Avoiding IT Standards Overload

MSPs that use standards have seen lower ticket counts and less reactive work, and have more time to focus on strategic relationships with clients. myITprocess provides MSPs with a centralized platform to manage their clients’ technologies and to develop and maintain a library of technical and compliance standards.

TruMethods also provides robust Standards Library templates in our myITprocess software. This may seem overwhelming at first, but let’s break this down. Statutory, regulatory, and contractual compliance is no easy task; there are many requirements necessary for alignment. Sources like NIST 800-171, HIPAA, and CIS Controls 7.1 contain an overwhelming number of questions and categories. At times, it can feel like drinking from a firehose; it is almost unrealistic to implement and enforce everything required by these agencies.

Disillusionment can occur when our TruMethods members request standards templates for myITprocess. Some are dismayed at the number of questions and the lack of How-To information included. The templates are often cited as unrealistic or time-consuming for a Technology Alignment Manager (Net Admin) to complete in a single visit. These are valid responses to this amount of information and I wanted to clear up some confusion.

  1. Unless otherwise noted, all compliance templates are verbatim from their sources. TruMethods made the decision not to interpret any information from the source material into these templates. We do not want to define how a member should achieve compliance. We feel it is up to the member to perform proper due diligence and make their own interpretation of the requirements.
  2. The templates do not prevent a member from performing the work. Compliance is case by case—as mentioned above—and the How-To and Why are we Asking fields are often intentionally blank. This prevents TruMethods from determining the outcome of the question for its members.
  3. Completing the requirements may require multiple visits or a separate project. I have received ample feedback about compliance standards being impossible to complete during a standard TAM visit. That’s OK! This presents the option for two different opportunities: Add it to AISP (All-in Seat Price) or charge as NRR.
    • If your organization specializes in a particular industry (healthcare, legal, financial), rolling ongoing assessments into your AISP is probably worthwhile since compliance is not a ‘one and done’ effort. Adding the cost of ongoing compliance to AISP may make the most sense.
    • If performing a compliance audit as a one-off project, this will add to your NRR. Depending on the frequency of compliance assessments for customers, these provide the perfect NRR opportunity for almost any customer.
  4. Never feel obligated to use a template or benchmark in its entirety. You can use the questions and categories to build your own custom audit depending on the needs of your customers. Take these questions piecemeal, use what you need, and discard the rest. Or use all of them, whatever helps you meet the goals set forth as an organization.

Everyone has the best intentions when performing onsite assessments. Reducing the number of questions to a manageable level prevents ‘analysis paralysis’, allowing you to concentrate on those that matter most to the customer.

New myITprocess Template: MSP Cybersecurity Jumpstart

A little over seven months ago I presented a topic at our TruMethods event, Schnizzfest, that gained a lot of steam in recent months. The subject of cybersecurity for Managed Service Providers was popping up everywhere from news websites to social media. 

The topic of my presentation centered on the vulnerabilities of MSPs and why they are the target of malicious attacks. I introduced a template called Improving Cybersecurity for Managed Service Providers designed to get MSPs started on their own cybersecurity program. Templates are part of the myITprocess Standards Library, a repository of compliance and best practices our members use to align their customer’s technology and strategy.

The template differed from other templates available in myITprocess and targeted the goals of MSP security.

  • 56 questions derived from 112 NIST Cybersecurity Framework sub-categories.
  • Clarified the requirement language from the original text.
  • The How To field mapped to relevant CIS Controls 7.1.

Template revision 1 was intended to get the ball rolling. There was not a lot of information in the How To section for MSPs to get started without much research of their own. I was relying on existing experience and real-world scenarios for MSPs to take the baton. The idea is that this template provides a level of utility for our members. The How To field was quite barren and lacking diversity except for mappings to CIS Controls 7.1. Time for an update!

Recent world events and overnight changes to our workflow called for a revisit and update to the template. More businesses shifted to work from home than we ever thought possible and focused more on the need for cybersecurity. I made some drastic changes to the template for revision 2 to help members stay on track with their own cybersecurity program.

