Posts

Best practices to deploy Windows 10 across your organization

/in /by

Microsoft has been bombarding end-users with free-upgrade ads for Windows 10; their goal is to bury older Windows operating systems, which should reduce support requirements while enabling future capabilities. (Click here for specifications on Windows 10.)

The free-upgrade process works reasonably well for individual users, particularly those with compatible applications (Microsoft Office 2016) and modern peripherals (printers, monitors, etc.). However, upgrading in a multi-user environment across many different PCs with older peripherals can be problematic; these upgrades require a planned approach, with significant testing before implementation.

Windows 10 is a major upgrade to the Microsoft Windows franchise, which started back in 1985. It is an operating system (OS) which controls system functions and provides the basic, under-lying glue that unites end-users with their applications, peripherals, and the organization’s computer network. (See “Can Windows 10 revitalize the PC?” from the November issue of Bryley Information and Tips (BITs).)

Because of their complexity and the disruptive impact on the end-user’s desktop environment, we typically delay OS upgrades for at least a few months; we like to see a body of evidence that suggests the upgraded operating system is actually behaving as advertised. This is a two-part concern:

  • We want to ensure that user experiences match the manufacturer’s claims.
  • We need to verify that supporting parties – relevant vendors with installed applications and peripherals – have caught up with the upgrade and have made their products compatible with the new version.

These are the recommended steps:

  • Planning
  • Testing
  • Training
  • Deployment

Planning

Planning should include all of the steps necessary to ensure a successful upgrade throughout the organization; it is particularly important to discuss and review all relevant applications, older peripherals, and the impact on end-users.

Applications are critical: If the upgrade does not work with existing applications, something will need to change. With compatibility issues, typical choices include:

  • Upgrade the application to its latest version – This works if the application vendor has upgraded to work with the new OS.
  • Launch the application from within the OS in compatibility mode – This does not work for all applications, but should be evaluated and tested thoroughly.
  • Delay the OS upgrade – This option does not solve anything, but might provide time for the application vendor to upgrade or to select a new app.
  • Replace the application with a compatible application – A difficult choice, particularly if the application is organization-wide, but might be a welcome change if the existing application is a bit dated and under-performing.

You will need to identify and locate installation media, license keys, and product software for all applications; these applications may need to be verified and/or reloaded during the upgrade.

Peripherals are controlled via device drivers; a driver is a small, software-based application that interfaces the peripheral to the OS, enabling access without requiring detailed knowledge of the peripheral. For compatibility, the driver is typically upgraded. However, if the peripheral is old or the overall need for compatibility is limited, a manufacturer might choose to not upgrade a driver. (Click here for a list of manufacturer support pages.)

If uncertain, end-user peripherals are often cheaper to replace than upgrade, particularly printers, scanners, etc. However, large-scale equipment (high-volume printers, CNC machinery, and the like) will need to be tested and verified.

Don’t forget to check the Microsoft Windows 10 upgrade requirements:

  • Do I have enough available disk space and Internet bandwidth to deploy the Windows 10 upgrade? (It is a 3 GB download.)
  • Do my computers qualify for the Windows 10 upgrade? (Upgrade is only available for the latest Windows 7 SP1 and Windows 8.1 versions and must be applied within one year of availability, which ends 7/29/2016.)
  • Do my computers meet the minimum hardware requirements of 1 GB RAM, a 16 GB (or greater) disk-drive, and a modern video adapter?
  • If my computers are old, should I consider a wholesale replacement rather than trying to upgrade hardware?

End-users will need to be informed and trained before deployment.

Deployment schedules and dates must be considered:

  • Do we hit everyone at once, or upgrade department-by-department?
  • Can we schedule individual upgrades during the day or must they be performed (at greater expense) after-hours?
  • Can I meet the free-upgrade deadline of 7/29/2016? (Click here for Microsoft’s Windows Lifecycle schedule.)

Testing

The only way to ensure compatibility is to test everything:

  • Test all applications and their modules
  • Test all peripherals and their drivers; be prepared to replace when needed

Unfortunately, thorough testing takes a lot of time. An alternative is to upgrade or replace whenever possible, especially peripherals. However, core applications will need to be thoroughly vetted, either by the manufacturer or internally, to ensure that post-deployment users can operate without restriction or obstruction.

Testing should take two forms:

  • Test the upgrade process directly on an application-equipped computer.
  • Test a clean installation of Windows 10 with a reinstall of all components.

