Transcription

Speaker 1 (00:11):

Hello, thank you for joining us, uh, on our live stream today, um, where we help educate business owners on what to expect of their IT support. And right now I have Gary with, uh, in green. Uh, it joining us. Hello, Gary, how are you doing today?

Speaker 2 (00:30):

Pretty good, Chris. How about yourself?

Speaker 1 (00:31):

Doing well? Uh, you and give us a, a quick overview of, uh, of your company.

Speaker 2 (00:37):

Sure. And grain has been around for about 14 years. Although my personal experience goes back way to the, uh, eighties. Um, we're a managed service provider, MSP, so we do flat-rate IT for our customers and become their in-house IT department, even though we're outsourced. So,

Speaker 1 (00:55):

Yeah, very good. Well, thank you for, uh, joining us today and our topic that we're going to be discussing is the, uh, uh, warning signs or red flags to look out for, with your existing IT company and kind of what you should expect, um, you know, of them. Uh, so these, these topics or items that we're going to be going over, you can, um, use that information to talk to your IT company and just to make sure you don't get caught in kind of bad situations. Um, so, uh, you know, it's, it's, it's gonna be helpful for just any type of, of management, uh, business owners. Um, we just want to help educate and have you guys keep your company safe. Um, so, um, on these, these warnings, uh, Gary, um, are there any, uh, I'm just trying to think of like an intro here on anything just overall that you've experienced. I mean, have you seen these types of issues where you're doing onboarding and you're like, oh my gosh, I can't believe, you know, this IT company never did this or, or that, or

Speaker 2 (02:07):

I think it's a common occurrence. I mean, I don't think we've had an onboarding yet where there hasn't been some issue we've looked at it and said, how did this exist for so long? Um, an example was a backup that was actually doing incrementals for over four years. Oh yeah. Which means you have to go back to the very first backup and restore that and incrementally backup every single day for four years if something went wrong and

Speaker 1 (02:34):

There's no. Did any of those points failed then? The whole thing is worthless. Okay. And

Speaker 2 (02:38):

There is no visibility to that by a non-technical person. So if you're the business owner you're expecting, the backups are done and the technical person is going, oh yeah, we're handling backups. But until somebody gives visibility on what does that mean from a continuity standpoint and start asking the questions, what happens if my server fails? How will I be down? And most organizations, especially business owners don't know what questions to ask. So they're really at the mercy. So an IT provider should be very upfront and make that a very routine conversation with you.

Speaker 1 (03:14):

Yeah. Yeah. It's, it's, uh, I think, you know, kind of what you're, what you're saying I totally agree on is, is, you know, you hire someone to do a job for you, IT, and you just expect that they're going to be doing everything correctly, staying on top of everything. And a lot of the times it's just totally not the case, but you, you don't know that. Right. So we don't expect business owners to know the technical side, but, um, you know, open communication is a big item and like on backups, uh, just asking maybe even quarterly, can you give me a backup report? Just talk to me about your backups. You know, they don't have to get technical, but can you show me, uh, um, reports of, uh, success and fair failures that you've addressed? Right. Um, get an idea.

Speaker 2 (04:04):

Well, the other thing about backups, we discovered too, and I think all the partners that I know manage this the right way, you gotta be very leery of a small business owner when an organization is home growing some backup solutions. I mean, for sure there are definitely pitfalls with that. You don't get the support. Um, you don't get the, you know, the brand behind it, the longitude putty, the kind of reoccurance of what happens. If certain things are a corner problems, when you're a good man, a service provider emit, and you go back and find the right partners, there's very good confidence and experience with those tools and you know, where the stuff is being stored. Right. You know, it's being stored in secure data centers. It's not in some server rack in an open office, right. In Joe blow its environment. That is a dedicated storage facility that's secure and has compliance behind it.

Speaker 1 (05:05):

And not just some yeah. Right, right. But you got to ask the question. Yeah, yeah, yeah, yeah, yeah. That's great. You know? Yeah. Where's my backup being stored. Is it at your office to where if you got robbed, my backups are gone or there's a fire, my backups are gone or you just, I don't know, stuck a fork and electrical socket and fried your lecture. Cool. Right back. Yeah, exactly.

Speaker 2 (05:29):

How do I know that my data as a customer of yours is actually being isolated from other customers' data in the right way. Right. How do I know my encryption key is different than ABC company's encryption key? I don't know unless I asked those questions or unless the service provider actually uses that that's part of their posture. Right. It's, it's something that they know is important and they're upfront and transparent that these are things that we do to protect you and your data and your business in multiple ways that it's not just about the restore. It's also about protecting the data as it sits at rest versus moving up to the backup server.

