
Working Against Each Other: Break vs. Fix

When you were a kid, did you have a bicycle? If you did, I’m sure you can recall the thrill of zooming away from home, feeling the wind in your face as well as the freedom of personal mobility. But all that freedom ended when you got a flat tire. If you were handy, you repaired the innertube yourself. You popped off the tire, found the leak and patched it with glue and a piece of rubber. In no time you were back on the road, off to find your next adventure.

These days, you run a small business that’s doing pretty well. Everything runs smoothly, that is, until a server crashes or your network goes down. You’re still following the patching approach with the technical issues around the office, trying to repair things as they happen. And, yes, that strategy may work for a while, but just like that innertube, your business won’t run if it has too many leaks.

SMBs have many reasons why they let the technical portion of their business exist on the Break/Fix model. But is it really the safest way to ensure that your business keeps running? Maybe, up to a certain point of growth. But there will come a time when the breaks are outnumbering the fixes and your budget gets out of control. So, what are the other options? Let’s explore five reasons why small businesses are timid about signing contracts for Managed IT Services, as well as offer a few solutions:

COST

Of course, cost is always the first reason. Some business owners find it difficult to see the logic behind paying a monthly fee whether they use the service or not when they can simply call on a Break/Fix provider when they need it. But they need to understand that they are using the service every day, through overnight software updates, constant spam filtering, and 24/7 system monitoring. And when something does break, it gets fixed much more quickly. Thanks to proactive monitoring, costs of downtime are drastically reduced.

TRUST

It’s scary to sign up with an entity you don’t know. Your business workstations and network are what keep you in business, so it’s not easy to entrust them to an unknown service provider. The best bet, of course, is to get recommendations from friends or other business owners. And it’s easy to do a quick Google or Yelp search and read some reviews before you make your decision.

BUDGET

I know you’re probably thinking that budget is the same thing as cost, and they do go hand-in-hand, but the difference is that a Budget is something you can plan for. Unexpected Costs are what you’re trying to avoid. With a Managed Services Provider, you can budget the cost month to month, year to year. You can factor it into each yearly budget which will help you plan for company growth and expansion. On the flip side, if you’re still operating under the Break/Fix model, you can really rack up some unexpected bills quickly. Bunch together too many of these surprises and your plans for growth may just go down the drain.

URGENCY

When something in your office stops working, you must get it fixed and up and running as quickly as possible. Downtime is money lost! If you don’t have a regular IT person you usually call, then you’re searching the internet for whatever Break/Fix provider is available. You’re hoping to get the best Tech you can, but in all reality, there is a very good chance you’ll get an average Tech, or maybe even someone new to the industry. Then there’s the cost issue again. In the heat of the moment, you’re willing to pay whatever it costs to get up and running. But a few weeks later, you receive a bill for much more than you thought you agreed to. Things like drive time, off-hour calls, and even parts can inflate that bill.

Needless to say, with a Managed Services Agreement all those things are covered. You’ll also get well-trained and certified Techs who are familiar with your business. And since they are contracted with you, they will make repairing your business a priority.

CONTRACTS

Signing a long-term contract for Managed Services is very much like a leap of faith. You want to be sure that you’re making the best decision for your company, and long-term contracts may seem counterproductive to those plans. What happens if you’re unhappy with the service? If you’re in a HaaS (Hardware as a Service) agreement, who owns the equipment if you terminate the contract? These are scary thoughts. Your business might falter if you make the wrong decision.

But the good news is that you can negotiate all of these things, and more, before you sign a contract. Make sure to ask if there is a way to get out of a contract if you’re not happy with the service. Ask about the ownership of any hardware or software you’re concerned about. And, most of all, don’t sign with anyone you’re not sure about. Use your best business intuition to judge if the fit is right for you.

As a small business, it makes sense to start with a Break/Fix model of IT repairs and maintenance. But as you grow, it makes good business sense to contract out services and get those worries off your plate. A good MSP will actually become your Business Partner and help you with Growth. Look at it as a Force Multiplier: your monthly investment gives you your time back, opening the doors for increased productivity and more potential growth. Let the MSP worry about risk mitigation and cybersecurity updates and you can go back to doing what you do best: running your business. Wouldn’t it have been nice to have someone fix those flats for you when you were a kid?

With all the rules and regulations surrounding the compliance alphabet soup in play today, it will take more than one person to bring your company in line. We’ve laid out the multiple roles needed to up your compliance game, especially when it comes to HIPAA, PCI, and GDPR.