  • Changed template name to ‘MSP Cybersecurity Jumpstart’ to differentiate it from other industry best practices.
  • Questions now align with CIS Controls 7.1 Implementation Group 1.
  • How To field maps to relevant NIST CSF subcategories and provides other informational sources.
  • Reduced the question count from 56 to 41.

TruMethods members can find the MSP Cybersecurity Jumpstart in their standards library under myITemplates. With the help of myITemplates, you can better tailor your assessments for clients based on their specific industry needs and requirements. Click here to read a more in-depth article on the template and its history.

As I mentioned before, the Jumpstart template is an evolving project, so look for changes over time. This project improves through user feedback and industry changes, meaning updates will occur once or twice per year.

MSP Compliance is a Turbo Rocket Sled to Technology Alignment

I recently wrote a blog post titled “Why Regulations are a Good Thing for Technology Service Providers”. The concept was simple: regulations and compliance benefit Technology Service Providers. Customers providing products and services within their industry usually have compliance requirements like protecting credit card information. Most business owners are not trained to deal with these obligations, or prefer not to, and rely on third-party vendors. I wanted to revisit this topic now that the business environment has changed overnight.

When businesses sneer at compliance and regulations, this is an MSP opportunity. The COVID-19 pandemic altered our business environment and threat actors are taking advantage of security flaws. Financial records, health information, and personally identifiable information are vulnerable while businesses attempt to solve problems with personnel and loss of revenue. As our President, Gary Pica, says in every webinar, “the environment has changed and will not return to normal.” Within this new—and constantly changing—environment, we can continue to look for opportunities that benefit our customers.

How does compliance benefit you and the customer?

  • Compliance requires extra effort and those costs can be rolled into your All In Seat Price (AISP). Rolling the maintenance cost of a compliance program into an AISP prevents the addition of other monthly fees and retains a single price per seat.
  • Compliance objectives have additional requirements for security and privacy. For a standard business, those safeguards are most likely not in place and require separate implementation. These projects add to and provide Non-recurring Revenue (NRR) opportunities.
  • A compliance strategy is added to the customer’s strategic roadmap. A vCIO can add recommendations and initiatives centered around compliance and cybersecurity programs. Doing so leverages the need for products, services, policies, and procedures that meet and retain compliance status.
  • It is always a topic of conversation. Modern business practices likely fall under regulation, compliance, or statutory law and these topics are good to keep in mind when having discussions with a decision-maker. Some decision-makers are not up to speed on the latest requirements and informing them regularly has its benefits.

The message isn’t to “prey on the weak” or take advantage of a customer while they are down; it is to perform the heavy lifting while they concentrate on the day to day. After all, one purpose of an MSP is to remove the burden of Information Technology from the customer.

The pandemic changed how we work and how we support those who require help with their technology. Now is the time to adapt and accept the new normal for Technology Success.

Eliminate Tribal Knowledge in Your MSP

For those not familiar with the age-old classic of ‘whisper down the lane’, here is a refresher. Whisper down the lane is a game in which someone whispers a phrase into someone’s ear and their job is to whisper it to someone else, who then whispers it to someone else, and so on. The more people there are, the greater the chances of the message becoming altered during transmission. It’s a fun game that makes people laugh for hours—or days—depending on your sense of humor. Information passed down between generations is referred to as Tribal Knowledge; someone did something one way, then passed it on.

How does this relate to standards? Building standards around industry frameworks and best practices is essential to your customer’s technical alignment. Best practices are often provided by an authoritative or regulatory body, a vendor, or a third party. When a technician acquires them for the first time, they naturally pass their knowledge along to the next person. Herein lies the problem.

When knowledge is transferred from one person to the next it is often altered—intentionally or unintentionally—causing the next in line to follow what was passed along to them. Eventually, the next person shares their knowledge with further alterations. Sometimes, these alterations are based on personal experience or opinion and will affect the outcome. An example of this is a family recipe that is passed down between generations. Every so often the recipe is altered due to available ingredients, improvements, or personal taste.

