IT Support Blog for Small Business Owners

ShellShock Assessment Scan: Assess your Unix & Linux Servers Now

Posted by David S. Mulvey on Wed, Oct 08, 2014

ShellShock Bash BugJust after we have worked our way through the Heartbleed vulnerability a new software vulnerability has been found that might affect any versions of the Linux and Unix operating systems, in addition to Apple Mac OS X within your business.  The vulnerability is referred to as the “Bash Bug” or “ShellShock,” which might allow a remote attacker to gain control over a targeted Unix/Linux computer.

The vulnerability affects a software language called Bash, which is the common part of the Unix Operating System shell that appears in almost all versions of Linux and Unix. Bash is a command shell interpreter, or in other words, it allows the user to type text based commands into a window, and then Unix will run the command.

Bash can also be used to run commands passed to it through another application and it is this Application-to-Bash feature that the vulnerability affects. Environmental values can be sent to Bash using this Application-to-Bash feature. The problem here is that setting environmental values on servers is a powerful way for an attacker to deploy malicious code into the target Unix server and essentially remotely take over and hijack the server.

The governments NIHT regards this vulnerability as critical, since Bash is widely deployed in Linux and Unix operating systems running on Internet-connected servers, such as Apache Web servers. With a successful Bash exploitation, the Attacker can enable remote code execution. This could not only allow an attacker to steal data from the compromised Unix server, but enable the attacker to gain control over the server and potentially provide the hacker with an infected server to launch attacks onto the devices sharing the same LAN as the infected Unix Server.

Has it been exploited yet?

There are limited reports of the vulnerability being used by attackers in the wild. The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious in nature. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network.

Computers running Mac OS X are also potentially vulnerable until you deploy Apple's patch for the vulnerability. Again, attackers would need to find a way to pass environmental commands to Bash on the targeted Mac. The most likely avenue of attack against OS X would probably be through the Secure Shell (SSH), a secure communications protocol.  The Internet of Things (IoT) and embedded devices such as routers may be vulnerable if they’re running Bash.

How would this bug affect your business?

Most IT departments are unlikely to see any immediate impact relating to this bug.  This stems from the fact that an overwhelming majority of these impacted servers are not connected to the Internet.  In order for an attacker to exploit this bug, they would have to have external access to these affected systems, either through SSH, web or publicly-accessible service endpoints. 

What is ANP doing about this?

At ANP we have ensured that our internal infrastructure (much like many of our customers) is not exposed in such a way that would cause concern.  We are continuing to monitor our vendors’ updates & patch releases, and as we receive and digest this information, we will (as necessary) work to address these individual impacted systems with our customers individually.

Bottom Line

Any Linux/UNIX-based device that publishes Internet-facing web pages and/or services may be vulnerable to the ShellShock bug.  This assumes that these websites and/or services are calling direct system functions through commands issued on the web site Application (widely considered to be a no-no from a security perspective) -or- are vulnerable to a remote command execution vulnerability. 

Therefore, a successful ShellShock exploitation of this bug requires three things:

  1. A Linux/UNIX-based device that…
  2. Must be Internet-accessible via public-facing website
  3. And the Unix server will execute remote commands

Here is a breakdown of popular IT manufacturers:

Apple Products

Apple has released a security advisory, for OSX so apply their patch through their standard update process.  ANP believes that implementing the OSX patch is the best approach to lower your potential exposure to attack.

Cisco Products 

Cisco has released a security advisory that details the impacted products.  ANP is continuing to monitor this security advisory as Cisco continues testing & validating fixes for each impacted item.  You can expect updates from ANP as we identify impacted products and customers.  As is the case above with Apple products, unless your device is publishing web pages or services to the Internet (i.e. is publicly-accessible), the risk factor of an Attack is limited.   These devices will however, show up on a security audit if the audit scans the internal network and (as such) should be patched prior to the audit.

Unix/Linux Servers

All of ANP’s Linux/Unix servers have been patched to protect against this bug.  If you have an internal Web Development team that manages your own company-owned Linux/Unix servers, we would highly recommend following your Operating Systems vendors advice on patching. 

