What is an IT plan?

Progress, Secure and Recover

One of our Facebook followers asked, “What exactly is an IT plan?”. This is a great question and often overlooked by business owners.

It is a collection of important IT processes and components that are put in place or planned to ensure optimal operational efficiency and to safeguard valuable assets. This ensures that a business can progress, secure what it has, and recover from any situation affecting its technology and business systems, giving it a strategic advantage over competitors.

What are these components, and can we expand a bit on them? Certainly. It is also worth keeping in mind that these are not the only components – and some may be a bit more important than others in certain circumstances and business verticals.

PROGRESS

When customers come to us for the first time, falling behind must be one of the most common scenarios we encounter. They have managed to ignore their IT infrastructure processes and security to such an extent that it has now failed them in some way and they need urgent help. In most cases, contentment with their current managed services company or in-house IT staff is to blame. The main reason for this comes down to a lack of knowledge. This means that they are unaware that they are not being serviced adequately. Frustration has caused them to reach out and ask for assistance.

Getting a customer in this predicament back on track requires various expensive upgrades, migrations, licensing fees, and man-hours. If the customer does not change the way they manage, plan and strategise technology, the cycle is bound to repeat itself.

ENSURE PROGRESS

Make sure your current service provider has a progression plan for you. Is your business in a growth phase or a mature phase? Is your business technology moving from an on-premises solution to a cloud solution or a hybrid of the two? Your technology provider needs to be close to business decision-makers to ensure the technology can support the trends of the business. This will also mean you are not caught off-guard when certain decisions are made and then need to react to align. The budget and projects for the year, including all equipment replacement, licensing, and upgrade costs, are realised and presented to the customer, ensuring no surprises or unexpected costs arise during the year.

Frequent strategy and operational meetings should be arranged to ensure everyone is on the same page and has a common goal. Reporting and evaluation of progress should be constantly done to ensure the plan is being executed correctly.

SECURE

Securing your environment is one of the most important factors of business strategy today.

Security starts at home.

With the number of staff working from home, new strategies and processes need to be adopted quickly. The endpoint needs to be secured, and that security maintained across the internet and into your business systems, whether on-site or in the cloud.

Who has access to your data? Do they need access? Removing access for users who do not need it, even if you are happy the information is not confidential, simply closes one of the attack points into that data store.

Adopt a zero-trust and verify environment. This includes user training, strong passwords, and multi-factor authentication to initialise connectivity. Secure endpoints and secure data paths between these endpoints. Ensure no interception of data occurs as it traverses the public internet. Data encryption from endpoint to endpoint enforces the security of the individual pieces of data should other security measures break down.

Where is your data sitting at rest and on the move? Is there customer personal information data stored on mobile devices? This could be in the form of contact details, emails, or documents. If customer data is stored on a device like a tablet or a phone, that device needs to be secure as per your internal business policy even if the device is owned by the employee. Adopt a ‘secure it or don’t use it’ policy for BYOD.

ENSURE SECURITY

Implementing a strict data protection policy for all devices and data at rest and on the move is of vital importance. Secure storage and protected endpoints. Protect your gateways to public domains like the internet. Use firewalls to inspect and facilitate secure pathways into your environments. Use personal firewalls for endpoints that leave the security of your private infrastructure. 

Educate your users on the importance of security and the possible implications for the business of not following these policies. These are just some of the many options which make it a little more difficult for data thieves to get to you and your information.

Ensure your IT provider is up to speed with current attack surfaces. Are you updating and patching your technology frequently? Hackers and data thieves are watching companies like Microsoft as they release critical updates to the public. These releases pinpoint the vulnerability in the OS and the thief immediately works on a plan to utilise this hole to attack those that are not quick off the mark to patch the hole in time.

Create and map out your security plan to include all facets of your business and ensure you are covered. Then check it again!

RECOVER

“There are two types of companies, those that have been breached and those that will be breached in the future” – Author unknown.

This proves that even after implementing the most secure plan, zero-day attacks or internal breaches can still punch holes in your security barriers. When this happens, you need to have a plan to recover as quickly as possible. Imagine your company without its billing, inventory, orders, or ERP system, even for a day. This could be very detrimental to cash flow, as well as your reputation.

