
Setting up a company's IT

Janne "Lietu" Enberg ・1 min read

Preface

This is a set of tips, guidelines, etc. that you should follow to make sure your IT operations run smoothly, securely, and cost-efficiently. You should go through the list and pick the low hanging fruits first, and then see which ones you should implement later.

If you're just starting a new company, most of these things should be easy to set up right from the start, and doing so will help ensure that things continue to be done right in the future as well, since later decisions will always have to accommodate them.

Data storage and access

This is how you keep and access your email, company's shared documents, and handle authentication to various services.

Password storage (EXTREMELY important)

First and foremost, how you store your passwords, both for a single user and how you share e.g. login information to bought services, is a crucial first step to ensuring both smooth and secure operation.

We've all heard how Sony and other big companies, with clearly the budget to do things properly, have managed their passwords in Excel sheets that then get put in low-security environments for easy access.

There is really no excuse not to invest in a password manager that both:

  1. Ensures the passwords you use are unique and strong.
  2. Allows secure sharing of your passwords among team members.

Some excellent options for password managers are (in alphabetical order):

They all have their own pros and cons, and you need to evaluate them for your own purposes. Buttercup differs slightly from the others in that it leaves the storage of the passwords for you to decide. With the others you will always use their cloud storage (not certain for all of these, but typically zero-knowledge encrypted) to store the database, but with Buttercup you can use whatever you like (Google Drive, Dropbox, your company's file server, whatever).

The paid services typically cost about $5-$10/mo/user, so they are not a drain on even a small company. However, if price is an issue then Buttercup (or KeePass, or other similar systems) is worth a look.

You should ensure that all the company employees AND external parties who have access to your shared documents etc. use similar secure methods for their passwords.

Two-Factor Authentication (2FA)

Quite a few services with any security implications for you support 2FA using various means. The easiest to set up is typically Google Authenticator, Authy, or a similar mobile app that generates 2FA tokens, but a YubiKey can be a good investment as well and offers many surprising integrations, e.g. with PAM on Linux servers and Windows Hello.

You can avoid a large number of issues by having Two-Factor Authentication set up on your:

  • Password managers
  • Collaboration and productivity tools (Google G Suite, Microsoft Office 365, ...)
  • Web based email
  • Social media accounts (both company's accounts and everyone with access to e.g. your company's Facebook page)
  • Cloud hosting systems (AWS, Azure, GCP)
  • Really anything that supports it

These should be required by company policy and, where possible, enforced by software configuration. Once the staff have used them for even a short while they become second nature and don't really bother people, even if they feel like a chore to begin with.

However, storing your backup codes etc. securely becomes another little hurdle.

Document storage

Often you will want to write documents that are available to multiple people in your company, not just yourself. Even if you're writing for yourself, you might want your documents stored securely and without risk of losing them. Additionally, you might want to share documents between your different devices.

Typically the worst option is to juggle your documents and their hundreds of different versions over email, but this is still the de facto standard in quite a few places.

Your priorities might vary, but at least the following considerations might be important to you:

  • Security (no unauthorized access)
  • Reliability (no accidental loss of data)
  • Sharing (allowing access to other people)
  • Convenience (e.g. simultaneously editing a document, etc.)
  • Version control (knowing where to find the latest version, and keeping history)

There are several good options for this, and how much value you put on each of these areas will affect your decisions.

Some of the obvious easy answers are:

These tools definitely rank high on sharing and convenience, as well as version control. Typically security is pretty high too, making it possible to e.g. require 2FA, but some people just don't like U.S. corporations controlling their data. They also don't store the files in a zero-knowledge encrypted manner, which might be something you'd like.

Other options I've seen used and have used to various degrees of success are:

These all operate in quite a different fashion: Google and Microsoft provide a high degree of convenience, whereas with these tools e.g. simultaneous editing of documents is going to be very difficult, and version control might have to be done using filenames (progress report 2018-11-02.docx). However, at least some of them can provide higher degrees of security (zero-knowledge encryption), and potentially other benefits.

As a side note, if you ever use file/directory names for versioning, grouping or similar, use ISO-8601 (YYYY-MM-DD) to make sure they get sorted properly.

Regardless of which option you choose, you still need to worry about backups - human error happens, and an accidental drag & drop or fumble on the keyboard could wipe your whole storage.

Backups

What you really need backups for is at least:

  • 2FA backup codes
  • Legal documents, bookkeeping information (invoices both in and out, etc.)
  • Corporate documents
  • Passwords (at least if you don't rely on a service with its own cloud storage)

How to manage backups is unfortunately still not an easy subject, even in 2018. There are several complications, and security risks associated with backups as well.

Some of the problems: if you store your documents on these cloud storage systems, you need a system able to read the files from there before it can back them up. Additionally, if your backups are not stored securely, in an encrypted format with restricted access, they might become a new weak point in your security strategy.

Some systems that may help with this are (in alphabetical order):

If in a pinch, you might get reasonable backups by using something like rsync to a secured server, but hard disks fail even on backup servers, so it's yet another little thing to monitor and worry about.

Internet security

It's important for you to make sure that at least for critical things your Internet usage is securely handled.

E.g. your personal social media use, gaming, etc. should optimally not be done on the machines you work on. This limits the potential damage from ransomware or other malware getting to your corporate banking, or from people stealing your secrets.

Additionally, it's good to use tools like HTTPS Everywhere and trustworthy VPNs to reduce the chances of your communications being intercepted at an airport, cafe or similar. Having anti-virus software (yes, even on your Mac) is also important to reduce the chances of malware breaches and limit their potential damage.

One of the best packages I've seen so far is F-Secure TOTAL, which combines antivirus, password manager, and VPN service in one package. There are however many other excellent VPN services, as well as antivirus tools, so you should check them out and evaluate them with your own needs in mind.

Also make sure your office router is properly configured, with a unique strong password, so you don't fall victim to the simplest forms of attack.

It's also a good idea to make sure your work machines are properly firewalled and that you regularly run software updates. This applies both to your work machines and to that little web server you bought from that nice hosting company 5 years ago. Having someone replace your homepage with a goatse is not exactly good advertising.

Limiting access

Does your CEO (or the CTO for that matter) really need all the SSH keys to your servers? Access to all the passwords? Admin account on every service you use?

The same question applies to most other people, not just the CEO - you should limit access to the systems that are relevant to the person's work, and limit access levels as well.

This is simply so that when accidents happen, the scope is limited. It's best if you can have different admins for different systems, so that compromising a single person does not compromise all your systems.

Physical security

In addition to threats from the Internet, you're always at risk of physical attacks and, more likely, negligence - e.g. losing equipment.

Make sure your office has locks and alarm systems, as burglaries happen even in nice places and you don't want to lose that backup server in the back room.

It's a bit questionable whether this belongs in this section, but encryption is important on every system. Make sure all your work machines use full disk encryption, as well as BIOS passwords or similar when possible. BitLocker is a pretty decent tool on Windows machines (though it regularly gets automatically paused by updates for some reason, so be careful), and Macs have FileVault.

These rules should also apply to all phones with any work material on them (email, collaboration tools, password managers, access to company social media accounts, ...) - they should be fully encrypted and require a strong password to unlock.

Now, your CEO might feel these rules don't apply to them, but you should assure them that they are not infallible either and get them to see the light.

PCI-DSS

If you operate any kind of online store, you probably fall under PCI-DSS (Payment Card Industry Data Security Standard) regulation at least on some level. For at least the lower tiers of self-certification, completing the above should ensure you're fulfilling their requirements.

For higher tiers you might have to do additional work, e.g. locking down what people can do on the work machines they use for certain actions. This is not exactly pleasant for anyone, so it might be best to limit your exposure to PCI-DSS regulation, either by using 3rd party payment solutions or through organizational structures, but this is a very lengthy topic and I'm not the best expert on it.

GDPR

The GDPR requires quite a few little things from your company, the most important of which are that you:

  • Know where your data is (especially personal data) and who you share it with (e.g. Google Analytics, PayPal, your accounting company)
  • Use reasonable means to secure that data (encryption, limiting access, etc.)
  • Keep only the minimal amount of data about people for your needs
  • Notify your customers of breaches in a timely manner (within a few days of the breach)
  • Get consent from your customers for processing their data
  • Avoid collecting sensitive personal data (race, political preferences, religion, union status, health, sex life, sexual orientation, even e.g. hobbies)
  • Provide an easy way for people who request it to get a copy of their data
  • Provide an easy way for people who want it to have their data deleted

Now, the above steps help you quite a bit with security, but leave most of the other points for you to figure out.

To get you in the right mood to solve this problem, you might want to check out the "GDPR nightmare letter", which is quite exaggerated but highlights many potential issues for your company: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/

Other resources on the matter:

Final words

There's probably still a lot missing, especially tool and procedure recommendations, as well as some topics entirely.

I'll try to update this over time as I get new ideas to add here.

What do you think about the suggestions? What did I forget to mention? Let me know in the comments.

I at least identified a need to write more on:

  • Internal communication tools (Slack, Discord, Microsoft Teams, and the like)
  • Calendar
  • Email

Janne "Lietu" Enberg

@lietux

Enthusiastic IT generalist. Spent most of my time doing everything with computers since a very young age. If it can be done with a computer, I've probably done it.

Discussion


What do you think about the suggestions?

  1. Password managers are basically the same thing as "write your password on a Post-It, but hide that Post-It". A password you can't remember is not a good password.
  2. Anti-virus software should be dropped, except on Macs. Honestly, those things open more holes than they could ever close. Even Microsoft has recently decided to sandbox theirs - because a sufficiently complex software with full admin rights is also another attack vector. In fact, certain malware has actively abused holes in "anti" virus software in the past to infect a computer in the first place. - That said, given that macOS is currently the desktop OS with the largest number of actively spread trojans, you could make an exception for your Macs only.
  3. I fail to understand why third-party tools based on the security failure Electron -- like Slack, Discord and so on -- have made it into the list of "internal communication tools". What is wrong with Jabber/XMPP and/or the IRC? Looking forward to your article about that.
 

A password you can't remember is not a good password.

Most systems really shouldn't require a password from you. Passwords are an anti-pattern. No human being can generate unique strong passwords at the rate that is required for the modern world.

What you can do to help, is use a way to help you deal with the hurdle in a secure manner, which also makes life more convenient for you.

You should have a strong master password for a password manager, and then use its tools to generate new unique strong passwords, and they can autofill your passwords later making them even more convenient than plain passwords can ever be, while clearly increasing your security.

Any other strategy depends on your limited capability to remember and generate passwords, which typically ends up with either just reusing passwords, or using something like mypassword-dev.to, both of which depend too strongly on every developer on the planet knowing (and caring) how to sensibly store passwords in their systems. Quite a lot of them still don't.

If even ONE site with your "clever" mypassword-dev.to variant (or even worse, just your reused mypassword) gets compromised, then ALL your accounts are potentially compromised. It depends a bit on your luck in terms of how good the developer was (did they use plain text, or plain MD5, or properly configured PBKDF2), and a bit on your password complexity.

Now, even if it's just an MD5, if you use a good long random password, it won't get cracked even with rainbow tables - collisions will be easier to generate, but ultimately quite pointless as it's random and you don't reuse it anywhere.

Anti-virus software should be dropped, except on Macs. Honestly, those things open more holes than they could ever close.

Seems like a rather weak argument. Since computers have security problems, we should stop using computers. Since there have been security problems in browsers, we should stop using browsers. Eh, I don't buy it.

They might open up new attack vectors for e.g. advanced persistent threats, but most people don't get targeted like that. Most people simply bump into malware the normal way (bad links, worms, ...), and these tools do an excellent job at protecting against those.

You're of course free to choose to apply whatever security strategy you wish.

I fail to understand why third-party tools based on the security failure Electron -- like Slack, Discord and so on -- have made it into the list of "internal communication tools". What is wrong with Jabber/XMPP and/or the IRC?

Frankly, quite a lot. There is a reason those tools are getting out of fashion and being replaced typically with Slack in the tech world.

With these tools I can:

  1. Search the history
  2. Use formatting
  3. Do calls, incl. video calls, screen sharing, and teleconferencing
  4. Attach files
  5. Get tons of productivity and convenience increasing integrations

If you don't trust their Electron clients, don't use them. They have web based clients as well.
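An added example (not from the post or the commenters) of the point made in the reply above about reused versus generated passwords: the same password stored as unsalted MD5 versus salted PBKDF2, and what a leaked MD5 table gives away when the password also appears in a list of known passwords. The wordlist is constructed here to stand in for a breach dump.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Iterable, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumption for the demo; pick per OWASP guidance in production


def md5_store(password: str) -> str:
    """The 'plain MD5' case from the reply: unsalted, fast, identical across sites. Do not use."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The 'properly configured PBKDF2' case: per-user random salt, many iterations."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(pbkdf2_store(password, salt)[1], digest)


def guessable_from_wordlist(stored_md5: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a leaked unsalted MD5 exposes: if the password is in any list of
    known/reused passwords, the hash identifies it directly. Returns the match or None."""
    for candidate in wordlist:
        if hmac.compare_digest(md5_store(candidate), stored_md5):
            return candidate
    return None


def manager_password(length: int = 24) -> str:
    """Password-manager style generation: CSPRNG over a 94-symbol alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed wordlist standing in for the breach dumps that reused passwords end up in.
LEAKED_WORDS = ["password", "mypassword", "mypassword-dev.to", "letmein"]


def demo() -> Tuple[Optional[str], Optional[str], bool]:
    """Returns (match for the reused pattern, match for a generated password,
    whether PBKDF2 verifies while two salts yield two different digests)."""
    reused = md5_store("mypassword-dev.to")        # the 'clever' site-specific variant
    unique = md5_store(manager_password())          # random, never reused anywhere
    salt1, digest1 = pbkdf2_store("mypassword-dev.to")
    salt2, digest2 = pbkdf2_store("mypassword-dev.to")  # same password, fresh salt
    return (
        guessable_from_wordlist(reused, LEAKED_WORDS),
        guessable_from_wordlist(unique, LEAKED_WORDS),
        digest1 != digest2 and pbkdf2_verify("mypassword-dev.to", salt1, digest1),
    )
```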

 

Most people simply bump into malware the normal way (bad links, worms, ...), and these tools do an excellent job at protecting against those.

Most people should be taught to not click on everything that looks like a link. Problem solved. ;-)

I can't deny you to install dangerous software for more "theoretical protection". I just wanted to remind you that a good security concept can't be replaced by software. Also remember that modern malware is usually out in the wild for days before those scanners detect it.

I warmly recommend intrusion prevention systems instead. Less resources, more detection. :-)

There is a reason those tools are getting out of fashion

Fashion is a weak argument in technology. Nobody should replace a working system because of fashion. However, all of your numbered advantages are possible with XMPP as well.

If you don't trust their Electron clients, don't use them. They have web based clients as well.

I thought we were talking about security. If a software is a risk because of JavaScript, using a web version of it makes no sense.

(On mobile, sorry for the shortness.)

However, all of your numbered advantages are possible with XMPP as well.

There's always options, but just try to get your marketing guys, business people, CEO, and external partners to use your XMPP over the convenient Slack/Microsoft Teams/Discord installation.

It might work for you, but it's unlikely to go well for most.

If a software is a risk because of JavaScript, using a web version of it makes no sense.

So now you're against using the web. Good luck with that.

try to get your marketing guys, business people, CEO, and external partners to use your XMPP

I did once. It was fine. Have you actually tried it?

you're against using the web.

I'm against pressing anything into the web. The web is (broken, but) fine for what it wants to be. But your web browser is a glorified document viewer, not a decent hardware emulator. Just because something is possible and beginners, usually learning JavaScript :-), are able to solve (already solved) "problems" with it, there is still a big chance that it is not the best solution.

All I can do is point out the flaws and the alternatives. If the audience still decides to stick with their adoption, nothing's wrong with it. But nobody will think about the options if they only know one anyway.