The Cybersecurity Crowd #6

Best Practices to Implement in IT

April 11, 2022

Anthony sits down with Jed to run through some best practices that, when properly implemented, can improve an organization’s technology experience.

Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or find us on your favorite podcast app.



Anthony DeGraw: Welcome to another episode of the Helpdesk Podcast hosted by Integris. I’m back with Jed this week. And he put together a phenomenal piece. That’s hosted on our blog. Called the Top 10 IT Best Practices to Adopt Right Now. So he wanted to walk me through those.

So Jed, first off, thanks for putting this together for our audience and I’ll have you kick it off here.

Jed Fearon: Great. Well, thank you for having me. I figured what we’re doing today is for all the people out there that aren’t the biggest readers.

Having an IT strategy

Jed Fearon: And what I wanted to do is start with number one: embrace strategy, and would love to get your input on why this is a best practice and perhaps why it’s best positioned at number one.

Anthony DeGraw: Absolutely. So to me you listed it here as the foundation for creating IT systems that align with your business goals. And you’re a hundred percent spot on with that. If you don’t have a strategy, it means to me that you don’t know where you even are today or where you’re trying to go tomorrow.

So I think it’s extremely important that you start with really defining where you currently are, and then where do you want to go, and having the entire leadership team on the same page. Some folks are more focused on like, a specific infrastructure goal. Like, we want to remove the physical infrastructure or server from our office. We want to have a more cloud approach to business. And that’s great.

You have other folks that may have a strategy that’s more around just getting better with cybersecurity. Hey, we haven’t taken this too seriously in the past. We, maybe haven’t invested as much as we should have. And we want to get more serious about this going forward. Great.

The final thing on strategy that you’ll see an angle on is around compliance and regulations. Hey, we’re a manufacturing firm that does work with the government and now we need to be CMMC compliant. Great.

A lot of times you’ll see the mixture of all three of those things though. You’ll see the infrastructure, the cybersecurity, and the compliance side, all come together and really be the basis of that strategy for an organization.

So strategy is the most important because you can’t really do any other the best practices or, where do we want to go? If you’re just all over the map.

I think it’s the most important thing, and I love that you put it as number one here.

Jed Fearon: I love that you mentioned compliance because that gives you a really important justification to get the team on board because they’re standards or blueprints that have regulatory teeth.

Making an IT budget

Jed Fearon: And I think that’s a great lead in to the second best practice, that’s establishing a budget. Gardner group talks a lot about it as a percentage of sales and has a 3.3% guideline, but it varies, but I’d love to know what your opinion is.

Anthony DeGraw: Yeah. The budget is obviously the next important piece, so that we’ve just laid out the strategy.

But I like to mention all the time, every business has a different budget. Some businesses have established an IT budget. Some businesses have not, and it’s no fault of their own. They just have never been given guidance.

If we lay out the strategy on a table for you, that’s perfect for your business. But we don’t give you any guidance on what it costs to execute on the pieces of that strategy. You’re most likely coming from outside the industry, you’re not going to know what it costs to get that done.

There’s a couple pieces that play into the budget as well. You have hardware costs, you have software costs, and you have labor costs to actually get it up and off the ground.

As an executive management team, you want to look at that and now say we didn’t define really an IT budget going into ’22, but now we just got the strategy and a budget from a team. What can we put forth to get this accomplished? If we’re looking at that strategy, what impacts our business the most. What can we knock out?

Let’s take the budget that you have established, or let’s look at the impact high items and start there and then plan what does Q2, Q3, Q4 look like? What does Q1 look like of next year? And then let’s stay on top of that strategy. Let’s stay on top of that budget, now knowing that we can make educated decisions.

Jed Fearon: Yeah, that’s a great point. And, while you were saying that, Anthony, I was thinking to myself that all of the subscription services you have in your IT stack. Those are very predictable, but the equipment part of it, the technology lifecycle. I think that’s where a trusted partner can really help you plot that out.

Anthony DeGraw: Yeah, a hundred percent correct. There’s so many things that need to be accounted for. And a lot of times, as we’ve mentioned in previous episodes, this responsibility is put on somebody that doesn’t truly understand it. And they need assistance.

