Information Technology should Embrace Marketing


One of the biggest challenges facing IT departments today, beyond that of the ever-changing technology itself, is their inability to effectively communicate with their end-users. These lapses in communication, whether they’re caused by not communicating frequently enough or by a “language barrier” between the technical and non-technical staff, can lead to security risks, improper use of technology, and overall dissatisfaction with the services being provided by the department.

As we well know, the focus of IT delivery is to treat the end-users as consumers. Based on that methodology and the understanding that information technology departments are moving to an operational model where they act as a business providing services to customers rather than a department within an organization, marketing to the end-user is an essential component of ITaaS (IT as a Service).

In order to ensure effective, efficient communication, technology departments must start at the beginning and examine and revise their current end-user notification and education methods. Each year the workforce is reinvigorated with employees that are a bit younger than most of their colleagues and that are used to absorbing information and communicating in different ways. These employees are accustomed to a more social, less “corporate” means of communicating and are often quite adept at using social media platforms such as Twitter, Facebook, Instagram, and YouTube as their primary communication methods. Unfortunately, most IT departments are not equipped to effectively communicate in this manner.

As a prime example of when marketing to end-users is important, we can take a look at Cyber Security Awareness Month, which falls in October. For the most part IT departments will (if they do anything) send an email acknowledging that it is Cyber Security Awareness Month and highlighting the importance of taking proper cyber security measures. They may even go so far as to share video tutorials or PDFs containing step-by-step instructions on how to activate certain features or how to be more aware of suspicious attachments. In most cases, however, those methods are ineffective. Many people delete emails like that as soon as they see them or, if they’re arriving from their employer, will quickly scan them so that they can truthfully tell their employer they received and read it, and will then forget or ignore most of the content. In the majority of cases, though, emails like that just aren’t a high priority for many employees – they get lost in the daily shuffle of emails coming in from clients and coworkers and no one really remembers to go back and check them.

In an effort to get your messages out to your employees, you may consider utilizing social and digital marketing tactics and communicating via mediums that they’re familiar with and readily checking. Create a Facebook Group for your employees where you post daily tips and security information. (Fun Fact: when you add someone to a group, the initial settings are that they will receive notifications when you post to the group in addition to seeing it appear in their newsfeed). Similarly, including infographics and images into newsletters – as opposed to blocks of text – will increase the likelihood that your employees will focus on and absorb the information provided to them. Creating learning activities and challenges will also provide ways to make security awareness training social and dynamic.

In order to effectively implement marketing strategies and tactics in your end-user education programs, it’s helpful to understand the seven fundamental elements of marketing in general. These elements are:

·      Distribution: The method employed of getting your message to your consumer (in this case, your end-users). There are a variety of methods, both traditional (printed brochures and flyers) as well as digital/multi-media (email, social media, video, text messaging, etc.)

·      Financing: Every marketing campaign has a cost, even if it’s an internal campaign, and in order to demonstrate the effectiveness of the campaign you must examine the ROI (return on investment). However, with campaigns directed at the end-user, it’s important to consider the offsetting cost. That is to say, the amount of money that would be saved by the success of the campaign. For example, your organization may find after an internal audit that it “spends” (after applying an hourly rate to employees and evaluating the cost of equipment purchases) roughly $15,000 per year troubleshooting and remediating issues and replacing workstations. Comparatively, a 100 person company may elect to dedicate $25 per employee ($2,500 total) to security awareness training. When you consider the value of simply avoiding the problem in the first place, the cost of the campaign is minimal and well worth the spend.

·      Market Research: Understanding your workforce is key, just like understanding the target customer. You’ll want to consider what methods of communication might be most effective across your workforce as a whole as well as across various segments.

o  Younger employees may be more apt to watch a YouTube video or read an infographic, whereas your older employees may benefit more from in-person training.

·      Pricing: As you will be marketing to your own end-users, assigning the “price” of your endeavors differs a bit from the usual sense. Typically when assigning the price of an item the company will examine the cost to manufacture the item, the cost to ship the item, their desired profit margin, and a host of other factors and come up with a per-piece price. When marketing to your own end-user, you’ll instead want to examine what the most effective and reasonable method of communication is and determine which option has the highest value, regardless of the actual cost of the campaign.

o  For example, it may – at first glance – be more cost effective to spend $25 per person creating training videos versus deploying a web-based training program that costs $35 per person. However, if the effectiveness rate of the $25/person program is 30% and the effectiveness rate of the $35/person program is 75% then it becomes obvious that in the long run the more expensive program is the most cost-effective.

·      Products and Services Management: Once we understand the other foundational elements of the campaign, it’s important to consider how the campaign is managed and – specifically – how the end-user training is deployed and followed up on. This goes back to understanding your users and their needs. You’ll want to develop a method of measuring the success rate (i.e. comparing the number of IT support tickets created month over month) as well as a method of soliciting feedback and providing additional resources or explanations. Your campaign will never be effective if there is no way for your end-users to tell you whether or not it makes sense or to get clarification on issues.

·      Promotion: This is simple, IT should be promoted in a positive manner and the training and campaign should be framed as being a big-picture solution. You don’t want to frame it as “the IT department has dropped the ball in the past and now we’re catching up.” You’ll also want to use your campaign to create a positive identity for IT. In far too many organizations the over-worked, under-staffed IT department employees are often seen as people who are short-fused and grumpy. This is usually because they simply don’t have the time for idle chit-chat when their primary communication with their colleagues is people complaining that things aren’t working. They also have the responsibility of prioritizing the order in which tickets are worked, which often will leave their co-workers feeling miffed if their issue isn’t deemed the highest priority. Take that into consideration and use your campaign as a means of explaining these issues to the larger employee pool and highlighting all of the great things the department does for the organization.

·      Selling: In this case you’ll want to focus on getting your employees to buy into the program. Get your message out, evaluate its success, make changes where needed, and continue to improve upon what you’ve already implemented.

Marketing can affect an IT department in a very positive manner as long as your organization is willing to commit to a long term relationship with your marketers. One and done does not work; this is an ongoing process. Once you’ve begun to implement awareness and training campaigns you have to be prepared to continue – simply sending out one campaign and calling it a day won’t work. Continuously pushing your message in new and innovative ways that your audience responds to, however, will.

Ransomware: another way for vendors to make money

As we see more and more news stories about ransomware, security vendors are jumping on the bandwagon with their solutions. Most of these are incomplete and only offer a small part of the overall solution.  Few vendors offer a complete solution and for those that do, configuration and deployment is a nightmare for the average IT guy.  Most SMBs rely on endpoint protection (aka AV), UTM, etc., and vendors are taking advantage of that; rebranding and marketing to the ransomware hype.

The first line of defense is user education. What I am seeing when a company gets infected is that an end user opens an email and clicks on a link, or opens an attachment.  When discussed after the fact, most end-users say something like, “I did not read the email, just clicked on the link,” or “The attachment said resume, so I opened it.”  In these cases, endpoint protection (more on this in a minute) would not have protected the end user; education would have.

Speaking of endpoint protection, most vendors will say that they protect against zero day threats as well as ransomware. This may be true if you use the most restrictive settings on the product; however, that comes at a cost, and in most cases it’s the end-user’s ability to do their daily job. The key is a balance between education and configuration.

A strong security program that includes multiple levels of protection decreases your chances of being infected.  An ideal solution would include web filtering (cloud based), Unified Threat Management at the firewall, endpoint protection on the desktop and lastly email filtering that offers URL scanning and attachment scanning. Let’s not forget end-user training, the human factor.  A single vendor solution does not provide the defense in depth model that multiple vendors can provide (belt and suspenders).

Lastly, when you do get infected – and you will – your last line of defense is solid backups. Bottom line, when all else fails, you have your backups (make sure you do test them, don’t assume). When thinking about backups, think about recovery point objective (RPO). I will discuss this in greater detail later (another post). Most SMBs back up once per day (most likely at night). Let’s say you back up Tuesday night at 8 pm and Wednesday afternoon at 2 pm you get ransomware: you can restore from the night prior and lose a day’s worth of work. Is that sufficient?

Something to think about.

Everything as a Service (XaaS): Microsoft changing the face of information technology

Microsoft Azure cloud services are growing at a rate of 100 percent a year for a good reason. Today, any small to medium size business starting up does not need a traditional infrastructure such as domain controllers, file servers, backup, etc. – just look to Microsoft.

A startup can utilize the cloud for all of its computing needs. Email, collaboration and telephone can be provided by Office 365 for as little as $47.00 per month per user, which includes everything from email to dial tone and everything in-between. Add in Azure AD and you can authenticate your Windows 10 workstations, eliminating the need for domain controllers. Endpoints such as workstations and mobile devices can be managed via Intune, which can distribute software, patch workstations and, in the case of a lost or stolen device, wipe corporate data. A file server can be replaced with SharePoint, and most line of business applications offer a SaaS version, such as CRM Online, Salesforce, etc.

The benefit to business is the ability to be dynamic and scale on demand; lower cost of ownership, as no hardware is required; and a pay-for-what-you-use model that is very attractive to most. Add increased security, lower support cost, higher reliability and the ability to work any time, any place, and the cloud is an easy choice.

For those companies that have a more traditional environment with onsite infrastructure, the phased-in approach or hybrid approach is ideal. Plan out your cloud migration starting with the simple things like email and personal files (OneDrive). Once completed, focus on the more time consuming things like file server migration and line of business applications (LOB). In cases where the LOB vendor does not have a SaaS version, think about moving the server to Azure. If the LOB runs on a terminal server, it will run in Azure.

As users become consumers of information, XaaS is a natural progression for technology, delivery on demand, subscription based services that are scalable and dynamic.

Protecting your Azure deployment against Cyber Threats

Microsoft does a fantastic job of protecting their infrastructure from threats and attacks using state-of-the-art defenses. What do you do? Infrastructure as a Service (IaaS) is nothing more than moving your on-premise servers to the cloud. You’re still responsible for the security and integrity of your networking environment. The responsibility is solely yours and not Microsoft’s. Would you accept deploying a firewall with nothing more than an access control list (ACL) in your data center? Then why would you expect anything different in the cloud?

Microsoft’s firewall is a good start; however, if you have a publicly facing service (RDP, CRM, ERP, etc.) you need to take additional precautions such as deploying IDS, UTM, multi-factor authentication and IP restrictions. Unlike traditional on-premise solutions, these types of security measures can be easily deployed, thanks to the Azure Marketplace.

Vendors such as Check Point, Barracuda, Cisco and Fortigate all offer next-generation firewalls to enhance the overall security of your infrastructure. Trend Micro and Alert Logic both provide intrusion detection systems (IDS) to monitor for malicious activity. Sophos XG Firewall will be forthcoming to the Azure Marketplace, offering a comprehensive security solution including UTM and IDS.

Unlike traditional infrastructure, these solutions can be deployed dynamically and within minutes vs. hours. Like all security measures, knowledge is key. Deploying a firewall or IDS system without a comprehensive knowledge of the service and its functionality can expose a firm to risk. Search engines such as Shodan focus on network vulnerabilities and misconfigurations. Most data breaches are a result of misconfiguration of firewalls and related services.

When evaluating your security needs, start with a high-level risk assessment and keep it simple.  This will help you better understand if you need to dig deeper.

  •  If the service being hosted were to be compromised, what would the impact to the business be? For example, a static web site would have minimal risk to the business, and Microsoft’s basic firewall should be sufficient for most businesses.
  •  Remote Desktop access presents a greater risk than a static web site. Think about deploying two-factor authentication with a next-generation firewall at minimum.
  •  CRM systems, if compromised, put the business at significant risk. To reduce overall risk, utilize two-factor authentication, a next-generation firewall and an IDS system. If possible, implement IP restrictions.

Microsoft’s security model is about protecting the platform to ensure availability. This does not extend to your data and environment. Thankfully, there’s a host of solutions to secure your network and protect your data.

SMBs: Securing the Perimeter

For many medium sized businesses, meeting IT compliance and securing their network infrastructure is becoming more of a challenge as investments in IT decrease while state compliance rules become stricter and network attacks increase. One of the general principles of IT security is defense in depth: the principle that only multiple layers of security measures in a company provide the highest level of security. There is no single device that can magically secure a company.

At the lowest level, policies and procedures regarding the use of technology resources should be defined in a transparent manner. This is done so that users know the policies of the company, and sometimes this predefined knowledge that was given to them prevents the company from suffering data loss and virus/malware issues.

Secondly, being a consultant working with medium sized businesses, I know from experience that although the client values their data and has a robust security infrastructure, they fail to ensure physical security of servers and other data-sensitive resources. Simply having the server room locked can prevent security breaches. A lesser known fact is that a large share of attacks are actually executed internally.

Thirdly, protecting hosts or computers in a business is very important. The threat of malware and viruses that exist on the internet as well as on removable devices such as thumb drives needs to be addressed. Having an antivirus solution with firewall capabilities is one of the ways of protecting hosts on a network. I’ve noticed that system administrators usually disable the Windows firewall so that other applications can work seamlessly (pushing out software). This leaves a huge hole in security. So instead of disabling the firewall, certain features such as ICMP ping/reply should be enabled while the majority of the other ports should be blocked. The fact is, not everything is filtered by the network firewall. Packets can be fragmented and come through the firewall using open ports, and then be reassembled to make a connection with common ports on local hosts.
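As an added example (not part of the original post), this PowerShell keeps the Windows firewall enabled on every profile with a default inbound block, allows ICMP echo, and scopes the software-push traffic to the management server instead of turning the firewall off. It assumes a management server at the constructed address 10.0.0.5 that deploys software over TCP 445 (SMB); both are placeholders to adjust for your environment.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell prompt.
# Assumption: the deployment server is 10.0.0.5 (constructed placeholder) and
# pushes software over SMB, TCP 445. Change both to match your environment.

$MgmtServer = '10.0.0.5'   # constructed placeholder for the software-push host

# 1. Keep the firewall enabled on all profiles: block inbound by default,
#    allow outbound, and log dropped packets so misconfigurations show up
#    in the log instead of silently breaking an application.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# 2. Allow ICMPv4 echo request (type 8) so monitoring and troubleshooting
#    by ping keep working on the domain and private profiles only.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -Action Allow -Profile Domain,Private

# 3. Instead of disabling the firewall so the deployment tool can reach the
#    host, open only the needed port, only from the management server, and
#    only on the domain profile.
New-NetFirewallRule -DisplayName 'Software push from management server' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $MgmtServer -Action Allow -Profile Domain

# 4. Verify: every profile is enabled with a Block default, and review the
#    remaining inbound allow rules for anything broader than intended.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Sort-Object DisplayName | Select-Object DisplayName, Profile
```

The final listing is the check to repeat after any deployment tool is installed, since vendors' installers sometimes add wide-open inbound rules of their own.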

Lastly, protecting the network with a firewall is important. At the same time, just putting this device on the network will not prevent attacks. The device firmware should be updated regularly, and access lists should be updated depending on the company’s needs. Also, any servers facing the internet should be put on the DMZ, which essentially separates the servers from the local area network. So if a server is compromised, the attacker cannot also exploit the resources on the LAN. These internet facing servers should not hold any critical business data but rather handle requests being received from the internet.

Protecting a network is not a magical process that guarantees security by placing a single device such as a firewall. Security should be layered and protect servers, computers and users using various schemes.