Recent Blog Posts
Employees who practice safe computing and understand how to recognize the latest cyber threats are key to keeping your business safe and your data protected. It goes without saying that your business needs to employ all of the latest security technology available. But even with the best tools and systems, poor computing habits and lack of cybersecurity awareness will make your employees unwitting accomplices to hackers. They may wind up sharing passwords and other sensitive information too freely or over unsecured channels. They may fail to think twice before opening an email attachment or clicking on an unknown link. Maybe they’ll be tempted to download a certain app off the Internet without your authorization.

Setting up a training program for employees is a key way to cut down on cyberattacks that could expose your data or bring down your system, costing you money, time, and a loss of reputation. White Mountain can help, with ready-to-go web-based training as well as classroom training. Employees will benefit from working off of concrete examples and knowing exactly what steps to take to either avoid a cybersecurity threat or respond to one. For example, if one of your employees detects a data breach, would they know who to turn to and what to do next? Work off of specific policies and procedures, and use real-world exercises and drills as tests.

A single short-term training program is useful, but businesses truly benefit from ongoing cybersecurity awareness. We can help you come up with policies that you periodically review, along with course updates for new threats. Invite your employees to speak about their cybersecurity concerns at meetings. Turn any mistakes you catch your employees making into learning opportunities and reminders. Making cybersecurity issues a part of your business culture is critical. To further discuss creating an effective cybersecurity training program for your employees, please contact us.
Employees who are better informed can significantly reduce the chances that you’ll fall prey to a successful cyber attack.

Professional IT Management Service and Support Management Project Management Standard Operating Procedures IT Policies Systems Documentation Technology Consulting Cyber Security Training Reporting and Metrics Co-Managed IT Services Engineering & Support Help Desk Services Onsite Services Server Support Network Management Data Backup Disaster Recovery System Engineering Network Operations Network Security Project Work Staff Augmentation Cloud Services Computer Consulting Planning & Consulting Virtual CIO Services Strategic Alignment Budgeting IT Road-Map Business Continuity Workflow Analysis
Let’s make sure that you have the right technology for your unique business and workflow needs. It doesn’t make too much sense to invest in professional IT management, SOPs, policies, procedures, and documentation, all based on systems that are NOT right for your business. Unless you have already been through the process, and are confident that you are on track, it may be worth conducting a basic evaluation of how well your technology is serving your business needs. Are your users getting the most out of the features and tools that you already have? Are your systems overly complicated and based on old technology that may be expensive to own and support?

As we get to know each new client, we perform a basic review of how your business uses technology and how well it seems to be addressing your needs (this info feeds into our documentation system). If it seems like your business may be better served with different or additional technology, we can make recommendations and help you with the needs analysis and vendor evaluation.

Typical consulting projects include:
- Telecom and ISP cost analysis
- Current use of existing systems
- Web and online marketing systems
- Disaster Recovery needs analysis
- Mobile device usage
- Wireless network design and use
- Cloud services and readiness audit
- Compliance Audits
- Detailed security audits and reports

For longer-term or more extensive consulting projects, we may suggest engaging our consulting group to consider a Virtual CIO plan.
Maintaining accurate, complete, and detailed documentation is a core component of Professional IT Management. We maintain a secure database that allows us to track ALL key data required to support your infrastructure, critical business systems, and everyday user support issues. Let’s admit it, we all hate it when we call into a company that we have contracted with for support, and the tech doesn’t seem to know anything about us or our systems. Well, if the company doesn’t commit to professional IT management, then they don’t maintain the documentation, they don’t provide the training, and they don’t follow the SOPs. In my book, that’s called just “winging it”.

With a Managed IT Service agreement from White Mountain, we create and maintain the documentation about your business that is needed to keep things up and running and to provide exceptional customer service.

Examples of content that we maintain updated documentation on:
- Complete asset list, all hardware, software, and subscriptions
- Expiration dates for warranties, domains, certificates, hosting plans, etc.
- Domain names and hosting information
- Security configurations and procedures
- Network, WiFi, and server configurations
- ISP and telecom info
- Employee census and user IT profiles
- Workflow and key application profiles
- Knowledgebase of all requests and work done, searchable by device or user
- Profile of all key vendors, contracts and agreements
- Data retention and backup plan
- Disaster Recovery and Business Continuity Plan
- Change Management logs and reports
- Incident Response reports for all critical incidents and outages
- Remote access configuration and policies
- Written Information Security Plan
- Encryption requirements and configuration
- Failover plans for key systems
- Regulatory compliance requirements and audits
- IT Budget and Road-map
- Client-specific SOPs
- Client-specific IT Policies
Every Organization Needs IT Policies

Keeping a business’s data secure requires not only good technology but good policies. User carelessness is the biggest cause of breaches, and technical measures can’t stop people from making dangerous mistakes. A set of policies that employees and contractors understand, together with training in how to apply them, should be a basic part of the strategy of any organization that has important data which it needs to protect.

A well-written policy is clear and specific, but not so loaded with unnecessary detail that it takes a lawyer to decipher it. If it’s too hard to read, people will just skim over it without understanding. The essentials in a policy need to include what it requires, whom it applies to, and a broad overview of how to carry it out, as well as possible penalties for non-compliance.

How strict the policies have to be depends on the kind of organization. Offices that hold personal health information, handle credit cards, or do classified work need especially tight policies. Any organization that handles money or personal information needs reasonably strict policies, though. There’s no such thing as an organization that is too small for attackers to pay attention to it; in fact, some criminals specialize in small organizations on the assumption that they have lax security.

We can broadly divide policies into those which apply to all users and those which concern only IT personnel. Let’s look at a few in the first category, as examples.

Email policy. The policy should state to what extent it allows personal communication using company email, if at all. It should explain retention requirements, indicate what kind of language and commentary it prohibits, and spell out what use of third-party email services it allows or doesn’t. It should notify users that their mail may be monitored and they have no expectation of privacy.

Password protection policy. This has to place specific requirements on the formation of strong passwords, prohibit password sharing and reuse, and list specific practices (writing down passwords or hints, giving them over the telephone, etc.) that users have to refrain from. If the company does any password guessing to test compliance, the policy needs to let the users know.

Remote access policy. Instructions on how users may access the organization’s systems from outside go here. Requirements may include coming in only through the VPN, protecting their VPN passwords, not simultaneously connecting to other networks, and having antivirus software.

Other policies are specific to management and IT personnel. Let’s look at a few examples.

Disaster recovery plan policy. This doesn’t specify the contents of the plan but states what kinds of contingency plans the staff has to create. It places requirements for reviewing the plan periodically and conducting tests.

Server security policy. The requirements of this policy should include registering all servers, designating the primary person responsible for each one, specifying requirements for generating and retaining logs, maintaining access control (including physical access), keeping the software up to date, and reporting security incidents.

Equipment disposal policy. This policy has to cover such issues as wiping disk drives before disposal, tracking and identifying equipment that has been cleared for disposal, and recycling. It needs to identify the kinds of equipment which it covers.

The SANS Institute’s website offers a broad range […]