Help me understand what a proper business IT system looks like.

Really good questions here and it's great that you're trying to improve things yourself. My suggestion is to bring in some small business-focused IT companies to interview. They'll come in for free and sell you on their services. Smaller companies would be happy to back you up and answer these questions, even if you only call them once in a while. You don't have to hire them full time. It would be helpful to network with professionals in your field. There may be local computer, user or Meetup groups available to you. These folks can talk to you about what you're doing now. I'll jump in on a couple, but there are really too many to answer completely in a comment. Note that these are opinions, and if you put three systems people in the same room, you'll get four different answers. I'm assuming you have Windows because you mentioned group policy and malware. 1. Centralized secure file storage and access restrictions. Granular, flexible permissions preferred as opposed to top-down permission management. Use groups for permissions on centralized files. Do not assign permissions to individuals or your permissions will become a mess. Avoid changing permissions twenty levels deep in a folder hierarchy if you can. Create new root-level folders (\\server\Marketing\campaigns when you change permissions.) 2. Centralized management of the various workstations, so I don't have to go to each computer to perform updates, install software, do maintenance and such. There are various ways to go about this, but the cost+labor benefit isn't great at your size when implementing something like System Center. Look at Chocolatey for software deployment/updates, which is the biggest/most important system management issue in small biz. 3. Proper anti-virus/malware/trojan/etc solutions. The major players are effectively all the same, and none are very good at detection/removal. If you're buying something you can centrally administer, buy mostly on price and simplicity of administration. You'll need to supplement this with third-party tools like Malwarebytes when you get infections. Use WSUS for updating Windows. 5. Somehow stuff (including viruses) sometimes gets installed without me having to use my Administrator rights to install it even if the person only has User status. I'd really like to restrict people's access in Windows, but I'm not even sure what are the most important things to restrict, honestly. Some apps (Google Chrome) don't require Admin rights to install. Others are portable apps that basically run inside a folder. You're not going to be able to 100% stop people from running stuff on their machines. As far as malware goes, two things. 1. Don't let people run as local Admin. In most cases, the malware is limited to their user profile, so you delete the profile and recreate it to get rid of the malware. (This is not foolproof, and you must have some way to store/backup their documents.) 2. Update Flash, Adobe Reader, Java and Quicktime. This jibes with #2 above. If price is an issue (which I'm betting it is in smallbiz) look at Ninite Pro in addition to the above. 6. Internet restrictions and firewall setup. I really don't know the level of rigor I need to go into here. Almost everywhere uses the default firewall settings. If you're in a high-security business, hire outside help. 7. Restrictions on or at least logging of any information that is removed from computers. There are some really sophisticated, complex, expensive solutions for managing files in this way that, for example, the NSA wasn't using. Just about any of those systems can be defeated with a smartphone by anyone with access to the documents. No specific advice here, other than really calculate effort vs. effectiveness when doing this. You can turn up some of the audit settings in Windows logs so file access is audited. Be aware that you'll generate a lot of logs. 8. Passwords: Do I let people set their own passwords or give them passwords? You let them set the passwords. You do not and should not know the passwords. If you need something in that user account, you change the password and login. Then the user knows you've been in. They reset the password when they return. 9. General IT security standard operating practices. Yeah, I know this is general, but I’m sure it encompasses a lot of specific things I need to be aware of. Outside IT consulting firm. 10. Email security and management. Right now, we do not run our own email server, but use our webhost for email. This sounds really risky. I'd centralize on a cloud-based e-mail suite that offers backup/restore, etc. Not necessarily local backup and restore, but guarantees around cloud backup/restore/multiple versions, etc. Microsoft and Google have solutions in this area. Microsoft's solution is more integrated in my opinion, but I use Google personally. 11. BACKUPS. Right now, I do occasional, non-automated, backup images of peoples' entire HDDs This is bad. You don't have all of the company's information backed up because it's spread everywhere. You don't know when the last time you backed up a specific file so if it goes missing you'll lose a good part of or all the work. Every desktop PC is a single point of failure. You're backing up the same files in Windows and program directories over and over again wasting backup space. If people have desktops, they need to store their files in a central location. Period. If they have laptops, you need to find a way to replicate their data to the server while they're in the office. You need to have scheduled backups of all data, rotating backup media and take backups off-site. There are apps that will help with this - CommVault and BackupExec are commonly used, though I'm not sure of small biz pricing. I talked to a technology/IP lawyer recently who cautioned that the cloud is an uncertain setup if you're trying to protect sensitive information. Paraphrasing his words: "Even if the data is encrypted on their server, as long as they possess the encryption key, they can expose your data if necessary if compelled." IANAL, but I will say that Google's (or whoever) security is better than yours and mine. It's a start. Again, I'd find someone to come in and help you out. Sanity check everything I've said here (and whatever else you're told). You're on the right track. Good luck! Edit - on preview - if you use Active Directory in house (which isn't clear from your post) you can often sync those passwords with a cloud provider, meaning that your users have one password instead of multiple passwords.

where I can split the load between me and my secretary Yeah... Assuming you own the company, your job is to run it (and not worry about this level of detail), and your secretary's job is secretarial work. This isn't a place to save money: you're going to lose any savings the first time you make a mistake. In a big firm you have teams of people assigned to specialise in different areas of IT. For a smaller firm you have a dedicated IT guy who is on call, or you outsource. I'd suggest you talk to a local IT company, they'll talk you through what you need.

