2016 IT budgeting: things to consider

Creating a culture of security awareness within your organization takes more than annual training

With fall here, IT managers should be fully immersed in their annual budgeting process and determining their priorities for the coming year. That means assessing what purchases, projects and services are most needed and what it will take to implement them within an existing system.

Once decisions are made, each new project will have its own set of solutions for budgeters to consider: cloud vs. on-premise, outsource vs. insource, HP vs. Dell, etc. While planning, you should make sure to have your IT basics covered and be aware of any upcoming end-of-life support changes for common applications.

This has been a tough year from an IT security perspective. If you’ve made it to this point with the same credit card you started the year with, and your Social Security number has not been compromised, then you are doing well. Public data breaches have impacted tens of millions of people in the United States. The threat is not going away, so a focus in 2016 should be to continue to strengthen your network and train your employees to be prepared to defend against a breach.

The days of treating employee security training as an annual box-checking exercise are behind us. Moving forward, it should be a critical part of your IT budget.

The reason: Many of the largest breaches this year were the result of a compromised user, not a compromised system. In fact, human error accounts for 95 percent of all successful attacks, even if you have the best technology.

Creating a culture of security awareness within your organization takes more than annual training. Luckily, there are an increasing number of ongoing training and testing programs available to supplement or replace your annual training. These programs are relatively inexpensive and should be at the top of your “must-have” budget list.

From time to time, we come across a network that is missing basic security technology. Here are some security basics small businesses should have in place; if you don’t have them, consider carving out a piece of your budget to make sure you do.

 • Intrusion prevention system: There have been major advancements in firewall technologies over the past few years, including where, when and how we obtain information on current threats. Firewalls are now smarter and adaptive, and can even track what is happening inside your network.

However, these are not “set-it-and-forget-it” technologies, and for those organizations whose risks do not warrant an advanced firewall, the current batch of unified threat management firewalls continues to be a good choice.

If the current firewall in your IT environment is five to six years old or more, it’s time to think about upgrading.

 • Mobile device management (MDM): According to a recent Gartner survey, mobile security has become the number one concern for organizations. While MDM solutions can do a certain amount of device management, sometimes it’s not enough.

Enterprise mobility management (EMM) solutions not only manage devices, they also manage applications and the data on those devices. This allows you to secure corporate data on devices while avoiding the need to completely wipe an employee's personal smartphone or tablet. Take a moment to review the following questions, and if you answer yes to any of them, you should consider adding an EMM/MDM solution.

 • Server and desktop patching: The health of your servers and the computers employees use to accomplish their daily tasks could make or break a business’s productivity and efficiency. Putting server and desktop monitoring in place will guard against security vulnerabilities and allow you and your business to go about your day with peace of mind. This is a critical layer of defense that is needed in today’s business environments.

 • 2016 necessary upgrades: In 2015, we said goodbye to Microsoft support of Windows Server 2003. Careful planners who budgeted for this at least a year ago were able to sunset or upgrade their old Windows 2003 boxes before the end-of-life date. As a part of this year’s budgeting exercise, review your device and application inventory and understand when the end-of-life dates are, and plan to upgrade or replace accordingly.

Although there are no major Windows operating systems reaching their end of life in 2016, Internet Explorer is changing its support model in January. There are significant security and productivity implications of not running the latest version of IE in your environment.

 • Know what to outsource: The cloud is changing many things, including staffing strategies. When considering your staffing strategy for 2016, carefully consider whether you should home in on technical infrastructure skill sets or applications and integration skill sets. Ideally, you need a good balance of both.

Erik Thomas, a senior analyst at Maine-based Systems Engineering, can be reached at 603-226-0300 or through syseng.com.