In most companies, IT departments became strategically important long before the last few years, and in the age of digitization this is becoming even more pronounced. However, many small and medium-sized companies are still stuck in this maturing process, in which a constantly growing IT landscape keeps presenting employees with new challenges.
At the top of the list of concerns for companies and their IT and security managers is IT and cyber security: protection against “cyber attacks” from the evil Internet, or protection against “ransomware”, i.e. the encryption of company data and the ransom demand that usually follows.
Most IT managers should be getting goose bumps by now, especially when they imagine this scenario in their own company. For many, now would be the time to run a trial data restore to make sure they are prepared for an emergency.
As the almost daily news and practical experience show, quite a few companies are not sufficiently protected against this, often despite a well-staffed IT department. What is the reason for the failure?
Where do the dangers come from?
Of course, at first glance you can blame everything on the Internet. After all, the network of networks is the source of all the problems you can imagine. The days when viruses spread via floppy disks or USB sticks are over. Today it’s faster. And above all, it’s more convenient, because the friendly hacker from the neighborhood is sitting somewhere far away watching TV. Or he goes shopping with the extorted ransom money while waiting for the latest successes of his botnet.
Attackers infiltrate programs that either encrypt all data within reach or search for gaps in the systems in order to gain administrative rights and thus access to other internal systems. This opens the door to data theft.
Now it would be nice if we could simply place a device, for example a firewall, between the internal and external network and thus avert all dangers. This actually worked relatively well for some companies a few years ago. They simply closed off virtually all communication to the outside world in a restrictive manner. Today, however, this approach is practically unthinkable.
The role of the IT department
Basically, an IT department has enough on its plate just handling day-to-day tasks and system support. However, IT managers now have to pass on significantly more information to their superiors than was previously the case. Today, “We have that…” or “That’s fine…” is no longer sufficient as a response to a request from management.
Because if a data protection problem arises, the person in charge takes the heat for it, and in most cases this is the managing director of the company.
In very small companies, it is certainly not unusual for the boss to act personally as the IT officer as well. With increasing size, however, these tasks are shifted to other people, who then have to prepare the information that is to be passed on.
Just having an overview is not everything
Let’s get to the heart of the matter. Taking care of an IT network means, among other things, taking care of IT and data security. In order to ensure this security, you have to know in detail which devices and software are used in your network and on the systems, but also which user rights are assigned in the network.
Determining this very quickly becomes a rather involved affair. On the one hand, various tools, admin accounts and software products are usually needed to collect the data; on the other hand, the results are hardly ever delivered as one coherent list. This is where real “manpower” is needed: results from a wide variety of exports are brought into a clear form and then forwarded by mail to the right place in the company.
This effort, namely drawing up a more or less complete inventory, determining the devices and software in use and also accounting for the changes since the last time, is also very prone to error. And all too often, the list from the last quarter is simply given a new date because, as far as anyone remembers, nothing has changed anyway.
This has nothing to do with professionalism
An art dealer can work with estimates. The better the art dealer is and the more experience he has, the better the estimated value will do justice to the work of art. For an IT administrator or an IT manager, however, estimates are not an adequate tool.
They may be able to estimate that there are around 60 workstations in the company and that Windows, for example, is in use, but the exact number and the details about each device, such as age, operating system or software status (patches applied), are certainly not part of this “collected” data. In many cases, the version status of an operating system or software determines whether the IT network is secure or at risk.
A step towards professionalism
Basically, it must be said that without knowledge of the exact current state of the IT network, one cannot speak of complete professionalism, even if many aspects such as the level of knowledge, training and technology are already at a very high level. If documentation is insufficient, in many cases the loss of a single central person is enough for problems to become unmanageable.
First of all, it must be determined what is actually in the IT network. We are not only thinking of the hard-wired devices (printers, computers, servers, switches, etc.), but also of the devices that have connected to the network wirelessly, because today most companies have devices that use the WLAN.
Whether it’s the personal smartphone or the company tablet, it’s imperative that this is also taken into account and included.
Basically, this is a kind of inventory, but one in which not only the number but also the condition (software version, firmware version, etc.) should be included. And there are basically two approaches to this.
Procedure A
With enough people and tools for documentation, you let your colleagues jump from workstation to workstation, crawl under tables, note down all software products and their installed versions, check every printer in the network and hope to have included all switches in the company in the list.
When the lists have been completed after a very time-consuming journey through the company, you correct the inventory for the forgotten WLAN access points, the old switch under the table in the accounting department that was provisionally placed there (congratulations, by the way, if you actually thought of this) and other devices that are gradually added to the list.
If, after this inventory, you really have the good feeling that you have done a professional job and have recorded everything without gaps, reality will usually catch up with you quickly. But let’s assume for a moment that everything really was recorded cleanly and documented impeccably by hand, and take the opportunity to ask ourselves how long this data will remain current.
Computers and printers – yes, you notice when they are replaced. It is easier for smaller companies to keep track of this than for a company with 100 or more workstations. And how long will the software remain at this level? Has an important patch been rolled out between yesterday and today?
Just to make one thing clear: these are not hypothetical mind games to scare anyone. Microsoft alone provides several critical security patches every year, some of which close serious gaps in systems that exist by the millions. On the other hand, it is often incomprehensible that many of these critical patches cannot be applied to the systems in companies because the versions on the production servers are so outdated that installation is refused. Professional? Hardly.
Procedure B
Use a professional solution for the entire inventory. All devices connected to the IT network are automatically recorded in a database. All software versions as well as the firmware versions of the hardware devices are also documented. All collected data is centrally recorded in a single database and can be evaluated from there at any time.
And now let’s contrast the professional solution with the previous one. After the setup, the personnel effort is practically zero (in numbers 0, nada, nothing). All devices that are active or switched on are recorded. Even the small switch under the table in the development department, which, due to the lack of network sockets there, was set up by an employee of the department with (or without) the permission of the IT department (oh yes, there was something else).
The recording of all this data happens not just once, but at regular intervals. Thus, even the devices that were not turned on at the time of a particular scan (vacation, sick leave, etc.) are included.
And because of the regular execution, the software status in the database is always kept up to date. If the software then also provides a number of reports that enable a wide variety of evaluations and can also be adapted to your needs, then you are a big step closer to becoming a professional IT department.
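The effect of repeating the scan, as an added sketch that is not part of the original article or of any particular inventory product: weekly snapshots are merged into one inventory keyed by MAC address, version changes are logged, and unregistered or under-patched devices are reported. The snapshot format, field names, approved list and minimum versions are all assumptions made for this example.

```python
# Constructed sample data: two weekly scans (MACs from the RFC 7042 documentation range).
SCANS = [
    ("2024-03-01", [
        {"mac": "00:00:5e:00:53:01", "name": "ws-01", "kind": "workstation", "version": "10.0.1"},
        {"mac": "00:00:5e:00:53:02", "name": "printer-1", "kind": "printer", "version": "2.1.0"},
    ]),
    ("2024-03-08", [
        {"mac": "00:00:5e:00:53:01", "name": "ws-01", "kind": "workstation", "version": "10.0.2"},
        {"mac": "00:00:5e:00:53:02", "name": "printer-1", "kind": "printer", "version": "2.1.0"},
        # Switched off during the first scan (vacation), so only the repeat scan sees it.
        {"mac": "00:00:5e:00:53:03", "name": "ws-02", "kind": "workstation", "version": "10.0.1"},
        # The small switch under the table that nobody registered.
        {"mac": "00:00:5e:00:53:04", "name": "switch-dev", "kind": "switch", "version": "1.0.3"},
    ]),
]
APPROVED = {"00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"}  # assumed register
MINIMUM = {"workstation": "10.0.2", "printer": "2.1.0"}  # assumed patch baseline per device kind

def parse_version(text):
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def merge_scans(scans):
    """Fold dated scan snapshots into one inventory keyed by MAC address."""
    inventory = {}
    for scan_date, devices in sorted(scans, key=lambda s: s[0]):
        for dev in devices:
            rec = inventory.setdefault(dev["mac"], {"first_seen": scan_date, "changes": []})
            old = rec.get("version")  # None the first time a device is seen
            if old is not None and old != dev["version"]:
                rec["changes"].append((scan_date, old, dev["version"]))
            rec.update(name=dev["name"], kind=dev["kind"],
                       version=dev["version"], last_seen=scan_date)
    return inventory

def findings(inventory, approved, minimum):
    """Return (mac, issue) pairs that need follow-up, ordered by MAC address."""
    out = []
    for mac, rec in sorted(inventory.items()):
        if mac not in approved:
            out.append((mac, "not in approved device list"))
        floor = minimum.get(rec["kind"])
        if floor and parse_version(rec["version"]) < parse_version(floor):
            out.append((mac, f"version {rec['version']} below minimum {floor}"))
    return out

if __name__ == "__main__":
    for mac, issue in findings(merge_scans(SCANS), APPROVED, MINIMUM):
        print(mac, issue)
```

A single scan on 2024-03-01 would have reported a clean two-device network; only the merged view shows the unpatched laptop and the unregistered switch.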