Free ShellShock Assessment from ANP

ANP would be happy to perform a free ShellShock assessment scan of your IT environment to look for the ShellShock vulnerability in your Unix/Linux servers and IT equipment.  We will look at your IT systems and let you know if you have anything at risk. Call our office and ask for the free ShellShock assessment at (800) 572-3282. Or click on the Free Assessment button below.

 

Request A Free Network Assessment

Topics: ShellShock Vulnerability, Bash Bug, ShellShock Assessment Scan

When Data Disaster Strikes will Your Company Data Backup be Ready?

Posted by David S. Mulvey on Thu, Sep 18, 2014

data problems resized 600Most IT experts will agree that in order for a business to survive a data disaster, they need some sort of data backup plan or business continuity plan in place. Regardless of the type of plan, or systems integrated, all of your IT systems need to have at least one backup copy. In the last blog, we took a look at the first four tips to help improve your data backups, let’s continue in this part 2 blog with the final four tips.

5. Automate your backups

It can be challenging to remember to back up your data files by memory, especially if your business can become hectic at times. Therefore, you should look into an automated data backup solution. At the very least, you should set a schedule as to when the data backups are conducted and set-up what is backed up. While this is not complete data backup automation, a schedule will insure the copy is created even if you or your IT personnel become busy and forget to make a backup copy.

If you are using data backup solutions like a Cloud Service Provider or NAS (Network Attached Storage) within your office, you can usually automate the process by selecting which files and folders to back up and schedule when they are backed up. The software that powers these solutions will then do this automatically and will often send an email out after the job is run notifying you if it was successful or not. There have been cases where employees have become frustrated by an unsuccessful backup process and simply turned the backup job off. The business owner, thinking their data was being backed up would be in for a bit of a shock when systems crashed. Automation also insures that your backups begin to have reliability and a higher likelihood of a successful restoration if needed.

6. Back up your backups

Copies of your backups are just as important as actually backing up your data. You should keep a second copy of your data backup image just in case something happens to your original backup. While this doesn't have to be carried out as often as the 'regular scheduled' backup, this should be done on a scheduled basis. In order to really ensure backup redundancy we recommend that if your main backup is kept on-site, then the secondary backup should be on another storage medium that is kept off-site. Here at ANP we make backup copies every 30 minutes to an on-location NAS and then copy all the data that changes each night up to our Cloud storage located in Toronto. This gives ANP many backup copies of the data dispersed across different media, and located at different locations.

7. Don't forget data stored on non-physical drives

What I am referring to here is the data stored on different Cloud services for example: your outsourced email, Drop Box files, and non-physical locations. This is especially true if you say have you own servers. It's highly likely that there is company data scattered around on these Cloud services as well, and should they go down and you haven't kept a backup, you may lose important company information.

Essentially, think about critical data that is used in the company, but isn't physically kept on computers. It may feel like this is going a step too far with backups, especially for businesses who use email services like Office 365 or Gmail, however, while the chances of these systems going down are incredibly rare, it could still happen. Therefore, you should conduct a monthly to bi-yearly backup image of the mail boxes just to ensure that Cloud based data is backed up should something happen.

8. Test the viability of your backups

Finally, it is beneficial to actually test your backups from time-to-time to ensure that they are not only working but the data is actually recoverable. If you are getting messages that your automated backups are running successfully, and as a result, you never test them. It would be awful to find out when you actually need to do a restoral, that although the backups were running perfectly, not all of the data that was needed was ever backed-up.

If you do a trial run on recovering your data, you can get a good idea of how long it will take to retrieve this information when you actually need to recover it and you will also confirm that you are backing up everything you need to have a successful restoration. Also, testing is a good way to discover any personnel problems, such as if someone has disabled backups, or someone doesn’t know how to get a successful restoral. This will ensure that your data is there when you need it, and you have trained people ready to recover it.

This completes our two part blog on small business data backups. I hope this was interesting and valuable to you. Want to learn more about small business data backups, disaster recovery plans, and disaster recovery services? Sign up for our Free IT Webinar this month HERE. Not ready to meet yet? You can download a great free white paper about disaster recovery planning HERE.

