IT security is no walk in the park, but the job can be particularly difficult for the part-time network manager in a small business. If you've recently inherited your company's IT administration chores, here are 10 security issues to consider.
1. Documentation: Brad Johnson, vice president with security consultant SystemExperts Corp., advised part-time IT staffers to write down important policies and procedures. The documentation should describe key procedures — such as scanning systems — and their frequency. The write-up may also include the company's acceptable-use policies. And you don't have to publish a formal manual to get the job done, noted Johnson, who said he's a fan of brevity.
Phil Cox, principal consultant at SystemExperts, suggested launching an internal wiki to deploy documentation. Contributions should come from across the company, not just from the IT manager.
"You can start writing the processes and procedures that probably weren't documented before," he said.
2. Patch management: IT managers should develop a comprehensive patch-management approach that includes all operating systems and vendors, according to Kevin Prince, chief security officer at Perimeter eSecurity. That means thinking beyond Microsoft.
"People just turn on automatic updates from Microsoft and think everything is going to be taken care of," Prince said. "A lot of people have this false sense of security. They need to think of patch management more holistically."
While the Microsoft update service covers the company's operating systems and applications, it won't help if a vulnerability surfaces in the widely used Adobe Acrobat Reader, Prince noted.
3. Compliance: Cox said that individuals new to the security world should find out what type of data the company has on hand — credit card, health care or financial information, for example — then determine the compliance requirements. PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act) are among the regulations and standards that may apply.
4. IT simplicity: Security managers pressed for time don't do themselves any favors if they're running a hodgepodge network.
"You can try to make your network as homogeneous as possible … to make life simpler," noted Cox.
That could mean limiting the number of operating systems or keeping tabs on the different types of Web services in use.
5. Virtualization: Virtualization offers another path to the simplified IT environment. This technology lets organizations partition a server to run multiple operating systems and applications as virtual machines. The move helps consolidate servers, and fewer servers ease the administrative burden — which includes security.
"It's just a practical way of deploying infrastructure that doesn't require as much hardware maintenance," Cox said.
6. UTM (Unified Threat Management): Security technology may be streamlined as well. A UTM appliance combines firewall , anti-virus , anti-spam and intrusion-detection features in a single box.
7. Managed security services: Instead of buying a new box, a technology manager may opt to go in the opposite direction and outsource IT security. Eric Nelson, director of Alteritech Inc., a subsidiary of business and technology consultant Acumen Solutions Inc., contends that security is not a part-time assignment. Outsourcing may be the answer for a small-business IT manager who lacks the time to devote to security.
A managed-services provider can cover security on a full-time basis, Nelson said, freeing staffers to reallocate resources to activities that add more value to the company.
8. Thin-client computing: A small business can scrap PCs in favor of thin clients, an approach that shifts applications and most processing activities to a server. Thin-client computing removes security issues from the desktop, noted Nelson, who has seen an increase in the practice. However, according to Nelson, a move to thin clients is typically driven by cost and ongoing support considerations rather than security.
"Improved security happens to be a really good by-product," he said.
9. Security-awareness training: Employees with at least some inkling of security principles can make an IT manager's job a lot easier. Prince said that the greatest security risk an organization faces is from its own employees. A security-awareness program can make employees less vulnerable to social-engineering techniques and improve security practices such as handling passwords .
10. The security culture: A rising awareness level offers the opportunity to create a security culture . The IT manager shouldn't be the only person worrying about security. An educated employee can not only avoid security gaffes but can contribute to the process of finding and identifying problems.
"Disperse the effort so other people are having to think about security along with you," advised Johnson.
In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more
Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more
For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more
With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more