IT Team

Your first line of defense against compliance failures is the technology in use and the team you have to maintain it. Consult with your IT team to discuss:

Internal Compliance Officer

While this may not need to be a full-time role within your organization, you should have a compliance champion on staff. Your IT company can absolutely set you up for success, but they are not around to police your staff every hour of the workday.

The Compliance Officer is responsible for ensuring that your staff follows important compliance policies, maintains vigilance surrounding compliance, keeps documentation up to date, and works with authorities if necessary. Specifically, they:

All Employees

You can have the best technology, the most intense compliance officer, and still completely fail at successful compliance if your employees are not onboard. At the end of the day, it comes down to successful employee implementation and clear communication. In order to get employee buy-in, here is what we recommend:

Compliance is not a one-man game. It involves the whole company and IT team engagement to really be successful. Next blog, we’ll cover the processes necessary to build a compliance-friendly environment.

In 2018, the European Union enacted a new directive, known as GDPR or the General Data Protection Regulation, to protect its citizens from having their personal information stolen or sold. This legislation protects EU citizens, but in reality, it is a global law at this point. Any business in the world that mishandles the personal information of an EU citizen, including something as simple as improperly tracking a cookie on its website, could be fined for non-compliance. Those fines are not cheap. A company failing to comply with the regulation could be subject to a 4 percent forfeiture of its annual revenue. In its first year, there were 95,000 complaints from Data Protection Authorities all over the EU. It’s here to stay, so should you care?

Of the 95,000 complaints received, telemarketing, promotional e-mails, and video surveillance were the top culprits. So far, three fines were issued by DPAs for GDPR violations. The largest fine issued was in the sum of €50,000,000 for lack of consent to processing personal data. Compliance is no joke and it can be tricky to implement. 50% of all businesses still have not migrated into the world of GDPR compliance, though they know it could end in litigation. This carries over for American companies that either employ EU citizens or service them. Even though your business is in the States, you can still get fined from across the pond.

The main idea behind GDPR is protecting citizens and consumer rights. Not only are businesses held responsible for storing people’s information, but they are also held accountable if that information is misused. If data is hacked, that business is obligated to report it within 72 hours of the breach and give a detailed account of the data that was stolen. In addition, under GDPR, citizens can request to have their information taken out of data storage, and a business must comply.

Currently, social media networks and automated email services are the heaviest hit by GDPR. Facebook has seen a steady decline in European consumers. Also, it has cracked down on how people can use FB ads when targeting certain audiences. Email marketing has seen an increase in opt-outs and tighter spam regulations, changing the marketing game for many companies.

In order to become compliant with GDPR, you will need to first appoint someone as your DPO, or data protection officer. This person will be the point of contact and GDPR expert. They’ll need to be able to handle IT services as well as monitor all the data handling processes in your company. Then, of course, they’ll need to be able to consistently monitor any area that may be impacted by GDPR and ensure it stays within compliance. It is highly recommended that the DPO go through thorough training on the subject so they know exactly what to look for when it comes to staying compliant.

GDPR is great at protecting citizens, and most professionals believe it’s only a matter of time before the United States adopts similar regulations. It’s always better to be prepared, so perhaps it’s time to look into GDPR compliance. 

Even though ransomware attacks decreased in 2018, they remain a major threat in the cybersecurity landscape. So much so, that ransomware was recently featured on 60 Minutes. The story primarily covers three major instances of ransomware, two that affected municipalities, and a third that targeted a hospital. 

All three were attacked in a way that encrypted every single one of their files and also encrypted some of the files within their backups, sending the organizations back to operating on pen and paper. Two, despite FBI recommendations, ended up paying the ransom to restore their data quickly, while the third decided not to pay the ransom and went about remediation on their own.  

The hospital was hit with a $55,000 bill, while one municipality (Leeds, AL) was able to negotiate the payment down to $8,000. These ransom sums may not appear astronomically high, but that’s exactly how the hackers keep going. If they requested millions in ransom, no one would pay. An amount in the solid five-figures, though, feels doable for most organizations to get their precious data restored. The third entity (Atlanta, GA) suffered millions of dollars in losses and time in efforts to recover. Some of their data could never be recovered. 

The story presented a very clear picture of the dangers surrounding ransomware; however, there were two major issues in the story. First, the entities covered were obviously major entities, implying that you need to be in the public eye to be affected. This is certainly not the case. In fact, nearly 50% of small business owners say their business was affected by a cybersecurity attack in the last year. Ransomware is not just for highly public entities.