Getting IT standards in place

Jed Fearon: That is a perfect lead in to number three, adopt standards.

Anthony DeGraw: Along with your strategy, you want to get standards in place. This could be for servers, cloud solutions, workstations, access points, different applications, right? The more we can standardize our strategy, the better prepared we’re going to be for when something goes awry, meaning our service team is going to be able to respond to an issue.

Our onsite team is going to be able to understand exactly what they’re walking into. Your employees are going to get all familiar with the same type of equipment, right? They’re all working hopefully off of the same business laptops or desktops. And when one person runs into an issue, somebody else may have already seen that and stopped it.

And you just get this better experience overall with standardizing. The other thing is budgeting. And we talked about that in number two. I know every time I onboard an employee, exactly the standard that we’re going to set them up with to work.

We know exactly what’s that – approximately exactly what that’s going to cost, without all the supply chain issues going on right now. But it just really helps from the budgeting perspective.

Jed Fearon: Yeah. When I think about when standards are lacking in the IT environments that I’ve evaluated over the past 20 years, it’s a lot like having pieces of different jigsaw puzzles that you’re trying to put together. I can’t imagine doing one where it’s parts from, different pictures you’re trying to assemble. I agree with you a hundred percent on that.

Single points of failure

Jed Fearon: Now number four is eliminate single points of failure. And there’s probably a lot of latitude here for you to go off and give some examples and you better start before I do, because this is a hot button for me.

Anthony DeGraw: Yeah. You can define this in a lot of different ways, single points of failures.

This could be credentials to your network, your overall network, right? Usernames and passwords, the different systems. If a one person is responsible for that. They’re defined as a single point of failure. If one organization is responsible for that, they could be defined as a single point of failure.

Another angle you can take on this, which we’ve seen is internal IT. Hey, we have this one person that does everything for IT. And it’s very cost-effective. But what happens when that individual gets sick? We literally had two in 2021. We had to bail out a, I think it was a 50 to 65 user organization.

Because their main person went to the hospital. And it wasn’t planned and basically Integris had to come in and hack into that environment because there was no access to anything, no credentials, no nothing. So that’s a single point of failure.

Another angle on this is even with, if you do engage with a managed services provider making sure that you still have the credentials to your network. We call it being held hostage.

There’s a lot of times where the organization is ready to make a move, and they’re being held hostage by that provider or that internal employee per se. There’s a lot of different things around single points of failure that you want to think through.

And a lot of it has to do with where, how, and who has access to the network, documentation and credentials.

Making a framework for cybersecurity

Jed Fearon: All right. Our fifth best practice for today, and you hinted towards it when we were talking about establishing a strategy, but it’s master cybersecurity frameworks, which fits right into your passion for compliance.

Anthony DeGraw: Yeah, so a cybersecurity framework. Sometimes they come out of nowhere and all of a sudden your organization has to adhere to them.

A lot of times though, we’re seeing this apply to a lot of customers now is, they don’t have a specific framework that they have to comply with. However, the customers that they service do, and therefore them as a downstream vendor needs to also then either comply or make their best effort towards that framework.

I personally believe that COVID over the last two years, put a hold on your customers asking you for what are called third-party vendor risk assessments. And I believe right before COVID they were really gearing up where they used to just ask, if you had something in place, then they would send you a questionnaire and you would answer the questions. And then they started validating those questionnaires that you were sending in.

And then they started going a step further and actually asking for permission to come in and make sure that those controls are in place. And then it wiped itself out with the focus on COVID. I believe you will start to see those third party vendor risk assessments come more frequently and get more and more significant.

You’ll also see them go smaller and smaller in terms of the organizations that they’re going to be looking for these from. So those frameworks, those questionnaires they’re all coming and you can use them to help guide your strategy.

Jed Fearon: Well, absolutely. We were speaking with a consulting firm a couple of years ago that worked with the Coca-Cola Company. And, they had maybe 50 people, but they were absolutely following a NIST framework and a few others because the Coca-Cola Company wants verification that they’re dealing with suppliers who have the proper security safeguards in place.

