As an IT Managed Service Provider (MSP) we are regularly meeting with and consulting with various businesses in the SMB space. From manufacturers to not for profits, all declare that they are 'not tech savvy' people as they venture away from the comfort of what they know and understand. This self declaration often leads people into decision making patterns which greatly limit their capacity to make clear, confident decisions.
There are 3 common mistakes people make when evaluating and investing in technology and IT providers. All 3 ultimately stem from wanting to protect the business from being misled or oversold. All 3 however come from the false assumption that not being 'tech savvy' puts the buyer at a disadvantage. The truth is that investing in technology and/or a new provider is a business decision, not a technical one. As such, a business leader should be well equipped to make confident decisions provided they are put in the right context.
In this article we would like to highlight these common mistakes and our advice on how to overcome them.
Many businesses understand when they have a problem with IT, but fail to spend the time to evaluate what that problem means to the business. Likewise many business owners are aware of gaps in their providers services, but don't evaluate what the business is missing out on by those gaps not being filled.
Most often this is due to poor consulting & advisory services on the part of the IT provider. In any case, all business leaders should be able to ballpark the value of certain issues and lost opportunity. Failure to do so results in impossible decisions being made, often leading to under investment and ultimate failure of the initiative.
As an example, in a business with 20 staff, would you invest $50k to upgrade technology that will increase speeds and reduce user frustrations?
If your answer is a straight forward yes be sure to give us a call, but all jokes aside this is an impossible decision to make. What will the increased speeds mean? In what way does improving staff satisfaction improve the business? Without exploring these effects you cannot easily determine the right course of action.
As a consequence, many business leaders feel 'forced into' IT spending based more on the implied seriousness by the vendor, rather than quantifiable commercial measures. This commonly leads to the seeking of alternative quotes and lower cost implementations of the 'same thing'. Further complicating the decisions and leading to underwhelming results.
Alternatively, what if you were faced with a decision to invest $50k to upgrade technology that will allow you to save 30-40 hours a month of lost productivity, reduce staff turnover and attract top talent. What if those same improvements also allowed you to shorten turnaround times with clients, improve your customers experience and attract more referrals. Such a change could be worth $200,000 a year to the business, which would not only make this purchase a no brainer, but could warrant even more investment.
The point is you can't evaluate ROI without understanding the potential return. Not being tech savvy should not preclude you from making sound investment decisions.
We would recommend any organisation seeking to change provider or invest in a major upgrade to first spend some time with internal stakeholders brainstorming the 'what ifs' and benefits that would justify a change. This need only be a 30 minute meeting, but simply defining some goals will make evaluations significantly easier and more effective.
It's amazing how often we get asked 'how much do you charge for your services?' before we have been asked anything about what our services are or include. It's unclear why this is but whatever the reason, it is generally counter productive.
Such questions further anchor the persons thought processes and lead them away from logical decision making. It is almost laughable when someone objects to higher pricing immediately following their negative review of the incumbent provider citing being poorly trained, poorly resourced and slow to respond to issues. In reality, skills, experience, and capacity are directly related to cost. Whilst sometimes possible, it's generally accepted that you need to invest more to get better outcomes.
Whether it be a new car, a kitchen appliance or a drink in a restaurant, it doesn't make sense to start with price. You should first assess what you need, find an option that best suits those needs and then be willing to make sacrifices depending on cost constraints and/or diminishing returns.
This behavior is a common cause for businesses repeating past mistakes. To reference one of the most misquoted and overused phrases in business; repeating the same thing over and over and expecting different results is the definition of insanity.
It's incredibly common to hear that someone is looking to compare 'apples with apples'. This approach is undoubtedly taken to simplify decisions around complex offerings. This however is contrary to the fact that decisions are only made easier when there are clear differences between options. By restricting the scope to a set of common attributes, options tend to look very similar, making choices harder.
