Top 10 mistakes IT people in SMBs make 18 November, 2008 By David Vella

PromoPipeline Exclusive Channel Promotions Find Out How You Can Make Money Today! ENROLL FREE! >> SaaS Trumps Social Media Mike Dubrall - Gilwell Group How to Evaluate Training William Vanderbilt - Innovative Learning Channels Please join me at the Vendor Channel Management Summit in San Francisco Robert M. Cohen - Integrated mar.com Discount or Payment for Services? William Vanderbilt - Innovative Learning Channels Goal Setting William Vanderbilt - Innovative Learning Channels

While 99 percent of the time end-user error is the cause for a security breach, there are occasions when an accusatory finger has to be pointed in the direction of the IT administrator's office.

Yes, even IT administrators can make mistakes and they do, especially in small and medium sized businesses (SMBs). They are human beings after all. Unlike end-users who usually cause problems because they are not IT savvy or they just cannot understand the logic behind computer security (try asking them to leave the door to their house open) IT administrators are expected to be infallible where technology is concerned.

Unfortunately, in today's hectic and demanding world of technology, IT administrators in SMBs are 'forced' to do more than just sit down and monitor the network. They are responsible for nearly every piece of hardware in the company, yes, even the electric kettle; as many have become the de facto handymen in the building, and if that were not enough they also have to deal with end-user issues (I don't have Internet connectivity& --'cable not plugged in' stories).

Too heavy a workload, little time and the pressure to meet deadlines and keep the bosses happy inevitably leads to the IT people making errors of judgment& at times serious ones too.

Here are the top 10 mistakes that IT people in SMBs make and some guidelines on how they can be prevented.

Connecting systems to the Internet before hardening them. Classic mistake. Computers are not designed to be connected to the Internet straight out of the box. Before a phone line, Ethernet cable, or wireless card is anywhere near a new computer, install at least virus protection and spyware scanners, and a program to prevent malicious software from being installed.

Connecting test systems to the Internet with default accounts/passwords. A hacker's dream. Leaving the default accounts/passwords makes it all the more easy for a hacker to gain access to your network. Change passwords and delete/rename default accounts immediately.

Failing to update systems. Security holes exist in your operating system and no software is perfect. Once a vulnerability is found, it's usually exploited within a very short period of time. Therefore, it is imperative to install security patches as soon as possible even if it takes time to check them out in a test environment before updating.

Failure to properly authenticate callers. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated may be the easiest way to reduce the support call tickets, but it is a joy for those involved in social engineering efforts. Enforce proper authentication at all times, even if the voice is familiar.

Failing to maintain and test backups. Laziness is one of the biggest security threats, but creating proper backups is much easier than recreating the data from scratch. Backups should be made often and copies kept offsite (not in the boss's safe).

Failure to confirm that your disaster recovery plan actually works. Okay, so you have your backups now. But do they work? Have you verified the backups are good? Do you have a disaster recovery plan? Three 'no's'? You're in trouble.

Failing to implement or update virus detection software. What is the use of having virus and spyware scanners if they're not updated? Up-to-date scanners ensure that the latest malicious software is detected immediately.

Failing to educate users. Users need to know exactly what kinds of threats are out there. Uneducated computer users are often those who fall victim to viruses, spyware, and phishing attacks, all of which are designed to corrupt systems or leak personal information to a third party without the user's consent. Don't take users for granted or trust them too much.

Trying to do it all yourself. Large companies have IT departments but small business administrators should ask for advice and help if they have problems setting up their network. External help, though costly at times, ensures you've done the job right, first time round.

Failing to recognize 'insider threats'. Too much trust can kill your network. Disgruntled employees and others can cause enormous problems if they're not properly monitored. IT people should monitor network activity, especially the use of portable devices such as iPods, memory sticks and others. You do not want the company's confidential data sold by an irate employee to the competition.

David Vella is Director of Product Management at GFI.