Although Microsoft has taken great pains to provide a clean upgrade, we find that a clean rebuild, although it takes longer, can reduce some deployment issues.

A clean rebuild requires these steps:

  • Document all applications and peripherals for all users on a computer
  • Install Windows 10 as a fresh installation (rather than as an upgrade)
  • Reinstall all applications and peripherals
  • Test thoroughly

Training

Not as well understood, but extremely important, are the changes to the end-user interface and how it will be received within your organization. For example: When Microsoft introduced Windows 8, its Tiled approach was extremely different from the Start Menu in earlier versions of Windows. As such, its adoption was poor, even though its core components improved on Windows 7.

Most end-users see their computers as a tool; they’re not particularly interested in upgrades unless they receive significant benefits. It helps greatly to introduce the differences and train end-users before rolling out a new OS.

End users should be trained not only on the new interface; they also need to know how to perform basic functions that may have changed, like loading applications, printing, retrieving files, accessing the Internet, etc.

Rollout timing should also be considered: I suspect most folk would want to be trained separately and then come to work with the update completed rather than try to work around a computer person in their office.

We find it helpful to have advocates; those internal end-users who are enthusiastic about the new version and willing to assist their co-workers. These advocates should be upgraded first, so they can spread the word.

Deployment

At last, we have done our homework, the users are trained, and everything is ready to go.

Although critical data should never be stored on an end-user’s computer, a backup is always a good first step; a backup provides recourse in case anything is missed.

Disk cloning is an excellent tool; it is a process whereby a computer’s disk image is first replicated and then redeployed on multiple computers, adjusting for differing components (video adapters, etc.) and the input of valid licensing keys. It works well, particularly if your computers are fairly similar and, preferably, are from the same manufacturer. Even though commercial-grade disk-cloning-software licenses cost about $50 per computer, disk cloning can save a lot of time and effort when deploying multiple new computers or upgrading many existing computers. (Click here for a list of disk-cloning software.)

If you are not cloning, create a detailed checklist that documents every step of the upgrade or clean-rebuild process. Ensure that the checklist is followed in its entirety for each computer.

Try to work systematically, but efficiently. If possible, line-up all similar computers and work your way down the line, performing each step at the same time on all computers, but verifying completion before moving on to the next step.

As always, we’d be glad to help or to do it for you. For assistance, please email ITExperts@Bryley.com or call us at 978.562.6077.

Recommended Practices: Basic training for IT end users

/in , /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End users receive the benefits of IT, but usually with some pain involved, which they are glad to share with the IT administrators and technicians.  Oftentimes, the pain comes from not knowing the correct way to do something or from enabling malware; these can be avoided (or at least reduced) through proper training.

Training is usually considered optional, but the increased emphasis on security and compliance, along with the potential gains from trained users that are comfortable and knowledgeable with their IT assets and systems, can provide significant return on investment.

Training can play a critical role in the satisfaction of end users and in the security of the computer network.  It can provide end users with the knowledge to safely browse the Internet, reject harmful emails, and avoid trouble.  It is also important to define appropriate-use policies and demonstrate how to enter timely data into information systems.

Training topics

Generally, IT-oriented training occurs in these areas:

  • End-user equipment
  • Network resources
  • Applications
  • Policy
  • Security

End-user equipment

End-users have a myriad of devices, ranging from desktop PCs to terminals, tablets and other mobile devices; some have specialized items like hand-held scanners or terminals tied to a specific application.

The fundamentals are important:

  • Simple maintenance (cooling, ventilation, etc.)
  • How to operate the user interface (touch display, special keyboard, etc.)
  • Basic usage at the operating-system (Windows, Android, iOS) level

Ergonomics should also be considered; ensure that the equipment is optimized to the user’s body in the placement of displays, keyboards, mouse, etc. and that ergonomically correct accessories (gel-based wrist pads, comfortable seating, etc.) are provided and aligned properly.  (See Ergonomics Made Simple from the May 2014 edition of Bryley Tips and Information.)

Network resources

Resources available to end-users should be identified and demonstrated:

  • Printer features (b&w/color options, duplexing, etc.), location, and use
  • Multi-Function Printer (MFP) functions (faxing, copying, scanning) and use
  • Server names, basic purpose, shared folders, and access privileges
  • Conference-room display and wireless keyboard/mouse
  • Login credentials to Wireless Access Points (WAPs)

Labeling these resources makes them easier for end-users to identify.