This also feeds the untrue narrative that all providers are kind of the same. As a result, many people believe MSP's are best evaluated according to comparable attributes such as price, company size, response times and industry experience. In reality these attributes are only indicators and have no direct effect on results, service quality or inherent capabilities.
Suppose you were after a new car with an automatic transmission, cruise control, reversing camera & automatic wipers. If you decided to blindly evaluate vehicles based on these attributes you would soon find yourself in a difficult situation. Compatible solutions could include compact hatches, SUV’s, vans, and luxury sedans. All things being equal you would only be left with price as an evaluator; most likely selecting the one just a little more than the cheapest. Congratulations, your new daily city driver is a commercial van.
Of course this example is a little ridiculous, but it hopefully provides an adequate analogy of how dangerous it can be to focus on minor factors. Instead you should look for differences in capabilities, approach and results delivered to customers as it pertains to what you are looking for. Rather than asking if they are familiar with Microsoft 365, ask what challenges they have seen clients have when adopting 365. Avoid easy to answer yes/no questions like 'can you help us with advice?' and instead ask what approach they would recommend towards creating an IT roadmap.
These sorts of questions will give some insight into the MSP's inherent capabilities and work culture. Just like interviewing for a new hire, you should focus on understanding their traits, personality and fit with your business rather than simply their quantifiable achievements.
In summary, all of the mistakes above are not exclusive to technology decisions, they are simply more common when people feel out of their element. Technical decisions are ultimately business decisions. If you're being presented recommendations in overly technical language and are finding it hard to make decisions, you may need to make a change to either your perceptions, or the provider you're working with.
At Sensible, one of our core value propositions is in helping businesses make better business decisions. There are several elements to our service delivery model that allow us to make this happen. If you would like to gain a different perspective or learn about how your business could work differently with an alternative approach to IT then please get in touch.
Simply give us a call or book a time directly here: https://calendly.com/ray-sweeney
There is a profound difference between feeling secure and being secure. Cyber security is constantly evolving with it's rules adapting every few months. Consequently, effective cyber security has become as much if not more reliant on process over products. In other words, it's more about how security is managed rather than the actual technology in place. So, if it's all about process, how does a small business that outsources their IT really know if they are secure?
The unfortunate truth is that most business leaders rely on blind trust.
Whether it be misplaced trust, ignorance, or a combination of both; most businesses are far more at risk than their leaders or owners are aware. This gap in understanding and resulting lack of actions being taken is contributing to many businesses becoming more and more exposed when it comes to data breaches, data loss and/or insurance issues.
When outsourcing IT, many businesses quite rightfully have an expectation that their provider is looking out for them on the cyber security front. Whilst this is generally accurate; there are many levels to cyber security. More often not, the reality of the protection a business has is very different to the expectations of where they think they are.
Effective cyber security requires clear communication of expectations and requirements between business leaders and the provider. Without regular dialogue, your security strategy is going to be misguided at best.
Your provider should be held accountable for communicating your exposure, providing recommendations, and providing you the ability to make clear and confident decisions. Commonly this dialogue is not routine but rather is instigated either by the client in reaction to a directors concern, or brought about by the provider in the context of a new product they have to sell.
If your provider is not driving the security conversation proactively then it is more than likely that your security is lagging well behind your expectations. Cyber security done well takes a lot of work; any provider working hard in this space is undoubtedly going to want to be talking to you about it.
Being secure is like being healthy; despite everyone having a different opinion on what it is, you kind of know it when you see it. Likewise, it is important to define goals in the same way that you would with a nutritionist or personal trainer.
If you told a health professional you wanted to be healthier, you would expect them to start asking questions. Do you want to lose 10kgs? do you want to gain 10kgs? Do you want to run a mile? or do you want to climb a mountain?
Without understanding what you are trying to achieve, they would be ineffective in helping you achieve your goals. Similarly, an IT provider needs to take the time to ask questions. They should understand the risks, and impacts that a cyber attack could have on both the commercial and reputational elements of your business. Without this knowledge they are likely to provide little more than good feelings.
