The Mercury

Ensure that your business has a secure IT network


DO YOU trust your tech guy?

If you’re a business owner or director, do you ever stop to consider the trustworthiness of your IT provider? Whether he or she is a full-time employee or a subcontracted external party, the issues of trust, capability and confidentiality are paramount.

I’ve made a career of fixing IT disasters, and in doing so discovered thousands of ways that things can go wrong. Everyone has a tech horror story to relate, yet when it comes to IT-related decisions, I still find the focus is overwhelmingly on price and little else.

Too often, there’s no formal oversight, and sourcing of IT equipment or services is left to a weary office manager who merely calls around to local suppliers. After a few quotes, a stranger arrives to set up the new gear, and easily obtains access to passwords, e-mail servers, accounts, payroll, customer databases … you name it. A lot of power concentrated in one person, and frequently that person is someone you hardly know. By letting them work on your network, you may be giving away the keys to your castle.

Here are some tips I’ve found handy when it comes to choosing and managing IT staff and contractors:

Develop an interview process for your IT providers, as you would with any position of responsibility. Investigate and find out about their business. How long has it been running? What references are available? What partnerships or certifications does it hold?

Once you’ve chosen a company, monitor them. This may include keeping records of physical access to your office, the computer room, even remote access. There are several firewall products available that can monitor such access; work with your IT provider to implement these and review access permissions regularly.

Develop an “acceptable use policy” that clearly defines the role of your IT support staff, and stick to it. Include non-disclosure agreements, etc as advised by an attorney. Draft a similar document to use with any contractor to protect your business information, confidentiality and systems in writing.

Insist on a password management policy that changes all-important passwords whenever an IT service provider or employee leaves.

Rename the generic Windows “Administrator” account to something else, and insist that your IT staff use individual named accounts, never sharing user names or passwords among themselves. If you don’t do this, you’re allowing your administrators anonymous access across your entire network. Even if you find something suspicious in a log, you’ll know only that a user called “Administrator” changed something, not who actually did the work.

When your IT team or users are not doing administrative tasks, ensure they log in with a standard user account. Many security breaches and virus threats would be stopped in their tracks if the users worked with standard (limited access) user accounts. It is not necessary (and not secure) to have access to everything enabled all the time.

Think about IT security and regularly review your policies and procedures with your suppliers and staff. It’s as important as sales targets or budgets.

Most people are good people. Reward your IT team when they get it right, and show them that you value their support. There isn’t much to worry about when your administrators feel genuinely appreciated. Any true IT professional will value policies and best practices that ensure their networks and systems are kept safe, but it’s up to the company’s leaders to put these in place and keep them relevant.
