Cliffhanger on Selecting Managed Service Providers
My good friend, Jim Abbott at Ashton Technology Solutions read my last blog post about cybersecurity and pointed out something I think is worthy of a follow-up.
Wait a minute, he read my blog post? Woohoo! Yes! I have a reader. Thank you kind sir.
Oops, sorry for that transgression. What Jim said was that I left a bit of a cliffhanger when I wrote: To get started, reach out to your friendly neighborhood managed IT service providers. Do some research on which one meets your needs and is credible. Then hire 'em. The cliffhanger? Finding one that is credible.
So I said to Jim: Hey Jim! How about sharing a little something, you know, about how to screen for a credible IT service provider? And he did just that. You can read it below. He even provided categories of providers, broke selection down into two perspectives, and offered some pricing info. He’s a helluva good guy that Jim Abbott.
I hope you find his guidance as valuable as I did. Feel free to leave constructive comments, share with your friends & business colleagues, and let’s keep pushing for small businesses to Achieve Greatness.
When evaluating IT vendors, it’s important to look at the operational maturity of the organization you are looking to entrust your business operations with. Lower maturity organizations are reactive and lack the resources to stay on top of industry trends and threats, while high maturity organizations demonstrate clear process, procedure, and investment in training and security. Generally speaking, MSPs can be broken down into the following maturity levels:
One-Man Shows: these are very small organizations who often do a great job for their clients, but don’t have the manpower or bandwidth to both tend to their clients and keep abreast of what’s going on in the world of technology.
Value MSPs: in many cases, these shops still offer ‘break/fix’ or blocks of hours and don’t have set processes to run a business.
Bolt-On MSPs: i.e. accounting firms or web marketing firms who’ve added technology management to their list of services.
Mature Providers: firms with repeatable processes and procedures, whose sole focus is on technology management. These companies bring depth of bench to clients, through in-house technical resources. Billing is on a monthly subscription model, and the company does not have one person handling multiple tasks i.e. President/Head of Sales/HR/Chief Dishwasher.
Things to consider when choosing an MSP relative to Operational Maturity:
Do you consider technology to be an investment in the growth and future of your business, or a monthly expense? This goes a long way in determining what type of provider is best for you and your budget
MSPs are one of the top targets for cybercriminals. A hacker gaining access to one MSP now has access to all of their clients. Does the MSP undergo regular penetration and vulnerability testing, as done by a third party? If their security isn’t up to par, how can they secure your network?
Do they have standard policies and procedures for operations? Process, standardization, and documentation are key to how a good MSP works with its clients.
Do they offer ‘depth of bench’? When a one-man show is working with another client, on vacation, or having emergency surgery, how does your problem get solved? When a Value MSP is faced with a problem they’ve never seen before, is the engineering team qualified to find a solution?
What sort of investment is made in the team and the business? How does the provider stay ahead of the ever-changing technology landscape? Staff training, peer groups, industry best practices?
Do they have a published Service Level Agreement (SLA)? How long will it take for them to respond to your request for help and what is their goal for resolution? Based on our research, the industry norm is eight business hours to respond and 24 business hours (three days) to resolve. Is that fast enough for you?
Things to consider when choosing an MSP relative to Network and Data Security:
The lack of two-factor or multifactor authentication on their network and their clients’ networks is a huge red flag.
What sort of security solutions do they provide in terms of endpoint (formerly known as ‘anti-virus’) and firewall? If not using behavior-based solutions (those that look for specific concerning behaviors) and are instead providing those that alert only to known/defined threats, you’re placing yourself at risk.
What type of data backup and recovery solutions do they provide? All MSPs offer a backup solution, but the main question should be “how quickly can you recover my data and network” in the event of a breach or failure. Data should always be encrypted and backups should be tested regularly (with proof of the results). If sending your data to a third-party provider, you may be nothing but another number, and “we’ll get to you next week”.
How are they securing cloud email solutions such as Office 365? This is currently the number one security threat through phishing and business email compromise (BEC).
When it comes to pricing, the general per-user monthly fee for a mature MSP ranges between $100-$175. This is for a fully managed, fully secured, all-inclusive (excepting hardware and projects) solution. If a proposal seems too good to be true, it probably is. Those claiming to offer all-inclusive support and managed services for $60-$100/month are usually trying to get you in the door, hoping that you don’t bury them with support requests. The licensing they are supplying (endpoint security, monitoring, backups, etc.) is clearly of a lower quality, and economics prove that a business can’t remain profitable while still supporting clients at that rate.
This is where it comes back to the question of “Do you view IT as an investment in the long term growth and health of your business, or as an expense?” Not all providers are right for all businesses. If you value IT, then you should focus on those mature providers in the market. If you’re just starting up or still view IT as an expense or necessary evil, there are plenty of options from which to choose. Just because a provider’s website lists them as “The Premier MSP in (Insert Your City Here)” doesn’t mean they are. They just think they are!