And I know that if I were to start my own business, although I probably couldn’t afford all the bells and whistles, I’d probably do a loose approximation of a NIST framework. Even if I couldn’t afford it, I would have it sketched out and have an aspirational state that I was reaching for.

Anthony DeGraw: Absolutely. We were trying to turn the conversation around this from a negative scare tactic conversation, which I really don’t like. And it played into a lot of the work I used to do in insurance, to a revenue generation opportunity where if you do, if you are proactive in these frameworks or in your strategy around technology and cybersecurity, you can utilize that to your advantage.

I call it operational maturity. You can show that against your peers, I’m more operationally mature around tech and cybersecurity, and I can charge higher prices or premiums or be more expensive than my competitors, because I’ve invested to have this partnership with my client. The secure on both sides of the equation.

Optimize your technology’s lifecycle plan

Jed Fearon: That sounds great. Number six: optimize the technology lifecycle.

Anthony DeGraw: Yeah. So this typically comes up in our assessment process around hardware and infrastructure and endpoints that are out there, specific things like laptops, workstations, servers, wireless access points, firewalls, switches even cabling to a certain extent. Everything gets old, right? We all know we all get the newest phones after two to three years because they start to slow down, there’s new technology out there, whatever the case may be. And you really want to think about this technology life cycle, the same way. A lot of times we walk into organizations and their people are working on six year old devices. Think about the technology that was there six years ago, where it is today is so much different.

There’s a financial piece of this conversation. As some people may like, Hey, I want to get the most use out of it. But what does that lifespan compared to the productivity that’s coming out of that device? We like to say we don’t make any money really on hardware. It is a commodity type of business. And what we typically find is that organizations will wait too long 5, 6, 7 years. And all of a sudden what happens is everything starts dying at the same time.

Let’s use a basic example of a smaller shop, 15 employees. A standard business laptop right now is probably going to run you about 1200 to 1500 bucks depending on supply chain issues and things like that.

Even if you just for simple math, boil that to a thousand dollars, that’s a $15,000 check that you need to write tomorrow to replace all of those laptops. And that’s just one aspect of it, right? So what you really want to do, and this finding that Jed put in here speaks to is that you want to have these things on a lifecycle management program.

And let me tell you the CFOs, the finance people out there, they love that. They love when there’s a plan. The last thing they want is to get surprised. With a 15, 20, $30,000 check they need to right. Cause nobody knew about it. Or it wasn’t built into the plan.

Jed Fearon: I think you want to do things like this before there are major fails or pain. One analogy I like to look to, I run and walk a lot. So if I have a pair of shoes, If I don’t replace them every six months like clockwork, at month six, my hips and knees start to hurt.

So who wants to go through that? And I think the same analogy applies to your network. Do it before you have to. All right. That was well stated my friend.

Using the cloud to your best advantage

Jed Fearon: Now, number seven, leverage the cloud. What do you have to say about that?

Anthony DeGraw: Yeah. So leveraging the cloud. The first thing I’ll say about it is, pre-pandemic, cloud adoption was definitely increasing and it was increasing aggressively.

Two years later, I can’t tell you how many phone calls we got from organizations that said I’m giving up my commercial real estate and I want to move my systems fully to the cloud. I want my team to work fully remotely. One, because they’re not coming in any way.

Two, because they can. And three, because most folks actually like working remotely they’re getting benefit out of it, right? So that’s one angle on why you should be considering the cloud and the benefits of it. You can work from anywhere. You can work from a browser, you can work from any device. The list goes on and on.

You can manage your costs, right? You get out of the hardware business, you don’t have to buy servers anymore. You get an extreme flexibility and the ability to pay for the resources that you’re actually using. So what do I mean by that? Let’s expand on that.

When you buy a server to host locally or in a data center, you have to purchase the full server and normally people purchase additional resources in case that application or the data set expands, where it’s going to potentially expand in three to five years. The cool thing about the cloud is you only buy what you need right now. And then as you need to expand, now, I slowly tick up those resources. So you’re truly paying as you go.

Jen and I did talk about a session earlier that went live, that we do have a saying inside our organization that the cloud isn’t heaven. So you also need to consider the facts of why we say that. The reason we say that is not because we’re cloud haters, we actually love the cloud. There’s great use cases of private clouds, public clouds, hybrid clouds. We do it all.