Applications

Software applications fit a variety of functions, including:

  • Productivity suites:
    • Microsoft Office
    • Google Apps
  • Organization-wide:
    • Customer Relationship Management ((CRM)
    • Professional Services Administration (PSA)
    • Enterprise Resource Planning (ERP)
  • Utilities:
    • PDF readers and writers
    • Password managers
    • File compression
    • Storage
    • Backup
  • Prevention:
    • Email protection
    • End-point security
    • Web filtering

(Software applications are discussed in the September 2013 through January 2014 editions of Bryley Tips and Information.)

Policy

Usage policies focus on the organization’s permissiveness (and lack thereof); they are designed to specify proper use and discourage improper behavior.

Most organizations have at least these IT-related policies:

  • Authorized use of computer network and its resources
  • Internet, email, and social media use and etiquette
  • Information Security Policy

Security

Security relies heavily on policies, training, and protective applications; the human element is the largest security risk in any organization.  Policies and training should encourage end-user behavior that minimizes security risks; protective applications help to enforce policies and to detect and remove problems when they occur.

Security training should include, at a minimum:

  • Anti-virus/anti-malware protection
  • Preventing phishing attacks
  • Password guidance
  • Safe web browsing

Many organizations will provide continuous training and reminders; some setup internal honeypots designed to lure end users into inappropriate behavior so that this behavior can be addressed and corrected.

Training process and related factors

The training process:

  • Set training goals
  • Assess end-user needs
  • Tailor the delivery methods
  • Create the training program
  • Scale the program to the audience

Trainers should factor in these items:

  • Budget training at the beginning of the project
  • Consider the needs and learning styles of the end-users
  • Marry the business context of the need to the IT training

References

Recommended Practices: How to update technology

/in , /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

The psychological impact of an IT upgrade is significant:  Most employees are excited to receive new equipment (larger monitor, faster PC, better tablet), but often balk at a significant change – like introducing a new version of Microsoft Office – since their daily, tried-and-tested routines might shift, and not always for the better.  Also, these changes could impact their ability to get things done, even if for just a few hours during the cut-over.

In general, various groups involved might have different perspectives:

  • CEOs and C-level executives see IT as an influential asset that should increase operational efficiencies or provide a competitive advantage – either through data analytics or by enhancing the customer experience – but they don’t want the pace of technological change to inhibit growth.1
  • Professionals might be more willing to accept the changes (and the pain) that go with new technology, particularly if they see how these changes will help them succeed in their roles within the organization.
  • Middle management wants things to work the first time, every time. They are glad to have new equipment, but are concerned with keeping their direct reports functional and happy.
  • Office workers have the most to gain (or lose); some might be excited by the prospect of bigger-better-newer, but none want to lose what they had, whether it was an icon pointing to a specific file on their desktop or an older, label-printing application. To many, IT can be confusing and frustrating.
  • Line workers view technology primarily as a tool; when it is broken, replace it, but make sure the new one works the same as the old one or show me how to use the new one.

The strategic objectives of an organization also play a role in the process:

  • A growing organization will want improvement, but with a strong emphasis on planning to ensure that the direction taken is suitable, now, into the near future, and beyond.
  • A stable, slow-growing organization might focus more on replacement rather than on change, preferring to avoid the pain of a significant upgrade.

Typically, the management team develops the technology plan, either internally or with an IT partner like Bryley Systems. Needs filter up through the organization, typically during the budgeting process.  The implementation then filters down through the organization.

For technology planning and implementation, we recommend these steps:2

  • Define needs and requirements
  • Assess and select
  • Implement
  • Train

Define needs and requirements

Identify what you have before you decide what you need; a full inventory of all IT assets can remove the guesswork and point-out critical issues.  (We use Kaseya, our remote-monitoring-and-management tool, to inventory existing clients.  We also use Network Detective from Rapid File Tools to audit and assess new clients.)

Knowing what you need simplifies the decision and timing; having a good handle on where the organization is now and where it is going is critical, but also defining what constitutes success, and how to measure it, are important.

Consider these needs from the context of the different groups above; try to permit these groups to define their individual requirements within the overall plan.

Requirements can be as simple as counting new PCs or as complex as determining the best-fit solution to permit a quick recovery after a disaster.  Requirements should be recorded, categorized, prioritized, and then monetized.

Assess and select

We at Bryley Systems tend to err on the side of caution; we’re rarely early adopters and we don’t want to be far in front of the pack, but we do try to keep up with the well-tested tools and hardware that will improve our efficiency, particularly when this technology impacts our clients.

