GFISecurityLabs’ David Kelleher Talks about SMB IT Mistakes

There are common mistakes that every company makes when it comes to IT, and unfortunately big or small this can cost money. David Kelleher, communications and research analyst at GFI’s GFISecurityLabs, talks about these mistakes and offers tips so that they don’t happen.

Bright Hub: What are some of the most common mistakes made by IT people in a SMB setting?

David Kelleher: Whenever a security breach occurs or something goes wrong on the network, it is most always the end-users' fault - as most employees, despite receiving lengthy lectures, dozens of emails and verbal warnings, continue to ignore even the most basic of security recommendations - such as not leaving their passwords on a sticky note stuck to their workstation.

While 99% of the time this would be the case, there are occasions when an accusatory finger has to be pointed in the direction you would least expect: the IT administrator's office. Yes, even IT administrators can make mistakes and they do, especially in small and medium sized businesses. Too heavy a workload, little time and the pressure to meet deadlines and keep the bosses happy inevitably leads to the IT people making errors of judgment... at times serious ones too.

1) Connecting systems to the Internet before hardening them. Classic mistake. Computers are not designed to be connected to the Internet straight out of the box. Before a phone line, Ethernet cable, or wireless card is anywhere near a new computer, install at least virus protection and spyware scanners, and a program to prevent malicious software from being installed.

2) Connecting test systems to the Internet with default accounts/passwords. A hacker's dream. Leaving the default accounts/passwords makes it all the more easy for a hacker to gain access to your network. Change passwords and delete/rename default accounts immediately.

3) Failing to update systems. Security holes exist in your operating system and no software is perfect. Once a vulnerability is found, it's usually exploited within a very short period of time. Therefore, it is imperative to install security patches as soon as possible even if it takes time to check them out in a test environment before updating.

4) Failure to properly authenticate callers. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated may be the easiest way to reduce the support call tickets but it is a joy for those involved in social engineering efforts. Enforce proper authentication at all times, even if the voice is familiar.

5) Failing to maintain and test backups. Laziness is one of the biggest security threats, but creating proper backups is much easier than recreating the data from scratch. Backups should be made often and copies kept offsite (not in the boss's safe).

6) Failure to confirm that your disaster recovery plan actually works. Okay, so you have your backups now. But do they work? Have you verified the backups are good? Do you have a disaster recovery plan? Three 'no's'? You're in trouble.

7) Failing to implement or update virus detection software. What is the use of having virus and spyware scanners if they're not updated? Up-to-date scanners ensure that the latest malicious software is detected immediately.

8) Failing to educate users. Users need to know exactly what kinds of threats are out there. Uneducated computer users are often those who fall victim to viruses, spyware, and phishing attacks, all of which are designed to corrupt systems or leak personal information to a third party without the user's consent. Don't take users for granted or trust them too much.

9) Trying to do it all yourself. Large companies have IT departments but small business administrators should ask for advice and help if they have problems setting up their network. External help, though costly at times, ensures you've done the job right, first time round.

10) Failing to recognize 'insider threats'. Too much trust can kill your network. Disgruntled employees and others can cause enormous problems if they're not properly monitored. IT people should monitor network activity, especially the use of portable devices such as iPods, memory sticks and others. You do not want the company's confidential data sold by an irate employee to the competition.

Bright Hub: Is having multiple operator systems a bad idea? And does this present more problems for an IT person, or does making a slow move to a new system such as Vista solve some problems?

David Kelleher: Although using multiple operating systems can be problematic, it is not so much the systems in themselves that create problems but the technical abilities of the person implementing the technology. Sticking to one operating system, especially in an SMB, makes it much easier for the IT administrator to manage, upgrade and troubleshoot. Not all SMBs have more than one administrator and more often than not that person would be versed in one, and maybe familiar with another operating system at the most. Unless IT staff are confident managing different OS, an SMB faces a high risk of downtime as issues crop up that may take longer than normal to troubleshoot.

The key to a successful network deployment is to prepare and carefully analyze the needs of the organization. Without a proper plan that takes into consideration not only the hardware requirements of the organization but even the staff and technical ability to manage the network, an SMB will be asking for trouble or a very steep learning curve.

In terms of OS upgrades, to Vista for example, the decision will depend on whether it is a must or not. If a company is managing fine with Windows XP and Windows Server 2003, upgrading to Vista and Server 2008 will not be important or necessary (there are cost issues to look into as well). Migration to a new OS should only take place if it will solve recurring problems and will lead to an overall improvement in how the company operates in terms of networking and security.

Bright Hub: Do you think that it is better for an SMB to have a full-time IT person or would it be better to hire an outside contractor?

David Kelleher: There are advantages and disadvantages in both situations. The primary concern is cost. Can a company afford to employ a full-time IT manager and is the volume of work such that it requires his or her services on a daily basis? If yes, then it makes sense to have an in-house IT administrator. On the other hand, if the company is small enough to only require occasional troubleshooting and maintenance it may be more cost effective to outsource their IT needs and purchase a maintenance agreement. Most contractors will respond to support calls within a couple of hours. The second option makes sense if the contractor was responsible for setting up the network.