servers, firewalls, etc. Even if it doesn’t mean much to you, if you check them regularly you’ll get to know what’s normal – and what’s not. And then you can follow up on what’s not normal, hopefully before it causes downtime. An ounce of prevention is worth a pound of cure, or in our profession, an hour of prevention is worth two nights and a weekend of trouble-shooting and recovery. Good luck!
Having done small shop IT for 20 years, my big things are:
1. Back up regularly and make sure people understand the backup schedules, and what the estimated time to restore is likely to be should they need something back.
2. Remember the three rules of running a network in a cost efficient manner: Standardize, standardize, standardize. Know when to make an exception and sacrifice cost efficiency for other goals.
3. Remember that your users are your coworkers, and are entitled to your respect and cooperation on that basis alone. You are providing a tool they use to accomplish their work, and you should expect them to concentrate on doing their work rather than wanting to be an expert in your field.
Basic performance monitoring. Something like Cacti or PRTG is extremely valuable when you’re trying to see trends to plan for future needs (and explain to the finance guy why you need it), catch stuff that is out of the ordinary (Whoa! What happened last week to make the disk almost full on Friday?), and even collect some basic details when you’re troubleshooting a hot issue (Why is the internet so slow?!).
I would also add some kind of calendar or list that helps you keep track of contracts and their expiration dates as well as other routine tasks you choose to perform that might otherwise be forgotten (updates, restore testing, etc.).
Some things occur to me immediately:
1. Have a backup strategy in place and test it. Either make sure that individual PCs are backed up or have a policy that all company data needs to be on managed storage.
2. Use utilities to check the health of your server storage drives, and replace those that are showing degradation.
3. Have a policy for disposing of computer equipment that has reached end of life. In the best case, work with a vendor who will ensure that any data on disks is permanently destroyed, and that the equipment is recycled in an environmentally safe way (not shipped overseas to be handled at the lowest cost).
Small businesses shouldn’t use Microsoft Windows for online banking. http://krebsonsecurity.com/online-banking-best-practices-for-businesses/
Bob,I presume this wasn’t your focus in the article, but It’s where my mind went first. When I supported a small office, I spent significant time developing relationships, and it matters. I especially tried to make technology work for each individual, and with that I listened, didn’t get mad at their rants about technology, asked about their kids and achy knees, etc. On the flip side, a friend manages a small IT operation about the size of our writer’s. His help desk guy is brilliant- everything runs, is documented, gets fixed promptly, and with minimal supervision. And he has a terrible reputation in the company, because he doesn’t build relationships. In a small company this is poison.
Nelson
Bob, I presume this wasn’t your focus in the article, but It’s where my mind went first. When I supported a small office, I spent significant time developing relationships, and it matters. I especially tried to make technology work for each individual, and with that I listened, didn’t get mad at their rants about technology, asked about their kids and achy knees, etc. On the flip side, a friend manages a small IT operation in a company about the size of our writer’s. His help desk guy is brilliant- everything runs, is documented, gets fixed promptly, and with minimal supervision. And he has a terrible reputation in the company, because he doesn’t build relationships. In a small company this is poison.
Please do NOT tell users there’s an 8-character minimum size for passwords with alphas and numerics. That’s trivially easy to crack today. Make them long and easy to remember — say, several words separated by numbers, or a familiar phrase with a twist. Any 8-character password is toast under attack. while asknot4whomthebelltollsittollsforIT is 35 characters of not-worth-any-cyberthief’s-time.
According to the guru I rely on for these things (Roger Grimes in InfoWorld), just about all password penetrations are the result of phishing attacks and Trojan horses, not password cracking, which is why I decided not to suggest going the long password route in my recommendations.
Bob, I’ll accept Roger’s judgment that for corporate user accounts, size doesn’t matter. But for most users in a small office, the office IT person is the only IT support in their lives. It may not matter in the office, but if a user’s encrypted password is stolen from a retailer, a short one gets cracked and a long ones doesn’t. It’s just good practice to teach users to go long. (Of course, if users give away the password to a phisher, “abc123” or “password” works as well as anything else…)
Good point, and I confess I was thinking of internal passwords when I wrote the advice, not the external ones.
One more that comes to mind, and it’ll cost time but save you grief: Encourage all your users to ask you for help. As BBJ said, always with respect. But if you’re helping them download software, you’ll have a chance to spot any danger signs (and you’ll know what they’ve downloaded). If they get in the habit of asking about anything that looks a little off, you’ll head off phishing and malware. And every time you help them succeed, they’ll get it more firmly in their heads that you’re not just there representing the Department of No.
Good rules for everyone. I wish I could get the folks in my company to use the rules. Same rules I use at home as well- since home is basically a non-profit (insert chuckle). Thank you for sharing that information.
To mitigate many of the potential issues from a minimum password length/complexity policy, I strongly recommend using a password manager (I like Lastpass) so that you can have really complex passwords without having them written down on notes and without having to remember (or even type) them. Lastpass has Enterprise features, if you pay for them, which allow you to share with others and revoke access when desired, for instance, allowing you to work with temps more effectively. But my main point is, the “balance” between complexity and ease of use, for passwords, should not be a choice you have to make, given the modest (even zero) cost of a reasonable password manager.