Topics: backup plan, Data backup, Data Recovery, business continuity plan, data backups, backup solutions

When Data Disaster Strikes, will Your Company Data Backup be Ready?

Posted by David S. Mulvey on Mon, Sep 15, 2014

data disaster resized 600While there are many different and important tasks a business needs to do, one of the most important is to back up your company data. Your data is important often impossible to recreate.  I promise you the day will come (if it hasn’t yet) where you will have catastrophic loss of data. Most business owners realize this and do back up their data, but it can be a challenge to an owner on how to setup and operate a really reliable and low cost data backup plan.  In order to help, I have come up with eight data backup tips, four of which we will review in this blog.

1. Pick the data backup solution that works best for your business

When it comes to backing up the data on your company's PCs and Servers, most small businesses will choose from these 5 options.  In my last blog I discussed how a company could possibly lose (even though they are backing up) and also how much time a company could possibly wait to recover their data while running on manually systems.  The choices below really affect how much data is potentially lost and how long it takes to recover. Let’s look at the choices ranked from least expensive to likely the most expensive:

  • Internal hard drives on A PC or a Server - You can either use another hard drive installed in your computer or partition an existing hard drive so that it functions as a separate drive on which you back your data up. This is a quick option, however should your computer or the hard drive fail - two of the most common computer failures - then you will lose this data.
  • External portable hard drives - These drives are essentially separate hard drives that you connect to your computer via a USB or other connection. Many of these drives allow for one touch backup and can be configured to back up data at certain times. While these can be useful, especially if you want to keep data backups easily accessible, they are prone to the same potential failure as internal drives.
  • Removable drives or media - For example, USB flash drives, DVDs, etc. These are great for backing up work you are doing at the moment or for transferring small files from one machine to another. These options are limited by smaller storage sizes however, so backing up even one computer will likely require multiple disks or drives.
  • Cloud-based backup - This is the act of backing up your files to a backup provider over the Internet. Your files are stored off-site and can be restored as long as you have an Internet connection. For many businesses, this has become the main form of backup employed, largely due to cost and convenience - files can be backed up in the background. The biggest downside of this backup option however is that you do need an Internet connection for it to work and you will see more bandwidth being used, which could result in slower overall Internet speeds when files are being backed up.
  • NAS - Network Attached Storage, is a physical device that has slots for multiple hard drives. You connect this to your network and the storage space on the hard drives is pooled together and delivered to users. This solution is like a mix of cloud-based and external backup, only the device is usually in your office. While it is a good backup solution, it can get expensive, especially if you have a large number of PCs and Servers to back up.

ANP uses a combination of NAS and Cloud based backup; the reason why we choose this solution is twofold. One, by using a NAS in our office we can essentially snap shot our data backups in a real-time mode (so we will never lose any data between a failure and the last backup.)  The last successful backup before a failure typically would be seconds before the outage. This allows ANP to recover all of our data AND because the NAS is on our LAN we can restore applications very quickly (measured in minutes.)

We also use a Cloud-based backup to insure if our office building had a fire or flood, and our NAS device was destroyed, we still have all of our data off site.  The cloud back up restoration would take us a long time to recover, but at least we would have all of our data intact. 

There are a wide variety of backup solutions available, so it is a good idea to sit down and figure out which are best for your business. The vast majority of companies integrate multiple solutions in order to maximize the effectiveness of their backups and spread the risk of losing data around a bit.

2. Split your backup locations

In order to ensure that your data backups are available for recovery should you need them, you should split up the locations where the backups are stored. Should you keep all of your backups on hard drives in the office and there is damage to the premises, you could potentially lose your data. One of the most effective strategies is to have one set of backups on-site, and another off-site which will ensure that should there be a disaster in one location, the other will likely be safe and you will still be able to access your data.  Despite all of the backup technology options available, you can narrow these down to two categories, the fact that the backups are kept in two locations

  • On-site - Data backup solutions that are kept in your office. This could include internal hard drives, or NAS, and even tape. The idea here is that the data backup is kept in your office. Some like USB drives may leave the office, but the main idea is that they are used primarily in the office.
  • Off-site - Data backup solutions are stored off-site, or out of the office. The best example of this is cloud-based backup where your data is stored in a data center, most likely in another region of the country. Another example is backing up to hard drives and storing them in a secure location outside of the office in another branch location or at the owner’s home.