It’s that for some reason when people hear the cloud, they think security and backup and disaster recovery is taking care of. And that’s what we mean when the cloud is not heaven.

The second piece of it is when you’re relying fully on the cloud, you have to make sure your internet is really good. And some folks just don’t have that ability, whether it’s at their houses, even at their business offices. You have to take that into consideration as well.

And as we all say, we start with a strategy.

Don’t just say, I want to flip on a switch and go to the cloud. Work with somebody to design a strategy around what do we have locally and what can we do with the cloud in this case?

Jed Fearon: That’s a great point, Anthony. Cause you wouldn’t want people just going to Dropbox. You decide, okay. We’re in the cloud.

Anthony DeGraw: And that’s what happens. They do exactly what you just said. They run out and get Dropbox. They run out and get Box. They buy this CRM system over here, but then they’re also using this one over here. And all of a sudden you have a firm like us come in and we’re starting to assess the environment and there’s just stuff everywhere.

Yeah, you don’t want to just start running off and buying things and doing things. You want to start with that strategy.

Jed Fearon: Yeah, I think you refer to that as the split brain syndrome. I think I heard you say that recently.

Anthony DeGraw: You’re getting good, Jed. You’re picking up all my language now.

Elevate your Backup & Disaster Recovery

Jed Fearon: That’s right. The next one on our list is number eight and that’s elevate backup and disaster recovery.

Anthony DeGraw: Absolutely. So Jed, in your blog post here you mentioned some stats that are pretty interesting from Helpnet Security, and they stated 20% backup monthly and the worst of all offenders, 10% are not backing up at all.

There’s another concept in here. Yeah. Those folks are ripe for going out of business due to a ransomware attack if that is the case. I can’t believe it’s still the case. But my gut says it does still exist out there.

So when Jared puts in here elevate backup and disaster recovery, Hey, if you’re at monthly, get to weekly. If you’re at weekly, get to daily, if you’re at daily, get to hourly. Try to improve on where you’re at. It can only help your business. The technology is well sophisticated. It’s not that expensive to do. Our standard, I believe right now is hourly snapshots and daily offsite backups. That’s just the baseline.

First off, fully understand what it actually is. Talk to your IT team, talk to your provider, and get full documentation on what, how, and when are we actually backing up, then ask them to prove it. Get me a screenshot that shows me the last backups or the last week of backups that they’ve actually run. And then the next steps are to test the backups. Meaning actually make sure that the data that’s saying it’s getting backed up is the correct data. And then the final step there is actually try and restore from that backup to make sure the company can run in case the disaster happens.

The last thing you want to happen is you go down. You’ve gotten all the green check marks and that they look like they’re running, but then you go to restore and realize that you can’t for whatever reason. Definitely take that into consideration. And I love the language there of elevate your backup strategy.

Maximize business continuity

Jed Fearon: Now, that’s a perfect lead in to number nine, which is maximize business continuity because it’s a bigger concept than just back up and I know you can outline the nuances.

Anthony DeGraw: Yeah, exactly. Exactly. And Jen and I went deep on this topic a couple of weeks ago. So just scroll back through the episodes and look at that a specific one where we break down disaster recovery and business continuity.

In my head it’s like disaster means I’m down and out and it’s a true disaster. Business continuity to me is like more the blimps on the radar.

And a lot of this comes down to planning. I’m going to, cause we just talked about backup. I’m going to go actually the other way. It’s really planning and processes of, if these situations happen, how do we react and who is responsible and even who should be at the table and for the people that should be at the table to decide on that or make the next steps, do we have all their contact information?

Non-work-related contact information, so there’s a lot of times it’s all, we only know John’s business email address. Well, email went down. Can we call them? Nope. Or we only have his business phone number and it gets forwarded to his cell phone. Business phones are down. So we do we have a cell phone number? Nope. So really you want to start to determine almost like a little action team, we call it Incident Response, but almost an incident team in your business of the key stakeholders make sure all their contact information is known.