This is pretty easy to test; if you tell your provider that you are concerned about security and they immediately respond by explaining all the things they do to keep you safe or worse, begin to sell additional products and uplifts; then they're not conditioned to listen and understand your needs.
Some important things to consider when defining what 'secure' means to you:
The above questions and others like it are all about understanding exposure and risk. Ultimately its these elements that should inform what 'secure' is to you. The standard of 'secure' should be driven by the commercial impact to the business, rather than some arbitrary level of security as defined by the IT industry. If your provider is unable to have this conversation on a commercial level, you have a major gap in your security strategy that is either falling short, or wasting money.
In either case, there are those who operate an effective security practice, and those that say they do security with their clients. The latter is far more common as Managed Service Providers (MSPs) look to create addons and low cost features to add to their subscription offerings in an effort to make them appear more valuable and appealing.
Whilst this technically passes the test for 'doing security', it commonly does very little in the modern world towards making an environment secure.
The most commons security features or addons provided by MSPs:
Whilst these are all essential components of a robust security strategy, simply having them does not ensure any real level of success in regard to cyber security. These features are common predominately since they are all low touch, automated processes provided by the remote monitoring and management systems that MSPs employ.
This is the functional equivalent of putting on a jacket and helmet before riding a motorbike. It will provide the comfort of feeling safe, but ignores all the other variables of safety such as weather conditions, the riders ability, the roadworthiness of the bike, adherence to speed limits, etc. All of which are just as important albeit much more difficult and costly to control.
Some of the hallmarks of an MSP that is truly providing an effective security practice include:
Ultimately if you decide that security is important to you, ie. it represents a big enough risk to justify investing in it, you need to understand the difference in the above to avoid wasting your money on false assumptions.
You shouldn't need to become an expert in cyber security to get the results you require. Your provider should be meeting you on your level to have these discussions.
Like any specialised field, you may not understand all that they do, but you can recognise a mature and competent person/provider in their field when you see them. You can recognise them by the way that they work, the logic of their processes, and ultimately the clarity and insight they are able to provide you regardless of your knowledge in the matter.
This is what great customer service and value is made of, and is likely a cornerstone in your business as it relates to your product or service.
The gap between good and bad is as broad as that of good to great. If you're not getting great clarity and results in regard to cyber security, you really need to assess your needs and consider that you may need to make a change.
Ignorance is not bliss in the realm of cyber security. Likewise, it's important to keep a good balance between security, functionality and costs.
If your unable to have this conversation with your provider, are intimidated by the topic or would just like an outsider's perspective; we would be happy to have a brief chat to get you pointed in the right direction.
Simply give us a call or book a time directly here https://calendly.com/ray-sweeney
The Internet of Things (IoT), has become a hot topic in the technology field. The exponential sophistication and adoption of devices have experts comparing this to the third industrial revolution from steam and power to computers, referring to this wave of new device usage as Industry 4.0 or the fourth iteration of industry as we know it.
IoT is already bigger than you might expect - from doorbells, security cameras, weather stations, smart workout gear, baby monitors, and even coffee pots are streaming data and connected to the internet. As with any cutting-edge technology, IoT does have its kinks that still need to be worked out. The biggest being the security threat that adding IoT devices poses to your network.
To read more on what is IoT: click here.
The problem with IoT device security is that they are easily hacked, gateways to your entire network, and can't truly be protected by just a firewall.
In the first half of 2018, Kaspersky IoT honeypots detected 12 million attacks aimed at IoT devices coming from 69,000 IP addresses. By 2019 that increased to 105 million attacks from 276,000 IP addresses. Attempting to block all malicious IP addresses would be a huge and ineffective feat. Just recently, a Senior Researcher with Avast hacked into a WiFi-enabled coffee pot, devised a ransomware attack, and deployed it, causing the coffee pot to spew coffee and make noise until it was either unplugged or the ransom was paid.