3. Establish a standard naming and filing system

Have you ever seen how people organize their hard drives on their own PCs? Some like to use folders and subfolders that are organized neatly, while others tend to throw files into one general folder or leave them on the desktop. The same can be said for the way files are named.

Because of these differences, in the event you do need to restore the data, it can be difficult to back up and recover files properly. We recommend that you pick a naming and file system that every file and folder will follow across all systems. This means backups will be quicker, you will be able to see what is new, and you will spend less time organizing files.

At ANP we have a written file naming convention that we educate everyone on and enforce the use of.  A standardized file naming and file organization structure goes a long way toward making it easier to find files and recover them should your systems go down. 

4. Determine, which files need to be backed up and protected

While it may be tempting to back every file and folder up, in an effort to maximize efficiency of your solution, it is better to not back everything up. Because you are going to want to be able to restore a backup quickly, it’s worth investing the time to identify what files and folders are to be backed up.

The same can be said for non-work related files. While these may be important to your personal life, they likely aren't to the business so should not be backed up onto your business backups.  Look at each file and folder and see if it has something to do with business decisions, or is in anyway tied to your business. If it is, then it is probably a good idea to keep it and add it to your backup rotation.

In my next blog I will share four more tips regarding your data backups. In the meantime if you want to learn more about small business data backups, disaster recovery plans, and disaster recovery services sign up for our Free IT Webinar this month HERE.  Or if you are not ready to meet yet, you can download a great free white paper about disaster recovery planning HERE.

 

 

Topics: backup plan, Data backup, Data Recovery, business continuity plan, data backups, backup solutions

Disaster recovery planning, ask questions before disaster strikes.

Posted by David S. Mulvey on Wed, Sep 10, 2014

As a business owner, I suspect you wonder if your company could survive a fire, flood or a data disaster. The US Small Business Administration came out with some scary data last year; 90% of small businesses do not survive a fire/flood disaster.   Certainly it is impossible to predict what the next disaster will be, but it's easy to prepare for, especially if you have an effective data backup plan. When it comes to data backup planning there are a few key metrics that you as the owner need to be aware of.  In this blog I will show you what questions you need to be asking and why you need to know the answers.  The survivability of your business might depend upon it.

There are essentially two key questions you need to be talking to your IT employee or your outsourced IT Managed Service Provider about when it comes to data backup plans. The first is how often are the files being backed up: measured in weeks, days, hours or seconds?  This is important because it will give you a sense as the owner just how much data could be LOST if your server failed at any given moment and you had to go back to the last good data backup copy to restore the server and it’s applications from that point in time.

If you are backing up on a per minute basis, you stand to lose very little data.  But on the other hand if you are backing up daily, once a week or once a month, you could lose up to a whole month of company data. Take a look at this graphical representation: 

 RPO Lost Data resized 600

Note the slower the backups occur typically there is a longer amount of time between the backups. A slower back up media (tape) could possibly equate to losing more data.  The inverse of that statement is also true; the faster your backup media (disk based backups), the more often you are likely to be backing up.  With more frequent backup copies, the less company data you can possibly lose during a disaster.  The takeaway point here is the time between your last successful back up and the disaster is the time in which company data is at risk and will be lost.

The second question you need to know is once a data disaster does occur, how long will it take to restore your most recent backup copy on a new server?  It’s important to remember that during the restoration time line, your business applications will not be available.  So ask yourself, “Can your business run for a prolonged period of time without your ERP application or your CRM or accounting software?”  Do you need all of your applications immediately or just a few key apps?  Can you manufacture or provide your company’s service without your software applications up and running?