We also favor these technology-selection principles:

  • Business-grade (rather than consumer-class) equipment and software,
  • Well-known, USA-based manufacturers with time-tested credentials,
  • Available updates and ongoing support, and
  • Green and ergonomic (where appropriate).

Price should not be the overriding selection factor; a long-term investment should consider all impactful areas, including:

  • Going Green
  • Length of service

Going Green

In technology, going Green is mostly about reducing energy consumption:

  • Virtualization techniques can cut energy costs by efficiently using on-premise servers to house multiple platforms, both for server-based applications and for end-user access.
  • Tablets, Ultrabooks, and small-footprint PCs with SSD drives consume less electricity than traditional PCs with internal fans and moving parts.
  • Inkjet printers use significantly less energy than laser printers.

However, other Green factors can also apply:

  • Printers that print two-sided (duplex), reduce costs and paper use.
  • Multi-purpose printers that fax, copy, and scan increase efficiency.
  • Fewer components, each with higher value, simplify recycling.

Length of Service

Most technology decisions have a span of three to five years; newer, virtualized platforms and Cloud-based options can be significantly longer.  Due to the rapid pace of change, planning horizons are typically only a few years, but consideration should be given to the longer term.

Implement

Implementations work best with planning and preparation; knowing what to expect and being prepared to deal with anomalies can shorten deployment time and minimize user disruption.

A solid, reliable series of backups should be completed and verified before starting.

We try to schedule our automated deployments to occur overnight or over the weekend, often arriving early the next business day to sort-out any issues.

Train

Often overlooked and usually under-budgeted, training should be considered, particularly when deploying a software change that introduces a new interface to the end-users.

Training often occurs during implementation, usually by the implementer showing the end-user what is new.  However, pre-implementation training on any new technology platform will facilitate a successful transition.

For large-scale deployments of new technology, we recommend initial group sessions followed by refresher courses for those greatly impacted.

Sources:

  1. Dennis McCafferty of CIO Insight What CEOs expect from IT investment on 4/17/2015.
  2. Brian J. Nichelson, PhD, of About Money Keeping up with Technology – Four Steps and some Resources, undated.
  3. Susan Ward of About Money Information Technology Makeover, undated.

Recommended practices – Part-3: Password security

/in /by

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

October is National Cybersecurity Awareness Month, and to help you celebrate, we have compiled a list of best practices for password-strength optimization.

Passwords are the primary tool for online authentication; as such, they are targeted information for cybercriminals looking to gain access to your workstation, mobile device, and/or personal records.  Proactive measures are vital to prevent online identity theft, network infiltration, system crashes, and the spread of malware.  By following the practices described below you will fortify yourself against these malicious cyber threats.

1. Create a “strong” password:

A strong password is one that cannot be easily identified by a cybercriminal.  When creating your next password, here are the do’s and do not’s of password strength:

  • Do not draw from the obvious: When selecting a password, do not draw from obvious sources – your name, your child’s name, not even something as seemingly ambiguous as your favorite flavor of ice cream or a random word.  With social media, today’s cybercriminal can easily aggregate personal information and crack obvious passwords.  Even if you feel that your password is obscure and/or unconnected to yourself, if the password is simply a word or phrase, dictionary attacks – programs that plug in every word from a database – can still compromise you.
  • Do use a mixture of letters, numbers, and special characters: Make your password complex and you help make it secure.  Random placements of letters, numbers, and symbols will make it very difficult for cybercriminals to hack into your accounts.
  • Do not use the same password: Using the same password for every login is a recipe for disaster:  A cybercriminal now only needs to crack one password for unlimited access to all of your online accounts.
  • Do use longer passwords: When it comes to password security, the longer the better.  According to online security experts, a password 15 characters in length could take up to two trillion years to crack.  However, password length isn’t everything:  You must be sure to utilize a mixture of letters, numbers and special characters.

By creating long, complex, and unique passwords for every one of your authentication accounts, you will guarantee password strength.

2. Change your password regularly

It is very important to create strong passwords, but even strong passwords can be discovered by expert cybercriminals – especially if they are given ample time for discovery.  That is why it is essential for you to get into the practice of routine and mandatory password changes.

A perfect time to schedule updates is with the change of seasons as they divide the business year into obvious and unforgettable quarters.  And, as it is now fall, it is the perfect time to begin this excellent practice.  You can start by announcing a mandatory password change in the next few weeks and update your business calendar for three more alterations for the winter, spring, and summer.

