In the final post of this series, I focus on the importance of maintaining, upgrading and protecting hardware; updating software regularly and protecting your data on multiple devices and in the cloud.
1. Are your computers and servers maintained and upgraded regularly?
One of the greatest hazards to network security is outdated and poorly maintained equipment. It might be more obvious to think about the risks to the overall environmental stability of your network posed by old and out of warranty equipment (servers and computers that wear out), but there are also risks of outside attacks.
It is not enough to only fix parts of your network when they start malfunctioning. The longer software is in use, the more common exploits become; hackers work continuously to find holes and vendors work just as hard to plug those holes. That said, most vendors only provide security patching for a limited time (often only a few years). Beyond productivity issues, updated hardware and software is essential for security.
You don’t have to buy the latest and greatest, but you should take into account the finite lifespan of hardware and software in your organization. It helps to build maintenance and replacement schedules as part of your security plan, and as a necessary part of your technology budget. Such upgrades are not a convenience, but rather an absolute necessity.
Consider working with IT professionals who can help you make good long term choices and plan your network. A skilled company will be able to help you work within your budget to meet both your productivity and security needs.
2. How are you protecting your computers, servers and devices?
My mantra is: If it is not physically secure, it isn’t secure. Remote users should have passwords on their laptops and be taught to lock up their machines. All users should lock their screens when not at their computer.
Phones should be required to have security as well. If someone can pick up a device and log in without a challenge, your network is not secure. Think also about the office itself: keep your server and networking equipment locked up tight.
Lastly, don’t forget about retired equipment. Make sure that hard drives are erased or destroyed before recycling. Be sure to destroy CD’s and DVD’s that might have sensitive data.
Many leaders are surprised that IT is not just something you can hand off to one person or outsource to one company. You can’t just pass this list to your IT people and say “fix it.” Much like financial planning, it is a business system that needs to be continually maintained and something that needs buy-in from leadership. The goal of this article is to help you start asking the right questions.
3. How are you handling data protection on BYOD (Bring Your Own Devices)?
More and more companies are allowing employees to use their personal equipment (including cell phones, tablets and laptop computers) in the workplace. This the type of technology is constantly changing. Think critically about:
4. Is your software updated regularly?
Great–you have a brand new server and new computers. Now what? Earlier I talked about building this into long term planning and budgeting, but here we need to make sure it actually gets done!
Vendors regularly release updates for software that address a myriad of issues, many relating to security. Keep it up-to-date with patching and proper management. Even if your organization is too small to have a dedicated IT person, make sure that someone is checking in on your computers.
At the least updates should be run quarterly. For Windows products, a monthly schedule would be even better. Microsoft releases major software updates on the second Tuesday of each month, and syncing updates a week or two after this day is a good practice.
5. How can you protect your data in the cloud?
As you move your data offsite and into the cloud, you must become an educated consumer. Because you lack physical control over the systems there are important questions you should be asking:
This is Part 3 of a blog series on IT Security Best Practices. Feel free to comment below to share your questions and ideas on the topic. Join us for the webinar on July 25 on IT Security Best Practices.
Join Matt Eshleman on Wednesday, April 19 at 3pm Eastern, Noon Pacific for a presentation and Q&A on real emerging threats and a practical approach for nonprofit cybersecurity.
Fill out the form below to request a quote. We’ll be in touch shortly to discuss your needs and take the first step toward better nonprofit IT.