

Help me understand what a proper business IT system looks like.
February 11, 2014 2:41 PM

I've only worked in a small business (15-20 employees) since I got out of school, and I've handled the technological necessities since I started because nobody else could. I've handled things on an as-needed basis: troubleshooting problems, setting up new computers, maintaining an iron grip on software installations, setting up the network and administering simple network devices, etc. However, I'm completely self-taught, and I have no idea if my hacked-together system looks anything like a properly-implemented corporate IT system. So I want to know what one looks like. Specifically, I'd like to know if there are any resources I can check out on my own that paint the picture of what I should be trying to achieve. NOTE: I'm NOT averse to hiring an outside IT firm or consultant to help with specification and implementation. However, I don't want to be at the mercy of a firm's "knowledge" and my own ignorance; you can waste a lot of money that way, regardless of scenario.

I'm really looking for a hypothetical book or resource called "how to set up your business IT systems." Here are things that come to mind that I could use help with:

1. Centralized secure file storage and access restrictions. Granular, flexible permissions preferred as opposed to top-down permission management.
2. Centralized management of the various workstations, so I don't have to go to each computer to perform updates, install software, do maintenance and such.
3. Proper anti-virus/malware/trojan/etc solutions.
4. Secure, remote access options for computers.
5. Learning how to use group policy to restrict what people can do to their computers. Somehow stuff (including viruses) sometimes gets installed without me having to use my Administrator rights to install it even if the person only has User status. I'd really like to restrict people's access in Windows, but I'm not even sure what are the most important things to restrict, honestly.
6. Internet restrictions and firewall setup. I really don't know the level of rigor I need to go into here.
7. Restrictions on or at least logging of any information that is removed from computers. This is important for the sake of protecting trade secrets and confidential information since we do a lot of interesting, new stuff we’d like competitors to not get access to when we let an employee go.
8. Passwords: Do I let people set their own passwords or give them passwords? Can I set restrictions on what they can use as a password in Windows? Is it better to have a good, difficult password or to have people change their passwords frequently? What if I need to log into someone's account to make account-specific settings changes but I only know my Admin password? Right now, I know everyone’s password, because I assign it to them, but I highly doubt that’s typical.
9. General IT security standard operating practices. Yeah, I know this is general, but I’m sure it encompasses a lot of specific things I need to be aware of.
10. Email security and management. Right now, we do not run our own email server, but use our webhost for email. We have a ton of information stored in email. I don’t know if this is an acceptable setup or not, but it’s probably one of our most effective information storage mechanisms right now. I don’t know if I should be backing up all these emails on to my own physical media, and if so, what would be the best way to do it.

11. BACKUPS. I was going to write a whole post on AskMeFi just asking about backup philosophy, because I think it's so important. Right now, I do occasional, non-automated, backup images of peoples' entire HDDs because I don't want to miss any files they or their software might save in a squirrelly location deep within Windows. Some, not all, people save their work to our central NAS device, which is set up in RAID 1 at least for some basic hardware safety. Still, it needs its own regular backups. I don't know what the best options are. Preferably, I'd like to do incremental backups of people's changed files instead of whole backups, but I'm not sure the best way to easily do this. Also, where do I physically keep my multiple backups of the information? Presumably, spread out and not in the same building. They'd need to be synchronized, though. Backups, in general, are something I know I'm dropping the ball on, and I need to know how I should approach this.

-----

I'm not expecting anyone to go answer these questions number-by-number. These are just some things that I could come up with right now in my head. I am surely missing many other important things. I can research individual aspects or ask additional specific questions later either here or on other, more tech-oriented websites you might recommend for getting answers. I just don't have the experience to know what a standard system SHOULD look like. I don't know if I'll need to hire a full-time dedicated IT professional (seems unlikely for my company size) or if I can automate and secure things where I can split the load between me and my secretary or if I need to contract an outside firm. In any case, I need to be completely aware of what's going on since I'm the number two in the company and am keenly aware of the pitfalls, legal and otherwise, of lackadaisical information and software management.

One more thing. If you've read any of my other questions, you'll have seen that I'm exploring ways to move the file and project management aspects (and maybe other aspects) of my company to the cloud. There's a huge amount of information generated in this small company ranging from tasks and discussions to quotes from vendors to technical data and everything in between. I talked to a technology/IP lawyer recently who cautioned that the cloud is an uncertain setup if you're trying to protect sensitive information. Paraphrasing his words: "Even if the data is encrypted on their server, as long as they possess the encryption key, they can expose your data if necessary if compelled."

So my question would be, are there any cloud services that ARE secure enough to use for a business by his standard or is his standard overly strict? I've looked at Dropbox (explicitly told not to use DB by the lawyer), Box, and Egnyte for file management. I'm testing Smartsheet and have also been recommended Wrike for project management. And I've diddled with Trello, Workflowy, and Asana for to-do lists (see my very first question.) I like the idea of centralizing data in the cloud for easy collaboration and as a sort of backup. It seems much simpler than creating and running my own in-house servers and systems, and I like that. But I don't want to be accused of not doing what I can to protect company information if we ever have to sue someone for disclosing what we deem confidential information. I'd appreciate any thoughts on the cloud's role in a small, technical business setup and specific suggestions if you've got any.

Thanks for sticking with me until the end. Again, in my role I have to consider all aspects of the business simultaneously, so I need to be very knowledgeable about all of them. If someone else implements an IT solution for us, I need to be able to competently oversee what they're doing and manage it myself if the need arises. Right now, though, I just want to make sure I can see the whole picture and make sure I have all the puzzle pieces I need.
posted by KinoAndHermes to Computers & Internet (16 answers total) 12 users marked this as a favorite
 
where I can split the load between me and my secretary

Yeah... Assuming you own the company, your job is to run it (and not worry about this level of detail), and your secretary's job is secretarial work. This isn't a place to save money: you're going to lose any savings the first time you make a mistake.

In a big firm you have teams of people assigned to specialise in different areas of IT. For a smaller firm you have a dedicated IT guy who is on call, or you outsource. I'd suggest you talk to a local IT company, they'll talk you through what you need.
posted by devnull at 3:41 PM on February 11 [1 favorite]


I was trying to figure out how to craft a response when devnull basically beat me to it. I'd only add that contracting with an IT company doesn't mean you throw in the towel on knowing anything about your own network. What happens when you get sick and the server throws a rod on the same day? Regardless of any one person's competence, it's a recipe for disaster.

As for your specific questions, a lot of it sounds like Microsoft Exchange to me, although there are of course other solutions. There are hosted exchange solutions which provide about all the same functions as if you had a server in your own closet; since I don't run one of those I don't know as much about them as I should. In my under-educated opinion a really robust, full-featured cloud-based server setup isn't hugely less expensive than running our own, and as long as you have PCs in your own building that you own you'll still have IT problems above, beyond (and below) the magic server in the sky. And the point about confidentiality is a point taken, although, you know, if it comes to that you can be compelled to hand over a computer you own, too.

Lastly, touching on backups - I'd say even with competent tech support back-ups are the most difficult thing to make sure is getting done. My own approach with my tech support is to specifically, and in painful detail, peel through the layers and ASK THEM TO SHOW YOU where and how the backups are getting done. It's all too easy to hand-wave this area, because it's tedious to go through and list every damn thing in your network that needs to be backed up, but more than once I've had the tech support guys say "oh, you wanted THAT backed up, too?"
posted by randomkeystrike at 3:55 PM on February 11


8. Passwords: Do I let people set their own passwords or give them passwords? ... Right now, I know everyone’s password, because I assign it to them, but I highly doubt that’s typical.

If you know everyone's password, it defeats the purpose of other security measures. Let's say an employee copies your most valuable trade secret to a flash drive. You fire them and file a suit against them. They come back and threaten to sue you, claiming that you logged in with their credentials and copied the file yourself in order to fire them. It's a potential mess.

Employees should set their own password (with length & complexity requirements), be required to change them on a regular basis, and should have the fear of god put into them about sharing their password with anyone ever.
posted by Blue Jello Elf at 3:56 PM on February 11


For reference, I don't own the company. My dad does. I'm the jack of all trades second-in-command who's managed to keep the company from grinding to a halt with technology problems my dad doesn't understand. And my secretary and I split the IT duties right now, with me supervising her. It's not my ideal solution, obviously, especially considering that my focus should be in other places now. I just want to know more before I go out vendor hunting, so I don't waste my time.
posted by KinoAndHermes at 3:56 PM on February 11


It sounds to me like you need a full-time dedicated IT professional. At least for a while. Especially with the questions that you have about security and the fact that you know everyone's passwords. I recommend meeting with a well-regarded IT Security consultant in your area who could tailor answers to your specific situation.
posted by Roger Dodger at 3:57 PM on February 11


re: backups...unless a restore is physically demonstrated, I assume a backup plan is aspirational - and probably fictional.
posted by j_curiouser at 4:12 PM on February 11
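
The restore test described in the comment above, as an added example that is not part of the original thread: record a SHA-256 manifest of the share when the backup is taken, restore into a scratch folder, and compare. The folder layout, file names and the simulated bad restore in `demo()` are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(source_manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(source_manifest) - set(restored))
    extra = sorted(set(restored) - set(source_manifest))
    corrupt = sorted(
        p for p in source_manifest
        if p in restored and restored[p] != source_manifest[p]
    )
    return {
        "missing": missing,   # backed up, but absent after the restore
        "corrupt": corrupt,   # restored, but content differs
        "extra": extra,       # restored, but not in the manifest
        "ok": not missing and not corrupt,
    }


def demo():
    """Constructed scenario: a restore that drops one file and truncates another."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "share")
        restored = Path(tmp, "restore_test")
        (source / "quotes").mkdir(parents=True)
        (source / "quotes" / "vendor_a.txt").write_text("quote: 1200 units\n")
        (source / "drawings.dat").write_bytes(b"\x00\x01" * 4096)
        (source / "tasks.csv").write_text("id,task\n1,order parts\n")

        manifest = build_manifest(source)        # taken when the backup runs
        shutil.copytree(source, restored)        # stands in for the real restore
        (restored / "tasks.csv").unlink()        # simulate a file the job skipped
        (restored / "drawings.dat").write_bytes(b"\x00\x01" * 100)  # truncated copy
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

In real use the manifest is saved alongside the backup set, so files edited after the backup ran are not reported as corrupt.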


Blue Jello Elf: I had not thought of it that way, and that makes a lot of sense. Again, just been doing this out of expediency, but I always had a funny feeling about it. I just found out how to set password policies via this link in the Group Policy Editor. I think I will start to make people choose their own tough passwords instead of assigning them tough passwords. I'll have to figure out how to set similar minimum password requirements for email and other things they need to log in to like email as well, it seems.

I'm going to mark you as a best answer already, but everyone else feel free to keep the suggestions coming. I don't mind if you just address one part of my rather long write up, either.
posted by KinoAndHermes at 4:16 PM on February 11


Really good questions here and it's great that you're trying to improve things yourself. My suggestion is to bring in some small business-focused IT companies to interview. They'll come in for free and sell you on their services. Smaller companies would be happy to back you up and answer these questions, even if you only call them once in a while. You don't have to hire them full time.

It would be helpful to network with professionals in your field. There may be local computer, user or Meetup groups available to you. These folks can talk to you about what you're doing now.

I'll jump in on a couple, but there are really too many to answer completely in a comment. Note that these are opinions, and if you put three systems people in the same room, you'll get four different answers. I'm assuming you have Windows because you mentioned group policy and malware.


1. Centralized secure file storage and access restrictions. Granular, flexible permissions preferred as opposed to top-down permission management.


Use groups for permissions on centralized files. Do not assign permissions to individuals or your permissions will become a mess. Avoid changing permissions twenty levels deep in a folder hierarchy if you can. Create new root-level folders (\\server\Marketing\campaigns) when you change permissions.

2. Centralized management of the various workstations, so I don't have to go to each computer to perform updates, install software, do maintenance and such.

There are various ways to go about this, but the cost+labor benefit isn't great at your size when implementing something like System Center. Look at Chocolatey for software deployment/updates, which is the biggest/most important system management issue in small biz.

3. Proper anti-virus/malware/trojan/etc solutions.

The major players are effectively all the same, and none are very good at detection/removal. If you're buying something you can centrally administer, buy mostly on price and simplicity of administration. You'll need to supplement this with third-party tools like Malwarebytes when you get infections.

Use WSUS for updating Windows.

5. Somehow stuff (including viruses) sometimes gets installed without me having to use my Administrator rights to install it even if the person only has User status. I'd really like to restrict people's access in Windows, but I'm not even sure what are the most important things to restrict, honestly.


Some apps (Google Chrome) don't require Admin rights to install. Others are portable apps that basically run inside a folder. You're not going to be able to 100% stop people from running stuff on their machines.

As far as malware goes, two things.

1. Don't let people run as local Admin. In most cases, the malware is limited to their user profile, so you delete the profile and recreate it to get rid of the malware. (This is not foolproof, and you must have some way to store/backup their documents.)

2. Update Flash, Adobe Reader, Java and Quicktime. This jibes with #2 above. If price is an issue (which I'm betting it is in smallbiz) look at Ninite Pro in addition to the above.

6. Internet restrictions and firewall setup. I really don't know the level of rigor I need to go into here.


Almost everywhere uses the default firewall settings. If you're in a high-security business, hire outside help.

7. Restrictions on or at least logging of any information that is removed from computers.

There are some really sophisticated, complex, expensive solutions for managing files in this way that, for example, the NSA wasn't using. Just about any of those systems can be defeated with a smartphone by anyone with access to the documents. No specific advice here, other than really calculate effort vs. effectiveness when doing this.

You can turn up some of the audit settings in Windows logs so file access is audited. Be aware that you'll generate a lot of logs.

8. Passwords: Do I let people set their own passwords or give them passwords?

You let them set the passwords. You do not and should not know the passwords. If you need something in that user account, you change the password and login. Then the user knows you've been in. They reset the password when they return.

9. General IT security standard operating practices. Yeah, I know this is general, but I’m sure it encompasses a lot of specific things I need to be aware of.


Outside IT consulting firm.

10. Email security and management. Right now, we do not run our own email server, but use our webhost for email.

This sounds really risky. I'd centralize on a cloud-based e-mail suite that offers backup/restore, etc. Not necessarily local backup and restore, but guarantees around cloud backup/restore/multiple versions, etc. Microsoft and Google have solutions in this area. Microsoft's solution is more integrated in my opinion, but I use Google personally.

11. BACKUPS. Right now, I do occasional, non-automated, backup images of peoples' entire HDDs

This is bad. You don't have all of the company's information backed up because it's spread everywhere. You don't know when the last time you backed up a specific file so if it goes missing you'll lose a good part of or all the work. Every desktop PC is a single point of failure. You're backing up the same files in Windows and program directories over and over again wasting backup space.

If people have desktops, they need to store their files in a central location. Period. If they have laptops, you need to find a way to replicate their data to the server while they're in the office. You need to have scheduled backups of all data, rotating backup media and take backups off-site.

There are apps that will help with this - CommVault and BackupExec are commonly used, though I'm not sure of small biz pricing.

I talked to a technology/IP lawyer recently who cautioned that the cloud is an uncertain setup if you're trying to protect sensitive information. Paraphrasing his words: "Even if the data is encrypted on their server, as long as they possess the encryption key, they can expose your data if necessary if compelled."

IANAL, but I will say that Google's (or whoever) security is better than yours and mine.

It's a start. Again, I'd find someone to come in and help you out. Sanity check everything I've said here (and whatever else you're told).

You're on the right track. Good luck!

Edit - on preview - if you use Active Directory in house (which isn't clear from your post) you can often sync those passwords with a cloud provider, meaning that your users have one password instead of multiple passwords.
posted by cnc at 4:41 PM on February 11 [3 favorites]


Even if the data is encrypted on their server, as long as they possess the encryption key, they can expose your data if necessary if compelled.

This is true, and this is why SpiderOak is the best solution for you. From their FAQ:

Q: What if I forget my SpiderOak password?

A: [some stuff elided]...However, if can't reset your password from another machine and the hint has still not helped you remember your password, then I'm afraid your only option is to open a new account. Here at SpiderOak we take our zero-knowledge privacy policy very seriously, so we never have any knowledge of your password and no way to retrieve or reset it, even in emergencies.


They're not cheap, but they are serious about data protection, even from themselves.
posted by number9dream at 6:21 PM on February 11


2. Centralized management of the various workstations, so I don't have to go to each computer to perform updates, install software, do maintenance and such.

Group policy can deliver applications to workstations without the need for a full blown application deployment system. It's not foolproof (test it out as vendor based installers often don't work as expected) but it does work.

Windows hotfix updates, as mentioned above, use WSUS.

4. Secure, remote access options for computers.

Look into getting an SSL VPN device in a network DMZ to handle that. Basically it would look like this:

Internet -> Internet facing firewall -> SSL VPN Device -> Internal network firewall -> Internal Network

The SSL VPN device will be the endpoint for traffic from the internet, tunnel it over SSL and let you talk to internal devices.

I'd suggest getting an IT consultancy firm to help you out. There are various products that run the gamut of price ranges. Other things to think about: how would you authenticate external users at the SSL VPN? Is username/password enough or would you require 2 factor authentication (like RSA or Vasco)? What kind of access would people get once in (full access to the internal network, or access only to certain web apps/servers/their computer over rdp?) Many many other things to consider.

7. Restrictions on or at least logging of any information that is removed from computers

Look into DRM products. If you chose McAfee for antivirus, they have a DRM product that can help protect sensitive data.

If that is out of scope you can set up auditing of the file system for deletions and forward that from every workstation to a central log server.

Other general IT advice - do you use any kind of change management and incident tracking? If you are starting to expose your internal network to the internet via firewalls and SSL VPNs, then managing changes on those (even if it's just you doing all the changes) is critical. I'd have some system for recording the changes done (even if it's just an email list or a file somewhere) so 6 months later you can have a look and see what was done, by whom, and when it was done.

Encourage users to save files to network shares that are backed up and protected properly. You can do this either by education, by changing policies that automatically change office/application save locations to network drives, redirecting mydocuments etc to network locations etc.
posted by Admira at 6:41 PM on February 11
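
A sketch of what can be done with the audit data mentioned in the two comments above (file-access auditing, and forwarding deletion events to a central log server), added here as an example and not taken from the thread. It assumes the central server exports Security event 4663 records as CSV with the columns shown; the export layout, host names, users, paths and thresholds are all constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

DELETE = 0x10000  # DELETE access right inside the 4663 AccessMask field

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = r"""TimeCreated,EventID,Computer,SubjectUserName,ObjectName,AccessMask
2014-02-11T09:00:05,4624,WS-07,asmith,,
2014-02-11T09:02:11,4663,WS-07,asmith,\\nas\Projects\quote_vendorA.xlsx,0x1
2014-02-11T09:10:40,4663,WS-07,asmith,\\nas\Projects\draft_old.docx,0x10000
2014-02-11T12:00:00,4663,WS-03,WS-03$,C:\Windows\Temp\a.tmp,0x10000
2014-02-11T17:40:00,4663,WS-11,bjones,\\nas\Projects\spec_rev1.pdf,0x10000
2014-02-11T17:40:40,4663,WS-11,bjones,\\nas\Projects\spec_rev2.pdf,0x10080
2014-02-11T17:41:15,4663,WS-11,bjones,\\nas\Projects\test_data.csv,0x10000
2014-02-11T17:42:30,4663,WS-11,bjones,\\nas\Projects\vendor_list.xlsx,0x10000
2014-02-11T18:30:00,4663,WS-11,bjones,\\nas\Projects\notes.txt,0x10000
"""


def parse_events(text):
    """Keep only 4663 (object access) records made by user accounts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EventID"] != "4663":
            continue
        if row["SubjectUserName"].endswith("$"):
            continue  # machine accounts generate routine noise
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "user": row["SubjectUserName"],
            "path": row["ObjectName"],
            "mask": int(row["AccessMask"], 16),
        })
    return events


def bulk_deletions(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: most distinct files deleted inside any one window}
    for users who reach the threshold."""
    by_user = defaultdict(list)
    for event in events:
        if event["mask"] & DELETE:  # mask is a bit field, so test the bit
            by_user[event["user"]].append((event["time"], event["path"]))

    alerts = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {path for _, path in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print(bulk_deletions(parse_events(SAMPLE_EXPORT)))
```

Because full file-access auditing produces a lot of records, a summary like this is easier to review than the raw log; the threshold and window need tuning against normal activity on the share.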


Also, if possible, have a strategy. Where are you now IT wise? Where would you like to be?
So that could be:

Where are we now: Assets: 30 Windows blah workstations, 12 blah servers etc. Capabilities: delivering x, y and Z capabilities. Capability gaps are remote access, protection of sensitive material, centralised file repository, managed security of file systems, automated application deployment, automated patching etc. Risks are lack of cohesive backup and BCP/DR plan, no monitoring of loss of sensitive information, lack of standardisation through automated software deployment/patching etc etc.

And the capability gaps and risks would drive the strategy.
posted by Admira at 6:51 PM on February 11


IT security is a hard nut to crack for a small business. You need to try to balance security, usability, and budget.

I'd start with "what sensitive data do I have that can get me into legal trouble?" SSNs? PHI? Payment card? PII?

I'd figure out what my maximum legal exposure is. Will that bankrupt your company?

If so, consider: you need to get everything right on the security front with every dollar you spend to prevent business failure. You're not a security pro. You aren't going to get it all right.

So what to do? Only concern yourself with security that makes sense within your operation -- things like "permissions should be set up so only the owner can see employee files." Things like "we should run antivirus so our systems don't run slow." Things like "we should not run an open relay mail server so our hosting doesn't get turned off." Don't spend a minute on any "best practice" that doesn't support operational goals.

Bruce Schneier, security guru, has said he wouldn't spend a single dollar on security in a small business. It just isn't worth it. I don't entirely agree, but it's a rare case where you can make that work, and normally involves scoring a security pro as your IT manager.

Consider that cloud providers actually evaluate their risk, something that you don't have the skill to accurately do. Most cloud providers have more skin in the game in terms of millions of dollars of profit than you do. They have incentive to be secure. Yes, law enforcement can request access to your data through a cloud host, and yes that key can be hacked. Far more likely that someone will guess the admin password for your account, though.

I haven't personally vetted Box, but a former coworker is their security architect, and I trust him to know what he's talking about. I don't know if Box's management lets him do what he wants, though.

But again, while the details are fun, in a small business ops are king. Availability, availability, availability. Then you get to worry about everything else.

If I were consulting on your network, and you told me you were a small business, I'd be looking at:

- Is there an active directory domain
- Is every system joined to the domain
- Is there a sane default GPO applied to every system
- Do most settings for a new system get configured automagically via network settings (printers, mail, etc)
- Are groups in use? Are they role based?
- What data is of value on the network?
- Is that stored in one place?
- Is that place stupid (read: email)?
- Is that place backed up?
- Do the backups work?
- Is that place segregated (permissions and network) from the rest of the network?
- Does that stuff even need to be on the network? (personnel files are much better under lock and key in small business)
- How do people work remotely?
- Is that method stupid (e.g., over the public internet without encryption)
- Do you repeatedly get the same help desk calls or random tasks?
- Is it because of something stupid (i.e., should that be automated)?
- Are things slow?
- Is that because of something stupid (insufficient capacity, non-scalable architecture)?
- Do people only have access to the things they're supposed to?
- Are you sure?
- Really?

If you work through that list, know the answers, and are confident you aren't doing something stupid, you're in a good place for a small business. Until then, keep reading, keep plugging, and drop more specific questions.
posted by bfranklin at 6:58 PM on February 11 [1 favorite]


And, you know, I left out an important one based on your question about viruses getting installed:

- Do you know what software is installed on everyone's machine?
- Are you licensed for all of that?
- Is everyone running the most recent, fully patched version of every piece of software out there? (p.s.: If you say yes, you're lying).
- How are we going to get there?
- How long are we lagging behind the patches?
- Is patching automated?

There are probably some others I'm forgetting. But you really need to start with these basic things before you worry about your potential risk exposure with, e.g., cloud providers or some outsourced service.
posted by bfranklin at 7:03 PM on February 11 [1 favorite]


I take it you're on a domain already.

Are your servers virtualized?

We recently overhauled our network with help from a small-business focused consultancy. We now have two physical VMware ESXi 5.5 hosts, splitting the load of Windows Server VMs. We replicate the VMs across the machines and also do a VM-level external backup. This has all been a huge win for a small business shop without a real IT department (which we used to have, kind of, before our former firm split up.)

Office365 for email etc. On-site Exchange is a huge cost driver and generates other requirements.

Remote access can be anything from LogMeIn to a full blown Citrix/RDS (Terminal Services) setup. What are your needs?

No McAfee please. I've had good luck with GFI and ESET/NOD lately. You may also want to look at a security gateway with UTM features.

I could bend your ear about this stuff, I'm in your position, dual-hatted at a law firm with a similarly technophobic Dad/boss (and grew up in this role on and off). Feel free to memail me for more details and/or referrals to the companies I work with.
posted by snuffleupagus at 2:13 AM on February 12 [1 favorite]


The one thing that stands out to me that I would start fixing right away is to get everyone saving their work on the shared network drive. We do this in my firm and I explain firmly to everyone that this is the only place that gets backed up. It is hard enough to do backup and continuity, you don't need to have data files spread across 20 workstations as well.

I have a 40 person firm and I contract with an outside IT support group to handle some of the more technically challenging tasks. It also makes it possible for me to take a vacation day and have some backup support. It is well worth it and many of the pains you are experiencing are the norm if you are doing it on your own.
posted by dgran at 7:05 AM on February 12


Quick, easy answers that will cost you some money:

Get CrashPlan for people's drives, or at least for the central NAS. Try for a more human-oriented solution to get people to save their work on there.

Get Google Apps for Business for Gmail and document sharing. $5/user/month and far better security than your webhost.
posted by Aizkolari at 10:42 AM on February 12