There are three related questions you need to ask: First, where will a new server come from and how long will it take to get it? You can’t begin to restore a backup until you have good hardware to restore to.  Second, how long will it take to restore the basic Server Operating System?  Finally, how long will it take to restore your application and data on top of the operating system?  Unfortunately the restoral process is completed in a serial fashion: first the hardware, then the operating system(s) and finally the application itself which stretches out the time it takes to recover.  Bear in mind, your business is running in a manual mode during the recovery time.

If you choose to place your backups on a slow media like Tape, your restoration process could take weeks, or if you decided to spend more money on a faster media (on location disk or cloud based disk) the recovery process will be much faster.  But the point is you need to know how long it takes, and then decide if that time line is actually appropriate for your business.  Plus you should plan ahead and determine the logical order in which you want to restore your applications. 

 RTO or lost time and mannual processing resized 600

There are some great business takeaways here: my clients often want to dive into technology discussions.  I prefer to hold a business conversation first.  How much data can you afford to lose if there is a data disaster? How long can your business be without your key applications? Have your employees been taught how to work without their key application in a manual mode?  Data backup planning is much more about your business approach than it is about selecting a backup media technology.

Start Today Idea: As part of your business continuity plan, you need to figure out how much company data you can afford to lose should you have a data disaster.  Then calculate how quickly you need to recover the last backup.  With this planning completed; you can begin to design a data backup task list, a backup rotation schedule and a backup restoral test schedule.

Want to learn more about small business data backups, disaster recovery plans, and disaster recovery services? Sign up for our Free IT Webinar this month HERE.  Not ready to meet yet?  You can download a great free white paper about disaster recovery planning HERE.

Topics: data backups, disaster recovery planning

Data Backup Technologies for your small business

Posted by David S. Mulvey on Wed, Sep 03, 2014

Data BackupsThis month I am going to focus on your company’s data backups/data restoration and the importance of protecting your company data.  When you take a moment to consider the various data backup solutions, it is easy to recognize there are a number of different data backup technologies.  From traditional tapes to on premises disk and data-streaming to the cloud; it can be a challenge to figure out what you need. Let’s take a look at the three main approaches to data backup services with the hopes of helping you choose which one is right for your company.

Three common data backup media types 

When it comes to backing up your IT systems, there are three common technology media types that are used:

  • Cartridge Tapes
  • Disk Drive Arrays
  • Off Site Cloud

Some businesses use all three, while others stick to using just one or two. While each of these technologies deliver the same result - backing up your data - there are distinct differences between each media type.

Cartridge Tape data backups

Cartridge Tape-based backup is the oldest forms of data backup available to businesses, and has been in use since the 1960s.  All large mainframe data centers relied on tape for decades; from large reels, to the more modern cartridge tape assemblies.  While tape media may seem a little anachronistic, there are still manufacturers creating backup tapes.  Sony recently introduced a new tape system that can store up to 185 TB (terabytes) of data on one tape. That's about equal to the storage capacity of approximately 11,800 16GB iPads.

The vast majority of businesses using tape do so as a secondary backup.  They use another system to back up their data, and then back up this backup data onto physical tape which can then be moved off-site and stored in a safe location, should disaster strike.  When the tapes are left on-site the business loses the greatest advantage of tape, which is portability.

There are two serious drawbacks to tape data backups which must be accounted for.  The first issue is that it takes longer to back up data to tape than it does to a disk.  So if you have a lot of data to backup, often, tape is not an option because you don’t have a large enough back-up window to get all of your data on a tape. And the second issue; the tapes themselves are also more fragile and can be prone to failure, leading to corrupt data and unreadability.  This mechanical failure of tape cartridges forces a small business to always test the viability of their tape backups, otherwise, you might be inclined to use a tape for year, and when a failure actually occurs and you go to restore your data from the untested tape cartridge, you discover the tape copy is no longer viable to recover your data.

Finally, if you do need to recover from a tape backup, you are going to have to do so in a specific manner, which means it will take longer to recover your systems than using disk backups. Typically you need to read a few tapes in a specific order to recover a whole server: its applications and data.

