WHAT 2 YEARS OF TECHNOLOGY ASSESSMENTS REVEAL ABOUT ASSOCIATION IT: Infrastructure & Management
When we perform technology assessments for clients, we use our IT Maturity Model to gauge how effectively they’re managing IT across four domains: data, digital, infrastructure, and management. What are the most common technology issues for these associations? I looked back over the recommendations we made in the last two years to identify the five top areas for improvement in each technology domain. If your association hasn’t addressed these issues yet, the “next steps” I suggest are a good place to start.
1. Formalize cybersecurity training for end users.
Even with the proper security defenses in place, staff members who haven’t had cybersecurity awareness training can expose your organization’s data and systems to significant risk. Some compliance programs, like PCI, also require annual cybersecurity training.
Online, self-paced video courses are an affordable way to deliver this training. Its advantages—compared to presentations developed by IT staff—are many, including vetted, comprehensive material delivered by cybersecurity experts. Many of these firms also offer phishing testing so training can be an ongoing initiative.
- Find out when training was last offered.
- Evaluate training options that would work best for your organization. Schedule training as soon as possible.
- Work with HR to require training and enforcement.
2. Implement multi-factor authentication (MFA) for all remote access.
Passwords are easily hacked. A more secure login requires another “factor” in addition to a username and password. This factor is typically a one-time password generated on a mobile app or via automated phone call or text. Ideally, you enable multi-factor authentication for all logins but the next best option would be to enable it for all remote access.
- Determine if your remote access authentication supports MFA.
- Develop and implement training for staff so they understand the importance of this security measure.
- Start by requiring this additional security measure for “high value” targets such as executives and users with administrative privileges (that means you, IT director).
3. Review access to data and systems and adopt the principle of least privilege.
Staff members should not all have the same access to files and systems. The best practice is to provide access to only the files and systems someone needs to do their job. If their needs change, remove or further restrict their access, for example, change it to read-only access.
Likewise, a network administrator should only use a login with “admin” privileges when a task requires those elevated privileges. For example, an IT staff person should use an unprivileged account for everyday tasks, like e-mail and helpdesk access. But, they use their privileged domain admin account for domain management tasks.
This “principle of least privilege” takes time to administer, so some network managers take the easy route and make access too broad—a practice that can expose your organization to unnecessary risk, like a ransomware incident.
- Determine who has access to different systems and with what level of permission.
- Review permissions for each system and adjust accordingly.
4. Increase focus on endpoint security.
The traditional firewall + antivirus combo of yesterday is not enough. As cyberattacks increase in sophistication, and users spend more time online and on mobile devices (read: outside your firewall’s perimeter), you must increase endpoint protection. This goes beyond traditional antivirus measures to include DNS-level web filtering and mobile device encryption, as well as leveraging threat intelligence to improve your response to risks. And of course, this all must go hand in hand with item #1: training!
- Determine the scope of your endpoint protection capabilities
5. Standardize on a file sharing and collaboration tool.
A number of solutions facilitate file sharing and collaboration, for example, traditional network file shares, FileCloud, SharePoint, OneDrive, Box, and Dropbox. With the prevalence of so many options, a file sharing strategy and policy can help prevent knowledge management chaos and inefficiencies for staff and partner collaborators. Identify your file sharing needs and select a system that most effectively meets them. Training and access control can help you enforce the use of the standard system and file sharing policies.
- Find out how many file sharing solutions are in place.
- Conduct an analysis to determine if these solutions are adequately meeting needs for file collaboration and document management.
Management1. Develop a project portfolio management process.
An IT project portfolio is a prioritized list of an organization’s technology initiatives and projects, both current and planned. This portfolio is a living resource containing only projects that have been through a prioritization process. Criteria-based project prioritization helps you identify critical needs, keep projects aligned with the strategic plan, and ensure appropriate resources are available.
- Determine how many projects are in your backlog.
- Explore project-ranking schemes used by other organizations.
- Convene a team to develop a project evaluation and prioritization approach that would work best for your organization.
2. Develop standards for technology skills competencies.
Because technology is involved in almost every aspect of the workplace, it’s more important than ever for all staff (not just IT) to have the necessary technology skills to do their jobs effectively and productively. Everyone must meet a minimum expectation for technology competencies, for example:
- Create basic Word documents.
- Save documents in the appropriate location.
- Schedule meetings with multiple participants using Outlook.
- Enter data into Excel and perform basic formatting.
- Look up a member in the AMS by name.
- Remotely access the network.
- Identify phishing and other cybersecurity threats.
Since technology will continue to change and expectations will continue to rise, revisit this list of skills periodically.
Assess your staff’s existing technology competencies to determine where training could address skills gaps. You could also use this assessment during the staff recruitment process. While you may not wish to use the assessment to rule out otherwise qualified candidates, it would at least alert you to the need for additional training so the candidate has the necessary skills to be successful at your organization.
- Convene a team, including a representative from HR, to identify at least ten minimum expectations for technology skill competencies.
- Work with HR to develop a plan to assess skills and offer appropriate staff training to improve skills.
3. Improve documentation of IT policies and standard operating procedures (SOPs).
Having good IT management practices is not sufficient. You must document these practices. Documentation is often required for compliance with regulations and standards. On the bright side, developing and documenting IT policies and SOPs forces you to carefully consider each policy’s impact and what it will take to support it. Associations are often missing policies on security, electronic information/records retention, mobile, employee termination, and social media.
- Inventory and review existing IT policies to make sure they’re still current.
- When you detect outdated or missing policies and procedures, prioritize the ones that need to be updated or written. Create a timeline for development and documentation.
4. Develop a disaster recovery and business continuity plan.
If disaster strikes, you won’t have time to come up with a plan for recovery and impact minimization. Be prepared by developing a disaster recovery and business continuity plan ahead of time. This process will also help you identify mitigation strategies to prevent some disasters from occurring.
- If you have a plan, review and update it.
- If you don’t, start by identifying your most important assets—and figure out how long the association can “live” without them!
- Consider bringing in someone to help you develop a comprehensive plan.
5. Follow a formal system selection process when selecting any major technology system.
Too many associations select technology systems based on a trade show demonstration or raves from another organization. What looks good in a demo or works for another association may not work for yours. Before considering any new technology, identify your business and system requirements. Then, evaluate multiple options against those requirements. After narrowing down the field, do due diligence on the vendors and systems selected.
- Before starting on your next system selection, follow a formal process that begins with defining and documenting business and system requirements.
Do any of these scenarios sound familiar? If so, the suggested “next steps” are a good place to start. If you haven’t already, read my previous post on the most common areas for improvement in the data and digital domains. You can learn more about our IT Maturity Model and technology assessments on our website.