Speaker 1 (06:11):

Yeah. Yeah. And I, I know some, some IT companies that, that do exactly that they're backing up, you know? Oh yeah. We're, we're taking full snapshots of your server, but they're just transferring it to another server right. In their office. And to me, that's, that's one of those big red flags. Um, they're, they're trying to cut costs, but the potential impact, if something goes wrong is huge.

Speaker 2 (06:37):

Well, for sure. And the other aspect of that, there's a big difference in conversation when it comes to backup and file recovery versus business continuity, and most traditional providers still talk the language of disaster recovery. So they're saying, Hey, I can restore a file from you from the cloud. Well, when a server fails, what is the dialogue and the plan in those environments? Good IT providers not only talk about the technology, they talk about the procedure and process. Where do people go? When, if you're a hospitality company know company and all of a sudden your servers down, what's your standard operating procedure in that case, do they start writing hand chips? What's the process. Cause as soon as you don't have that process in place, even if it's temporary, you have a big loss of productivity from people, but if they have a plan and they initiate that plan, which is part of an ongoing conversation, productivity loss is minimized even without the server, there's still ways to continue business function until the server function is restored again. And most people don't talk about those things. It's not part of an ongoing strategic dialogue.

Speaker 1 (07:47):

Yeah. And making sure someone is always available to take action on it, uh, as well. And just, uh, you know, response times expected downtime, uh, and all that. Yeah. Good, great points.

Speaker 2 (08:01):

And you know, the other aspect that ties into that is talked about tool sets with open source technology. It's easy for people to start the homegrown on some type of technology, which is good, but there's also an investment by MSP providers that say, when I go with a vendor, I want to make sure that there's integrity and support and security behind it. That usually requires paying for a specific tool. So that's another question to ask, are you adjust, you know, are you fronting this and doing all the labor in the back or are you actually working with the partner? Because the one thing you find about most of us MSPs, especially as it evolves in a skillset, we can't do it all and finding the right expert in the right area, solidifies both you as a customer, your confidence that the tools and the functionality is being performed, but should also solidify the fact that a provider knows their limits and they play to their strengths and find partners that actually played their weaknesses. So as a customer, you get a very comprehensive solution. Not just I do it all because no IT company can do it all today.

Speaker 1 (09:08):

Yeah. Yeah. Like, yeah. If they have their own flavor of backup program, they made, uh, I mean, think of their, their skillset of even programming that, um, on bugs and discovery, you know? Oh yeah. We, it says it's been backing up, but actually there was this bug and this program.

Speaker 2 (09:26):

Right, right. Well, and think about it, right. Uh, Malcolm Gladwell, as she said, it takes about 10,000 hours to become an expert in something. Right. So those of us in the IT space who really do this, that 10,000 hours for us is actually been a fast paced, dynamic change that has been going on for years. Even with that experience, there are things that we're constantly learning. Right. So if you take that into very specific spaces like programming, whatever else, how can one person again, know it all. So you try to find those right partners that actually fill that gap. So the customer knows they're being protected because you have those experts in skillsets. When it comes down to the rubber, meets the road, Diggy down to the minutia detail, there is a true expert that can actually help and assist them.

Speaker 1 (10:13):

Right. Right. Yeah. And kind of a lead into one of my next points is a good question. Okay. What if my server does go down and you're restoring it, uh, is there extra costs to that? You know, knowing, uh, what you're, you're going to be paying before something happens, you know, are you going to be billed, okay, now we're billing for after hours and we're going on site and we're replacing this hardware Nelson, it's this, you know, several thousand dollar extra project that, you know, it's not necessarily your fault, even that that server had a hardware failure, but you're going to be dishing out thousands of dollars for it, uh, just in labor.

Speaker 2 (10:54):

Right. And I said, go back to Muhammad Ali on this one, right? That's, that's the rope-a-dope. A lot of, you know, MSP providers or should say, non-MSP providers break fix. They will actually give you the allure of cost control and some other things. But at the downside of when something happens, you're going to pay for it. And in our experience as an MSP provider, the last conversation I want to have with the customer, when everything is falling apart and there's chaos and silliness, oh, by the way, this is going to be a billable event. And I don't know what it's going to cost you, but it's going to cost you a lot because there no. Right. Right. And for us, it's about skin in the game, you know, we're trying to minimize your risk and take as much interest in that makes making sure you're up. Then you're actually contributing financially, which also means you have an obligation of the customer to make those right investments. So we can effectively do that as well. So there's a balance there, but again, most break companies don't look at it from that perspective. It's very, one-sided meaning that if something takes place, they're going to make a lot of money and you're going to lose a lot of productivity. So you've got to find the right provider that balances them.

