Survivor's Guide to 2005: SMBs: Attention to Prevention

The lesson for 2005: If you don't get proactive, you might need to be reactive--about your employment and/or continued viability as a service provider. Emergency service has shown up on many budgets of small and midsize businesses as a relatively huge line item. If you want to survive, get on an even keel.

I know what you're thinking: Easier said than done. Clearly, worms and viruses continue to hurt businesses of all sizes, and no doubt this will continue. Moreover, peer-to-peer technology has had a significant impact on traffic; it continues to morph so it can run over any open port or protocol (á la Gnutella Web cache), and it will suck bandwidth in any shop. It's an inevitable arms race: Random workstations with spyware and Trojans will continue to beat on bandwidth and reliability.

Object lesson: I met with a financial-services IT group that insisted management wouldn't authorize preventive projects or strategies until certain other projects were done. Prevention was sidelined, and the organization had a serious internal security breach that could have been foiled. Moral: Get proactive.Manage the Managers

Some small businesses are doing proactive IT the right way, and they will kick the snot out of their competitors. But the rest of the pack is typically risk-averse and tends not to make long-term investments the way many larger organizations do. If a project doesn't affect cash flow in the short term, it probably won't be addressed. And many small businesses don't hand out budgets to managers, but rather insist on line-item approval for every expense. It's possible in the enterprise to fly a stealth improvement project by using existing funds, but this is much less likely in a small business. Therefore, you've got to get aggressive in 2005.

Show, don't tell. Do something small that can improve uptime, then document it. With success in hand, it's much easier to get buy-in and, thus, funding. If you don't have hard metrics regarding your infrastructure, try perception surveys. At one job, my team embarked on an initiative called "MIB"--not Management Information Base, but rather, Make It Better. The rules of engagement were simple: If you see something wrong, make it better! We reserved several hours a week for proactive measures, such as alert systems, code upgrades and configuration tweaking. Cost: zero dollars, but our customer-service score was improved significantly. Try it. Ultimately, you must demonstrate success--that, for better or worse, is the only thing many managers understand.

Manage the Management Tools

The low-hanging fruit of proactivity is to simply use the management capabilities built into your network infrastructure. Indeed, the message that vendors and pundits have been selling for years is that a managed infrastructure is a happy and active infrastructure; too bad everybody's been too busy to listen.In particular, a proactive infrastructure should include basic SNMP metrics, such as traffic counters, CPU utilization, RAM utilization, paging and error counts, SNMP trap handling, threshold alerts, and log-exception alerts (see "Proactive Points," below.)

We're not naming names, but consider: If a drive in your RAID array goes out and the management software isn't set up properly (and by properly, I mean configured to notify a real person in real time), you won't know about it for weeks or months. The next time a drive goes out, the whole array is unrecoverable, which answers the age-old question, "If a RAID array dies in the data center and no one hears, do you still lose your data?" Uh, yeah.

If your gear comes with a management console, make a New Year's resolution to set it up. Even if you don't use all the console features, you're doing something. Have patience with yourself. Crawl before you walk and create some success, so you'll be better able to justify other proactive projects.

Other tools we've used with success in the SMB space are free or inexpensive--no $20,000 SNMP consoles here! For SNMP monitoring, Cricket (cricket. sourceforge.net) is a good bet. It's free and more easily configurable than MRTG (Multi Router Traffic Grapher). If you're short on time or simply don't want to plow through how-to documents, SolarWinds' $1,500 Network Engineer Toolset is a relatively inexpensive management console, and it comes with groovy tools. SolarWinds also makes Orion, a purpose-built network-monitoring tool that starts at $2,000 for monitoring up to 100 network elements--surely enough for most small businesses. (For a review of tools that do network monitoring on the cheap, see "More Ping, Less Bling," at ID# 1519f4.)