Disk Drive Data backups

Disk-based backup solutions use a variety of sizes and styles of disk storage units to copy, archive and recover backups of your data.  The most popular forms of disk storage used are hard drives, often, connected through software into an array.  Because these systems use more modern storage methods, backup and recovery can generally be carried out far quicker than with tape systems, and can be more reliable, especially if you take care of your systems and the disks the backups are stored on.   The added benefit with these systems is that hard disks are constantly dropping in price and increasing in capacity, meaning you can fit more data on fewer devices. This helps keep costs manageable, and may result in reduced costs over time. 

Because disk-based systems are picky about their environment, it is not common to move these devices off site.  So many small businesses will deploy a disk array for local high speed copies and recovery, but in the event of a flood or a fire, the data needs to get offsite.  That’s where tape or cloud storage can come into play.  To get around this, many companies have duplicate systems. They back up to different devices which are kept off-site. This redundancy can help ensure that your data is available, but much like business insurance, it can be expensive to purchase multiple backup solutions.

Off Site Cloud data backups

Cloud solutions are becoming popular because they are inexpensive, and they help a business owner regularly get their company data out of their office.  Cloud, or streaming data backup, utilizes off-site technology to host your backups in a remote and secure data center.  Most small business solutions work with data backup service providers who host the backup servers in the cloud and the business then connects their servers via a secure network connection to the Cloud storage facility.

The biggest advantage of cloud systems is that they are generally inexpensive and much more reliable than tape.  This is because you don't need to have the systems in your office, which means you don't need to pay for the data systems and the upkeep associated with them.  Cloud systems are also less labor intensive because they can be managed by your IT service partner.  Aside from being easier to manage, backup and recovery is usually quicker with the cloud because you can set up a solution that continually backs up your data.  As long as you have an Internet connection, you will usually be able to restore your systems in a matter of hours.

While the cloud is becoming the most popular backup solution, there are some drawbacks.  You need a higher bandwidth Internet connection if you want to be able to back up while also working. This may require you to invest in a better network infrastructure.  

Each data backup technology has its place.  Each data backup approach will work, although one is often more appropriate than another.  If you are considering reviewing or creating a data backup plan and need some help you can reach out to us at ANP.  Or if you might be ineterested in outsourcing your data backup service to an IT service provider like ANP, please dont hesitate to call us.  Would you like to learn more about ANP's data backup solutions which are either in your office or in our data center, click here. ANP is also offering a 30 minute free webinar regarding data backup and what every CEO should know about thier data backup, register here. Or if you are not ready to meet or talk, you may download these two great white papers regarding data backup:

 

5 Steps To Prepare Disaster Recovery12 Little-Known Facts Every Business Owner Must Know About Data Backup, Security and Disaster Recovery

Topics: Data backup, data backup services, Data Recovery, data recovery services

Small Business IT Outsourcing Economics

Posted by David S. Mulvey on Wed, Aug 20, 2014

outsourcing economicsAs a small business owner you should evaluate if you should hire your own IT employee or consider outsourcing your IT to an IT Service Provider or Managed Service Provider (MSP).  Nine times out of ten, Owners take the more traditional approach and hire a single IT employee, and unfortunately that decision to hire one IT employee rarely works out.  If you are curious why I feel a single IT employee rarely works out take a look at this blog

Today I will focus on the economic comparison of IT in-house (doing your own IT) versus outsourcing your IT to an MSP.  Let’s consider the cost for a typical small business initial IT employee.  If we can agree on an annual salary of $45,000 for someone in the Philadelphia region with one or two years network administration experience, and we add on all of the burdened costs (Employer Social Security, Federal Unemployment, Medicare, a 401K contribution and a single persons health insurance) is it fair to add an additional 25% to the salary? Your first IT employee is costing your firm $45,000 X 25% or $56,250 a year. Of course your mileage may vary; I think this is a fair estimate and will be useful for my economic analysis.