Speaker 1 (12:06):

And in those situations, not really have any choice in the matter. I mean, you're down, you have to get back up. Right, right. Yeah. It's kinda, yeah. It's putting them in a bad, very bad situation that you're basically taken advantage of.

Speaker 2 (12:21):

And most of the time you'll find in the situation that we've been brought into the IT providers weren't actually diligent in advance to drive and talk about investing in technology, budgeting for replacements that have specific time budgeting for and planning for replacement of a line of business application or upgrade of a SQL server license or whatever else. So when those events take place, it's because things have gotten to the point of so aged they've now really extended the return on investment to the point where they've increased their risks significantly. And nobody has those conversations in advance. And those are a very big dialogue to have. The more you play on, even if it's one year, two years, three years, the better prepared you are to make sure that you're investing in the right things at the right time and maximize no leverage on your investment.

Speaker 1 (13:13):

Yeah, totally. Yeah. Another, um, item that I have listed, uh, to review, and I actually see this quite a lot is you're, you're talking with an IT company or a, uh, a business and let's just say, you've done, you know, the sales pitch. And they're like, yep. You know, let's start w we got changed IT companies. And so you're doing onboarding you say, okay, do you have, you have all this equipment, all these servers, networking equipment, you know, whatever. Um, do you have any documentation or passwords? Oh yeah. Yeah. My IT company has that, you know, okay, it's your stuff, you know, it's your company, your infrastructure, you need to have documentation yourself. And sometimes, you know, they'll go and ask for documentation, but they'll provide them just a very small amount or refuse, uh, to give you a copy. And that's just another huge red flag to me that I, I just see it happen so often is the IT company is not collecting any documentation and not giving you a copy of it.

Speaker 2 (14:22):

Well, I mean a good IT company, especially if it's a true win-win partnership wants that documentation available on both sides, right? Meaning that they have access to it and the customer has access to it. And IT companies should never actually hold hostage data required to manage a customer's infrastructure. Because as soon as they do that, it's not a true partnership, right. Again, it should be transparency. If I'm doing my, you know, a good job as an MSP, as a provider, you may never need to use those passwords, but in the event that I'm not whose fault is it, it's actually the IT provider's fault and you should have access to those things. So you can make your business decisions and not have to feel like, oh, if I, if I want to make a change, I don't have access to that. So you have to stick for fear of, you know, being locked out. You should always have access to your administrative passwords, your backup passwords, or at least consistent visibility. And knowing that if you request for them, they can provide that information, you know, within minutes notice.

Speaker 1 (15:26):

Yeah. Because another thing to think about say, okay, you know what, I'm paying them to do that. So, you know, I'm trusting them, uh, to have all that, uh, in place. What happens if all of a sudden they close down, they go out of business or the, your main tech goes on vacation or quits or moves across the, you know, the US or whatever now. Right. You have nothing good point. Yep.

Speaker 2 (15:52):

I mean, it's it's. And the other question to ask is how do you document those things in your system? Not only from a security perspective, but what is your policy internally? So that way, as an example, a technician leaves, right? Sometimes we get what I like to call it, geek attachment, right? Customers, especially other MSPs. If there's a high-level technician, these customers will actually attach that one particular geek. And that geek knows it all about their environment. They know the passwords in the environment, they know the nuances of the environment. But if that person leaves, if that person had a family emergency, if that person goes on vacation, you are no longer able to be supported. So it's actually an organizational responsibility on both sides to know that information is being captured, documented, and available as necessary so that you get the support you need when you need it.

Speaker 1 (16:48):

Yeah. Yeah. I've even heard of a situation where there was a, um, one-person IT company. And I mean, unfortunately, but the guy died and he wasn't giving out any documentation. So now these companies were in a position to where they had to find a new IT company, you know, right away. But they also could not give them any passwords in any documentation. And it can just put your company in a very bad state. Right.

