
Whitepaper

Getting IT Right: A Small Business Guide


Getting IT right is about managing your organization's data in the most efficient and secure manner possible. This means making sure the right people (and only the right people) have optimized, secure access to your data when and where they need it, inside and outside the office, and making sure that data is protected from viruses, loss and malicious access. This guide gives you a concise overview of how to maximize access to and manage your data. It also covers ways to mitigate the risks mentioned above. Note that this guide does not dive into the specific execution of each task we recommend. Our goal is to get you thinking about what a well-planned IT environment looks like.

Inventory your data and devices

It is not uncommon for data to be siloed on computers and devices across the organization in a variety of formats. This may be intentional, because not everyone needs or should have access to all data, but often it is an unintended consequence of certain employees working with particular data over time. The first step is to find out who has what data. Look on computers, servers, network attached storage (NAS), external hard drives, flash drives, mobile devices, etc. Once you know what data is where, categorize it and make a list of who should have read/write or no access to what data. Also document the various formats: if you have multiple servers, data can be held in multiple proprietary formats depending on the software used.

Working with data

Beyond categorization, identify what data is worked with daily, weekly, monthly, quarterly and yearly. Knowing this is valuable for two reasons: 1) you can archive what you don't need ready access to, getting it out of regular rotation and thereby reducing backup
and storage costs; and 2) you reduce the chance of inadvertent or malicious deletion or modification. This is especially important if you are in an industry for which the government has mandated regulatory compliance with respect to data, e.g. FISMA, GLBA, HIPAA, PCI-DSS, Sarbanes-Oxley, etc. You can archive data formally using DVDs, external hard drives or tape; a static medium is best. The data that is to remain active should be centralized on a NAS, your server(s), or a Storage Area Network (SAN). This will simplify access to, ongoing maintenance of, and backup of your data.

Backup and Storage

Backup refers to file/folder copies or block-level snapshots of data. Storage refers to data with pooled user access. We expand on these concepts below.

The point of backup is being able to get your data back as quickly as possible should it be inadvertently or maliciously lost. During backup these copies or snapshots are transferred to a local device (server, NAS, or external hard drive) or to a cloud repository. We recommend using both. Local storage allows for quicker recovery of data should a restoration be necessary, but a cloud repository provides an additional layer of data security should your local storage device fail or be destroyed along with all your other devices, as in a natural disaster. Local backup can be accomplished using software built into server operating systems, but we recommend using third-party software. What we like about such solutions is their ability to restore a single file or folder, an application, or even an entire server to the same or dissimilar hardware from an image, minimizing downtime and recovery time. Please note that some cloud backup solutions also have the capability to back up to a local device. While this is not typically image-based backup, it may be sufficient for your office's needs.

Storage concerns ready access to local data or data in the cloud.
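As an added example (not code from this whitepaper or from My Tech Operative), the following Python script applies two points from the sections above: it sorts files by last-modified age so that untouched data can be moved out of regular rotation, and it makes a file-level local backup with a SHA-256 manifest that is checked before a restore is ever needed. The 365-day archive threshold, the directory layout and the sample files are all constructed for the example; the cloud copy the guide also recommends is outside this script.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumption for this example: anything not touched in a year is an archive candidate.
ARCHIVE_AFTER_DAYS = 365
SECONDS_PER_DAY = 86400


def sha256_of(path):
    """Hash a file in chunks so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(root, now=None, archive_after_days=ARCHIVE_AFTER_DAYS):
    """Split the files under root into (active, archive) by last-modified age."""
    now = time.time() if now is None else now
    active, archive = [], []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        age_days = (now - p.stat().st_mtime) / SECONDS_PER_DAY
        (archive if age_days > archive_after_days else active).append(p)
    return active, archive


def backup(root, dest, files):
    """Copy files into dest keeping their relative paths; return {relpath: sha256}.

    The manifest is what lets you prove later that a restore would give back
    exactly what was backed up.
    """
    manifest = {}
    for p in files:
        rel = p.relative_to(root)
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)  # copy2 keeps timestamps
        manifest[rel.as_posix()] = sha256_of(target)
    return manifest


def verify(dest, manifest):
    """Return the relative paths that are missing from dest or no longer match their hash."""
    bad = []
    for rel, digest in manifest.items():
        target = Path(dest) / rel
        if not target.is_file() or sha256_of(target) != digest:
            bad.append(rel)
    return bad


def demo():
    """Run the workflow on constructed sample data in a temporary directory."""
    base = Path(tempfile.mkdtemp())
    src, dst = base / "data", base / "local_backup"
    (src / "accounting").mkdir(parents=True)
    (src / "accounting" / "q3_ledger.csv").write_text("date,account,amount\n2012-07-01,4000,125.00\n")
    (src / "proposal.docx").write_bytes(b"constructed sample document")
    old = src / "old_contract.pdf"
    old.write_bytes(b"constructed sample archive candidate")
    two_years_ago = time.time() - 2 * 365 * SECONDS_PER_DAY
    os.utime(old, (two_years_ago, two_years_ago))  # make it look untouched for two years

    active, archive = classify(src)
    manifest = backup(src, dst, active)
    clean = verify(dst, manifest)  # every copy intact, so this is empty

    # Simulate bit rot or tampering on the backup media, then re-verify.
    (dst / "proposal.docx").write_bytes(b"damaged")
    damaged = verify(dst, manifest)

    shutil.rmtree(base)
    return {
        "active": sorted(p.relative_to(src).as_posix() for p in active),
        "archive": sorted(p.relative_to(src).as_posix() for p in archive),
        "clean": clean,
        "damaged": damaged,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints which files went to the active set, which are archive candidates, and that verification is clean until the simulated damage, after which it names the corrupted copy. The same manifest check, run on a schedule against the backup device, is how you learn about a bad copy before the day you need it.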
The storage device could be shared folders on a NAS, server(s),
SAN or a cloud-based solution like Google Docs or Box.com; please note that local storage is to be included in your backup. One of the advantages of using a cloud solution is that the responsibility for data backup and security rests with the vendor. For this reason, make sure you choose a vendor with demonstrated high availability and security. A quick note on cloud security, regardless of the application type (backup, CRM, email, storage, etc.): make sure the vendor has or uses a datacenter audited to SAS 70 or higher standards and employs a minimum of 128-bit AES encryption for data at rest and in transit.

Consider the cloud

Cloud-based solutions, which offer subscription-based access to applications and services, are worth being excited about. Consider the old model. You wanted team members to have access to accounting software, CRM software and CAD software. Although it was physically possible to install all these applications on a single server, if the server went down you lost access to all of them. This necessitated having a separate server for each application, and understandably this led to vastly underutilized server capacity the world over. Enter virtualization. Virtualization allows you to install a hypervisor directly on the server hardware and then effectively create software versions of servers which function and interact with the network and users in exactly the same manner as physical servers. The beauty is that you can run more than one virtual server on each physical server, so fewer servers are required to deliver the same number of applications, with server capacity going from 6-12% utilization to 70%+ utilization. Unless you have only one application shared among all your users, running one application per server is a thing of the past. Now, expand this concept to the datacenter and you have large corporations (think Amazon, Apple, Google, Microsoft, Rackspace, and Salesforce) utilizing the power of virtualization to deliver
massive amounts of computing power and applications over the web. Most of these services are offered in subscription format and allow you to scale up or down at will. You can securely create servers, access applications, use storage space and collaborate without needing to purchase a server or a software package. This is the power of the cloud. One IT service executive recently noted that out of 25 acquaintances with multi-million dollar businesses, only one had a physical server onsite; the rest manage their businesses exclusively in the cloud. From a value standpoint, cloud computing and services are impossible to ignore.

Email

Microsoft Exchange or Lotus Notes users understand the value that comes from shared contacts, calendars and centralized management of users. However, implementing traditional enterprise email solutions is expensive and requires expertise, purchasing hardware and software, and ongoing maintenance. If you are going to be renewing software licenses or replacing the hardware which houses these solutions, we recommend looking at a cloud email solution. As with other cloud applications, there is no hardware investment required, and you can purchase user accounts at a low annual or monthly subscription rate and scale up or down as needed. As mentioned above, some vertical markets are subject to government compliance, and employing encryption and message continuity is sometimes required in order to become or remain compliant. Be aware of what your industry's compliance mandates are with respect to email exchanges with clients.

Maintain your computers

There is nothing more frustrating or detrimental to productivity than computers that are slow, throwing up errors or riddled with spyware. The same is true of servers, virtual or otherwise. If your computers are old and slow, replace them. If your computers are
newer (under 2 years old), reformat them. The point is, computers that have performance issues lower productivity. Maintenance can be simplified to keeping the operating system and all software up to date. In many environments this is largely ignored or left to the operating system's automatic processes, and as a consequence there are machines in varied states of vulnerability. IT service firms use software to automate these processes and can typically render this service at under 50% of what it would cost to have an employee manage this task. Automating maintenance ensures your machines stay up to date, thereby enhancing productivity and security.

Establish a security mindset

Every team member needs to be accountable for the data they interact with. This can be achieved through explicit policies and training. Talk about security often and keep your team apprised of threats. Make sure they know, procedurally, what to do if they think data is at risk or if they think a breach has occurred.

Securing your computers

Security is achieved in part through keeping your computer and server software updated, but it is also critical to maintain current antivirus. Many companies we speak with think antivirus is a one-time purchase, but it actually needs to be renewed annually. This can be incorporated into and automated through the same software which keeps your machines updated, so be sure to ask your IT service provider about this. Otherwise, install the antivirus management software on your server so you can centrally maintain and monitor each machine's antivirus state. Keep the software firewall which comes with the antivirus software or the operating system turned on. If you have servers or computers that are not constantly kept in a locked area with limited accessibility, or you have laptops that are in and out of the office, use whole-disk encryption. If configured
correctly, your data will be effectively unrecoverable by someone who buys or takes your device(s).

Secure your network

A good firewall is a critical component of every network as it mitigates the risk of breach. Buy one that supports the level of traffic you expect your network to reach over the next couple of years and can support the type of policies you want enabled. Also, buy one that has some form of unified threat management built in. Configure it with settings and ongoing monitoring which are consistent with your security policy. Also, perform periodic audits to determine whether there have been attempts to access your network; this is another task which can be outsourced and managed by your IT service provider. Remember to renew your service and update package annually, as this expires just like antivirus. With respect to intermittent access, have a guest policy in place which specifies who can access the network and what they will be able to do once connected. Do not have unused active wall ports distributed throughout the office which anyone could simply plug into and be on the network.

To summarize

Weippl and Klemen (2006) describe the competitive advantage of small and medium firms as their intimate knowledge of their customers' needs and requirements and often a highly specialized know-how in a very focused area. [1] This specialized knowledge is contained in data, and consistent, fast, secure access to this data is critical to your organization's ongoing success. If you would like to discuss any of these topics further with one of our consultants, please call 866-456-1876 or email service@mytechop.com.
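The periodic audit recommended under Secure your network can be partly automated. The following Python script is an added example, not part of this whitepaper or of any firewall vendor's tooling: it reads firewall log lines in an assumed generic format (real firewalls each have their own syntax, so the regular expression would be adapted), counts inbound connections the firewall denied per source address, flags sources that kept trying or probed several ports, and lists inbound allows that contradict an assumed written policy of "only HTTPS from the internet". The log lines, addresses, port policy and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed generic format; adapt LINE_RE to your firewall's syntax.
SAMPLE_LOG = """\
2012-03-14T02:11:07 fw1 DENY in=wan proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=22
2012-03-14T02:11:09 fw1 DENY in=wan proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=23
2012-03-14T02:11:12 fw1 DENY in=wan proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=3389
2012-03-14T02:11:15 fw1 DENY in=wan proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=445
2012-03-14T02:11:18 fw1 DENY in=wan proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=1433
2012-03-14T09:30:01 fw1 ALLOW in=wan proto=tcp src=203.0.113.8 dst=192.0.2.10 dport=443
2012-03-14T09:31:44 fw1 DENY in=wan proto=udp src=203.0.113.77 dst=192.0.2.10 dport=161
2012-03-14T11:02:10 fw1 ALLOW in=wan proto=tcp src=203.0.113.8 dst=192.0.2.10 dport=3389
2012-03-14T11:05:00 fw1 ALLOW in=lan proto=tcp src=10.0.0.15 dst=192.0.2.10 dport=3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) in=(?P<iface>\S+) "
    r"proto=(?P<proto>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Assumed written policy: from the internet, only HTTPS may reach the office server.
ALLOWED_FROM_WAN = {443}


def parse(log_text):
    """Turn log lines into dicts; lines that don't fit the format are counted, not silently dropped."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        events.append(e)
    return events, unparsed


def audit(events, deny_threshold=5, port_threshold=3):
    """Summarise WAN-side activity: who kept getting denied, and which allows contradict policy."""
    denies_by_src = defaultdict(list)
    policy_violations = []
    for e in events:
        if e["iface"] != "wan":  # only traffic arriving from the internet matters for this check
            continue
        if e["action"] == "DENY":
            denies_by_src[e["src"]].append(e["dport"])
        elif e["dport"] not in ALLOWED_FROM_WAN:
            policy_violations.append((e["ts"], e["src"], e["dport"]))
    suspicious = {}
    for src, ports in denies_by_src.items():
        # Many denies, or a few denies spread over several ports, both deserve a look.
        if len(ports) >= deny_threshold or len(set(ports)) >= port_threshold:
            suspicious[src] = {"denied": len(ports), "ports": sorted(set(ports))}
    return {
        "wan_denies": sum(len(p) for p in denies_by_src.values()),
        "suspicious_sources": suspicious,
        "policy_violations": policy_violations,
    }


def run_audit(log_text=SAMPLE_LOG):
    """Parse and audit one log extract; returns the report as a dict."""
    events, unparsed = parse(log_text)
    report = audit(events)
    report["unparsed_lines"] = unparsed
    return report


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On the sample data the report names one source that was denied on five different ports in quick succession, and one inbound allow to port 3389 that the written policy does not permit; the latter is the kind of configuration drift a periodic audit is meant to catch. Counting unparsed lines matters too: a format change after a firmware update should show up as a spike there rather than as a quietly empty report.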

[1] Rayford B. Vaughn, ed., Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues (Hershey: Idea Group Pub (E), 2006), page 114.

References
Childs, Donna R., and Stefan Dietrich. Contingency Planning and Disaster Recovery: A Small Business Guide. Hoboken, NJ: John Wiley, 2002.

Gallagher, Michael. Business Continuity Management: How to Protect Your Company from Danger. London: Prentice Hall/Financial Times, 2003. pp. 91-105.

Health & Human Services, U.S. Department of. Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices. http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&cached=true&objID=1173, accessed November 23, 2011.

National Security Agency. Defense in Depth: A Practical Strategy for Achieving Information Assurance in Today's Highly Networked Environments. http://www.nsa.gov/ia/_files/support/defenseindepth.pdf, accessed November 23, 2011.

Northcutt, Stephen, Judy Novak, Donald MacLachlan, and Loenzien De David. Network Intrusion Detection: An Analyst's Handbook. Paris: CampusPress, 2001.

Power Up Your Small-Medium Business: A Guide to Enabling Network Technologies. Indianapolis, Ind.: Cisco Press, 2004.

Vaughn, Rayford B., ed. Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues. Hershey: Idea Group Pub (E), 2006. pp. 112-130.
