The coronavirus pandemic has no doubt put your business’s IT infrastructure into sharp focus. You will have found your network and security systems put to the test. Some may have passed with flying colours, others less so. Whether you’ve noticed flaws in your infrastructure or believe you’ve got IT security sorted, it’s always worth regularly reviewing your IT infrastructure.
As businesses begin to open their doors once more, it’s time to start planning for “the new normal”. Now is the perfect opportunity to review your IT infrastructure and cyber security measures. With more and more businesses promoting remote and flexible working, IT departments across the country will be faced with more challenges than ever before.
But how can businesses set up a robust infrastructure with adequate cyber security measures that suits both office workers and those working from home?
Setting up your system correctly
Your business must have suitable hardware in order to function at its best capacity. However, all hardware will need to be set up correctly by an IT professional and upgraded when required. A business’s IT network may be particularly complex, and thus all pieces of hardware connecting to this network must be set up properly and accurately. Once a piece of hardware reaches end of life and is no longer suitable for business use, make sure it is disposed of by a registered company with proof of disposal given.
You must also consider the software your business uses. Does it perform effectively? Are all tools and technologies safe and secure? Regularly do your research to ensure the software your business uses is fit for purpose. Technology and software move at a fast pace and new ways of working are always just round the corner. Keep your eye out for new tools or tech that could transform your business.
Software must be updated and upgraded on a regular basis. This not only fixes bugs and adds new features, but also helps ensure applications continue to work alongside other software.
Keeping your equipment secure
Most businesses know the drill. Make sure computers are locked when not in use. Ensure staff understand the importance of strong passwords. Never leave a device (such as a laptop) unattended whilst unlocked or in a public area. Staff should be aware of the risks, know what precautions are needed to mitigate them, and perform due diligence.
Two-factor authentication is an excellent method of ensuring that the person accessing your data is the correct person. It is a security process in which a user provides two different authentication factors to identify themselves. These factors could include passwords, a mobile number/email address, a fingerprint, or voice / facial recognition. The second authentication factor provides an extra layer of security at login: a stolen password alone is no longer enough, so the user is far more likely to be who they say they are.
Your business’s IT department should be monitoring all equipment and be able to run audits on this equipment too. If something does go wrong, such as a device being lost or a password being compromised, IT professionals will be able to act quickly to minimise business disruption.
Cyber security
There are two main elements to cyber security: technological and human.
From a technological viewpoint, every business must ensure all hardware and software is correctly configured and regularly patched with security updates. The IT department must be able to monitor and audit all traffic. Spam filtering and antivirus software must be in place too.
If staff members are using their own equipment, all devices must be current and vetted by an IT professional to ensure adequate security measures are in place.
Now we move on to the higher risk stuff: human error. Social engineering is one of the greatest cyber security risks. The biggest threat to any business is its people. Poor password security, clicking dangerous links, falling for phishing scams, losing USB sticks or other devices, stealing data… it’s a minefield to try and navigate the many ways your employees could bring down your business.
You must ensure all staff have secure passwords. The best way to do this is to set rules (such as a minimum character count and a complexity score) and require employees to change their password on a regular basis.
Realistically, though, the best way to protect your business against social engineering is through adequately educating your employees (more on this below).
It’s also recommended to purchase comprehensive Cyber & Crime Insurance. This will cover your business for any financial losses or economic damages caused by a cyber-attack. Online fraud is on the rise, and cyber criminals are just as likely to target your business as they are anyone else’s. You are not immune.
Training your team
It’s true – your employees have the power to bring down your organisation. One click on a dodgy link and your whole system could suffer. Your business could lose thousands of pounds, if not millions. Businesses should also consider the impact of loss of reputation. Customers expect and deserve good levels of consistent service. Disruption to this service (not to mention more disastrous scenarios such as data breaches) could cause businesses much greater long-term problems.
Your staff should be trained to use secure passwords and to recognise unwanted emails, spam links and scam phone calls. It’s not good enough to have a PowerPoint presentation saved somewhere on a shared system. Businesses must be more proactive than that. Print out key security tips and make sure these are displayed around your offices. Your IT department should also regularly share insights and articles that may enhance the rest of your team’s knowledge.
Good cyber security knowledge should be embedded in your company culture. Make sure this is covered as part of your staff induction, with refresher courses throughout the year. You can never be too OTT when it comes to the safety and security of your business.
Putting a Business Continuity Plan in place
Business Continuity Plans (BCPs) are vital. They are there to make sure a business can continue operating with minimal disruption / downtime – whatever happens.
A BCP covers physical disasters such as a flood or fire, staff illnesses, and IT issues. Business Continuity Plans are typically comprehensive documents detailing any risks that could impact the business. They include checklists, key personnel, guides, and contact lists.
The first question any company should be asking is “where are my backups, how often are they taken, and when was the last time they were tested?” The IT department should be the first port of call for this information. An area of weakness often found in IT departments is a single person holding important information such as passwords, access codes, and documentation. Whilst confidential information should never be common knowledge, it should be available to at least one other member of key personnel in case a disaster does happen.
