After the system has crashed is not the best time to establish IT procedures and policies

It worked just fine — until it didn’t

By Bahar Sharifan

There is one commonality among all information technology (IT) systems that stop working: Before they stopped working, they were, at least to some extent, working.

Prioritizing the time and money for creating an updated and comprehensive IT system can often take a back seat to seemingly more pressing issues. Many companies believe a system that is currently running “just fine” means there is no need to allocate funds to improving either the actual system or the policies surrounding its use. Companies are often forced to reevaluate their decisions after having been hit with a virus or various other network and system failures.

So, whether you have been forced to change your IT approach, finally have been given funding or have entered into a new organization that needs some overhaul, you likely are facing a daunting task! While the “to-do” list is long, here are three places to start in order to get the ball rolling and start taking steps towards a healthier IT system.

Reactive or Proactive

You must decide if you want to be proactive or simply reactive when it comes to your IT needs. A reactive system merely addresses issues as they arise whereas a proactive system should involve more monitoring of the current hardware, software and network to protect and run more smoothly. If you choose the reactive approach, it is important to weigh the costs in case anything goes wrong. Many networks contain data that is very sensitive – for example, client or student personal and financial information. A virus, leak or loss of any of this material may go beyond the organization and may require the response from various legal, insurance and even PR agencies.

If you choose to be proactive, it is important to implement, through in-house means or an internal or external IT professional, policies designed to regularly analyze and monitor systems. This includes everything from monitoring hard drive space to patch management, data backup, layered security, etc. It is also important to keep a detailed inventory of technology used and owned by a company. This will help assist with any loss issues, as well as monitor the aging of the equipment and better prepare for upcoming upgrade or replacement costs. This can also help provide a triage list of what issues must be dealt with first — helping take steps towards a more optimal IT system.

Policies

Whether the main concern is wasted time or security, many leaders need the ability to review what users are doing while on the network. Ensuring that the proper policies are in place to monitor this information, as well as warning individuals about their guidelines while using a network, are important steps to keep a system running effectively and efficiently. These policies assist in both proactive and reactive situations.

It is important to be proactive with ensuring that employees know how they are to use systems and the repercussions if they violate these polices. Additionally, should a problem arise from either time waste or through a virus, it is helpful to have the right to access all necessary information without any concerns for the legality of such data review. While the specific needs for each company should be discussed with an IT or legal professional, the key policies may include, but are not limited to, the following:

• Acceptable-Use Policy (AUP), also known as a fair-use policy, is an integral component of a company’s monitoring procedure. An AUP is designed by the owner of a network or website governing how the platform should and should not be used, explaining various monitoring strategies used to enforce such behaviors and the consequences for policy violations. One purpose of the AUP is to reduce legal action by creating standards of behavior by individuals using these platforms and providing notice to users of monitoring activities aimed to ensure adherence to the guidelines. It is here that a company can define what behaviors are unacceptable, such as excessive use of resources or time-wasting activities, distribution of confidential information, distribution of indecent or offensive data and other security measures surrounding virus transmission or dissemination.

• Internet Access Policy involves the use or restricted use of various websites by an individual. Internet usage should be reviewed as the Internet connects to various assets such as the company server. Further, an Internet access policy can be designed to support the AUP by blocking various sites that are not central to the purpose of company.

• Bring Your Own Device Policy covers the requirements governing an individual’s personal device being used on a network. Companies must strive to ensure such devices are accessing sensitive information in ways to avoid unauthorized dissemination of information or the introduction of vulnerabilities entering the network. This policy may include automatic lockout requirements, anti-virus and encryption requirements, synchronization prohibitions and rights held by the company to review the device to ensure compliance.

Education

Even if you have the most ideal IT system, you cannot remove the human error associated with use of such networks. Most people would prefer not to infect an entire network with a virus — especially if the virus results from something avoidable. The best way to mitigate these problems is to educate all users. Knowing what to watch out for and what to avoid is crucial in the ability to avoid such traps.

The majority of computer users have heard of ransomware or at least have an awareness of recent virus attacks; however, the ever-changing methods to infect systems are continually evolving. Whether through self-study or an IT professional, keeping updated on ever-changing trends and educating others are essential ways to help reduce the chances of falling victim to ransomware attacks.

Technology users must be trained to understand that all devices are at risk: computers (both Macs and PCs), tablets, smartphones, servers, etc., and the various means of attack. It is important for users to understand how these viruses can spread. It may not only impact their own device, but may spread across the entire network and compromise all files and systems on that network. Attack methods may exist even on legitimate websites. Free apps or those from unregulated third parties are at a higher risk of containing viruses. Spam emails masquerading as energy bills, tax returns, delivery notices, etc., are also common. These seemingly legitimate emails often have email attachments or contain a link to call, unsubscribe, fill out a form or obtain more information that lead to triggering the virus. It is important to keep current, inform others of the email scam trends and to reiterate the necessity to avoid opening suspicious emails.

It is also important to be aware of the various psychological trickery often used to pressure victims into paying or not contacting the appropriate IT staff members to help resolve the issue. One example is ransomware attacks ties to one’s fear of ridicule or submission to law. Certain attacks will allege a user was acting unlawfully online and threaten arrest if the penalty is not immediately paid. The user may be blinded by fear of the law and pay to avoid the threatened repercussions or potential ridicule.

Lastly, it is important to communicate the policies in place for reporting any suspicious emails, advertisements, etc., as well as the required response procedure should any virus be triggered. A known and structured plan for communication of suspicious items will help alert others to these trends as well as serve as a means to determine whether or not the suspected email or link is, in fact, problematic. Timely relay of information is important to begin ensuring the resolution is properly executed.

While revamping your IT system may seem like a daunting task, getting started is key in the turnaround. These three points are by no means comprehensive, but aim to help start the line of thinking and create an attack plan for a healthier network.

Bahar Sharifan is president of Wasatch I.T. in Murray, a provider of outsourced I.T. services for small and medium-sized businesses.