Perhaps more importantly, the story painted paying the ransom as the cheaper and often faster way to go. On very rare occasions, paying the ransom is the only option; but if you’re stuck in a ransomware trap, we do not recommend jumping straight into paying the ransom. Here’s why:

1. Sure, after you pay the sum (typically in bitcoin), the vast majority of hackers suddenly become ethical and return your files. Let’s look at the reality, though. You’re relying on someone who just took your data hostage for an exorbitant fee to return that data to working order simply because you held up your end of the unwanted bargain. Sounds a lot like using hope as a data recovery strategy to us. At any point the hacker could respond, “Thanks, but no thanks!” or “Well, we thought this would be a sufficient amount; but we ran into snags with your recovery. We’ll actually need x number to finish the job.”
2. Prevention is a better strategy. If your backup is set up correctly with an on-premises and multi-tenant off-site solution, you should be able to roll back to data that existed before the ransomware attack. Granted, you may lose some data in the process if the encryption gets into the backup like it did in the attacks covered in the 60 Minutes story. Losing some data is a lot better than putting yourselves up the creek financially by paying a major ransom. In addition to proper backup, ensure that you’re effectively training employees and stringently monitoring data coming in and out of your network.
3. Isolation is possible. In short, don’t store all of your valuable data in one place. If, on the off-chance, ransomware breaches your network, you don’t want to give it an open door to encrypt absolutely everything of value. Keep all critical applications on isolated networks to maintain global network safety.

Ransomware attacks may be on the decline. However, that just invites the hackers to come up with a more creative way to scam you out of time and money. Perhaps phone ransoms are coming next. Regardless of what the hackers create, make sure you’re prepared and don’t have to rely on paying a hefty ransom to keep your business in operation. 

No matter what industry you’re in, compliance acronyms are abundant, filling your days with both confusion and regulation. We call it the compliance alphabet soup. It’s time to make a little bit more sense of all those acronyms and what they likely mean for your business. 

GDPR (General Data Protection Regulation): While this regulation only applies to the European Union and information leaving the EU, we are seeing its effects state-side because it requires businesses that interact with EU citizens to comply, regardless of location. The goal of GDPR is to create greater data privacy and protect from breaches. If there is even the slightest likelihood that someone from the EU will be visiting your site or interacting with you online, make sure that you comply with GDPR regulations. We’ll cover GDPR in greater detail in our next blog.  

HIPAA (Health Insurance Portability and Accountability Act of 1996): While this law has been on the books since 1996, many medical practices are still not HIPAA compliant and believe that they are too small to be touched. Even if you aren’t directly in the medical industry, pay attention! Beyond the practices themselves, any organization that works with a medical practice has responsibility in HIPAA compliance through associate agreements. These agreements particularly apply to IT companies, law practices, accounting firms, and others that might have access to patient data in any way. Bottom line, all patient data must be protected, encrypted, and safe. You also need to have a specific HIPAA-compliance plan, breach response plans, and data recovery methodology. HIPAA has gained notoriety with larger scale medical breaches in recent years, in addition to larger fines levied for HIPAA breaches. The largest fine currently on record is $16 million. Small companies are also being hit with violations costing about $1.5 million apiece.     

HITECH (Health Information Technology and Clinical Health Act): HITECH entered the picture in 2009 and brought teeth to HIPAA violations. This regulation specifically covers the electronic transmission of health information. In its best form, it’s meant to improve patient care through better doctor coordination, better sharing of information, and strong data security of electronic health records. In practice, all those privacy forms that you sign whenever you go to the doctor really do have an important purpose.  

I-9 (Employment Eligibility Verification): This is the form that new hires must fill out within three days of employment to verify that they are eligible to work within the US. While this piece of paper may get lost among the sea of new hire paperwork, it should never be overlooked. Even if you’ve been correctly employing the I-9 form for years, you may want to go back and check for form updates. Some updates will have no impact; but to be truly in compliance, you’ll sometimes need to go back and have every employee update their I-9 information and verification documents.  

PCI DSS (Payment Card Industry Data Security Standard): Do you collect credit card information within your business? Any payment data collected and stored must be PCI compliant. To ensure compliance: 

These are just a few of the compliance acronyms you may encounter in your daily work. Don’t get lost in the compliance alphabet soup. A quality IT firm can help you comply with the vast majority of these and will be able to put a clear plan of action in place to increase your cybersecurity footprint.