Best practices ultimately become fairy tales because they are so diluted from the actual account, making it vital to maintain a written Standards Library. I have personal experience with this type of situation. I worked with a technician who wanted to make sure a server I was ordering for a customer had a NIC with 4 Ethernet ports since the server was to be a Hyper-V host. Here is how the conversation went:

Technician: Be sure to order a 4 port NIC with that server.

Me: Why is that?

Technician: Because we need to assign each port to an individual virtual machine.

Me: Why is that?

Technician: Microsoft recommends it as a best practice.

Me: Did you read this or did someone tell you?

Technician: Someone told me it’s what is best.

It may be a Microsoft best practice, but it is a prime example of why not to transfer knowledge verbally. When it comes to standards, ensure you are referencing best practices provided by an authoritative or regulatory body, a vendor, or a third-party source. And write them down!

MSP Templates for a Best Practices Cybersecurity Assessment

If you have not heard about cybersecurity online, in print, or on the news in the last 10 years, exactly how safe are your customers? Cybersecurity has become a serious topic for businesses and consumers. And unfortunately, cyber threats are set aside in favor of other initiatives and become a bigger problem in the long run.

Creating an initial and ongoing cybersecurity plan requires effort. Best practices are chosen, an assessment is performed, recommendations and gap analysis determine resolution, a project is implemented; rinse and repeat. It is like a Technology Alignment Manager (TAM) onsite assessment with an emphasis on securing Personally Identifiable Information (PII) from malicious threats.

To maintain the security of a customer—and their customers—there are three areas to understand: Threats, Exploits, and Vulnerabilities.

  • A Threat is a person or thing likely to cause damage or danger intentionally or unintentionally. Understanding who, what, and where threats originate assists in reducing the risk of a breach.
  • An Exploit is a method of circumventing or taking advantage of a bug to cause unintended behavior to occur. These are often discovered and used by threats to gain access to software and systems.
  • A Vulnerability is a bug or defect that presents a weakness and exposes a system to a threat. These allow unauthorized actions to execute within a system to access confidential information.

The three areas are summed up in a simple sentence: Threats use Exploits to attack Vulnerabilities. Cybersecurity requires detailed attention to all three areas to protect clients. Focusing on one area temporarily relieves risk and is not a permanent solution. Every customer needs a cybersecurity assessment regardless of their industry. Protecting company data is critical and executing the minimum requirements is the least a Technology Success Practice (TSP) can do for its customers.

As of this writing, there are a few templates in our myITprocess software that are available to assist with a company-wide cybersecurity assessment.

  • NIST Cybersecurity Framework (CSF) 1.1
  • NIST 800-171
  • CIS Controls 7.1
  • UK Cyber Essentials

There are many templates available within myITprocess, but this set has particular advantages over others for a general cybersecurity assessment.

  • They are easy to interpret. Many regulations and statutory requirements come directly from the law. It takes a bit of translation to make them understandable for a TAM, vCIO, and the customer.
  • They are industry- and technology-neutral best practices. No specific hardware, software, or service comes recommended by name. This is due to the varying risks different businesses face in their industry.
  • In comparison, they are easy to deploy and maintain. Each of the templates has minimum requirements with maximum effectiveness. Allowing a TAM to maximize their assessment with fewer questions makes a recurring audit workable.

Because these templates are not tied to one industry, they are usable for almost any customer. But take that statement with a grain of salt; industry-specific regulations come with their own set of rules. For instance, a government contractor must follow NIST 800-171, and performing a CIS Controls 7.1 assessment in its place is not advisable.

There is a lot of flexibility for Technology Service Providers to mix and match questions and categories to fulfill a clear-cut need. Vendor- and technology-neutral guidelines contribute to customized assessments by focusing on risk mitigation and not which brand to use.

End User Cyber Security Risks and Training Options

In today’s IT environments productivity is necessary, uptime is essential, and security is critical. The latest hardware and software provide layers of protection in hopes of preventing cyber attacks. The newest technology causes most IT providers to forget the weakest link: the end user.