A Business Continuity Plan is always a work-in-progress, and therefore a live document. That’s why it should be tested at least annually and updated accordingly. Businesses should consider a full building loss (fire/flood) when testing, as well as more specific scenarios (such as a malware infection impacting your system).
To perform a test, your company will need a Business Continuity Plan team made up of key personnel from within the business, including representatives from each department. This team is responsible for making quick decisions should the worst-case scenario happen and the plan need to be put into action. The team will use the Business Continuity Plan documents to determine what action should be taken and how.
The difference between a Disaster Resilience Plan and a Business Continuity Plan
A Disaster Resilience Plan refers specifically to technology and focusses on how a business will recover from an incident. For example, how a business may recover data from a backup system.
A Business Continuity Plan looks at the entire scope of business operations, essentially a fully comprehensive plan of action. This will ensure that no matter what the incident or disruption, a business can continue “as normal” as far as reasonably practicable, for the longest period of time.
Both are fully applicable to IT departments. Your business will need to respond both to technology-related incidents and to wider business disruption (such as a pandemic forcing the vast majority of employees to work remotely). Businesses must ensure their IT infrastructure is strong enough to weather most storms, but if it is not, a back-up plan must be in place to make sure the system does not collapse under pressure.
Dealing with downtime
Whilst downtime is sometimes unavoidable, there are steps that businesses can take to reduce the likelihood of it happening.
Most businesses have (should have!) backups of data, but have you considered backups of your infrastructure? This includes secondary internet lines, back-up batteries (UPSs), hot-swap parts, and additional servers or equipment that can be used as a fallback if needed.
As with a Business Continuity Plan, these backup systems should be tested thoroughly so it is a smooth implementation process should something go wrong.
How to facilitate remote working
There are many practical considerations to factor into any business’s working from home strategy. All home workers need equipment, good internet, and the ability to access the tools they need to complete their work effectively.
Employees should use work equipment rather than their own personal devices. This ensures the equipment is updated and security software installed. It’s simply not sensible for employees to work with outdated hardware.
You can also make alterations and modifications to your hardware that will further protect your business. Make sure hardware is locked down so that USB and CD drives are not available and the hard drives are not directly accessible to the user. This ensures that data cannot be copied or removed.
All equipment should be part of an inventory detailing who has taken home each asset. IT staff should maintain this inventory, monitor the assets where applicable, and make sure equipment is being looked after and not tampered with in any way.
Obviously home workers need an internet line capable of supporting their work. A good internet speed is a must-have. Before deciding if an employee is able to work from home on a long-term basis, businesses should carry out a home working assessment to ascertain these facts. Businesses should also make sure that their own internet line is capable of supporting incoming traffic from home workers.
Make sure your network infrastructure uses modern technology to ensure your business can operate effectively and securely. Regularly refresh your network so you are certain your business is kept up to date with new technology.
Consider configuring your infrastructure so equipment has no software installed locally, allowing users to access your system via a secure portal instead. This limits the risk from unattended or stolen devices and from malware.
Supporting your IT department
Flexible working will impact your IT staff. It opens up ways for colleagues to adjust their hours which means requests might come in late in the evening when most of the team are back at home. Whilst no-one is suggesting your IT staff work around the clock, it’s important that the team is able to be flexible in order to service the business and respond to users working outside of the traditional 9-5. Either offer flexible working to your IT team (so if a problem is dealt with late at night, they are able to take that time back), or provide an on-call incentive or shift rota to make sure your business needs are met.
IT departments will also need to adapt to remote members of staff working in different circumstances and even different countries. Support your IT staff and make sure they have the training they need to feel comfortable dealing with new requests remotely.
Communicating with the rest of the team
Your IT department should not be siloed away from the rest of your team. IT professionals are an integral part of every business and in fact probably communicate with a wider array of departments and individuals than most other teams.
That said, often IT departments communicate reactively rather than proactively. Your business should encourage IT experts within the team to share knowledge and insights. Promote cyber security tips and engage with the rest of your employees.
Your IT team should be the go-to professionals to assist users. The most efficient way to do this is by operating a helpdesk facility that is accessible for all staff to use. This means a request goes through to all members of IT staff. Workload is shared evenly, requests are handled more quickly, and there is better capacity for auditing these requests. It also enables IT staff to learn from one another and share knowledge.
Practicing what we preach
Here at the Romero Group, we’re lucky to work with a group of passionate and talented IT professionals. They work tirelessly to make sure your infrastructure is as safe, secure and robust as possible.
Here are just a few things our team does to keep our business safe…
- Regularly sends out test spam emails to make sure our employees are on the ball when it comes to identifying potential threats
- Runs training sessions at induction and at regular intervals throughout the year
- Sends out updates to the team informing them of any system changes or potential downtime
- Keeps an inventory of hardware, making sure this is looked after by remote workers
- Ensures all hardware and software is updated
- Operates a helpdesk system so a member of the team picks up on requests quickly and efficiently, with all requests monitored and easily accessible to all members of IT staff
- Works flexibly to ensure remote workers and flexible workers are supported
For further information about improving your IT infrastructure, or for a full risk management consultation, get in touch with the Romero team.