Log centralization is also relatively simple nowadays. Try using the open-source tool Snare (www. intersectalliance.com) to collect info from Windows boxes, then shoot the data over to a syslog server. Free or cheap syslog servers abound for Windows and other operating systems. I've had success with the Kiwi Syslog tool (www.kiwisyslog.com).The rock and hard place will be insufficient time to do this management yourself and a lack of funds to pay someone else to do it. To make life easier in 2005, consider reaching out to your local professional association. Even my little hometown of Savannah, Ga., with a population of less than a quarter million, hosts a thriving ITPA (IT Professional Association) and a growing InfraGard chapter. Professional networking isn't just for social climbers. Like physicians who give and receive "consults," a professional network is one of the best sources of advice and counsel. Don't have time to learn how to implement a given technology or methodology? Someone else has already done it. Why reinvent the wheel?

Finally, whether you do management yourself or outsource it, start an IT calendar on which you schedule periodic checkups. Consider these "fire drills" where you manually check to see that everything is still collecting, and make sure that alerts get to the right mailboxes. Is your backed-up data OK?

The same goes for software updates--virus protection, for example--I've seen lots of small businesses let theirs lapse. Sure, the sales organization that sold you the virus protection has an incentive to make sure you stay up-to-date, but the fact is, it tends not to check.

Remember, no service provider or vendor is going to replace you as the accountable person. It can simply move on to greener pastures. No one customer is a critical account at the small-business revenue size.

Manage the Management ProvidersThose of you in very small shops may want to enlist a managed-service provider to track metrics for you. This is a common scenario because, according to a study by AMI-Partners, the U.S. small-business market comprises 7.73 million companies, more than 75 percent of which employ fewer than 10 people. Only one in three has a dedicated IT person, and he or she is usually busier than a one-armed paper hanger.

But remember that setting up a managed-service contract doesn't mean your job is done. Far from it. I see many small businesses that have a network-service contract but either no SLAs (service-level agreements) or bad SLAs. What's a bad SLA? One that doesn't cause the service provider any pain when things go wrong.

If you're in this boat, resolve to turn your ship around by enacting a tough SLA during the next contract renewal. If no one on staff is familiar with what a good SLA should include, hiring a third party to help you write it is well worth it. One tip: Your SLA should allow for periodic third-party checkups on your service provider. Some of my financial clients have been told by their financial auditors that someone needs to check up on their managed security providers on a regular basis.

No news is not necessarily good news, either. Insist on monthly reports so you know if you can rest easy. Case in point: I was called in after a virus outbreak and found that the customer had been paying a provider to check its definitions every month. But the virus console had gone south at some point, and the patterns hadn't been updated for months. No records existed of when the service provider had last checked it. Who's watching the watchmen indeed.

Hourly FatesInstead of a service contract, do you simply pay by the hour for IT service? If so, this is a reactive policy that will cost your company big bucks in 2005. Hourly contracts do have their place, but make sure you know what you're getting into. Hourly providers have no motivation to set you up correctly--there's just an incentive for you to get billed ... and billed ... and billed.

You'll find tips on negotiating a maintenance contract in "Affordable IT: Vendor Support Options," at ID# 1522f3, but if you decide to pay by the hour in 2005, make certain you do so proactively: Negotiate up front how many hours you think you'll need for the year, and make sure you get a significant price break. In addition, get references from local providers, and pit them against one another in terms of price. After all, if your service provider can plan for your business, it will have less risk in terms of capacity, which translates to lower cost, and it ultimately should pass on some portion of that savings to you. That will mean better use of your resources, which will translate into a thriving IT environment in the coming year.

Jonathan Feldman is director of professional services for Entre Solutions, an infrastructure consulting company based in Savannah, Ga. Write to him at [email protected].

• Keep long-term baselines of SNMP counters for all production servers, switches, important ports on the switches, firewalls and routers.

• Counters should include "vital signs" for all production gear: CPU utilization, total traffic sent and received, error counts, memory utilization, paging, and hard-drive space.• Once you have a baseline for your metrics, set up alerts based on counters exceeding the baseline.

• Begin at the beginning--attack the low-hanging fruit first to establish success.