Speaker 2 (17:16):

Here's the other aspect of it when you actually see the passwords and you understand how things are being established from a pattern perspective, just based on what's going on with the news, you may find that your provider is actually using weak passwords in your environment. Right. And without that visibility, you'd have no idea. So it also becomes a secondary check to you. They go, Hey, what are our passwords? Are they secure? Right. 12 or more characters, depending on the implementation server, more, if it's a, you know, a higher end security device, whatever, but at least, you know, you're starting to see some minimum requirements of length and complexity that you would even have visibility on if they weren't providing the documentation.

Speaker 1 (18:02):

Yeah. And then getting regular copies is the other side of it. You know, if they're doing their job right. They're changing rotating passwords. Um, and just keeping up-to-date with newer copies, you know, manually, or, you know, at least in some regular form. Um, yeah. Yeah. And yeah, that's just probably one of the biggest things that, that we have seen around here. Um, and that kind of leads into no, go ahead.

Speaker 2 (18:34):

And I was going to say that, you know, the next segue from documentation perspective, we've talked about backup. We've talked about documentation. You have to go to the security context now as well. Right. Cause it used to be the days you could put an anti-virus tool on, and that's all you needed for security, but now based on defense in layers, if your IT provider isn't looking at a posture of risk reduction by layering security for you in providing expertise within that stack or broadened expertise to make sure that things are being managed and monitored, uh, you're probably not secure, right.

Speaker 1 (19:15):

Yeah, for sure. Um, and yeah, this, this leads into my next item is, is keeping in communication with your IT company. You know, if they're, if they're, um, you're only hearing from them when you've called them to report a problem, uh, it's another just huge red flag, you know, you need to be having regular communication. Um, you know, uh, QBRs is, uh, you know, quarterly business reviews, um, are really help. Um, but yeah, just, just, uh, you know, staying in the know of what's going on, does it have to be on technical sense, but, uh, you know, tell me about what's what's been going on in the last three months in, in my company, you know, what issues that you've been seeing, um, how has our security, you know, show me some reports information. Yep. And, and just having that dialogue can really open up, uh, of yeah. You know, we've actually been having this reoccurring issue. Okay. Well, let's talk about that, you know, um, let's, let's find out what the root cause of that issue is.

Speaker 2 (20:18):

Yup. Yeah. I went to one of our six key areas you focus on is actually the word presence, right? With the tools nowadays from an IT provider, you can do a lot of work remotely, remote work, doesn't provide you presence of your environment. And it doesn't actually help, you know, confidence with who's bringing in who and, you know, we have this different employee who's coming. So we always focus on, I should be in present for our customers on certain intervals. So one day it may be one of my techs. They're looking at some things, we do a server check every time we go onsite, because we want you to see that besides remotely watching that server, maintaining stuff, we are physically looking at that environment and making sure that we are documenting and understanding what's going on with different things.

Speaker 1 (21:02):

Right? Yeah. Say, um, you know, for example, for whatever reason your monitoring had a bug in it, or just didn't report a hard drive, failing issue, walking into that server room, just putting eyes on those blinky lights, you'll see that one is amber. And you know, that way you can catch it before it actually causes further. We have

Speaker 2 (21:23):

Absolutely experienced where the RAID software reporting did not report a failing hard drive. And when you physically did the inspection, you saw the ambers, even though the software itself was showing the drives actually working conditions. Um, Nope. Very key physical inspections are an important thing. Yeah, for sure.

Speaker 1 (21:45):

Um, last item I had on my list, which I find it, I mean, it's, it's sad, but it's just another big one for me is that IT companies say, oh yeah, you know, we, we manage your system remotely and we're monitoring and we're keeping up on all this stuff, you know, seeing a threats or watching your backup, but then when you actually ask them to report any of that information or as us, another IT company, we come in and you say, oh yeah, we were told our backups are great. And you look, and there hasn't been a successful backup in three months, six months. I mean, I've, I've, I've come into those situations. And the owner is always just so surprised and sometimes I've been brought in because it was too late, you had a failed, uh, you know, failed server and you go and look at those backups that were supposed to happen and they just haven't been run. So the, you know, IT companies say they're, they're, they're monitoring. Maybe they are, maybe they're getting these alerts. Maybe they're just too busy to do anything about it, but it happens quite a bit. And it's on the security level backups, uh, patch management, um, just all kinds of not actually doing anything about the alerts.

