Should SMBs in CT be concerned about IT Standards & Policies?

If your company doesn’t have security policies and technology standards, you’re not alone.

The truth is that most small- and medium-sized businesses (SMBs) have never entertained the idea of creating standards and policies related to IT. If you don’t have IT standards and policies, you’re exposing your company to security risks and likely wasting time and money as well.

If your SMB doesn’t have IT security policies and standards in place, it’s never too late to start.

We’ll explain what having IT security policies and standards entails and why they are so critical to company health. We’ll also look at the hardware and software you need to inventory and what information you should record about each item.

What Are IT Security Policies and Standards, and Why Are They So Critical to Your Company?

If you’re one of the companies that doesn’t have security standards yet, you don’t have to invent them: several organizations publish IT security benchmarks you can adopt as written.

Useful starting points are the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), whose CIS Controls include an Implementation Group 1 aimed at small organizations with limited IT staff, and the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense program built on NIST SP 800-171.

Many people assume that because NIST is part of the federal government, its standards only matter to government contractors or companies with some connection to the Department of Defense. In fact, NIST publications are free and written for any organization, and even the lowest CMMC level is a short list of basic safeguarding practices that any business can apply to itself.

IT security standards should touch every part of your company. For example, do you require IT approval before anyone buys technology? You should. Nobody in the company should be buying hardware or software without vetting it with the IT department first, because equipment and accounts IT doesn’t know about never get inventoried, patched, or included in access reviews. This happens most often in smaller companies where everything is more casual, but it shouldn’t.

Having security policies and standards forces you to pause and think about how your business's practices might relate to IT.

In the ideal company, you would have fully defined IT standards applied consistently across the business. Any IT-related action or purchase anyone in the company makes should be documented, and the executives should be on board and pushing for this level of standardization.



What Role Does a Well-Defined Inventory Control System for Hardware and Software Assets Play?

Having IT policies helps you standardize your hardware and software assets.

A well-defined inventory control system for your hardware and software makes your data more secure (you can’t patch, back up, or protect a device you don’t know you have), makes sharing files within the company easier, makes troubleshooting easier, and improves communication. When all the technology in your company looks the same, you can support more users with fewer people.

An inventory lets you see what hardware and software people are using across the company and where you need to make changes now or in the future. For example, one department shouldn’t have HP laptops while another has Lenovo laptops. If the home office runs SonicWall firewalls, the branch locations shouldn’t be running Fortinet, or you will be maintaining two rule sets and two firmware patch streams. Half of the company shouldn’t be using Word and Excel while the other half uses Google Docs and Sheets.

If you haven’t standardized in the past, create a clear roadmap for the future that sets priorities and deadlines for standardization. Not everyone will get the same laptop right away, but every laptop bought from now on can be the standard model, and you can easily set a deadline by which everyone in the company uses the same software.

Hardware Requirements

Your hardware inventory isn’t limited to computers. Look at every type of equipment employees use across the company, including:

  • Desktops
  • Laptops
  • Tablets
  • Phones
  • Servers
  • Routers
  • Switches
  • Printers
Record the brand, model, serial number, specifications, and assigned user of each item, and note when its warranty lapses. For routers, switches, firewalls, and servers, also record the vendor’s end-of-support date: a device that no longer receives firmware or security fixes is a risk whether or not its warranty has run out.

Software Requirements

Creating standards for software requirements is a little more complicated. The software standards should go beyond knowing what type of software everyone has. Here are some questions you should ask about the software you’re using in the company:

  • Which types of software do you own?
  • Do you have enough licenses for the number of users?
  • Which types of software are you paying monthly or yearly memberships to use?
  • Are people still using all the subscription-based software programs?
  • What versions is everyone using, and is updating necessary to maintain security or to duplicate results on joint projects?
  • When does the software subscription expire, and when is it up for renewal?
  • Are you paying for software support? If so, is anyone using this service?
  • Are multiple people or departments paying for individual access to the same software when a group rate would be more cost effective and provide more user options?
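The hardware and software checks above can be answered from the inventory itself. The script below is an added example, not NSI’s tooling or anything from the original article: it takes a small hardware and software inventory (constructed sample records, with hypothetical field names) and reports warranties about to lapse, device types with mixed brands, and the licensing problems the questions ask about.

```python
"""Asset-inventory audit: answers the warranty and licensing questions
above from an inventory. Added example; not NSI's tooling. The hardware
and software records are constructed sample data."""
from datetime import date, timedelta

TODAY = date(2024, 1, 15)  # fixed so the report is reproducible

# Constructed hardware inventory: one record per device, with the
# warranty end date the text says to track.
HARDWARE = [
    {"tag": "LT-001", "type": "laptop",   "brand": "Lenovo",    "warranty_end": date(2024, 3, 1)},
    {"tag": "LT-002", "type": "laptop",   "brand": "HP",        "warranty_end": date(2025, 9, 30)},
    {"tag": "DT-010", "type": "desktop",  "brand": "Dell",      "warranty_end": date(2023, 11, 30)},
    {"tag": "FW-HQ",  "type": "firewall", "brand": "SonicWall", "warranty_end": date(2024, 2, 10)},
    {"tag": "FW-BR1", "type": "firewall", "brand": "Fortinet",  "warranty_end": date(2026, 1, 1)},
]

# Constructed software inventory: seats bought, seats in use, renewal
# date, paid support, and which department holds the subscription.
SOFTWARE = [
    {"name": "Office suite",    "seats": 25, "assigned": 27, "renewal": date(2024, 12, 31),
     "support_paid": False, "support_used": False, "purchased_by": "IT"},
    {"name": "Accounting",      "seats": 5,  "assigned": 3,  "renewal": date(2024, 2, 20),
     "support_paid": True,  "support_used": False, "purchased_by": "IT"},
    {"name": "Screen recorder", "seats": 10, "assigned": 0,  "renewal": date(2024, 6, 1),
     "support_paid": False, "support_used": False, "purchased_by": "IT"},
    {"name": "Design tool",     "seats": 1,  "assigned": 1,  "renewal": date(2024, 8, 1),
     "support_paid": False, "support_used": False, "purchased_by": "marketing"},
    {"name": "Design tool",     "seats": 1,  "assigned": 1,  "renewal": date(2024, 9, 1),
     "support_paid": False, "support_used": False, "purchased_by": "sales"},
]


def warranties_lapsing(hardware, today, within_days=90):
    """Asset tags whose warranty has lapsed or lapses within the window."""
    horizon = today + timedelta(days=within_days)
    return sorted(h["tag"] for h in hardware if h["warranty_end"] <= horizon)


def nonstandard_hardware(hardware):
    """Device types where more than one brand is in use (a standardization gap)."""
    brands = {}
    for h in hardware:
        brands.setdefault(h["type"], set()).add(h["brand"])
    return {t: sorted(b) for t, b in brands.items() if len(b) > 1}


def license_issues(software, today, within_days=60):
    """(product, issue) pairs for the questions in the list above."""
    horizon = today + timedelta(days=within_days)
    issues = []
    buyers = {}
    for s in software:
        buyers.setdefault(s["name"], set()).add(s["purchased_by"])
        if s["assigned"] > s["seats"]:
            issues.append((s["name"], "over-licensed"))    # more users than seats
        if s["assigned"] == 0:
            issues.append((s["name"], "unused"))           # paying for nothing
        if s["renewal"] <= horizon:
            issues.append((s["name"], "renewal-due"))      # decide before it auto-renews
        if s["support_paid"] and not s["support_used"]:
            issues.append((s["name"], "support-unused"))   # paid support nobody calls
    for name, depts in buyers.items():
        if len(depts) > 1:
            issues.append((name, "split-purchase"))        # departments buying separately
    return sorted(issues)


if __name__ == "__main__":
    print("Warranties lapsing within 90 days:", warranties_lapsing(HARDWARE, TODAY))
    print("Mixed-brand device types:", nonstandard_hardware(HARDWARE))
    for name, issue in license_issues(SOFTWARE, TODAY):
        print(f"{name}: {issue}")
```

Run it as-is to see the report; in practice you would load the two lists from whatever your inventory tool exports and run it on a schedule, so a renewal or lapsing warranty is caught before the date, not after.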

Continuous Vulnerability Management

Continuous vulnerability management is key. Most people know that if they don’t keep their software up to date and patched, they’re leaving the company exposed to vulnerabilities the vendor has already fixed. But do you have a plan to make sure everyone actually looks for and accepts updates?

Some software can accept patches and updates automatically, but is everyone’s software set to do so? Is someone subscribed to your vendors’ security advisories, so you hear about fixes that don’t arrive automatically (firewall and switch firmware, for example)?

What about software that is notorious for breaking computers with bad updates? Do you have a policy that ensures employees only accept those updates once the IT department has confirmed they are safe? That policy should also set a maximum delay, so that vetting never becomes a reason to stay unpatched indefinitely.
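The two failure modes in this section, machines that never took a security fix and machines that took an update before IT vetted it, can both be caught by comparing what each host reports against an approved version window. The script below is an added example, not NSI’s tooling or anything from the original article; the baseline, product names, and per-host reports are constructed sample data, and the report format is a hypothetical one a login script or agent might produce.

```python
"""Patch-baseline check: compares what each host reports against the
versions IT has vetted. Added example; not NSI's tooling. The baseline
and the host reports are constructed sample data."""


def parse_version(text):
    """'5.3' -> (5, 3, 0): pad so versions of different length compare correctly."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# Constructed baseline. "min" is the oldest version IT accepts (anything
# below is missing security fixes); "approved_max" is the newest version IT
# has tested. Anything above it is an update someone took before IT vetted it.
BASELINE = {
    "browser":          {"min": "120.0.1", "approved_max": "121.0.0"},
    "pdf-reader":       {"min": "23.8.0",  "approved_max": "23.8.0"},
    "line-of-business": {"min": "5.2.0",   "approved_max": "5.2.3"},
}

# Constructed per-host reports: whether automatic updates are on, and the
# installed version of each product found on the machine.
HOSTS = {
    "LT-001": {"auto_update": True,
               "versions": {"browser": "120.0.1", "pdf-reader": "23.6.0",
                            "line-of-business": "5.2.3"}},
    "LT-002": {"auto_update": True,
               "versions": {"browser": "121.0.0", "pdf-reader": "23.8.0",
                            "line-of-business": "5.3.0", "screen-recorder": "2.0"}},
    "DT-010": {"auto_update": False,
               "versions": {"browser": "119.0.0", "pdf-reader": "23.8.0",
                            "line-of-business": "5.2.1"}},
}


def host_findings(report, baseline):
    """Sorted (product, status) pairs for one host; an empty list means compliant."""
    findings = []
    if not report["auto_update"]:
        findings.append(("host", "auto-update-off"))
    for product, version in report["versions"].items():
        if product not in baseline:
            findings.append((product, "not-in-baseline"))   # installed without IT vetting
            continue
        v = parse_version(version)
        if v < parse_version(baseline[product]["min"]):
            findings.append((product, "needs-patch"))       # below the security floor
        elif v > parse_version(baseline[product]["approved_max"]):
            findings.append((product, "unvetted-update"))   # ahead of what IT has tested
    return sorted(findings)


def compliance(hosts, baseline):
    """Map each host name to its findings."""
    return {name: host_findings(report, baseline) for name, report in hosts.items()}


if __name__ == "__main__":
    for host, findings in compliance(HOSTS, BASELINE).items():
        status = "OK" if not findings else ", ".join(f"{p} {s}" for p, s in findings)
        print(f"{host}: {status}")
```

The "min" floor is the part that must move every time a vendor ships a security fix; the "approved_max" ceiling is what your vetting policy controls. Keeping them as two separate numbers is what lets you hold back a risky update without also accepting machines that are months behind.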

Video: CIS 18 Video Series, CIS Control 7, Continuous Vulnerability Management

Controlled Use of Administrative Privileges

Another aspect of IT security that people often overlook is knowing who has administrative privileges over software and systems.

You want to ensure that only the people who should have access to information actually have it. At the most basic level, remove high-risk permissions wherever they aren’t necessary, keep administrative accounts separate from the accounts people use for daily email and browsing, and immediately remove access for anyone no longer connected to the company.

If someone was taken off a project or left the company, they shouldn’t still have access to sensitive data or the ability to change certain documents. Third-party vendors who were given temporary access shouldn’t still have it once the engagement ends. Review group memberships on a regular schedule, not only at offboarding, so that access granted informally gets caught.
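The review described above comes down to comparing an export of your admin groups against two lists you already keep: the HR roster and the vendor-access register. The script below is an added example, not NSI’s tooling or anything from the original article; the roster, vendor register, group policy, and membership export are constructed sample data with hypothetical names, and the revocation commands it prints are illustrative Active Directory PowerShell.

```python
"""Admin-privilege review: checks every admin-group member against the HR
roster and the vendor-access register and lists what to revoke. Added
example; not NSI's tooling. All records are constructed sample data."""
from datetime import date

TODAY = date(2024, 1, 15)  # fixed so the review is reproducible

# Constructed HR roster: employment status and job role per account.
ROSTER = {
    "alice": {"status": "active",     "role": "sysadmin"},
    "bob":   {"status": "active",     "role": "sales"},
    "carol": {"status": "terminated", "role": "finance"},
}

# Constructed vendor-access register: the agreed end date of each engagement.
VENDORS = {
    "vendor-acme":   {"access_until": date(2023, 12, 31)},
    "vendor-globex": {"access_until": date(2024, 6, 30)},
}

# Policy: which roles legitimately need each admin group. A group missing
# here has no approved roles, so every employee in it is flagged.
ROLE_NEEDS = {
    "Domain Admins":        {"sysadmin"},
    "Finance-Share-Admins": {"sysadmin", "finance"},
    "Helpdesk-Admins":      {"sysadmin", "helpdesk"},
}

# Constructed group-membership export, as pulled from the directory.
GROUPS = {
    "Domain Admins":        ["alice", "bob", "carol"],
    "Finance-Share-Admins": ["carol", "vendor-acme"],
    "Helpdesk-Admins":      ["alice", "vendor-globex", "dave"],
}


def review(groups, roster, vendors, role_needs, today):
    """Sorted (account, group, reason) triples for memberships to remove."""
    findings = []
    for group, members in groups.items():
        for account in members:
            if account in vendors:
                if vendors[account]["access_until"] < today:
                    findings.append((account, group, "vendor-access-expired"))
            elif account not in roster:
                findings.append((account, group, "unknown-account"))      # nobody owns it
            elif roster[account]["status"] != "active":
                findings.append((account, group, "departed"))             # left the company
            elif roster[account]["role"] not in role_needs.get(group, set()):
                findings.append((account, group, "role-does-not-require"))  # least privilege
    return sorted(findings)


def revocation_commands(findings):
    """One Active Directory PowerShell line per finding (illustrative output)."""
    return [f"Remove-ADGroupMember -Identity '{group}' -Members '{account}'  # {reason}"
            for account, group, reason in findings]


if __name__ == "__main__":
    for line in revocation_commands(review(GROUPS, ROSTER, VENDORS, ROLE_NEEDS, TODAY)):
        print(line)
```

Note the order of the checks: a terminated employee is reported as departed even if their old role would have justified the group, and an account that appears in neither list is reported rather than silently skipped, because an admin account nobody can account for is exactly the one to worry about.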

Uncovering Your IT Vulnerabilities Is Easier Than You Thought   

You have plenty of issues to attend to every day. So, it can be easy to ignore IT vulnerabilities you might have or to put IT standardization on the back burner. Of course, it’s possible you may have just not considered that these were issues you should address, especially if you’re a small business. However, IT standards and policies are essential for every organization.

Even if you already have an IT support provider or an internal IT person, they may not have considered or had the time to institute IT standards or policies. It’s easy to skip the basics sometimes.

NSI offers a free service to help you see where your vulnerabilities are. We’ll let you know what weaknesses we find. If you become one of our clients, we can help you set up a plan to address those weaknesses and help you enforce the plan regularly and as a part of our annual strategic business review.

Schedule a strategy session today to find out how your technology standards compare to other Connecticut organizations.


About The Author

President of NSI, Tom has been helping small and medium businesses succeed in Connecticut for over 25 years.