A typical user focuses on their job responsibilities without prioritizing security risks. A surprising number of security breaches stem from users unknowingly granting administrative access or installing crypto-malware—all due to a lack of user security awareness and training.

Common Malicious Security Risks for End Users

Employees in all divisions within an organization are subject to malicious threats. Believe it or not, computer users are not the only asset regarded as a cybersecurity threat. Warehouse workers, receptionists, and delivery drivers are potential vulnerabilities. Security awareness and training are not intended for a specific group of users, but for the entire workforce. 

Security breaches come in many forms: technical, physical, and administrative. Training employees in these areas reduces risks associated with data breaches, lowers active noise, builds a proactive service provider, and prevents lost productivity.

Baiting

A baiting attack exploits a person’s curiosity. An attacker may leave a USB memory stick in the open—labeled ‘Confidential’ or ‘Payroll files’—to bait a user into plugging it into their computer. Attaching it to a PC would then activate malicious code or files with the intent of accessing company information.

Phishing

Phishing attacks are the most common social engineering technique. Attackers use email, social media, or SMS to trick victims into divulging sensitive information or to direct the user to a malicious website to infect the user’s PC. Like baiting, phishing usually involves a method of attracting the user’s attention by leveraging their curiosity.

A spear-phishing attack is like a regular phishing attempt but targets a particular end user. This is usually accomplished by the attacker impersonating another employee—like a member of Human Resources—and requesting specific information.

Whaling

A whaling attack uses sophisticated social engineering techniques to steal confidential or personal data. The information typically has a relevant value from an economic or commercial perspective. What distinguishes whaling from phishing is the target: an executive or the head of a government agency. The term “whaling” implies there is a bigger fish to capture.

Quid Pro Quo

A common tactic of a quid pro quo attack is calling a user while impersonating technical support. The attacker attempts to befriend the user by fixing their issue in exchange for access to the user’s PC or other information. A user may unwittingly grant access to the individual because they assume the call is coming from their service provider.

Tailgating

This type of attack is a simple and very common attempt at physically accessing a restricted area. An attacker may ‘piggyback’ an authorized employee, delivery person, or warehouse worker by waiting for someone to open the door and stepping through, avoiding security measures. These attacks are common in areas with many employees due to the constant exchange of employees in the restricted area.

Human Social Engineering

Gaining access to sensitive information and security questions is as simple as talking to another person. An attacker will befriend an employee, asking questions to drill down and elicit the data they need. A common example is gaining a user’s trust and having a conversation on topics like their choice of password. The attacker will steer the conversation towards their own process of selecting a password and get the user to reciprocate.

Benefits of User Training

User training provides benefits to the service provider when implemented regularly. Cybersecurity awareness is important and working with clients that trust their vCIO strengthens the strategic relationship.

Implementing a recurring training program creates a steady flow of Non-Recurring Revenue (NRR). Training sessions have the potential to generate multiple revenue projects per year. A Technology Service Provider not prioritizing user training is a surprise, to be sure, but an unwelcome one. Training strengthens and reinforces the strategic relationship. When a customer trusts their IT service provider, they are more willing to accept recommendations. Customers with strong connections do not see expenditures as a sales pitch or revenue-generating scheme, but as recommendations from a partner concerned for their best interests.

Users who identify threats and resolve minor issues on their own reduce tickets, which in turn reduces Reactive Hours per Endpoint per Month (RHEM). A self-sufficient customer—even if eliminating a handful of tickets per month—is a great boost to efficiency. The reduction of RHEM leads to a reduction in tickets and, in turn, to an increase in margins.

At the end of the process, security awareness and user training benefit the service provider and client. There is no reason to deny a customer the knowledge of preventing their own issues. Users who can sustain themselves are much more productive, efficient, and better customers in the long run.