The next set of costs is the proactive IT tools that should be purchased by your IT employee to insure you have a good result with your IT systems.  If you are interested in a more in depth look at what proactive IT effort is and why it’s important take a look at this blog. The two most important proactive disciplines that your IT employee must do are Anti-virus and Spam/Malware.  For the sake of simplicity let’s assume you can license the software for $15 per PC and Server per month for an annualized cost of $15 X 12 months or $180 per device per year.  Ideally, your IT employee has also purchased a service incident ticketing system and an automated toolset to insure your PC’s and Servers are being patched every week, but lets keep these costs outside of our analysis to keep the comparison simple. 

The IT Service Provider will have numerous service plans and pricing options. They will range from the simple and least expensive Time & Materials hourly rates, to prepaid block-of-hour plans.  Either of those approaches to IT are solely reactive in nature and don’t include all of the IT proactive disciplines that are necessary to insure your company gets a good IT result: read this blog if you want to learn more about reactive IT provider plans.  The best way to fairly compare an internal fulltime IT employee to IT outsourcing is to purchase a Fixed-Monthly-Fee, all you can consume, reactive & proactive IT plan.  These plans typically include a periodic meeting with an outsourced Chief Information Officer (CIO) to assist in budgeting, planning and reviewing the IT work that is being done on your behalf each month.

ANP’s fixed-fee plan is called Turnkey-IT and provides for everything (and more) that an internal IT employee would be doing for your firm. So let’s take a look ANP’s typical pricing model for Turnkey-IT and use it as a basis for comparison.  If a client commits to Turnkey IT for a three-year term, ANP would charge $50 per month per PC workstation or $50 X 12 months for an annual cost of $600.  A server (which in inherently more complicated than a PC) would be $195 per month or $2,340 per year. (There are additional charges to manage a Firewall or Internet connection that can vary from $90 to $180 per month, which I will leave out of this comparison for simplicity.)

Using our pricing information let’s compare monthly payroll costs of IT in-house to the monthly IT outsourcing prices and try to determine a breakeven point using five typical small business IT infrastructures.  I will project out the small businesses annual costs with 10 PCs all the way up to 200 PCs.  Choose the business size that most closely represents your company. Or better yet use my numbers and determine your own annual IT in-house and IT outsource pricing.  Our next blog will focus on businesses that have yet to hire a single IT person.

Small Business with 10 PCs and 1 File server:

 

Fulltime IT

AntiVirus/Malware

PCs

Servers

Total

In-Sourced

$56,250

$1,800

-

-

$58,050

Outsourced

-

-

$6,000

$2,340

$8,340

 

Small Business with 25 PCs and 3 Servers:

 

Fulltime IT

AntiVirus/Malware

PCs

Servers

Total

In-Sourced

$56,250

$5,040

-

-

$61,290

Outsourced

-

-

$15,000

$7,020

$22,020

 

Growing Business with 50 PCs and 5 Servers:

 

Fulltime IT

AntiVirus/Malware

PCs

Servers

Total

In-Sourced

$56,250

$9,900

-

-

$66,150

Outsourced

-

-

$30,000

$11,520

$41,520

 

Growing Business with 100 PCs and 6 Servers (need to add 1 additional IT employee):

 

Fulltime IT

AntiVirus/Malware

PCs

Servers

Total

In-Sourced

$56,250

$19,440

-

-

$75,690

Outsourced

-

-

$60,000

$14,040

$74,040

 

Larger Business with 200 PCs and 12 Servers (added 1 additional IT employee):

 

Fulltime IT

AntiVirus/Malware

PCs

Servers

Total

In-Sourced

$56,250

$36,000

-

-

$148,500

Outsourced

-

-

$120,000

$28,080

$148,080

 

Did you notice that at no time was IT in-house less expensive than IT outsourcing?  IT outsourcing for a small business is always less expensive than doing IT yourself! But I feel there is much more to this story. Remember we used a single IT employee to model out our internal IT costs? There is no way a single IT employee is going to successfully support 100 or even 200 PCs by them self. Your employees get sick, they take week long vacations; once you are large enough to have 75, 100 or even 200 PCs you and your employees are not going to tolerate having no IT support in place during your single IT employees’ week long vacation. So the truth is as you grow through 75 to 100 PCs the IT payroll would most likely double (which we did not add to our analysis.) As you grow through 100 to 200 employees IT outsourcing becomes even more compelling because your internal IT costs to successfully deliver reactive and proactive IT support will cost two to three times more than we have modeled here.

