
As an IT Managed Service Provider (MSP) we regularly meet with and consult for businesses in the SMB space. From manufacturers to not-for-profits, all declare that they are 'not tech savvy' people as they venture away from the comfort of what they know and understand. This self-declaration often leads people into decision-making patterns which greatly limit their capacity to make clear, confident decisions.

There are 3 common mistakes people make when evaluating and investing in technology and IT providers. All 3 ultimately stem from wanting to protect the business from being misled or oversold. All 3, however, come from the false assumption that not being 'tech savvy' puts the buyer at a disadvantage. The truth is that investing in technology and/or a new provider is a business decision, not a technical one. As such, a business leader should be well equipped to make confident decisions, provided the decisions are put in the right context.

In this article we would like to highlight these common mistakes and our advice on how to overcome them.


Mistake #1

Not evaluating the value of the objectives in mind

Many businesses understand when they have a problem with IT, but fail to spend the time to evaluate what that problem means to the business. Likewise, many business owners are aware of gaps in their provider's services, but don't evaluate what the business is missing out on while those gaps remain unfilled.

Most often this is due to poor consulting and advisory services on the part of the IT provider. In any case, all business leaders should be able to ballpark the value of a given issue or lost opportunity. Failure to do so results in impossible decisions, often leading to under-investment and the ultimate failure of the initiative.

As an example, in a business with 20 staff, would you invest $50k to upgrade technology that will increase speeds and reduce user frustrations?

If your answer is a straightforward yes, be sure to give us a call; but all jokes aside, this is an impossible decision to make. What will the increased speeds mean? In what way does improving staff satisfaction improve the business? Without exploring these effects you cannot easily determine the right course of action.

As a consequence, many business leaders feel 'forced into' IT spending based more on the seriousness implied by the vendor than on quantifiable commercial measures. This commonly leads to seeking alternative quotes and lower-cost implementations of the 'same thing', further complicating the decision and leading to underwhelming results.

Alternatively, what if you were faced with a decision to invest $50k to upgrade technology that will allow you to save 30-40 hours a month of lost productivity, reduce staff turnover and attract top talent? What if those same improvements also allowed you to shorten turnaround times with clients, improve your customers' experience and attract more referrals? Such a change could be worth $200,000 a year to the business, which would not only make this purchase a no-brainer, but could warrant even more investment.

The point is you can't evaluate ROI without understanding the potential return. Not being tech savvy should not preclude you from making sound investment decisions.

We would recommend that any organisation seeking to change provider or invest in a major upgrade first spend some time with internal stakeholders brainstorming the 'what ifs' and the benefits that would justify a change. This need only be a 30-minute meeting, but simply defining some goals will make evaluations significantly easier and more effective.


Mistake #2

Evaluating pricing irrespective of capabilities

It's amazing how often we get asked 'how much do you charge for your services?' before we have been asked anything about what our services are or include. It's unclear why this is, but whatever the reason, it is generally counterproductive.

Such questions further anchor the person's thought processes and lead them away from logical decision making. It is almost laughable when someone objects to higher pricing immediately after reviewing their incumbent provider negatively for being poorly trained, poorly resourced and slow to respond to issues. In reality, skills, experience and capacity are directly related to cost. Whilst exceptions exist, it's generally accepted that you need to invest more to get better outcomes.

Whether it be a new car, a kitchen appliance or a drink in a restaurant, it doesn't make sense to start with price. You should first assess what you need, find an option that best suits those needs and then be willing to make sacrifices depending on cost constraints and/or diminishing returns.

This behaviour is a common cause of businesses repeating past mistakes. To reference one of the most misquoted and overused phrases in business: repeating the same thing over and over and expecting different results is the definition of insanity.


Mistake #3

Looking for similarities, not differentiation

It's incredibly common to hear that someone is looking to compare 'apples with apples'. This approach is undoubtedly taken to simplify decisions around complex offerings. It runs contrary, however, to the fact that decisions are only made easier when there are clear differences between options. By restricting the scope to a set of common attributes, options tend to look very similar, making choices harder.

This also feeds the untrue narrative that all providers are much the same. As a result, many people believe MSPs are best evaluated according to comparable attributes such as price, company size, response times and industry experience. In reality these attributes are only indicators and have no direct effect on results, service quality or inherent capabilities.

Suppose you were after a new car with an automatic transmission, cruise control, reversing camera and automatic wipers. If you decided to blindly evaluate vehicles based on these attributes you would soon find yourself in a difficult situation. Compatible options could include compact hatches, SUVs, vans and luxury sedans. All things being equal you would only be left with price as an evaluator, most likely selecting the one priced just a little above the cheapest. Congratulations, your new daily city driver is a commercial van.

Of course this example is a little ridiculous, but it hopefully provides an adequate analogy of how dangerous it can be to focus on minor factors. Instead you should look for differences in capabilities, approach and results delivered to customers as they pertain to what you are looking for. Rather than asking if they are familiar with Microsoft 365, ask what challenges they have seen clients face when adopting 365. Avoid easy-to-answer yes/no questions like 'can you help us with advice?' and instead ask what approach they would recommend for creating an IT roadmap.

These sorts of questions will give some insight into the MSP's inherent capabilities and work culture. Just like interviewing for a new hire, you should focus on understanding their traits, personality and fit with your business rather than simply their quantifiable achievements.


Summary

In summary, none of the mistakes above is exclusive to technology decisions; they are simply more common when people feel out of their element. Technical decisions are ultimately business decisions. If you're being presented with recommendations in overly technical language and are finding it hard to make decisions, you may need to make a change to either your perceptions or the provider you're working with.

At Sensible, one of our core value propositions is in helping businesses make better business decisions. There are several elements to our service delivery model that allow us to make this happen. If you would like to gain a different perspective or learn about how your business could work differently with an alternative approach to IT then please get in touch.

Simply give us a call or book a time directly here: https://calendly.com/ray-sweeney

Is your business really secure from cyber threats?

There is a profound difference between feeling secure and being secure. Cyber security is constantly evolving, with its rules adapting every few months. Consequently, effective cyber security has become as much, if not more, reliant on process as on products. In other words, it's more about how security is managed than about the actual technology in place. So, if it's all about process, how does a small business that outsources its IT really know if it is secure?

The unfortunate truth is that most business leaders rely on blind trust.

Whether it be misplaced trust, ignorance, or a combination of both, most businesses are far more at risk than their leaders or owners are aware. This gap in understanding, and the resulting lack of action, leaves many businesses increasingly exposed to data breaches, data loss and insurance issues.


The Reality for Many Businesses

When outsourcing IT, many businesses quite rightfully expect that their provider is looking out for them on the cyber security front. Whilst this is generally accurate, there are many levels to cyber security. More often than not, the protection a business actually has is very different from where they think they are.

Effective cyber security requires clear communication of expectations and requirements between business leaders and the provider. Without regular dialogue, your security strategy is going to be misguided at best.

Your provider should be held accountable for communicating your exposure, providing recommendations, and giving you the ability to make clear and confident decisions. Commonly this dialogue is not routine, but is instead instigated either by the client in reaction to a director's concern, or by the provider in the context of a new product they have to sell.

If your provider is not driving the security conversation proactively then it is more than likely that your security is lagging well behind your expectations. Cyber security done well takes a lot of work; any provider working hard in this space is undoubtedly going to want to be talking to you about it.


What is 'secure'?

Being secure is like being healthy; despite everyone having a different opinion on what it is, you kind of know it when you see it. Likewise, it is important to define goals in the same way that you would with a nutritionist or personal trainer.

If you told a health professional you wanted to be healthier, you would expect them to start asking questions. Do you want to lose 10 kg? Do you want to gain 10 kg? Do you want to run a mile? Or do you want to climb a mountain?

Without understanding what you are trying to achieve, they would be ineffective in helping you reach your goals. Similarly, an IT provider needs to take the time to ask questions. They should understand the risks and the impact that a cyber attack could have on both the commercial and reputational elements of your business. Without this knowledge they are likely to provide little more than good feelings.

This is pretty easy to test. If you tell your provider that you are concerned about security and they immediately respond by explaining all the things they do to keep you safe, or worse, begin to sell additional products and uplifts, then they're not conditioned to listen to and understand your needs.

Some important things to consider when defining what 'secure' means to you:

  • What is the impact of downtime as a result of a cyber attack?
    A business with few transactions of high-value products often has less risk than one with frequent small transactions. Losing a day's transactions could create irreparable damage to customer relationships in some settings.
  • What is the impact to your clients in the event of a breach?
    Many clients are now imposing compliance requirements around various elements of data security. There could also be legal ramifications to a data breach.
  • Would you lose business if you had to declare a data breach to all customers and suppliers?
    You have an obligation to advise others if you experience a data breach. What reputational damage would such a breach create, and what may happen as a result?
  • What is your level of liability, and how are you protected?
    It's possible that directors may soon be liable for negligence around cyber security. Additionally, insurance companies are providing little leeway for businesses that are caught out.

The above questions, and others like them, are all about understanding exposure and risk. Ultimately it's these elements that should inform what 'secure' means to you. The standard of 'secure' should be driven by the commercial impact to the business, rather than some arbitrary level of security as defined by the IT industry. If your provider is unable to have this conversation on a commercial level, you have a major gap in your security strategy, which is either falling short or wasting money.


Separating the Wheat from the Chaff

In either case, there are those who operate an effective security practice, and those who say they do security with their clients. The latter is far more common, as Managed Service Providers (MSPs) look to create add-ons and low-cost features for their subscription offerings in an effort to make them appear more valuable and appealing.

Whilst this technically passes the test for 'doing security', it commonly does very little in the modern world towards making an environment secure.

The most common security features or add-ons provided by MSPs are:

  • Managed Antivirus
  • Managed Spam Filtering
  • Managed Backup
  • Managed Updates and Security Patches

Whilst these are all essential components of a robust security strategy, simply having them does not ensure any real level of success in regard to cyber security. These features are common predominantly because they are all low-touch, automated processes provided by the remote monitoring and management systems that MSPs employ.

This is the functional equivalent of putting on a jacket and helmet before riding a motorbike. It will provide the comfort of feeling safe, but ignores all the other variables of safety such as weather conditions, the rider's ability, the roadworthiness of the bike, adherence to speed limits, etc. All of these are just as important, albeit much more difficult and costly to control.

Some of the hallmarks of an MSP that is truly providing an effective security practice include:

  • Security Standards and Policies that are regularly reviewed and implemented.
  • Processes & regular audits designed to ensure that essential security software (as above) is not only operating correctly, but that their configuration remains consistent with changing policies and best practices.
  • Cyber security training & regular testing of users for potential vulnerabilities.
  • Compliance checks, configuration management and routine reporting of key findings.
  • Strategy & Advisory around key decisions to bring security in line with requirements.

Ultimately, if you decide that security is important to you, i.e. it represents a big enough risk to justify investing in it, you need to understand the difference between the above to avoid wasting your money on false assumptions.

You shouldn't need to become an expert in cyber security to get the results you require. Your provider should be meeting you on your level to have these discussions.

Like any specialised field, you may not understand all that they do, but you can recognise a mature and competent person/provider in their field when you see them. You can recognise them by the way that they work, the logic of their processes, and ultimately the clarity and insight they are able to provide you regardless of your knowledge in the matter.

This is what great customer service and value is made of, and is likely a cornerstone in your business as it relates to your product or service.


Summary

The gap between good and bad is as broad as that between good and great. If you're not getting great clarity and results in regard to cyber security, you really need to assess your needs and consider that you may need to make a change.

Ignorance is not bliss in the realm of cyber security. Likewise, it's important to keep a good balance between security, functionality and costs.

If you're unable to have this conversation with your provider, are intimidated by the topic or would just like an outsider's perspective, we would be happy to have a brief chat to get you pointed in the right direction.

Simply give us a call or book a time directly here https://calendly.com/ray-sweeney


The purpose of a password is to protect sensitive data from unauthorised access.

For a long time, to keep up this protective layer, we have advocated that employees create ever more complex passwords and change them even more often.

This is now wrong! What's the point of a password system if it makes employees' lives even more complex and doesn't even properly provide protection any more? Most current password practices were designed for a different age and are no longer fit for purpose. One enormous lesson that the COVID pandemic has taught us is that the work environment is now totally different:

  1. Systems and data used only to be accessible in a single office, on a single device, on a single network, where we could easily identify the trusted people.
    1. Now, many (unseen) people can work on many (known and unknown) devices on many networks on many different systems at many locations – how do you know what to trust?
  2. Cybercrime is now super-industrialised, which means old defences are easily and cheaply beaten. Bad actors can easily be profitable targeting individuals, let alone small businesses.
    1. Attacks will happen – so you need to contain and limit the spread and damage that will occur.

However, human nature is unchanged:

The more rules, complexities and changes you introduce, the more people will try to find an easy way around them:

  • Using the same password for every system – once it is known, everything is accessible!
  • Predictable changes in passwords (e.g. !Password1 just changes to !Password2, etc.)
  • Using the same special characters all the time ('!' at the start or end, '$' for 's', '@' for 'a', '1' for 'l', etc.)
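The substitutions and counter increments listed above all collapse to the same base word once you undo them, which is why an attacker who knows one password in the sequence effectively knows the next. The check below, an added example that is not from the original article, is the kind of rule a password-change handler can apply: it normalises the old and new password the same way and rejects the change when they reduce to the same base. The '0' for 'o' and '3' for 'e' substitutions are common extensions added here as an assumption; everything else follows the patterns the article lists.

```python
import re
from typing import Optional

# Substitutions the article lists ('$' for 's', '@' for 'a', '1' for 'l'),
# plus two common extensions ('0' for 'o', '3' for 'e') added here as an
# assumption. Undoing them lets 'P@ssw0rd!' and 'Password' compare equal.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e"})


def normalise(password: str) -> str:
    """Reduce a password to the base word a user is really reusing.

    1. lower-case, so 'Password' and 'PASSWORD' match;
    2. drop a trailing counter ('...1' -> '...2', or a year); this has to
       happen before the leet step so the counter '1' is not read as an 'l';
    3. undo the character substitutions above;
    4. strip any remaining leading/trailing symbols ('!' at start or end).
    """
    base = password.lower()
    base = re.sub(r"\d+$", "", base)
    base = base.translate(LEET_MAP)
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base


def check_password_change(old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None when the new password is a real change."""
    if new == old:
        return "new password is identical to the old one"
    if new.lower() == old.lower():
        return "only the letter case changed"
    base_old, base_new = normalise(old), normalise(new)
    if base_new and base_new == base_old:
        return "new password is a predictable variant of the old one"
    return None


if __name__ == "__main__":
    # Constructed examples of the patterns the article describes; not real passwords.
    for old, new in [("!Password1", "!Password2"), ("P@ssw0rd!", "Password"),
                     ("Summer2023", "Summer2024"), ("Summer2023", "orbit lantern forty")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```

The check only works at the moment of change, when the system briefly has both values in plain text; it is a complement to the passphrase and password-manager advice below, not a replacement for it.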


The new Best Practice Password System:

  1. Introduce 2-Factor Authentication for all systems (e.g. a separate notification on your smartphone to make sure it’s you).
  2. Passwords should be a small phrase (not a single word) that contain no personal information and are easy to remember – e.g. the first few words of your favourite song.
  3. Use a password management system so you can easily have different passwords for every system and not have to remember them.
  4. Introduce risk-based protection and analysis:
    1. Automatically report or block any logins from locations you will never travel to.
    2. Automatically restrict what unknown devices can do with your data – e.g. if a device is unmanaged, don't allow edits, downloads, etc.

If you do this, then:

  1. Passwords can stay small – around 8 characters in length
  2. Passwords rarely need changing at all (every 12 months or only if a breach is suspected)

Even better, with the right computer equipment you can now get rid of passwords altogether when using a trusted device. Your employees will really appreciate the difference, and your security will now actually work!

If you need help, feel free to give us a call; we're happy to lend our expertise to your organisation.


Microsoft Office 365 has proven itself to be one of the foremost business-level office solutions in the world, regardless of industry. It’s a set of tools that companies and MSPs all over the world utilise and promote—but that doesn’t mean it’s perfect, and it definitely doesn’t mean that people have mastered and taken advantage of all of its features. Unfortunately, one of the most important aspects of IT management is neglected in most Office 365 implementations: cybersecurity.

Here in Australia we’ve seen a number of high-profile successful cyberattacks in the past few months; Toll Group suffered two attacks, BlueScope Steel was hit by an attack that forced them to shut down operations company-wide, and money management company MyBudget was hacked, causing a nationwide shutdown that left over 13,000 customers financially upset.

If companies of that size are able to be hacked, so can your organisation—you cannot assume that your standard firewall and antivirus combination will keep you safe.

This takes us back to Office 365, which has a variety of security features that many organisations are not aware of, and therefore do not utilise. With more and more organisations moving to Office 365, there are more and more people not optimising their environment or taking the next steps to protect themselves. When we consider the growth and staying power of remote work environments, it becomes an even higher priority.

A Case Study

In our years of experience, we've run into a few cases where a company adopts Office 365 out of the box and experiences a form of cybercrime they thought they were safe from. In one case, a malicious actor was automatically forwarding every email the employee received to the company's competition, including sensitive personal and financial information. Office 365 has a security feature that can alert the user and/or administrator if company emails are being forwarded outside of the organisation, or if there is other strange behaviour, but this feature is not enabled automatically. The victimised company in that case was being spied on for two weeks before they found out; not many companies come out of that with revenue and reputation intact. If they had looked into their cybersecurity options, rather than assuming that Office 365 automatically secured everything, this could have been mitigated or avoided entirely.
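The forwarding-rule problem described above is also easy to audit independently of the built-in alert. The script below is an added example, not code from the original article or from Microsoft: it walks a list of inbox rules in the shape that Exchange Online PowerShell's Get-InboxRule returns (MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage), assumed here to have been exported to JSON, and flags any enabled rule whose target address belongs to a domain the organisation does not own. The internal domain and the sample rules are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Domains the organisation owns; constructed for this example.
INTERNAL_DOMAINS = {"example.com.au"}

# Exchange Online renders rule recipients as '"Display Name" [SMTP:address]';
# the parser also accepts a bare address.
SMTP_RE = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)


def recipient_addresses(values: Optional[Iterable[str]]) -> List[str]:
    """Extract lower-cased SMTP addresses from a ForwardTo-style property."""
    addresses = []
    for value in values or []:
        match = SMTP_RE.search(value)
        addresses.append((match.group(1) if match else value).strip().lower())
    return addresses


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def find_external_forwarding(rules: Iterable[Dict]) -> List[Dict]:
    """Flag enabled inbox rules that send mail to an address outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        targets: List[str] = []
        for prop in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets.extend(recipient_addresses(rule.get(prop)))
        external = sorted({a for a in targets if is_external(a)})
        if external:
            findings.append({
                "mailbox": rule["MailboxOwnerId"],
                "rule": rule["Name"],
                "external_targets": external,
                # A rule that also deletes the original hides the forwarding
                # from the mailbox owner, so it deserves a higher priority.
                "deletes_original": bool(rule.get("DeleteMessage", False)),
            })
    return findings


# Constructed sample in the shape of a Get-InboxRule export; not real data.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com.au", "Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ['"Bob Lee" [SMTP:bob@example.com.au]'], "DeleteMessage": False},
    {"MailboxOwnerId": "carol@example.com.au", "Name": "Forward all", "Enabled": True,
     "ForwardTo": ["[SMTP:inbox@competitor-mail.test]"], "DeleteMessage": True},
    {"MailboxOwnerId": "dave@example.com.au", "Name": "Old forward", "Enabled": False,
     "RedirectTo": ["dave.home@mail.test"], "DeleteMessage": False},
    {"MailboxOwnerId": "erin@example.com.au", "Name": "Invoices", "Enabled": True,
     "RedirectTo": ['"Erin" [SMTP:erin.home@mail.test]'], "DeleteMessage": False},
]

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_RULES):
        print(finding)
```

Run against a real export, the two findings here would be the rules to review with the mailbox owners; a disabled rule such as Dave's is skipped because it sends nothing, but it is still worth asking why it exists.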

Noteworthy Office 365 Security Features

Another form of security that Office 365 supports is "impossible travel detection". In an impossible travel scenario, the system detects logins being attempted from different geographic locations within a timeframe that you couldn't physically achieve; for example, a login attempt in London followed an hour later by another from New York. This is impossible travel, and it's a major indicator that someone is trying to hack your account. There are tools to detect these things and alert the proper individuals, but again, these are not automatically turned on. You need to set them up specifically.
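The London-to-New-York case above comes down to one calculation: the distance between two sign-in locations divided by the time between them. The script below is an added example, not code from the original article or from Microsoft's own detection, showing that calculation over a handful of constructed sign-in events (user, timestamp, approximate city coordinates). It uses the haversine great-circle distance and a 1,000 km/h ceiling, chosen here as an assumption because a commercial airliner cruises at roughly 900 km/h; consecutive sign-ins by the same user that would require a faster trip are flagged.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List

EARTH_RADIUS_KM = 6371.0
# A commercial airliner cruises at roughly 900 km/h, so a legitimate user
# cannot sign in from two places whose implied speed is much above that.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees, in km."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(first: Dict, second: Dict) -> float:
    """Speed the user would have needed to travel between two sign-ins."""
    distance = haversine_km(first["lat"], first["lon"], second["lat"], second["lon"])
    hours = (second["time"] - first["time"]).total_seconds() / 3600
    if hours <= 0:
        # Two places at the same instant: infinite speed unless they coincide.
        return math.inf if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(events: Iterable[Dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Dict]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    findings = []
    for user, signins in by_user.items():
        signins.sort(key=lambda e: e["time"])
        for first, second in zip(signins, signins[1:]):
            speed = implied_speed_kmh(first, second)
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": first["city"],
                    "to": second["city"],
                    "minutes_apart": round((second["time"] - first["time"]).total_seconds() / 60),
                    "speed_kmh": None if math.isinf(speed) else round(speed),
                })
    return findings


def _t(hour: int, minute: int = 0) -> datetime:
    """Helper for the constructed timestamps below (all on one UTC day)."""
    return datetime(2022, 3, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sign-in events with approximate city coordinates; not real logs.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com.au", "time": _t(9, 0), "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice@example.com.au", "time": _t(10, 0), "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob@example.com.au", "time": _t(8, 0), "city": "Sydney", "lat": -33.8688, "lon": 151.2093},
    {"user": "bob@example.com.au", "time": _t(10, 0), "city": "Melbourne", "lat": -37.8136, "lon": 144.9631},
    {"user": "bob@example.com.au", "time": _t(10, 10), "city": "Melbourne", "lat": -37.8136, "lon": 144.9631},
]

if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_SIGNINS):
        print(finding)
```

Bob's Sydney-to-Melbourne hop two hours apart is about 700 km, well within a normal flight, so only Alice's London-to-New-York pair is reported. In production the coordinates come from the sign-in log's IP geolocation, which is approximate, so the speed ceiling should be generous enough not to flag a user on a VPN exit a few hundred kilometres away.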

While those tools (and others like them) are less known or understood, there is one security feature that almost everyone is aware of, and which also isn't activated out of the box: Multi-Factor Authentication (MFA). With MFA activated, users are required to validate their login attempt via another system; this could be a text message, a smartphone app, or a token. While MFA does add another step to every login, it also adds an impossible step for any hacker or social engineer who manages to get hold of your password. If they don't have both your password and your smartphone, they can't get into your account to cause problems. Sensible recommends always implementing MFA.

Another major misconception and point of neglect with Office 365 is the assumption that data stored in OneDrive or other cloud-based solutions is backed up. Microsoft only supplies a short-term recycle bin. They do not supply backups at all; this is up to you to arrange. Just because you are working in the cloud does not mean your data is immune from accidental or intentional data loss or corruption.

So what can we do? Sensible is happy to work with you to improve your cloud defences and cybersecurity solutions, whether it involves an Office 365 subscription or not. We begin by discussing your current environment, and business, before auditing your company for security risks. Once we’ve audited your network and identified your weak points, we can work with you to improve. Whether there’s a certain cybersecurity benchmark you want to hit, or if you need to meet regulatory compliance criteria, we can help you get there.

If you’re interested, feel free to give us a call; we’re happy to lend our expertise to your organisation.

Sensible Business Solutions © 2022 All Rights Reserved