Speaker 2 (23:00):

Well, and I think that goes back to the conversation that, you know, at some point you have to be responsible as an IT provider to actually deliver what you say and based on everything becoming so largest scope, you have to find the right expertise or the right tools. And you can't rely solely on automation. Uh, one of our partners block works actually talks about how it's automation with human validation. And I think that's key. The other thing that's key, which is also block works rebels. He actually says 90, 90% secure is a hundred percent insecure. And I think that's the posture that you want an IT provider to start looking at. It's not up to you to go to your IT provider and say, Hey, look, I think I have a security vulnerability. It's actually up to the IT provider to say, Hey, these are things we're doing. And it's a very active posture so that you understand, where are you from a risk perspective? What are the things that you can invest in to mitigate that risk? What are some trainings or behaviors you can change within your organization staff to mitigate your risks? And if you're not talking about those things driven by the IT provider's dialogue, you're not going to have a successful security practice for your organization.

Speaker 1 (24:12):

Yeah. And expectations is another part of it knowing, uh, you know, in this situation, what to expect or who to go to, or, you know, to what level of security I actually am.

Speaker 2 (24:25):

Right. And even talking about, you know, what anti-virus do you use? How do you manage that? I've actually come into environments where there's been no antivirus or any type of security tool installed at all the devices

Speaker 1 (24:40):

And no idea boarding or something. Yeah.

Speaker 2 (24:44):

Oh no. The posture was that Windows Defender was good enough. It may be good enough. Our posture is we're not going to take that risk. We're always going to have something secondary that we know has been advancing truck. Yup.

Speaker 1 (25:00):

Okay. Yeah. You know, that's, that's, that's great. Um, yeah. Do you have any, uh, other closing comments or anything before we, we wrap up,

Speaker 2 (25:11):

You know, I probably the biggest thing that we see with other IT providers is watching, if you ever so often see a salesperson come in and block and tackle, when it comes to you, getting IT support that you want now engineered technical resources, we can put you understand, or certain ones that you don't want direct contact to, from an MSP perspective to the customer. But if every dialogue has the potential to be a dollar exchange, that provider probably isn't working within your best interest. So it's nice to have a good relationship with the people there from a sales perspective, but you really want to be able to have a good relationship and understand that anytime you call for tech support, I'm getting a technician. When I dial that support number, it's not being converted to a ticket swung over to the account manager for review before things started getting help. I seen this a lot, one of my last onboardings, I felt like I had dealt with the account manager more than ashy dealt with the technical people at the company.

Speaker 1 (26:18):

Hmm. Yeah. It's interesting. Just trying to, to throw in more, more charges and more opportunities for them.

Speaker 2 (26:25):

Right. And there were the ones who controlled most of the data exchange when it came to passwords and everything else. I mean, to me, my engineers have a way greater protocol when it comes to managing data security at rest in transit than, you know, maybe some account may have in another company. Right. There's different barriers to how data is actually provided privilege. Right.

Speaker 1 (26:52):

And proper way of exchanging that data too. I've had IT companies just, oh yeah. Here's some passwords that we have and they'll just email it straight to us in plain text. I'm like, wait.

Speaker 2 (27:04):

Yeah. There's, there's a very, there's, there's a reason why we have best practices. And you want to make sure that your IT provider is following those best practices because that's your data being put out there at non-encrypted or secure ways.

Speaker 1 (27:19):

Right. Yeah, for sure. Um, was a last, um, kind of closing item. I want to offer everybody an ebook that we put together. And so I'm not great at book titles, but I named it 11 Security Steps Your IT Is Not Doing and Why It's Critical to Start Now. This is a collection of again, non-technical like, like what we've been talking about. Um, but it is exact items that over the years, you know, we've been in business over 10 years now that we've just very commonly found that we've done onboarding than helping a company and keep finding that their previous IT company, which is not doing these and they're, you know, very big, uh, um, items that have to be addressed. And so this was just will be a talking point with your current IT company where you can just ask them simple questions and get responses and kind of correct, you know, these, these mistakes, but

Speaker 2 (28:20):

That's probably a key point, Chris is that you're framing the dialogue. So customers know a question to ask their providers.

Speaker 1 (28:27):

Yeah, yeah, yeah. This isn't a, uh, you know, you have to work with us to get this. This is you can take it to anyone you want and it's opening up communication or dialogue. Yeah. Um, well Gary, thank you very much for, uh, for joining us and, um, hope to have you on again soon.

Speaker 2 (28:46):

Sounds great. Thank you. Have a good one. Take care. Bye-bye.