Why Compliance Supports the vCIO Process

I worked as a vCIO for an established MSP in my area. I had the traditional vCIO responsibilities: onboarding new clients, detailing service plans, generating proposals, planning meetings, discussing budgets, consulting, and so on. It was about 6 months into the role when I shifted exclusively to a Health Care vCIO and relied on HIPAA as my compliance backbone.

To solidify my position as the Health Care vCIO, I attended a training course and became certified by a third party in Sterling, VA. I worked with medical practices, dentists, and businesses that managed clinical trials for patients. Having dealt with an array of companies in the industry, becoming familiar with HIPAA compliance was a no-brainer. In fact, even as a novice in the field, I still understood more than the businesses that required compliance. Even better: most of them did not know they needed to be compliant. Interesting, right?

Clients I managed were in the medical industry for years, had many locations, and annual revenues in the millions of dollars. But the sad part is their compliance was lacking. It was lacking to a point where the business owners had no concern. This was a level of willful neglect I had never seen as a vCIO. Why would they not be familiar with Federal regulation requirements?

As Anakin Skywalker said, “This is where the fun begins.”

Regulatory, statutory, and contractual cybersecurity requirements bring vCIO to a whole new level. The benefits of compliance add value to the process and can tip the scales in the vCIO’s favor. A recommendation to upgrade an aging server may get tossed aside, but replacing it to follow Federal law? That can move up the priority a few notches.

A majority of customers needed persistent convincing to spend money on valuable upgrades. Most did not see the value in the MSP besides the unlimited support. There was no incentive to spend money on projects when the Support Desk could patch problems and keep the business running. Our equivalent of a Design Desk and I would spend extra time researching, adding as much relevant information in the proposal as possible; we figured it would create more leverage to justify the expenditure. Sometimes that alone was enough. Other times it would not make the highest revenue customers budge.

When I began to work HIPAA into the mix, there were some noticeable changes in the attitudes of these clients.

The clients with the strongest relationship gave me more attention and opened their availability to meet more often. They started asking questions related to proposed projects or how to increase security by reducing their risks.

Clients with an average relationship sat up in their chairs and began to give their undivided attention. Recommendations still required a push, but their tone often changed when HIPAA was in the mix.

Customers with little to no relationship never truly changed. For the most part, they wanted to hear what I had to say about recommendations and regulations. Some were even interested in moving towards better compliance. But when a proposal had a price tag, they usually put it on the back burner.

A dedicated Health Care vCIO helped during the sales process as well. I had the opportunity to introduce myself before a sale was complete, solidifying my dedication to the industry with new clients from the start. Onboarding new customers was easier when compliance was on the table. Some were already working towards reducing risk and being compliant; they only needed a nudge in the right direction. Others lacking the personnel or knowledge of HIPAA compliance were a bit easier to guide in the long run. As I always say, “We provide the canvas, you provide the paint.”

At the end of the day, we need to remind customers that recommendations are not only about the sale. For a Technology Success Provider and their clients to succeed, everyone needs to be on board with the process. Recommendations benefit both parties when failure to comply is looming over them. This is especially true with HIPAA where a Covered Entity (customer) and their Business Associates (TSP) are liable during a data breach. 

Health care is only an example of compliance. Specific industries have their own compliance standards, but in general, businesses must follow some form of regulatory, statutory, or contractual compliance from a Federal, state, or private entity. Compliance help will guide customers towards Technology Success.

Why Regulations are a Good Thing for Technology Service Providers

Regulations and compliance are a topic that stirs debate among business owners. Whether it’s statutory, regulatory, contractual, or industry best practices, the idea of the government or Nonprofit Organizations (NPO) meddling with profits is often a red flag for business owners. Yet, in some cases, regulations provide a safety blanket for consumers and those affected by products and services today.

While regulations are a nuisance to businesses of all kinds, they provide an opportunity for Technology Service Providers. A service provider can specialize in a particular industry to ensure customers meet compliance. They can maintain a client environment to keep compliance up to date. They also provide ongoing training to keep personnel up to date on the latest cybersecurity threats. Let’s take a deeper look into the benefits of compliance requirements for our customers.