Make sure they understand their roles and responsibilities. If an incident does happen that we need to bring this team together, this is how and where we’re going to do it. And then here’s the action items out of that meeting to make sure that our businesses back up and running so that can be used for business continuity. It can be used for disaster recovery.

A lot of organizations should know and understand that simple things, just like the alarm codes, physical things like the keys and who has access, like those types of things you really want to consider. Because that time you spend planning upfront is going to lower the amount of time needed for you to respond. I’ll leave it there for you, Jed.

Trust your advisor/provider

Jed Fearon: Yeah, that was well-stated. So number 10 is prosper with a trusted advisor and where I’m going with that is be careful who you partner with. And I think you have more than a few opinions on this particular topic.

Anthony DeGraw: Yeah, absolutely. So my favorite book is actually called Trusted Advisor, The Trusted Advisor by David Maister and Robert Galford. I highly recommend people read it. I’ve read it from both a new business perspective and also a current customer perspective. Our marketing team led by Adel and Jed’s is on that team, they’re reading it from a marketing perspective. Even internally I utilize that information a lot, so I highly recommend it.

Jed and I were going back and forth on a conversation yesterday. And we were talking through like a lot of the folks that are knocking on our doors right now. They’re not necessarily like, upset with service or, they expect almost some pieces are going to be going wrong. Like it’s okay. But that’s not enough for them to change. What’s really making them change is they don’t know where they’re going. Or they need help figuring out where they’re going and they’re just not getting it.

So if I’m anybody out there in the marketplace, I’m looking for that. Show me how you deliver being a trusted advisor through your processes, through the people that I’m going to engage with. And then also you want to understand the capability, the overall capabilities of the firm you’re engaging with.

There are small shops out there. There’s larger shops out there and there’s a middle of the road shops out there. I’m not going to say any one of them is the wrong answer. Obviously they have their strengths and weaknesses.

Where I would go with Integris overall, if I’m going to give us a couple of bullet points here is what I like about the approach we’re bringing to the marketplace right now is we do have this national footprint with national skillsets that we have full access to. The backend financial systems and reporting and all this other stuff, we can centralize it, make it more efficient and a better overall experience for our end customers.

And then finally, we still lead with that local approach, which is your support is coming from a local team, depending on where your office is located, probably it’s usually going to be within 20 to 30 minutes of your office. They’re in your community. Their kids go to school with your kids. They’re in the associations that you’re a part of, they truly care about that region. To me, you get the best of both worlds.

Jed Fearon: That was very well said.

And why don’t I do a quick review here of every one of the best practices. But number one, embrace strategy. Number two, establish a budget. Number three, adopt standards. Number four eliminate single points of failure. Number five, master cybersecurity frameworks.

Optimize the technology lifecycle for number six. Number seven, leverage the cloud number eight, elevate backup and disaster recovery. Number nine, maximize business continuity and number 10 prosper with a trusted advisor.

Anthony DeGraw: That’s all of them. Jed, thank you so much for putting this together and I’ll see you again on The Helpdesk.

Jed Fearon: I look forward to it. Have a great weekend.

Anthony DeGraw: See you, man.

Jed Fearon: See you buddy.

Keep reading

AI (ChatGPT) and the Cybersecurity Implications for Your Business

AI (ChatGPT) and the Cybersecurity Implications for Your Business

With AI set to revolutionize how we work in the coming years, two of our Virtual Chief Information Security Officers, Darrin Maggy and Nick McCourt, and our CIO, Tony Miller decided to weigh in on the subject. The drumbeat to adopt AI in your workplace is loud right...

“Knowledge, You Can Teach”

“Knowledge, You Can Teach”

Scott sits down (in person!) with George Hall. George is the President of LINQ, a managed mobility services provider, and There Goes My Hero, a nonprofit dedicated to those impacted by blood cancer, both headquartered in Baltimore. George talks about his very eventful...

Multifactor Authentication Breakdown

Multifactor Authentication Breakdown

Nick and Susan's monthly episode is joined by Lexie Nelson, a vCISO at Integris. Today's topic is multifactor authentication. We're going through a full breakdown into MFA: how much it really protects you and your organization, the things to look out for when...