Are Cloud Services Lulling You Into A Security Breach Nightmare?

More companies are turning to cloud services to host their servers and software. In fact, Cisco is predicting that by 2018, 28% of the total cloud workloads will be Infrastructure-as-a-Service (IaaS). IaaS allows companies to move the burden of server and software management out of their offices and into the cloud. Such a move lets businesses focus more time and effort on their core business strategies.

However, cloud services don’t lessen the need for tightly integrated and coordinated security plans. Knowing who to call at any given time and which teams will be involved, should any type of data breach occur, now has elevated importance.

As one of our clients discovered not too long ago, a data breach can be a “near death experience” for any business. Here’s how to prepare your business to handle a data security breach quickly and less painfully.

The Key Players

When server and software management are done in-house, you have the convenience of knowing that everyone you need is on location when security issues arise. Putting teams together quickly usually isn’t an issue given the proximity of team members.

Once server and software management become more distributed (e.g. cloud services) and more teams become involved, though, resolving problems can become more complex and time consuming without proper coordination.

It’s important to know who the key players are. Some might include the following:

  • Server hosting company
  • Backup service company
  • Software service company
  • Security management/analysis company

The number of players will depend on how distributed your systems are.

Once any type of security problem arises, having one or two people available to coordinate multiple distributed teams will become critical. An overall team leader can mean the difference between a few hours of work to resolve data breach issues, or a few days.

Backup Validation - One of the Most Critical Tests You Can Perform

Consistently running backups is a great practice. But without periodic validation, they’re just a black box. When you need them most, you might reach for your backups only to find they don’t restore or that you haven’t been creating the right backups (full vs. incremental, file vs. OS, etc.).

Just as consistent backing up is good practice, consistent backup validation should be part of that practice.

Backup validation does require more work. Backups are automatic and require little human interaction. On the other hand, backup validation is a manual, labor-intensive process. But the time invested can far outweigh the surprise of incorrect or non-functional backups.
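One way to take some of the manual labor out of a validation pass, as an added example that is not part of the original post: restore the backup into a scratch directory and compare every restored file against hashes recorded when the backup was taken. The archive format (tar.gz), the file names and the three constructed backups (good, missing a folder, truncated) are assumptions for illustration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (record this at backup time)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore_to(archive_path, dest):
    """Restore regular files into dest, refusing member paths that escape it."""
    dest = Path(dest).resolve()
    with tarfile.open(archive_path) as tar:
        for member in tar:
            if not member.isfile():
                continue
            target = (dest / member.name).resolve()
            if dest not in target.parents:
                raise tarfile.TarError("unsafe path in archive: " + member.name)
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())


def validate_backup(archive_path, manifest):
    """Test-restore the archive into a scratch directory and diff it against the manifest."""
    report = {"restorable": True, "missing": [], "corrupt": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            restore_to(archive_path, scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # The "backups that don't restore" case: report it instead of crashing.
            report["restorable"] = False
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = build_manifest(scratch)
    for rel, digest in sorted(manifest.items()):
        if rel not in restored:
            report["missing"].append(rel)      # never made it into the backup
        elif restored[rel] != digest:
            report["corrupt"].append(rel)      # restored, but content differs
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def make_archive(source, archive_path, skip_prefix=None):
    """Stand-in for the backup job; skip_prefix simulates a job that misses a folder."""
    source = Path(source)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            rel = p.relative_to(source).as_posix()
            if p.is_file() and not (skip_prefix and rel.startswith(skip_prefix)):
                tar.add(p, arcname=rel)


def run_demo():
    """Constructed data: a good backup, one missing a folder, and a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "server"
        (source / "finance").mkdir(parents=True)
        (source / "shared").mkdir()
        (source / "finance" / "ledger.dat").write_bytes(b"constructed ledger data\n" * 200)
        (source / "shared" / "policy.txt").write_text("constructed policy text\n")
        manifest = build_manifest(source)

        good, partial, cut = (work / n for n in ("good.tgz", "partial.tgz", "cut.tgz"))
        make_archive(source, good)
        make_archive(source, partial, skip_prefix="finance/")
        cut.write_bytes(good.read_bytes()[: good.stat().st_size // 2])

        return {name: validate_backup(path, manifest)
                for name, path in (("good", good), ("partial", partial), ("truncated", cut))}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

A hash comparison only proves the files come back intact; whether a restored server or application actually starts still needs the hands-on test the post describes.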

Your Response Plan

We’ve seen that several teams might need to be involved in the case of any cloud-based data breach. To create a robust response plan, having a coordinator who can quickly route information between teams and contact people as needed is critical. Additionally, periodic validation of backups to determine what exactly is being backed up fills another potential hole in any response plan.

Creating a checklist ahead of time will help with workflow as you progress through any security issue. Certain teams can have their own checklist for their specific tasks. A coordinator checklist will help in orchestrating overall progress of teams.

To summarize, your plan should look similar to the following:

  1. Decide on an overall multi-team coordinator
  2. Conduct a periodic validation of backups
  3. Create checklists for each team
  4. Create a checklist for the coordinator to help orchestrate all teams

If you’d like to read more about data protection, “5 Simple Yet Powerful Ways to Protect Your Data” is well worth the read.

A response plan for a data breach scenario involves constantly looking for any point of potential breakdown and providing suggestions for possible solutions. While a data breach can be a time-consuming endeavor to resolve, being prepared lessens the chance of data or revenue loss.

Is Your Company Prepared?

Your managers and your IT team need to work together to make sure your whole company is as secure as possible. If you have any concerns at all about your data security, don’t hesitate to contact us here at Fluid IT Services.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 3

What would your managers do if hackers attacked your business? What would they do if your system got a virus? Or an employee’s computer caught some nasty malware? An incident response plan is critical for your business’s information security. And your management team has a great responsibility in creating and triggering that plan.

Your Incident Response Plan

A clear-cut, well-rehearsed incident response plan can be the difference between hours of downtime and days of downtime.

When everyone knows their role and the actions required of them during an incident, your team can work together to get the company back on track.

Step 1: Identify the team

Who is responsible for responding to information security incidents? “Your IT team” is not an acceptable answer.

Gather individual IT staff names and contact information, and detail each person’s responsibilities. Also note contact information for service providers and appropriate law enforcement.

Many incident response decisions are business-driven and not technical, so also include the names, contact info and responsibilities of the appropriate business-management personnel. If, for example, the business experiences a Crypto virus attack, the business leaders (guided by the IT team) will ultimately decide if they will pay the ransom or restore the data from backups. Know who your decision-makers are and include them in your incident response plan.

Step 2: Create your documentation

Create three levels of documentation.

  1. A high-level document that outlines the policies
  2. A detailed document that covers the implementation of the incident response plan
  3. A technical document that the IT team can use as a guideline. This includes quick-response guides for common scenarios

All three of these sets of documents should include the team contact information from Step 1.

Step 3: Define the triggers

When will the incident response plan be triggered?

  • When a network intrusion is detected?
  • When a system is acting strangely?
  • When an employee suspects their computer might have malware?

Define potential risks, threats and points of failure here. Then ensure your managers share this information with every employee!

Stress Testing

Once your backup solution is in place, ensure it is tested regularly. Backups are useless if they are not usable.

Run simulations to develop and maintain “muscle memory.” This will also help keep data security at the top of everyone’s mind.

What in the World… Series Went Wrong?

Anyone in the United States or much of the world for that matter, is very aware of that giant of sporting spectaculars, the fall classic known as the World Series.  The first game was an absolute thriller, starting off with a leadoff first pitch inside-the-park homerun (last accomplished in a World Series in 1929 and first leadoff since 1903), continuing for 14 innings over 5 hours and 9 minutes, tying the record for the most innings in World Series history.  Pretty heady stuff, but that wasn’t even the big story.

“We are experiencing technical difficulties”

What stole the show was the inexplicable 4 to 5 minute blackout that literally shut down the game and made millions of viewers blast four-letter tirades at their televisions. The problem: the Fox broadcast lost power, which would never have been noticed had the first generator not failed, but the backup generator also failed. What are the chances of that?! Both backup generators ‘failed’. I’m sure someone at Fox will become the ceremonial fall guy for that one.

With Fox paying around $500 million for the broadcast rights to the World Series, this is no laughing matter and a very expensive “technical glitch”. It is very obvious what the immediate impact is in a situation like this – millions of pissed off viewers, panic stricken Fox technicians, irked broadcasters (Joe Buck was NOT happy) and mortified Fox executives. But what about the aftermath? Is there any lingering negative effect on the Fox brand, trust, and goodwill? Only time will tell. The point is, it was the worst possible thing that could happen at the worst possible time on the world’s largest stage.

But they did everything right, didn’t they?

Technically speaking, Fox, if they did as they say, had the right setup – a backup generator with a second backup generator in the event of a power failure and the unlikely failure of the first generator. This is what we call N+1 in technology speak. It means that for critical systems, you always have one more than you need to fail over to if there is an issue. This certainly met the criteria for a ‘critical system’ and they had N+1, but it still wasn’t enough. You can bet Fox is opening their wallet today to spend whatever it takes to avoid this issue again, even if it means having four generators on standby with a person physically watching each one throughout the broadcast. By the way, having more redundancy than one more backup than you need is typically called 2N+1, where you have twice the redundancy, or in this case 3-4 generators. We may see just that outside the stadium on Wednesday night.

It’s not if it happens, but when

The situation was bad enough, but had it happened during one of the 162 regular season games back in April it would have registered as a blip on the radar. Happening during the first game of the World Series blew up the radar and made every front page – it became the story. If you are a business owner or operator, you should take notice. I’m sure Fox thought this could ‘never happen’ but now we know otherwise. What if this happened to your business at the absolute most critical time? What would it cost you? What would you be willing to spend to prevent it from happening again?

Sadly, most small to mid-sized companies do not have redundant systems simply due to the cost and the minimal risk of a critical failure actually happening.  The cost vs. risk just won’t justify it… unless it happens to you.  However, this very public SNAFU happening in the most unlikely of situations to one of the world’s largest companies (number 97 on the Fortune 500) shows it can happen to anyone at any time.

Is your business aware of the risks?

Forget about backup generators. Do you even know where the weak points are in your business?  Do you know every single-point-of-failure that could bring your company down?  If you don’t, you should get busy and find out. Not sure where to begin? Contact us and we can help you start the process.  After all, being in the dark is the worst place to be, especially when watching the World Series.

 

Need more information? Check out our Valued Added Solutions and why Fluid can help.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 2

In part 1 of this series, I talked about how managers should work with the IT team to set up strong anti-virus solutions for your offices. And in my recent post about hacker-proofing your business, I outlined how employees play critical roles in information security.

But here’s an important point, and something that – once again – managers must be responsible for:

Employees must be taught how to defend the business against hackers.

Cultivating a Security-Minded Culture

Information security starts at the top. For any security solution to succeed, it needs to have the support of those in leadership positions.

First, gather your management team and your IT staff and create an information security governance plan. Write detailed policies and procedures that not only keep the environment clean and operational, but also serve as a point of reference should employees have questions. This will also help hold staff accountable.

Second, empower your management team to create training programs for employees. An organization that teaches its staff what they can do to prevent a compromise will be less susceptible to hackers and loss of data.

Information Security Training Basics

Your IT team should not be the only people focused on protecting your company’s data. Managers should learn and then teach the following basic protocols:

  • Do not access personal email within a production environment
  • Do not open email attachments from unknown or untrusted senders
  • Avoid installing unauthorized software in the production environment. If in doubt, talk to management and/or IT personnel
  • Be suspicious of others asking for sensitive information

For more detailed information on these topics, read our Hacker-Proofing series: Dangerous Applications and Content, and Social Engineering.

Open Up the Lines of Communication

Make sure your managers have open lines of communication with IT and with employees.

According to a Verizon study of data breaches, more than 80% of breaches happened because Wi-Fi systems were not protected with passwords. This may seem like the most basic thing your IT team can do to protect your network – and your management team probably feels the same. Encourage your managers to question things when it comes to your information security! It’s better safe than sorry.

Other things managers may want to get a handle on:

  • Data encryption. Is sensitive employee and client data — such as social security numbers and credit card accounts — encrypted?
  • Physical security. Are the offices protected by security alarms or motion detectors? Is hardware locked down?
  • Data storage. How much customer data is your business actually storing? How often is it purged?

What to Do When You’ve Been Hacked

If you think your company data has been compromised, or your system has a virus or malware, contact your IT team immediately.

Part 3 of this series will go into detail about an incident response plan.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 1

Computer viruses and malware can be devastating for businesses. Recent Crypto virus attacks left businesses down for days, and cost them in both downtime and ransom money.

And we’ve all seen the news reports about businesses that lost confidential customer data to hackers.

Keeping your company’s data out of the hands of hackers is a cat-and-mouse game. New viruses and malware are created continuously.

Your management team is the first line of defense.

Define Your Defense

Though the IT department and each employee have responsibilities when it comes to defending your business against hackers, a defense solution is still necessary.

Empower your managers to work with your IT staff to create a definitive solution to viruses and malware.

This solution should include a service that can monitor for threats in real time. This will enable you to catch malicious data before it enters your production environment.

Remember, though, that just because you have an anti-virus program installed doesn’t mean that you’re protected against other forms of malware. Some programs only scan for viruses, and malware can sneak through. Have your IT team review your anti-virus system thoroughly and determine if you need a more robust program to protect your business.

Keep your anti-virus/anti-malware programs up to date. These programs are only as good as their current definitions. Communicate to your managers that they must drive this point home with employees. Delaying updates can be as easy as clicking a button on the screen – so assert the importance of updates and make sure management cascades the information.

Beyond Anti-Virus Software

It’s not enough to just cover the obvious entry points of your business’s network. There are multiple points of entry for malicious agents — so ensure your organization is protected node to node.

This includes a good firewall that receives regular updates. This will scan traffic for viruses before it enters your office environment.

A good firewall will help keep hackers from getting access to your system in the first place. It will monitor your network traffic and prevent hackers from compromising business systems.

Once again, this is a place where managers and IT staff should work together to determine exactly what firewalls are needed for the office. Managers will have a much better idea of overall day-to-day business operations – and thus possible vulnerabilities – than either the IT department or individual employees.

Managers: Defenders of Data

Your management team is your first line of defense when it comes to protecting your business’s data. Ensure they have an open dialogue with your IT team so your information security remains tight.

Don’t have an IT team that really knows your business and is comfortable working with your management team? Let’s talk!

Hacker-Proof Your Business: Social Engineering

Never heard of social engineering? Well, the hacker trying to get at your business’s data sure has. TechTarget defines social engineering as:

A non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.

As I pointed out in part 1 of our Hacker-Proof series, hackers are actually pretty smart. They not only know how to code, but they know how to trick users into falling for scams.

But hackers don’t always use technology to break into your system. Sometimes they simply use conversation.

Hazards in Your Inbox

Be wary of emails from unknown senders, especially those that ask probing questions about your organization or someone’s role within the company.

Some scammers will attempt to appear as a vendor trying to glean information. The particular information they are gathering compromises your system and gives them what they need to break in. These people are usually very good at what they do. Their conversation will be polite and seemingly legitimate.

Your personal email isn’t off-limits to this type of behavior, either. Recruiters are notorious for blowing up our inboxes these days, and social engineers know this! It doesn’t take a genius to impersonate a recruiter – and remember, hackers are smart.

Though this is more of a phishing scam than a social engineering attack, it’s worth noting here because too many people still fall for it: the fake “your password needs to be reset” email. Beware of these emails from scam artists!

I got this email the other day that looks VERY official, and if I wasn’t paying attention I might even click on it.

[Image: card security procedures]

But there were a few things that tipped me off right away.

  1. There is an attachment. Always a red flag!
  2. It asks me to download and save the attachment. Major red flag!
  3. It tells me to open the attachment. Obviously, this is how the virus is activated.

I hovered over the “from” address and it showed the sender as Americanexpress@aecom.com. I knew “aecom” was probably not an AmEx address – and a Yahoo search confirmed it.
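The same tells, written as a triage check a mail administrator could run over a reported message; this is an added example, not part of the original post. The brand-to-domain allow-list, the finding names and both sample messages are constructed assumptions, with the suspect message modelled on the email described above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: brand name -> domains the organization accepts as that brand's senders.
BRAND_DOMAINS = {"american express": {"americanexpress.com", "aexp.com"}}
SAVE_LURE = re.compile(r"\b(download|save)\b[^.]*\battach", re.I)
OPEN_LURE = re.compile(r"\bopen\b[^.]*\battach", re.I)

# Constructed message modelled on the email described in the post.
SUSPECT = """\
From: American Express <Americanexpress@aecom.com>
To: user@example.com
Subject: Card security procedures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please download and save the attached form, then open the attachment to confirm your details.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="secure_form.zip"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# Constructed benign message from a subdomain of an allowed domain.
CLEAN = """\
From: American Express <alerts@welcome.americanexpress.com>
To: user@example.com
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Sign in from your usual bookmark to view it.
"""


def claimed_brand(display_name, address):
    """Return the brand the sender presents itself as, judged by name and mailbox."""
    text = (display_name + " " + address.partition("@")[0]).lower()
    squeezed = text.replace(" ", "")
    for brand in BRAND_DOMAINS:
        if brand in text or brand.replace(" ", "") in squeezed:
            return brand
    return None


def triage(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    findings = []

    # The "hover over the from address" check: claimed brand vs. real sending domain.
    brand = claimed_brand(display, address)
    if brand:
        allowed = BRAND_DOMAINS[brand]
        if not any(domain == d or domain.endswith("." + d) for d in allowed):
            findings.append("sender_domain_mismatch")

    # Red flag 1: there is an attachment at all.
    attachments = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]
    if attachments:
        findings.append("has_attachment")

    # Red flags 2 and 3: the body tells the reader to save and to open it.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if attachments and SAVE_LURE.search(text):
        findings.append("asks_to_save_attachment")
    if attachments and OPEN_LURE.search(text):
        findings.append("asks_to_open_attachment")

    return {"from_domain": domain, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, triage(raw))
```

The From header is only what the sender chose to write, so a matching domain is not proof of legitimacy; the check catches the mismatch the post describes, not every forged sender.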

[Image: yahoo confirms it]

Dangers Lurk Outside Your Inbox, Too

Social engineering isn’t limited to emails. Hackers also use social media, phone calls and even in-person visits to your company site: whatever lets them pull you into a conversation most easily.

Some examples we’ve seen are false on-site technicians, fake LinkedIn and Facebook groups, and phone calls from bogus financial institutions.

How to Protect Yourself

The first thing you can do to protect yourself from a social engineering hack is to be skeptical. Never give out confidential information – or even seemingly non-confidential company information – without verifying the identity of the requestor first.

The second thing you can do is to be aware of common tricks. For example, no legitimate financial institution will ask for your social security number or system password over the phone. If someone you don’t know asks you for that information, it’s a red flag.

I am going to assume that you’re using strong passwords on all your systems, and you’re updating them frequently. (Ahem.) If you feel like you might have been the victim of a social engineering hack, change your passwords. Then let your IT staff know about the situation immediately so they can minimize the damage.

Don’t have an IT team that can come to the rescue in the case of an information security threat? Let’s talk!

Hacker-Proof Your Business: Dangerous Apps and Content

The best offense is a good defense – but good judgement is your best friend when it comes to your information security. Many businesses feel like information security rests solely in the hands of their IT team. And while knowledgeable IT staff are important to hacker-proofing your business, your own employees play critical roles as well.

Here are two things you and your employees can do to keep your business safe from hackers.

Avoid Unauthorized Applications

Often businesses end up with computer viruses and malware because they installed them. Sad, but true.

Hackers are – in general – pretty smart. Malicious, but smart. They can trick people who might never fall for a scam offline. The best hackers know more than code. They also know what makes Internet users tick, and they can create scams that the smartest users fall for.

When it comes to apps, if it’s not needed for you to do your job, don’t download it. It’s not worth the risk.

Even if you’ve installed that application before, be careful. Hackers often create bogus versions of popular software and repackage it to include malicious code. Make absolutely sure the source you’re downloading the (business-critical!) app from is the real deal.

You put yourself and your business at risk when you download from unauthorized or unofficial sources, or peer-to-peer networks.

When in doubt, consult with your IT staff.

This applies to add-ons, plugins and extensions as well.

Beware of Browsing to Questionable Websites

Make smart choices about the websites you visit. Browsing to questionable websites is another easy way to compromise your system.

Aside from being against the code of conduct for many companies, sites that advertise adult content or free downloads of any type are often dangerous to your data security. They frequently contain misleading links that install harmful software.

The site doesn’t have to have adult content to be a security risk. Many seemingly harmless websites host malicious code. Some sites even execute downloads just by visiting them – no user input or clicks required.

Rule of thumb: If it looks odd, it’s best to leave it alone.

When in doubt, you can check the validity of web addresses (URLs) with a WHOIS search. A popular site for this is DNSstuff.com.

Your Internet browser matters in this equation, too. Make sure it is up to date to ensure it is using the latest technology to identify and filter out phishing sites.

Antivirus Software Will Only Protect You So Much

Common sense is your first line of defense against hackers. But everyone makes mistakes.

If any software begins to install itself, close it out immediately. Then run a security software scan and alert your IT department pronto.

It is critical that you ensure your antivirus software is always up to date. Many infections happen because people don’t allow their antivirus programs to apply updates.

Forward this post on to your teammates so everyone can get on the same page when it comes to apps and web content.

What Should You Do When Your Data Is Held for Ransom?

You come into work on a typical Monday morning… and find something devastating. One of your machines was infected with the Crypto virus, which then spread to your main servers.

All of your files are locked.

But it gets worse.

The virus owner is demanding you pay a ransom – or lose your files forever.

Does that sound like the plot of a modern action movie? Well, sadly, it’s not. It happens to businesses every day. In fact, it happened to some of our IT support clients.

Lessons From a Near Death Experience

“It was a near death experience for us. One more day being down and we would literally have been out of business.”

This statement may seem dramatic, but it is actually a quote from one of our long-time IT support clients. And it was all too true. Due to several missteps by their cloud provider, the Crypto virus caused 7 days of downtime.

This was no mom-and-pop shop, either. This was a 50+ employee company with multiple locations brought to a standstill due to this horrible virus.

No business wants to be in this situation. Most businesses couldn’t survive a full week of being completely down. So you might be asking, What can I do to avoid getting a virus?

First, let’s set the record straight. It is a myth that you can secure your business so tightly that you never get a computer virus. Even with the best firewalls, anti-virus software, intrusion protection, Internet filtering and policies in place, your system may still get infected at some point. Why? Because…

  1. Virus protection is a cat-and-mouse game. New viruses are created and released every minute, and antivirus software must be updated to contend with each one
  2. People are only human. Human error is the number one reason companies get infected. Well-meaning employees click on the wrong thing while surfing the web or reading emails, or they open infected attachments
  3. Many hackers are diabolically smart. Many viruses are cleverly disguised to look safe and legitimate. That infected email might have a very real-looking logo from a major company. That attachment might look like a resume PDF – one you’ve actually been expecting – only to reveal itself as a virus once you open it.

So what’s a business to do? Beyond the IT team doing all they can to protect the business against viruses, the most important deterrent is user education.

Do all of your users really know what not to click on and what not to open? Do they know what telltale virus clues to look for? Hackers are getting more clever and sophisticated, so this education has to become even more of a priority today. Many users are so busy, they quickly open and click just to move on with their day. But taking that extra few seconds to assess before they click might mean the difference between life and death for your business.

Your Business EMTs: The Response Team

Once a virus is found, the company must move quickly into an organized response process. This should include a designated and well-trained response team that can jump right into action. Whether that team is made up of internal IT people or a third-party IT support vendor, identifying this team before a virus hits is critical.

In the past week alone, we have seen 5 clients’ systems become infected with dangerous viruses. Most of them were infected with some form of Crypto virus, which locks you out of your files (encrypts them) and tells you to pay a ransom to regain access. If you don’t pay the ransom within the “kidnapper’s” timeframe, your files will remain locked forever.

So if you are hit with a Crypto virus, what steps should you take?

  1. Inform your IT staff so they can begin the response process and investigate the severity of the infection.
  2. Every virus comes with a “payload.” This is what really does the damage to your systems. If the payload has not been activated, your IT team may be able to remove the virus without any damage.
  3. If the payload has been activated with a Crypto virus, this means you will be unable to access your files – and you must choose one of these two options:
    a. Determine when the payload was activated and restore clean files from a backup prior to that date and time.
    b. Pay the ransom and hope the hacker will unlock your files.

Choosing 3a or 3b is a business decision – not a technical one. Because of the financial implication (in money and downtime) in paying a ransom for data, only the business leadership can make this call. To make that call wisely, though, they need the best information their IT team can provide.

To Pay or Not to Pay

Just this week alone we have seen both cases: paying ransom and restoring from a backup. In all cases the clients were able to get their data back and get back to business, but only after several days of costly downtime.

But let me be very clear: paying the ransom is no guarantee. In that case, you are trusting the hacker (the person who infected your system in the first place!) to keep up their end of the bargain.

Because no one can guarantee paying the ransom will work – or work long-term — many companies choose to restore their data from backups. This can be a relatively easy endeavor, or one that is very painful. Success depends on knowing these key pieces of information before restoring from a backup:

  1. Do you know the last date/time your data was clean, and do you have backups from that date and prior?
  2. Is the good data backup prior to the virus still viable? For example, if the last known good backup was 30 days ago, that data may be so old that restoring it would be useless.
  3. Are the backups complete server container backups or only file backups? This is VERY important. Server container backups may be restored with the underlying server software, software application and data all at one time, which only takes hours. File-level backups require manually rebuilding the servers, configuring them, loading the software, configuring it and finally loading the files — which can take days.
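The three questions above can be answered from a backup catalog before anyone starts restoring. The sketch below is an added example, not part of the original post: the Backup record, the plan_restore function, the seven-day viability threshold and the catalog entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str         # "container" = whole server image, "file" = files only
    validated: bool   # True if a test restore of this backup has succeeded


def plan_restore(catalog, payload_activated_at, max_data_age):
    """Pick the newest backup taken before the payload activated and flag the risks."""
    plan = {"backup": None, "data_loss": None, "rebuild_servers": None,
            "newest_container": None, "warnings": []}

    # Question 1: which backups predate the infection?
    clean = [b for b in catalog if b.taken_at < payload_activated_at]
    excluded = len(catalog) - len(clean)
    if excluded:
        plan["warnings"].append(
            f"{excluded} backup(s) taken at or after activation were excluded")
    if not clean:
        plan["warnings"].append("no backup predates the payload activation")
        return plan

    chosen = max(clean, key=lambda b: b.taken_at)
    plan["backup"] = chosen
    plan["data_loss"] = payload_activated_at - chosen.taken_at

    # Question 2: is the clean data still recent enough to be worth restoring?
    if plan["data_loss"] > max_data_age:
        plan["warnings"].append(
            f"newest clean backup is {plan['data_loss'].days} days old; data may be too stale")
    if not chosen.validated:
        plan["warnings"].append("chosen backup has never passed a test restore")

    # Question 3: container backup (hours) or file-level backup (server rebuild, days)?
    plan["rebuild_servers"] = chosen.kind == "file"
    images = [b for b in clean if b.kind == "container"]
    if images:
        plan["newest_container"] = max(images, key=lambda b: b.taken_at)
    if chosen.kind == "file":
        plan["warnings"].append(
            "file-level backup: servers must be rebuilt and configured before restoring files")
    return plan


# Constructed catalog: one old container image plus nightly file-level backups.
CATALOG = [
    Backup(datetime(2015, 10, 4, 1, 0), "container", True),
    Backup(datetime(2015, 10, 30, 23, 0), "file", True),
    Backup(datetime(2015, 10, 31, 23, 0), "file", False),
    Backup(datetime(2015, 11, 1, 23, 0), "file", False),
    Backup(datetime(2015, 11, 2, 23, 0), "file", False),   # taken after activation
]
ACTIVATED = datetime(2015, 11, 2, 3, 15)   # constructed payload activation time

if __name__ == "__main__":
    result = plan_restore(CATALOG, ACTIVATED, max_data_age=timedelta(days=7))
    print("restore from:", result["backup"])
    print("data lost:   ", result["data_loss"])
    for warning in result["warnings"]:
        print("warning:     ", warning)
```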

In the nightmare case of the business that was down for over seven days, critical events happened that worsened the situation. First, the Crypto virus response timeframe had lapsed, so paying the ransom was no longer an option. But second — and worst of all — the backups the cloud provider had were not server container backups (which the vendor had promised they would be), but file-level backups only.

This last problem forced us to work with the cloud provider to restore the file backups. To do this, we had to figure out the last day the data was clean. Only then could we figure out where to start. However, before actually restoring the files, we also had to do the following.

  • Rebuild the virtual servers
  • Load and configure Windows Server
  • Load and configure the software applications (e.g. QuickBooks)
  • Restore files to each server
  • Reset the printer settings, file sharing settings, and user settings

If the cloud provider had done their part right, this would have taken 2 days. But unfortunately they made mistakes at almost every step, creating a lot of rework for everyone. The end result was that it took over 7 full days and over 130 hours from our team to help them get it right.

Do the math. That’s 7 days x 24 hours: 168 hours of downtime. That shows you just how intense (and expensive) getting a virus can be.

What You Should Do Right Now to Protect Your Business

In the Fluid cloud, our proprietary cloud solution, our backups have multiple layers and always include server container backups. In this same situation we would have had them back online in less than 24 hours.

No one wants a computer virus, and certainly no business wants to be down a day — much less a week. Here are some steps you can take with your business to be more proactive, so you can better avoid viruses and be more prepared to respond if you do get hit:

  1. Educate your management and users on the importance of information security. Provide them with simple tip-sheets of dos and don’ts, and follow it up with face-to-face training.
  2. Ensure your IT department or provider has the right type of data backups — and that those backups are current.
  3. Define and confirm who is on your response team and what their process is. This way they are ready to respond in a calm and methodical fashion if and when a virus infects your systems.
  4. Most importantly, be prepared. Regardless of all the precautions and preparations, you still may get infected at some point.

If you have not done ALL of the above, you are at serious risk of getting a computer virus, and of business downtime. Contact us at Fluid IT Services and we will be glad to help fill the gaps!

Should You Bring Your IT Back In-House?

I shared a story not too long ago about a company that wasted massive amounts of money when they brought their IT staff and all their technology back in-house and onsite. It ended up costing them $300,000 up-front and $100,000 per year in perpetuity. It was an unfortunate situation to witness, especially when the waste of money could have easily been prevented.

But not every company who brings their IT in-house loses money like that. Sometimes it makes more sense for a business to bring technology and IT support onsite.

So how do you know when it’s a smart move – and when it’s a budget drain?

Start With This Quiz

For most small to medium-sized businesses, and even many large businesses, hiring an outside IT vendor is more cost effective and provides a wider range of services than an in-house IT employee can provide.

But there are exceptions.

Answer these questions about your business honestly:

  1. Is your business growing so fast that your IT vendor can’t keep up?
  2. Do you have proprietary or regulatory reasons that you must have in-house IT staff?
  3. Does your company have a career path for an IT person?

If you can say “yes” to any of those questions, you might have a strong case for bringing your IT in-house.

Most high-quality IT service vendors can easily keep up with your business growth. With a single phone call, they can help you expand your cloud storage space, add new users or provide your company with new or upgraded software. Sometimes, however, a business grows at such a rapid rate that an “outsider” simply cannot keep up. In this case, investing in in-house IT may be a good option.

Another case where in-house IT may be beneficial is if you have special proprietary or regulatory requirements. For example, you have created your own software, or the regulatory body that governs your product or service has issued certain IT staffing or equipment requirements. These situations are exceedingly rare, but they do happen.

Even if you said yes to both of the first two questions, if you can’t say yes to the third question, you may have a problem when you try to bring your IT in-house. If you hire IT staff and have no set career path for them within your company, dissatisfaction and attrition are going to be inevitable. You have to make sure your IT employees have room to grow, or they’ll quickly get bored and seek more challenging (and higher paying) work elsewhere.

The Benefits and Drawbacks

The benefit of having in-house IT staff is that you can walk down the hall and talk to them. They’re also 100% dedicated to your business, not splitting their time serving other customers.

When you bring your technology in-house, you can feel like you have more control over it. If it crashes, you walk down the hall to your IT guy and send him in to the server room to fix it.

But can you really afford to hire all the IT staff you’re going to need to cover all your possible IT needs? Probably not. An IT vendor (like Fluid!) is going to have a broader skill-set, and be able to spread out and provide the resources you need when you need them. And you’re not going to have to spend all that money hiring staff to cover all your bases (or worse, hire cheaper, lower-skilled staff and still have to hire an IT service company to fix things).

And what about the ongoing maintenance cost and space requirement for all that in-house technology? Keeping your business in the cloud (in other words, using an IT vendor and having access to their data center) may require a monthly fee, but it will actually save you a lot of money. Plus, it saves you storage space – and most importantly, you can expect a lot less downtime for your business.

Consult the Experts

If you’re considering bringing your IT in-house, I highly suggest that you bring in a third-party IT expert to look at your business and crunch the numbers first. This type of consulting is something we do for our customers pretty often, and we’ve been able to save them a lot of time, money and frustration.

You might be thinking, “An IT vendor is going to be biased. They’re automatically going to tell us to not move our IT in-house.” Well, I can’t speak for everyone, but I can speak for Fluid. We get requests for consultations all the time, and I can tell you that the answer always boils down to your business needs.

Sometimes we do recommend that a company brings their IT in-house. In those cases, we also share with the client the best way to do that so the business needs are met.

And sometimes we’ll recommend that a business hire a qualified IT vendor to take care of their needs. We’ll even uncover how much money the business will save in the process, and help them define their overall IT strategy and plans. We have found that kind of information is invaluable to time- and budget-crunched business owners.

Don’t just take the leap and pray it saves your company money. Take the time to think through your business needs, and bring in a third-party IT expert to help you crunch the numbers and determine the right strategy to meet your business goals.

If you’d like to talk to the team at Fluid about this, you can contact us right here.

Why You Need a Second Opinion Before Restructuring Your IT Department

Not too long ago, we shared a story of a company that wasted well over $300,000 when they implemented an IT plan without getting a second opinion.

This is something we hate to see businesses go through.

One of the issues that came from that costly mistake was that the company got rid of their outside IT service contracts and brought all their IT support in-house. They decided that if they were bringing all their IT hardware and equipment in-house, their IT staff should be in-house, too.

This mistake wasn’t a one-time waste of money. This cost the company multiple thousands of dollars every year going forward.

When we see companies considering restructuring their IT departments – especially when they’re talking about bringing their IT support in-house – we beg them to get a second opinion from an unbiased and business-focused expert. If not us, then someone else they trust!

Many small, medium and large businesses do not see a financial benefit when they bring their IT staff in-house. This move is expensive and incurs both one-time costs as well as ongoing costs – all of which can often be mitigated with a good outside IT service vendor.

Here are three things that most businesses don’t know about moving their IT in-house.

1. Using Outside IT Support Allows Your Internal IT Team to Focus More on Your Business

Everyone in your office should be focused on one thing: your business. If your IT team is spending all their time managing operational tasks, like running an office-based server farm, they don’t have time to focus on day-to-day business tasks, like getting new users set up.

Managing your business’s IT equipment, hardware, data, security, user setup, etc. is a full time job – for multiple people. It’s easier to keep your IT team business-focused when the operational support is outsourced.

2. Most Businesses – Even Large Ones – Cannot Afford to Hire Every Skill-Set Necessary

No one single person is going to have every skill-set necessary to handle all of your IT needs. So if you are going to have all or most of your IT staff in-house, you are going to need to hire multiple people with varying skill-sets.

First, this is costly. You will now be paying for salaries and onboarding for multiple new employees. Even then, you likely will run into IT support issues that your team can’t handle – and you’ll still need to bring in outside help occasionally.

3. Even When You Have More Internal IT Staff, You Will Still Have to Bring in Outside Support

Let’s say you hire three IT support personnel: a Level 1, Level 2 and Level 3 IT service technician. Well, what happens when your Level 2 person is out sick and your Level 3 person is busy dealing with a major security breach on one of your office servers? Your Level 1 person doesn’t have the skills to handle Level 2 IT issues. So you call in outside support.

Calling in outside support ad-hoc is a very expensive way to run a business. It’s often much more cost-efficient to have an ongoing contract with an outside IT service vendor.

How to Know When to Get a Second Opinion

When your IT leader brings you a business case with a price-tag that makes you cringe, get a second opinion. In fact, it’s smart to even set a dollar amount to that. Say, if an IT situation is going to cost your company more than $50,000, you call in an expert for a second opinion.

Yes, that might cost you a little bit of time and maybe a consultation fee – but it may just save you $300,000!

It’s great if you trust your internal IT team when they come to you with an IT restructuring proposition. But don’t bet your business on it. Get a second opinion before you make any large, expensive IT moves.

Avoid the Pain of Regret – Compare Multiple Cloud Solutions Before You Buy

Many business owners, when they get ready to move their business to the cloud, immediately start scoping out the big dogs in cloud computing – Rackspace, AWS and SoftLayer, to name a few. These companies are datacenter gorillas serving hundreds of thousands of customers. It’s no surprise that this is the first place business owners start their cloud research.

But what business owners quickly discover is that, while they get what they asked for, their business needs are not actually met by these big-name companies. Future upgrades cost more, support costs more and their usage estimates were flat-out wrong. They might not feel the pinch at first – but they get bit soon enough as their business grows and changes.

Call in the Experts

Cloud services and IT support are NOT commodities. You really need to compare proposals from multiple companies – of all sizes – to get an understanding of the value of what you are paying for. Because often the price will be the same, and it’s the little details that will matter to your business in the future.

I get it. You’re not an IT expert. So how are you going to know what you’re looking at when you have five cloud-services proposals in front of you?

Well, this is when I recommend you call in an expert.

If you have an IT expert in-house, that can be a good place to start. Have them walk you through the pros and cons of each solution from a business standpoint. Don’t just consider what you need right now. Consider what you’re going to need in six months, a year or five years.

This is something we actually help our clients and potential clients with. Most of the time they don’t have in-house IT experts – or their in-house IT isn’t knowledgeable enough about the cloud to be able to help them through. So when we present our proposal, we will also help the client walk through the other proposals they’ve received. We analyze the proposals through a business lens and help the client determine what is going to work best for them.

Sometimes the result is that the client wants to go with a different company. Sometimes they choose to work with us for some services and not others. But most of the time, they become so educated throughout this process that they quickly see we can provide everything they want and need for the same price as the big gorillas. So yes, it’s absolutely worthwhile for us to spend this kind of time with potential clients.

Things to Look Out For

Whether or not you choose to bring in an expert to help you figure out what cloud solutions you need, there are things to look out for as you’re making decisions.

  1. Don’t just guesstimate what your usage is going to be. Spend the time to think through all the potential use cases and calculate an accurate usage estimate for each piece of your cloud solution. This can be tricky if you’re not super IT-savvy – so I still recommend you call in an expert for this.
  2. Inform the vendor about what other vendors you’re considering. Their response to this will be very telling. If they turn it into a sales pitch about why they are better than anyone else, beware. Someone who is truly agnostic and going to provide you white-glove service going forward is going to help you compare their solution to the others you’re considering – without a heavy sales pitch.
  3. Get to know where each cloud vendor came from. Did they start out as a cloud company, or did they just add cloud to their existing solution set? For example, Fluid has been providing hosted solutions for over ten years, and that naturally evolved into creating our own robust cloud solution. Our facilities, technologies, security, staff and solutions meet and exceed what the big gorillas can offer because the cloud is part of the foundation of our company.
  4. Find out if future upgrades are included – but also find out how much the additional labor is going to cost. This is a big “gotcha” with many cloud solutions. Patches and updates are often included, but the labor for upgrades is usually an additional cost.
  5. Consider how much attention you really want. The big cloud companies have hundreds of thousands of customers. You’re just a number in a call queue. Smaller companies can often offer much better, more personalized service for the same price.
  6. Figure out if you are okay with piecemeal service, or if you really want end-to-end service from one company. Most big companies can’t offer end-to-end service. Smaller companies like Fluid can. End-to-end would include:
    1. Defining the solutions you need in the cloud
    2. Defining all your technical specifications
    3. Migrating your business to the cloud
    4. Full white-glove support, including onsite, post-implementation and ongoing support

As CEO of Fluid IT Services, I am on a mission to help businesses stop wasting their money while also helping them move toward their goals with the right IT services and cloud resources. Contact us today – before you buy a lemon… er… get stuck in a cloud contract you regret.