Develop a service structure around industry verticals

Depending on the size and skill set of a service provider, dividing clients into industry verticals works in the proper environment. By separating legal, healthcare, construction, financial, and other client types, each industry receives specialized services from dedicated roles. A TAM, vCIO, and Service Desk role can dedicate their energy towards one set of regulations.

A large benefit to verticals is how recommendations are similar between clients. With the same set of compliance rules to follow, implementations may vary slightly, creating a more streamlined approach to proposals (and some relief to Design Desk). A drawback to industry verticals is resource allocation. In smaller service providers with numerous clients, it is a chore to suddenly divide customers among those in service roles. Larger providers would need ample time to phase out the old method and rearrange clients under individual verticals.

Specialize in a particular industry

While industry verticals may work for some providers, they may not be the right fit for others. Regulations in healthcare, finance, and legal create niche markets to fill a service need. Rather than split customers up, a service provider could concentrate on servicing a particular industry. Taking this concept at face value seems like a great idea, which it is, but it can have some drawbacks.

Specializing in one industry would benefit two types of service providers: startups and those looking to reboot their service structure. These two options present the opportunity to start from scratch and work in the selected industry. A service provider with numerous clients suddenly pulling a 180 could turn into a disaster if not planned and implemented properly.

Add more value to vCIO meetings

A vCIO is, unfortunately, very familiar with rejected or back burner recommendations. Some are a tough sell because most decision-makers feel the investment is not necessary unless something is already broken. A proactive strategy is often an uphill battle.

Regulations and compliance reinforce most recommendations not because the vCIO wants the decision-makers to implement the change, but because they have to make the change. The sentence “We recommend encrypting server data at rest to prevent unauthorized access.” may not sound convincing enough to warrant the project. But “We recommend encrypting server data at rest because it protects against unauthorized access and is required by law.” carries more weight. This sentence as-is may not be the best to use at the next meeting, but it shows how adding a layer of liability makes the case hold water.

Generate additional MRR and NRR

Speaking of vCIO recommendations, regulations and compliance can generate Monthly Recurring Revenue (MRR) and Non-Recurring Revenue (NRR) in addition to normal project work. Implementing changes to a client environment becomes a requirement rather than a need, giving a vCIO more leverage than normal.

Adding MRR would come in the form of raising the All In Seat Price (AISP). When a customer environment is subject to more rules, additional monitoring is necessary to ensure regular compliance. Increasing AISP to cover the extra costs of compliance audits, monitoring, and user training is justifiable to businesses where it is a requirement.

Avoiding regulations is not workable, so the best option is to embrace them. Businesses of all shapes and sizes are subject to various rules from many authorities. As a service provider, the best option is to embrace these rules and help customers achieve compliance. Taking the burden of compliance off their plate strengthens the business relationship and enables a higher level of trust.

Small Business Guidance and Loan Resources

*Please note that the information in this blog post is not advice and TruMethods recommends speaking with proper legal counsel or a financial advisor before making decisions.

United States

Coronavirus (COVID-19): Small Business Guidance & Loan Resources

The United States Small Business Administration (SBA) is offering financial assistance to any business affected by COVID-19 through numerous programs. The list below is a compilation of what is currently offered on their website. Please visit the links for more information or the SBA.gov website for full details.

Economic Injury Disaster Loans and Loan Advance

In response to the Coronavirus (COVID-19) pandemic, small business owners in all U.S. states, Washington D.C., and territories are eligible to apply for an Economic Injury Disaster Loan advance of up to $10,000.

SBA Debt Relief

The SBA Debt Relief program will provide a reprieve to small businesses as they overcome the challenges created by this health crisis.

SBA Express Bridge Loans

The Express Bridge Loan Pilot Program allows small businesses that currently have a business relationship with an SBA Express Lender to access up to $25,000 with less paperwork.

Guidance for Businesses and Employers

The Centers for Disease Control and Prevention (CDC) offers the most up-to-date information on COVID-19. This interim guidance is based on what is currently known about the coronavirus disease 2019 (COVID-19).

