Do you need J.D. Fox Exec if you have a good IT services provider or in-house department?

Introduction

If you're lucky, you love your IT guy. He set you up with good systems, responds quickly and competently to user requests for help, and keeps everything running smoothly.


Things are fine when they're fine, though, right? But if you have no Information Security program, the fact that you haven't had any significant incidents means you've been lucky so far. And if you've had incidents (such as malware infections, infiltration into your web server or e-mail system, or data loss), you might have thought you were okay anyway because your IT guy always seems to heroically jump in to fix problems. However, living on the edge like that, as opposed to implementing planned preventive security measures, could lead to significant financial loss and degradation of your company's reputation should sensitive information be exposed or deleted. Even if you are always able to recover from incidents, proper planning and prevention will be more cost-effective than paying your hero to clean things up every time.

And what about equipment failure or a spontaneous software crash? Or some other incident, like a natural disaster, that temporarily puts you out of business? Does your IT guy have the resources and capability to rebuild your database, your server-based applications, or your entire IT system from scratch? Just as importantly, does he have a plan to do this? If you have no Disaster Recovery or Information Technology Risk Management program, then, unless your IT guy took the initiative to develop these plans on his own and you approved all of his requests to purchase redundant systems and data backup equipment, you should consider your business unprepared to face disaster. And we're not done—even if your IT guy has done as much preparation as he can on his own, if you haven't reviewed all of the resiliency and recovery capabilities of your IT system and ensured that they meet the requirements of your business in light of your risk tolerance, then his entire plan might be inadequate for your needs, or, at best, it covers what you need but is costlier to maintain than it should be.

Information Security

Let's talk a little bit more about the security of your IT system.


The discipline of Information Security involves ensuring confidential information is not exposed to unauthorized individuals; protecting data from intentional or accidental corruption; and ensuring that communications systems, applications, and data are available for use. Much of this, of course, depends upon the configuration of your information technology (IT) system.

A competent and trained IT services provider can and should implement a range of good security practices in your system even without direction from your company's management team. To assess your IT guy, consider the following indicators of poor security practice:

  • No inventory of hardware and software assets.
  • No documentation about your data—what files and databases are where, how they are backed up, etc.
  • No classification of data.
  • No process for assigning permissions to resources, or assigning users to permissions groups.
  • Poor password management, including any of the following:
    • Users know each other's computer and voicemail passwords.
    • Passwords are easily guessable.
    • Many applications are secured with a generic or shared password, or your systems tend to have passwords removed, for convenience, without much consideration of the risks.
    • Users know administrative passwords to the system (bad enough), and changing these passwords when an employee leaves the company isn't part of your standard procedure (even worse).
  • Your users have administrative privileges on their workstations.
  • Your company uses free anti-virus software, a hodgepodge of whatever came pre-installed with new computers you buy, or none at all.
  • You have no policies to manage and secure use of mobile devices or cloud services.
  • There is no plan to install software updates on a regular basis.
  • Users habitually bypass, disable, or ignore security warnings.
  • If you have a website, or a web-based application and a team of software developers, your site and application have some or all of the following characteristics:
    • Hosted on a shared web server.
    • Doesn't use SSL/TLS to encrypt traffic between users and the site.
    • User passwords are stored in plaintext, or protected with outdated hashing or encryption methods.
    • Server platform is running outdated software, or your developers are using outdated methods of preventing breaches.
    • Credit card information is saved without having gone through the rigorous process to ensure required compliance with card processing security standards (typically PCI DSS).
    • Built on a standard CMS platform (such as WordPress), but no hardening was done.
    • It's a custom-built, multi-tiered application on a cloud platform, and security wasn't integrated into the development process.

Do these apply to your company? If so, then this means your IT guy is not doing his job. Or does it? Maybe it's not him. Ask yourself this. Has your IT guy recommended investing time and money to mitigate some of the above, but you rejected his requests? Or did he make recommendations for procedural changes in the name of security, but you declined to implement them?

You had good reasons not to approve everything he asked for, of course—it was for sound budgeting and operational efficiency. However, if you made these decisions only looking at budget and simplicity, without investigating the potential risks of not investing properly in Information Security, you may be exposing your information assets to risks you would not accept if proper assessments were performed.