3. Keep written reminders secure or use a Password Manager

Long, complex, constantly changed passwords are hard to remember.  You may need to write them down as a practical safeguard.  Just be sure to avoid the bad habit of keeping these written reminders close to your computer – or even worse, taped to your screen for all to see.

If you need written reminders, keep them in a secure area away from your workspace, such as at home or in the glove compartment of your car.  Better yet, consider using a Password Manager to record and manage your passwords.  (See the July 2014 Bryley Tips and Information for a review on Password Managers.)

4. Keep reset information up-to-date

There will be moments when you simply cannot remember a password and will need to request a reset.  As a precaution you should always be certain that your online accounts have your relevant email address on file so that when reset information is sent, it is sent to you and not to an abandoned account that has the potential to be exploited.  It would be best to get into the practice of checking reset information on the scheduled dates for password changes.

5. Review your organization’s password policy

Take the time during your quarterly password changes and reset information checks to review and/or update your organization’s password policy, which has the rules and procedures employees are required to adhere to in order to ensure password and network security.  If your organization does not already have such a policy, be sure to create one and distribute it to all technology-enabled employees.

6. Expunge temporary usernames and passwords

If you recently employed any temporary staff or summer help, be sure that their usernames and passwords no longer access your system.

Recommended practices – Part-3: Password security

/in , , /by

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

October is National Cybersecurity Awareness Month, and to help you celebrate, we have compiled a list of best practices for password-strength optimization.

Passwords are the primary tool for online authentication; as such, they are targeted information for cybercriminals looking to gain access to your workstation, mobile device, and/or personal records.  Proactive measures are vital to prevent online identity theft, network infiltration, system crashes, and the spread of malware.  By following the practices described below you will fortify yourself against these malicious cyber threats.

1. Create a “strong” password:

A strong password is one that cannot be easily identified by a cybercriminal.  When creating your next password, here are the do’s and do not’s of password strength:

  • Do not draw from the obvious: When selecting a password, do not draw from obvious sources – your name, your child’s name, not even something as seemingly ambiguous as your favorite flavor of ice cream or a random word.  With social media, today’s cybercriminal can easily aggregate personal information and crack obvious passwords.  Even if you feel that your password is obscure and/or unconnected to yourself, if the password is simply a word or phrase, dictionary attacks – programs that plug in every word from a database – can still compromise you.
  • Do use a mixture of letters, numbers, and special characters: Make your password complex and you help make it secure.  Random placements of letters, numbers, and symbols will make it very difficult for cybercriminals to hack into your accounts.
  • Do not use the same password: Using the same password for every login is a recipe for disaster:  A cybercriminal now only needs to crack one password for unlimited access to all of your online accounts.
  • Do use longer passwords: When it comes to password security, the longer the better.  According to online security experts, a password 15 characters in length could take up to two trillion years to crack.  However, password length isn’t everything:  You must be sure to utilize a mixture of letters, numbers and special characters.

By creating long, complex, and unique passwords for every one of your authentication accounts, you will guarantee password strength.

2. Change your password regularly

It is very important to create strong passwords, but even strong passwords can be discovered by expert cybercriminals – especially if they are given ample time for discovery.  That is why it is essential for you to get into the practice of routine and mandatory password changes.

A perfect time to schedule updates is with the change of seasons as they divide the business year into obvious and unforgettable quarters.  And, as it is now fall, it is the perfect time to begin this excellent practice.  You can start by announcing a mandatory password change in the next few weeks and update your business calendar for three more alterations for the winter, spring, and summer.

3. Keep written reminders secure or use a Password Manager

Long, complex, constantly changed passwords are hard to remember.  You may need to write them down as a practical safeguard.  Just be sure to avoid the bad habit of keeping these written reminders close to your computer – or even worse, taped to your screen for all to see.

If you need written reminders, keep them in a secure area away from your workspace, such as at home or in the glove compartment of your car.  Better yet, consider using a Password Manager to record and manage your passwords.  (See the July 2014 Bryley Tips and Information for a review on Password Managers.)

4. Keep reset information up-to-date

There will be moments when you simply cannot remember a password and will need to request a reset.  As a precaution you should always be certain that your online accounts have your relevant email address on file so that when reset information is sent, it is sent to you and not to an abandoned account that has the potential to be exploited.  It would be best to get into the practice of checking reset information on the scheduled dates for password changes.

5. Review your organization’s password policy

Take the time during your quarterly password changes and reset information checks to review and/or update your organization’s password policy, which has the rules and procedures employees are required to adhere to in order to ensure password and network security.  If your organization does not already have such a policy, be sure to create one and distribute it to all technology-enabled employees.