IT security is a hard nut to crack for a small business. You need to try to balance security, usability, and budget. I'd start with "what sensitive data do I have that can get me into legal trouble?" SSNs? PHI? Payment card? PII? I'd figure out what my maximum legal exposure is. Will that bankrupt your company? If so, consider: you need to get everything right on the security front with every dollar you spend to prevent business failure. You're not a security pro. You aren't going to get it all right. So what to do? Only concern yourself will security that makes sense within your operation -- things like "permissions should be set up so only the owner can see employee files." Things like "we should run antivirus so our systems don't run slow." Things like "we should not run an open relay mail server so our hosting doesn't get turned off." Don't spend a minute on any "best practice" that doesn't support operational goals. Bruce Schneier, security guru, has said he wouldn't spend a single dollar on security in a small business. It just isn't worth it. I don't entirely agree, but it's a rare case where you can make that work, and normally involves scoring a security pro as your IT manager. Consider that cloud providers actually evaluate their risk, something that you don't have the skill to accurately do. Most cloud providers have more skin in the game in terms of millions of dollars of profit than you do. They have incentive to be secure. Yes, law enforcement can request access to your data through a cloud host, and yes that key can be hacked. Far more likely that someone will guess the admin password for your account, though. I haven't personally vetted box, but a former coworker is their security architect, and I trust him to know what he's talking about. I don't know if Box's management lets him do what he wants, though. But again, while the details are fun, in a small business ops are king. Availability, availability, availability. Then you get to worry about everything else. If I were consulting on your network, and you told me you were a small business, I'd be looking at: - Is there an active directory domain - Is every system joined to the domain - Is there a sane default GPO applied to every system - Do most settings for a new system get configured automagically via network settings (printers, mail, etc) - Are groups in use? Are they role based? - What data is of value on the network? - Is that stored in one place? - Is that place stupid (read: email)? - Is that place backed up? - Do the backups work? - Is that place segregated (permissions and network) from the rest of the network? - Does that stuff even need to be on the network? (personnel files are much better under lock and key in small business) - How do people work remotely? - Is that method stupid (e.g., over the public internet without encryption) - Do you repeatedly get the same help desk calls or random tasks? - Is it because of something stupid (i.e., should that be automated)? - Are things slow? - Is that because of something stupid (insufficient capacity, non-scalable architecture)? - Do people only have access to the things they're supposed to? - Are you sure? - Really? If you work through that list, know the answers, and are confident you aren't doing something stupid, you're in a good place for a small business. Until then, keep reading, keep plugging, and drop more specific questions.

And, you know, I left out an important one based on your question about viruses getting installed: - Do you know what software is installed on everyone's machine? - Are you licensed for all of that? - Is everyone running the most recent, fully patched version of every piece of software out there? (p.s.: If you say yes, you're lying). - How are we going to get there? - How long are we lagging behind the patches? - Is patching automated? There are probably some others I'm forgetting. But you really need to start with these basic things before you worry about your potential risk exposure with, e.g., cloud providers or some outsourced service.

I take it you're on a domain already. Are your servers virtualized? We recently overhauled our network with help from a small-business focused consultancy. We now have two physical vmWare ESXi 5.5 hosts, splitting the load of Windows Server VMs. We replicate the VMs across the machines and also do a VM-level external backup. This has all been a huge win for a small business shop without a real IT department (which we used to have, kind of, before our former firm split up.) Office365 for email etc. on site Exchange is a huge cost driver and generates other requirements. Remote access can be anything from LogMeIn to a full blown Citrix/RDS (Terminal Services) setup. What are your needs? No McAfee please. I've had good luck with GFI and ESET/NOD lately. You may also want to look at a security gateway with UTM features. I could bend your ear about this stuff, I'm in your position, dual-hatted at a law firm with a similarly technophobic Dad/boss (and grew up in this role on and off). Feel free to memail me for more details and/or referrals to the companies I work with.

I was trying to figure out how to craft a response when devnull basically beat me to it. I'd only add that contracting with an IT company doesn't mean you throw in the towel on knowing anything about your own network. What happens when you get sick and the server throws a rod on the same day? Regardless of any one person's competence, it's a recipe for disaster. As for your specific questions, a lot of it sounds like Microsoft Exchange to me, although there are of course other solutions. There are hosted exchange solutions which provide about all the same functions as if you had a server in your own closet; since I don't run one of those I don't know as much about them as I should. In my under-educated opinion a really robust, full-featured cloud-based server setup isn't hugely less expensive than running our own, and as long as you have PCs in your own building that you own you'll still have IT problems above, beyond (and below) the magic server in the sky. And the point about confidentiality is a point taken, although, you know, if it comes to that you can be compelled to hand over a computer you own, too. Lastly, touching on backups - I'd say even with competent tech support back-ups are the most difficult thing to make sure is getting done. My own approach with my tech support is to specifically, and in painful detail, peel through the layers and ASK THEM TO SHOW YOU where and how the backups are getting done. It's all too easy to hand-wave this area, because it's tedious to go through and list every damn thing in your network that needs to be backed up, but more than once I've had the tech support guys say "oh, you wanted THAT backed up, too?"

For reference, I don't own the company. My dad does. I'm the jack of all trades second-in-command who's managed to keep the company from grinding to a halt with technology problems my dad doesn't understand. And my secretary and I split the IT duties right now, with me supervising her. It's not my ideal solution, obviously, especially considering that my focus should be in other places now. I just want to know more before I go out vendor hunting, so I don't waste my time.

It sounds to me like you need a full-time dedicated IT professional. At least for awhile. Especially with the questions that you have about security and the fact that you know everyone's passwords. I recommend meeting with a well-regarded IT Security consultant in your area who could tailor answers to your specific situation.

re: backups...unless a restore is physically demonstrated, I assume a backup plan is aspirational - and probably fictional.