By engaging J.D. Fox Exec to develop an Information Security program, you will go through the process of performing Risk Management for your information assets, which will create a clear picture of what needs protection and how much you should invest in that protection. Investment doesn't mean only equipment and software; it includes investing the time to develop updated procedures and training guidance that will have a net positive return in value.

In theory and practice, Information Security goes beyond just your IT system, and it's bigger than your IT guy's scope of responsibility. This is because Information Security must involve all departments providing input on the value of their data, providing feedback on the results of proposed changes to operational procedures, and understanding their role in protecting confidentiality and integrity of your information. So, if this article has inspired you to action, keep in mind that directing your IT guy or IT department to implement an Information Security program generally cannot be expected to result in an adequate solution. You need executive-level involvement.

Disaster Recovery


The discipline of Disaster Recovery involves planning and preparation to enable your business to continue operations following a failure within your IT system that would otherwise bring your business to a halt. This is distinct from Information Security, which involves routine defensive protection against breaches of confidentiality and integrity, yet it's related in that many of the threats and mitigation strategies are the same.

To assess your readiness for Disaster Recovery, you should consider these questions:

  • What will happen if there is a power outage? What is protected from shutting down, and what isn't? For how long? If equipment will shut down, could there be any data loss? Do we know for sure everything will boot back up? What is your IT guy's plan to recover?
  • Pick any device you have, such as a server, storage, network switch, or Internet router. Or pick a database-driven application on your system, if you have one. If that device or application fails, what will be the impact on operations? Does IT have a plan to recover? How long will it take? Has the plan been tested, or assumptions validated?
  • Sometimes when a database is recovered after a failure, recently entered data will have to be re-entered, unless resilience technology is in place that allows the database to be recovered right up to the time of failure. If your database crashes, do you know how much data will have been lost after it is recovered?
  • What equipment is under warranty and what isn't? What needs to be under warranty, and what can do without?
  • Are all the files on all workstations protected? That is, if a user loses a laptop, or the hard drive fails, can he get those files back?
  • If one day the files from your local storage or cloud services provider were wiped out, does your IT guy have a plan to get them back?

Now, read this next sentence carefully; it's not a mistake: If you need to go to your IT guy to get answers to these questions, your Disaster Recovery capability is most likely inadequate, even if he gives thorough and proficient answers to all of them.

Why? Isn't this all related to IT? It is, but you must understand that while IT can give you the answers about your systems' capability for recovery, this does not address whether the recovery capabilities are adequate. For example, your IT guy might have expertly configured backup systems to be able to restore your servers by the next day following a crash, and felt he had done his job. But he didn't know that being down for four hours could be so costly that your company would have gladly paid for more resilient servers. And he won't know unless your company performs Disaster Recovery planning at the business management level.

Of course, if your IT guy doesn't know the answers to the above or doesn't have a plan (or you're scared to ask), you already know you're in bad shape. Even if he does, you then need to ask the following:

  • Do your department heads and data owners know what your recovery capabilities are? If so, are they acceptable? Do you even have designated data owners?
  • Does top management have visibility on the recovery time and recovery point targets? Did management designate these in alignment with operational objectives and risk tolerance, or did your IT guy just do his best with what resources he had?
  • Are third-party warranties and service contracts appropriate? That is, do you have coverage on equipment that needs it? Do you have expensive service contracts you might not need? For example, if you implemented redundancy to ensure availability in case of hardware failure, you may be able to reduce the manufacturer response time on your service contract to save on recurring costs.
  • Do you have your communication and escalation plans in place? Particularly, who does your IT guy call when a major IT system failure occurs, and what will you or your company's management do to support the recovery process? Even more importantly, what will you do if the planned disaster recovery procedures fail?

You will only have good answers to these questions if you have a properly developed Disaster Recovery plan.

Epilogue

Only executive-level planning can drive the people, processes, and technology standards and procedures to ensure confidentiality, integrity, and availability of your information and IT systems, and to ensure your IT system can recover from a major outage in a timely manner. This planning process doesn't have to be complicated, long-winded, or anything beyond what is needed to get you from where you are to where you should be. But without top-down direction and input, even the best and most highly trained IT professional can't do this for you.

To get started, contact J.D. Fox Exec today.