The old castle-and-moat approach to cybersecurity - building an effective and strong firewall perimeter around your network, hasn't proven to be effective since smartphones and mobile devices have made working from home or on the go so easy. The more devices you connect, the higher the risk of a breach becomes.
Here at Sensible, we encourage the usage of IoT devices. They can be substantial productivity boosters, excellent solutions for your business needs, and can help your business scale. However, whenever introducing new devices to a client's network, we have to be cautious and mitigate the additional risk they pose to security. These are the steps we take to do so:
1. Evaluate the current security approach
As mentioned, only having a firewall isn't enough anymore. If we encounter a client that has not yet shed the castle-and-moat approach, we start by shifting their security to a more policy-based approach. Basically, this means we are adding extra security on the drawbridge over the moat. For every attempt to access the data, we put policies in place to prompt the user to verify they are who they are and that they should be accessing that information.
2. Be selective
With the addition of every IoT device, the security risks increase. We caution our clients against adding devices that they don't necessarily need. You shouldn't have to be accommodating for threats posed by your office coffee pot!
3. Research your options
As the need for IoT devices increases, the market is being flooded by tons of new products. Just like in purchasing a new computer, you should do your research to understand if the device is good quality, has the features you need, is compatible with your existing systems, and can be secured. Working with an IT partner like us, we can make informed recommendations on what you should be looking for, and even source the devices for you.
4. Configure the IoT devices adequately
Once you have settled on the device you would like to add, make sure you have technical support when configuring it. The majority of devices do not come out of the box set up to be secure. We can help add additional security or enact the devices existing security measures to ensure it doesn't become a liability.
Client Success Story: Recently, we helped a medical research company implement video cameras in their lab so they could adequately observe and record sample changes 24/7. We were able to help them evolve their security approach, determine the necessary devices required to achieve the solution they needed, source cameras that were compatible with their existing network, could add necessary additional security and featured the live streaming and recording options the lab required.
If you have a business need, we can help you find a sensible solution. We love to help businesses improve by crafting and offering informed technology solutions. Book a call with us anytime, and we'd be happy to lend you our expertise.
If your business relies on Microsoft 365, you may have noticed that on Tuesday, September 29th, there was a multi-hour outage. Microsoft confirmed via their Twitter account that the "residual issue has been addressed, and the incident has been resolved." Still, for many, this was a wakeup call to the fact that they need to have a backup form of business communication.
Businesses are moving towards more modern workplaces. Many of our clients no longer utilise landlines and handle all communication electronically via platforms like Microsoft Teams, so when Microsoft 365 went down, they found themselves without any way to communicate to their clients or conduct their business.
For everything in life, to be prepared, you should always have a backup plan. In these cases of technology outages, we would recommend putting together a Disaster Recovery Plan detailing what to do if any of your virtual systems fail. That way if something happens, your business will be able to take it in stride with minimal interruption.
For example, in the case of losing your communication method of Microsoft Teams, your Disaster Recovery Plan should:
1. Plan how you will notify your team that the Disaster Recovery Plan is being enacted
2. Designate your secondary communication platform(s) for external communication and internal communication
3. Define where calls or messages should be forwarded to
4. Designate who will be in charge of setting up the call forwarding, be sure to include updated personal contact information for this person
5. Craft a generic message that can be posted to social media channels or on your website to inform your customers of the best way to reach you
6. Designate who will be in charge of posting your external messages, be sure to include updated personal contact information for this person and how to access the necessary accounts or website
7. Be shared with your team and kept in an accessible place so anyone can reference it if needed
If you are working with an IT provider, it is essential to share this information with them so they can help you adjust as needed if the time comes. Additionally, you can utilise their expertise to ensure your Disaster Recovery Plan is well detailed and sure to support you through a crisis. If your business could use help creating Disaster Recovery Plans for your solutions, we would be more than happy to help you out.