A recovery plan starts with the backup plan which takes into account the frequency of backups, i.e. how much current data you are prepared to lose and the time it takes to recover (ultimately, how long your business can be offline). Backing up data daily could see you lose a day’s worth of transactions or documents, whereas replication could result in no loss at all. 

The various solutions, chosen based on requirement, differ vastly in both setup and, particularly, cost. Risk analysis on the business needs to be performed to realise if the cost is warranted or not. In most cases, a company would look at an insurance policy of some sort – one that covers their business losses due to an attack and one that would cover the financial loss of lost time for the period of the outage. However, reputational risk could still be a major concern as no insurance policy can cover this. Other companies may insist on very minimal downtime and may look at a solution that provides replication and failover. Either way, a plan that works for your company needs to be discussed.

A disaster recovery plan should not only include IT aspects, but also the various internal processes required to follow for various situations. These could come in many forms like an evacuation plan in case of fire, first aid givers, or a process of reporting data breaches to authorities. The assumption that disaster recovery is only an IT function is certainly far from reality. 

The DR plan should also be updated frequently to ensure relevance. Before the COVID pandemic, I am certain many DR plans had not included an event on this scale and many businesses were caught on the back foot. 

ENSURE RECOVERY

The effectiveness of a plan can only be realised after it has been executed. This is ironic since the hope is that you will never have to execute the plan. However, like the life vests under your chair on any flight and the safety instructions from the airplane assistants, a plan is in place for the rare occasion of there being a disaster. In the IT scope, a disaster recovery plan should be tested at least once a year. As systems and processes change from time to time, this plan may also change slightly and will also need to be tested at this point. Things do not always go as planned and, by frequent testing, you ensure that potential issues and abnormal situations are added to your plan to help with its accuracy.

Plans are best tested using various procedures from a complete site outage to various components of your IT infrastructure failing. It should cover the actions if a breach is discovered. Appoint key role-players in implementing the plan. Results should be measured and any delays or unforeseen issues documented – and mitigation should be introduced and updated. Any changes to the business’s risk and recovery criteria need to be documented and amended accordingly.

A disaster recovery plan should be bulletproof, with high confidence in success. Your business depends on it – so test, test, and test again.

THE COST OF HAVING AN IT PLAN

IT is one of the most critical functions of any business, yet it is the one that is seen as a grudge spend. Businesses hold on to old technology until it fails and lets them down. The cost of replacing infrastructure is seen as expensive. Like a car or other depreciating asset, your technology has a useful lifespan. At a certain point, it becomes a risk item due to its imminent failure. Before this point, a succession plan should already be in place.

IT Hardware

Where the critical point lies can be determined from various factors used to estimate the longevity of your hardware. It also follows a path of ‘what you pay for is what you get.’

Here are some guidelines we recommend. This is always dependent on what your company can afford at the time but, with planning, these are more achievable.

Only buy business-grade hardware for your business

Cheap hardware from home retail sellers is likely to not keep up with your business demands. Business-grade machines are built tough and usually come with a next business day warranty or at least this can be purchased as an additional extra, which is highly advised. This ensures you are back up and running without serious delays. 

Budget for this hardware to be changed every four years

Do not hold on to it longer than this in a production environment.

IT Software

Ensure your software is not outdated. In addition to enhanced functionality, software updates ensure security and compatibility with newer operating systems. Mixing newer and older versions of the software can cause user frustration. Where possible, the best method is to subscribe to software as a service. This ensures uniformity across the board and moves software to an operational cost rather than a depreciating asset.

In addition to better user acceptance, managing subscription-based licensing is much less of a headache than license or key-based software and the flexibility is usually better when your company user count is constantly changing. Paying only for what you are using can save costs.

FINAL NOTE

In conclusion, the above is a very general overview of an IT plan. Every company is different but, by thinking through how these concepts affect you or what role they play in your business, you can formulate a customised plan that works for you.

Coltek has devised many of these plans with our customers and is there to help. Contact us today to help with yours and get you on track.

Coltek is a Technology consulting and solution provider for businesses of all sizes. We look at all aspects of Technology and recommend solutions, improvements as well as maintenance within the business.  We are concerned with your overall Technology footprint as well as your roadmap going into the future, so you are not left in the past. Contact us at info@coltek.co.za | www.coltek.co.za