SBA Products and Resources

Access to Capital

SBA provides a number of loan resources for small businesses to utilize when operating their business. For more information on loans or how to connect with a lender, visit: https://www.sba.gov/funding-programs/loans.

Exporting Assistance

SBA provides export loans to help small businesses achieve sales through exports and can help these businesses respond to opportunities and challenges associated with trade, such as COVID-19.

Government Contracting

SBA is focused on assisting with the continuity of operations for small business contracting programs and small businesses with federal contracts. For more information on federal contracting, visit https://www.sba.gov/federal-contracting/contracting-guide

Local Assistance

SBA works with a number of local partners to counsel, mentor, and train small businesses. The SBA has 68 District Offices, as well as support provided by its Resource Partners, such as SCORE offices, Women’s Business Centers, Small Business Development Centers and Veterans Business Outreach Centers. When faced with a business need, use the SBA’s Local Assistance Directory to locate the office nearest you.

Other Sources

Your local bank or credit union.

Small business loans from third party lenders.

Other lenders that specialize in small business loans.

European Union

For European Union (EU) countries affected by COVID-19, the EU Commission has adopted a temporary framework for State Aid measures. More can be read here.

Australia

Support for Businesses | Treasury.gov.au

The Australian Government is supporting Australian businesses to manage cash flow challenges and retain employees. Assistance includes cash flow support to businesses and temporary measures to provide relief for financially distressed businesses.


Developing Standards: How To Overcome Initial Hurdles

Nothing comes easy in the channel — that’s for sure. Developing standards takes up a lot of time and energy, but with the right steps and processes in place, an MSP can overcome many initial challenges and gain a significant advantage over its competitors.

What’s A Standard?

Authoritative bodies define standards to help solve particular problems. Typically, standards need to meet the following criteria: introduce a long-term solution to an existing problem; receive mass adoption by the majority; and be easily implemented by solutions providers. These specific qualities apply to standards across all industry types.  

Setting standards prevents fragmentation among clients and streamlines operations, support and the decision-making process internally. Other benefits include the consolidation of products and services offered to clients and more efficient management of each product due to their mass adoption across the board. Here’s an example to consider: Southwest Airlines’ entire fleet consists of Boeing 737 jets. Why is this so?

Well, the answer is fairly simple when you think about it: Southwest’s pilots can fly any plane on any route, and it’s the same exact plane (layout, control, feel); the airline only needs to know how to service and maintain a single model plane (efficiency, speed of repairs); and it’s easier for Southwest to replace or repair planes using the same parts.

How Should MSPs Develop Standards?

MSPs should develop standards around a framework or workflow. Standards should be based on a regulatory body, manufacturer recommendations or vendor information.

It’s best for an MSP to develop standards of implementation (such as installation or configuration of a product or service) around a manufacturer or vendor’s best practices rather than their own. Why? Implementation of these items becomes a “whisper down the lane” problem, where technicians keep passing down problems with adjustments. Eventually, the “best practice” is so separated from actual vendor recommendations that it’s merely a suggestion based on several opinions instead of an actual recommendation.

When crafting your own standards, consider the following: determine what items you support, implement, maintain, monitor and repair on a daily basis; organize all items into proper sections and categories that make sense; establish the proper recurrence for auditing your customers for alignment with those standards; if possible, don’t do it alone; and don’t forget to inform your customers of the standards you have.

There’s No One-Size-Fits-All Approach

Standards vary from MSP to MSP. Why? MSPs have different business models. Some MSPs focus on general technology and support for clients in a wide range of sectors, while other TruMethods members work with fewer clients in specific industries — such as medical or legal. This is why cookie-cutter standards will not work with every client within your portfolio. It’s always best to adapt your standards to your client’s industry.

Again, crafting your standards initially will be time-consuming (I can promise you that much), but after you set some of the above suggestions in motion, your life will become a lot easier. You’ll find the process to be a lot smoother than you had expected it to be.
