5 Practical Tips for Year-End IT Budgeting and Procurement

As year-end approaches, many of our customers take a critical look at their budget and budget-planning processes. That can involve 1) looking at the current year’s budget for opportunities to make potential procurements in order to get those expenses in before the year-end, as well as 2) setting the budget for the coming year.

Here are a few things to consider as you set priorities for new investments and upgrades. Don’t overlook changes that can lower your operating costs.

Items for Consideration

  1. License renewals. This is perhaps the most crucial item, since if you allow licenses to lapse, you lose the use of critical software and systems. License considerations are especially important this year, with Windows 7 end-of-life coming January 14, 2020. We covered this topic in an earlier post, especially the compliance implications. Include Windows 10 upgrades in your budgeting plans. Look at the age of your Windows 7-licensed workstations, and decide whether it makes more economic sense to replace them entirely with new Windows 10-licensed systems.
  2. Aging equipment. There’s a tendency to wait until something fails before you replace it. But if a system is near or past the end of the warranty period, it might be better to replace it proactively and avoid the costs and inconveniences of downtime while you wait for replacement of a broken machine.
  3. Network refresh. Take a closer look at your networking equipment, such as switches, routers and wireless access points. If they’re older, possible failure is a concern, but you also need to determine whether they can keep up with current network standards and expectations. Would a faster or more-capable switch improve performance or manageability? Would upgrading your older wireless access points or adding new ones improve network coverage or get rid of dead spots?
  4. Security. You can never be too secure, but there are a few additions that will improve your security posture immensely. One is free: enforcing a password policy that requires strong, regularly changed passwords. Another that is inexpensive or free is implementing multi-factor authentication (MFA) anytime a user logs on for the first time, or from a different machine or remote location. There are third-party solutions, or you can use the MFA capability built into Office 365.
  5. Service providers. Take a look at your monthly fees paid to service providers, and consider whether a different solution could give you a lower price, better performance, or new features. Feature-rich voice-over-IP systems have much to recommend them over traditional telephone services, and are generally less expensive. The same is true of replacing an older Internet connection with a vendor who delivers over fiber. If you have a large number of printers, there are printer management services that can save you money on consumables by controlling the use of color toner and ink, and curbing unnecessary printing.

Planning Proactively

At FIT Solutions, we help our clients look at the big picture of their technology, project future needs and plan proactively. One of the services we offer is the development of a Technology Business Plan that considers many of the areas above and more. It includes a Technology Infrastructure Roadmap that looks at short-, near- and long-term needs on a quarter-by-quarter basis so that you can budget effectively, accurately and proactively.

This holistic view will guide you to a more stable infrastructure, tighter security and increased performance while serving as a guideline for prioritizing and decision-making. If you’d like to get started, call us at (888) 339-5694.

Outlook Security: Why You Should Deploy MFA for Office 365

Multi-factor authentication, or MFA (sometimes known as two-factor authentication, or 2FA), is recommended whenever basic usernames and passwords aren’t enough for protecting sensitive logins.

If you’ve ever been asked to confirm your identity by entering a code sent to your phone, you’ve used MFA. The method is widely used for online banking accounts, to bolster security when employees remotely access corporate sites, and to help satisfy HIPAA requirements. More and more, though, we’re advising its use to protect all access to Office 365.

We’re making this recommendation because of the experiences of some of our newer clients. It’s a sad fact that organizations often discover they need our security services only after they’ve been victimized. Several have turned to us after making tens of thousands of dollars in payments that were never received, because the money was sent to fraudulent bank accounts. That’s when they called us in to untangle what happened.

Who’s Reading My Emails?

We’ve found a new breed of criminals who specialize in hijacking email accounts. They’re very sophisticated, expert in covering their tracks, and victims are none the wiser — until it’s too late and the money’s gone.

It all starts with compromised login credentials that criminals use to gain access to one or more individuals’ email accounts. The perpetrator either tricks the individual into giving up the credentials with a phishing email, or simply purchases lists of stolen login credentials on the dark web. Once access is obtained, the criminal lurks and learns, watches and waits. The goal is to find out who moves the money and how. Who are the approvers? Who gives the instructions? Who executes the transactions?

Or Worse, Who’s Sending My Emails?

Less sophisticated criminals would be content to send a bogus invoice. This new sort is looking for legitimate transactions conducted in the normal course of business. They intercept those transactions by issuing instructions to send the money to different accounts, masquerading as the authorized worker. They’re sending these emails from the actual mailboxes, complete with signatures, so the communications look legitimate. Of course, because these are sent using the real email accounts, the compromised users would see the bogus messages in their outbox, or the inbox would contain replies to messages they never sent. To avoid detection, the criminal sets rules in the Outlook account to immediately delete the bogus messages based on the subject line.

Here’s an example of a sophisticated criminal attack; this happened to an engineering firm with about 20 employees. The criminal had the email credentials for the employee responsible for payroll, and also knew, from reading the emails, who the firm’s third-party payroll provider was. Trying the employee’s email credentials on the payroll account revealed that the employee used the same password in both places. Now it was simple to log in to the payroll provider and re-route all the direct deposits to accounts the criminal controlled.  An entire month’s payroll was lost before the theft was discovered.

Detection and Prevention

There are two approaches to dealing with these kinds of attacks. One is detection, through SOC monitoring. SOC monitoring issues alerts for suspicious email access, such as a user accessing from a different location or device, or a user simultaneously logged in from two locations or devices. Either of these is an indicator of unauthorized access of an email account.

Prevention is where MFA comes in. In addition to username and password (something the user knows), MFA adds an additional factor (something the user possesses). The additional factor is the user’s smartphone. Unless the criminal also steals the employee’s phone, the compromised login credentials are useless. There are several approaches to implementing MFA:

  1. Some third-party applications that do single sign-on have MFA capabilities. Examples include Okta and Duo. Microsoft Azure also supports MFA.
  2. Office 365 has the ability to natively enable MFA through the Microsoft Authenticator application. However, some companies have issues with mandating that employees install specific applications on their personal smartphones. If the company doesn’t reimburse employees for their phone use, this becomes a concern for the HR department.
  3. Office 365 also supports native MFA by sending a one-time passcode to the employee’s phone via a text message. This gets around the reimbursement issue because it doesn’t require loading a specific application on the phone. Plus, the simplicity of the approach allows employees to self-enroll through an eight-step process that requires less than two minutes to complete. The impact on the employee is minimal, because the one-time passcode is required only when the employee is logging in from an unknown location or device.

At FIT Solutions, our managed IT services include implementing the multiple forms of MFA. We also perform SOC monitoring through our cybersecurity offering, SOCBOX. You can learn more about FIT Solutions managed IT services, or better yet, call us at (888) 339-5694.

Get in touch.

Fill out the form and our team will get
back to you as soon as we can!