CJ on Tech

If it's worth doing more than twice, it's probably worth scripting

You have more tools than you think you do

Whether for a small design firm with offices in two countries, or a global manufacturer with people on 5 continents, the fact is that there are more resources available than you think.  That’s not ego stroking, or an attempt to sell anything, but a simple statement of fact.

Face it, as someone who manages some amount of technology assets for an organization, can you honestly say for certain that you are using as close to 100% of the ability of all the tools as possible?  If we are being honest, I bet you can’t.  Does your environment have a NAS?  If so, it likely has built-in tools to replicate its data to another device (ideally in another location).

The point is that often, sometimes too often, we, implement hardware and software to fit a specific need in the organization, but we don’t look beyond that.  In the NAS example, it fits the bill very quickly for storing large amounts of data.  The extension of that is the data stored on it, also needs to be backed up.  There are a variety of different ways to do that, but the easiest may be to simply use the built-in tools or mechanisms.

This also happens in the Cybersecurity space.  Software and solutions are used to fit a specific need or solve a specific problem.  Sometimes, those tools can do more than the reason they were implemented in the first place.  Let’s take a look at Active Directory.  More than 20 years old, often referred to as a relic, and definitely has some clear things that can compromise security.  Do you know Authentication Policies/Silos?  If your answer is no, I am not surprised.  Does your organization use ID tiering?  Do your high-privilege users have PAWs (Privileged Access Workstations)?  “We are a small design firm, why do I need those things?”  Great question…….

No matter the size, every organization can, and should, spend some time to think about their infrastructure and specifically about security.  What other tools are available in the infrastructure and technology they already have can improve security or lower risk?  Simple things like enabling MFA (see my article “Why is MFA so difficult to adopt?”, or using more tools in the products that they already have.  Limit the systems that high-privilege users can use to access critical data and systems.  It’s likely this only costs some effort.

No matter the size of the organization, have someone strong in technology (an IT consultant or IT support company is a great starting point) make a list of the technology assets in the organization (even if this work comes with a cost, it is minor compared to the cost of losing data or customer due to data loss).  Take that asset information and identify the things and areas creating risk.  Start with something simple, data integrity.  Is your critical business data backed up?  Is the process to access that backup documented, and can it be executed by multiple people?  Having a backup of your critical business data at your house is certainly better than nothing, but if the primary location is lost or destroyed, can the backup be used by someone other than yourself (what happens if you are travelling on vacation?).

Continue this exercise focused on security.  Look at how individual users are being protected.  Workstations should be monitored and managed (even in small organizations).  Users should be using 2FA/MFA, make this normal instead of just passwords.  Review the loss prevention policy.  If there isn’t one, sit down and write it, now.  Don’t keep data longer than necessary.  Record the administrative passwords (they were changed this year right?) in a password or secrets vault, off-site, and accessible outside the normal systems.  For any of these things, if they aren’t clear, ask someone.

Lather, rinse, repeat.  Do this on a regular basis.  It doesn’t need to interrupt business, or distract anyone.  It does need to be looked at on a routine basis as the organization changes, and grows, and the technology being used changes.  Talk to someone familiar with the technology that’s in-use and find out, specifically, what other tools and features it has that may not be getting used.  Having Anti-virus and malware solutions on workstations is good.  But if they are two separate products, and the anti-virus solution also has antimalware, but it’s not used, perhaps someone should figure out why.  If there is a good reason, then it might be time to rethink that approach or get a solution that does both.  It will probably be cheaper in the long run.

If we go back to the NAS example, many have built-in features to backup or replicate data to another device.  I have seen numerous examples or a third-party solution (and sometimes hardware) to do the same thing.

Before you buy the next tool, software, or hardware “solution”, make sure that what you already have doesn’t have the ability to do what you want.

CJ Ramseyer - Senior Solutions Architect, Security Champion, Automator's avatar

Posted by:

CJ Ramseyer – Senior Solutions Architect, Security Champion, Automator

If it’s worth doing more than twice, it’s probably worth scripting

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.