6. Expunge temporary usernames and passwords

If you recently employed any temporary staff or summer help, be sure that their usernames and passwords no longer access your system.

 

More ergonomics from Marty Reed

/in /by

Marty Reed of Top Enterprise, an ergonomics specialist, visited Bryley early in September for a demonstration on proper ergonomics.  She then visited our cubicles and made individual recommendations.

Her overall suggestions included:

  • Monitor:
    • Set distance at one arm-length from body to monitor.
    • Set height so eyes focus at about 2” below top of monitor.
  • Keyboard:
    • Use wrist rests to get hands up and over keyboards.
    • Keyboard should lay flat on the desktop; do not tilt up back.
  • Chair:
    • Use chair arms periodically to rest arms.
    • Forearms and thighs should be parallel to the ground.
    • Adjust for lower-back support or add a lumbar-support device.
  • General:
    • Look away into the distance at least every hour to reduce eye strain.
    • Get up from your workstation periodically and walk around.

For details, Marty can be reached at reed167@verizon.net.

Recommended practices – Part 2: Web browsing/Internet usage

/in /by

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End-users browse the web; it’s usually the fastest way to get an answer, search for an item, or make a purchase.  But, browsing comes with some risks:

  • Potential liability from browsing ill-advised sites at work
  • Inadvertent or unintentional download of malicious software
  • Waste of company resources: Internet bandwidth, employee time, etc.

To reduce browsing risks, we recommend have these recommendations:

  • Set an Internet usage policy
  • Monitor and enforce browsing behavior
  • Train staff members on safe-browsing habits

A fourth recommendation, configure and patch/update end-point components (operating system, anti-malware software, Internet browser, etc.), will be covered in future articles.

Set an Internet usage policy

Unless we know what is acceptable, how can it be enforced?  Some organizations, to limit unproductive time, might restrict access to social-media sites (Facebook, Twitter, etc.), while others (police investigators) may need access to pornographic sites; without a policy, what sites do we monitor and restrict and for whom?

An Internet usage policy should define the dos and don’ts of Internet access; it should be included in the Employee Handbook with a sign-off acknowledgement and should also note that the organization reserves the right to monitor and limit this usage, without restriction.  (See a simple Sample Internet usage policy fromGFI.  Or, review an in-depth Internet usage Policy from the SANs Institute.)

Monitor and enforce browsing behavior

Paul Wood of Symantec™ studied browsing habits of end-users with these findings1:

  • About one-third of users followed the organization’s Internet-use policy,
  • The second one-third generated less than 10% of browsing violations, and
  • The final one-third had over 90% of browsing violations; about 20% of this group actually had more violations than legitimate usage.

Basically, about 66% of end-users follow an organization’s Internet usage policy most or all of the time, but there is a small group that abuses this policy, which suggests that enforcement efforts should focus on the abusers.

To protect an organization, basic monitoring and enforcement of Internet usage is recommended; a typical monitoring/enforcement software application for small to mid-sized organizations should provide, at a minimum, these capabilities:

  • Cluster related sites together (ie: gaming, sports) to set policy by site-groups
  • Combine users by department or functional area to enable group restrictions
  • Whitelist specific sites (or site-groups) to permit unlimited access
  • Blacklist specific sites (or site-groups) to prohibit access

Once deployed, you must continually review the results to inspect what you expect.

Example:  Bryley Systems offers our Secure Network™; an onsite, Unified Threat Management (UTM) tool with monitoring and enforcement of web browsing.  The results are periodically reviewed and reported by Bryley Systems to the client.

Train on safe-browsing habits

It is important that staff know and understand the importance of an organizations’ Internet usage policy; they have a significant role to play in this effort.

Basic rule is to not click on any site that you do not trust.  However, even some trustworthy sites can be hijacked and route an unsuspecting user to an unintended site with unexpected consequences.

Some browsing tips2:

  • Do not click on pop-ups
  • Do not open links within spam email
  • Check a site’s actual address in the address bar; this address should always match the expected site-name (URL)
  • When in doubt, shout it out (call for help)

There are also many online, security-training options; we offer a video-training package on a per-user basis through our business partner, Deadbolt Security.

REFERENCES:

  1. See Paul Wood’s article “Employee browsing habits, the good, the bad, and the ugly” at Symantec Intelligence.
  2. Dylan Herix offers “An idiot’s guide to good browsing habits” at AppStorm Guide.