We have just compared your potential IT payroll costs versus outsourcing your IT from a simple economic standpoint.  There are even greater operational benefits to IT outsourcing: your IT Service Provider should have 20 or more IT experts, each with unique, deep expertise in very specific IT disciplines such as Routers, Firewalls, VoIP phone systems, Virtualization, Back up and Disaster recovery.  Hiring a single entry level IT employee pales in knowledge and expertise that an IT Service Provider can bring to your company when needed. When you outsource your IT, you will never have another IT sick day, or IT vacation day or even an IT employee asking for a raise or quitting with just two weeks notice.  IT outsourcing is the perfect solution for a growing small businesses that need to focus their employees and payroll on the growth of the core business and not become distracted with ineffective and costly IT employees.

I would love the chance to talk to you about your business and your IT needs, click here if you would like to meet and discuss IT outsourcing.  If you were not ready to talk, perhaps you would like to download one of our IT outsourcing whitepapers here.

Topics: IT Outsourcing economics, Economics of IT outsourcing, IT solution economics, MSP IT outsourcing economics

Building an effective IT support department and when not to.

Posted by David S. Mulvey on Fri, Jul 25, 2014

Three person IT DepartmentChoosing the right IT organization structure or the right IT organizational chart, are common issues within a growing business. They are also issues filled with many traps. I have shared my thoughts with you before this blog on the types of work that must occur in an IT department (Reactive & Proactive); today let’s talk about how you should staff the IT department to get the work done.

Gartner (an IT think-tank) has suggested CEO’s should not think in terms of an IT organization model or in other words an IT org chart. Instead, CEO’s should think in terms of an IT Operating Model. I completely agree and the reason is simple. An IT Operating Model defines IT service delivery ownership and responsibility for each IT employee. In this way the IT Operating Model is an accountability framework, not a service delivery model. Each IT employee has specific things they must deliver, and if they are delivered, the company will have a great IT experience.

Let’s break-down the IT Operating Model into employment roles that need to take place in an IT department to insure a great IT outcome:

 

  • Reactive IT Support: This is essentially anything that breaks and needs to be reactively worked on. These are Users issues, server issues and network issues. The work is never scheduled and because the issue affects IT systems it must be repaired quickly. Reactive support work always trumps all other kinds of IT work and that is why there is a second role in addition to Reactive support.
  • Proactive IT Tasks: This type of work is scheduled and planned for. Staffing it separately from Reactive support allows you to be assured the proactive tasks will actually get completed. By completing this work you can be assured that Reactive support will decline. Proactive work is focused on maintaining IT best-practices most of which is under-the-covers for all users. Work like patching, antivirus, malware, active directory policies, and managing and testing backups are all Proactive tasks. As you successfully implement a Proactive strategy, you should expect your Reactive work load to dramatically decrease.
  • IT Automation Toolsets: Ideally an IT department will purchase, deploy and actively operate an IT automation tool that will automatically insure that all Proactive tasks are completed, and will notify an IT employee when they don’t work. The idea is to automate as much of the IT Proactive drone work as possible and reserve the available IT labor for the things that didn’t work as planned. Without an automation toolset, the Proactive IT employee must do everything manually, which is boring and tedious. Without an automation toolset, ultimately the IT infrastructure will break down as IT settings begin to drift away from best-practice-standards.
  • Workflow & Service Ticketing: Once you have the team in place, you need to organize the work and manage response times and labor utilization. By purchasing a service incident ticketing product you can enable a secure portal. All of your employees enter tickets through the secure web portal. Then the system assigns the work to the appropriate IT engineer. This approach also works for the Proactive tasks; each repetitive IT task should be scheduled and assigned to the proactive engineer as the work is scheduled to be accomplished. A ticketing program also helps the IT team learn what the repetitive issues are so that the engineers can begin to become proactive and determine what the root cause issues are underlying all of the reactive incidents. Once these root-cause issues are isolated and proactively fixed under-the-covers, reactive support will go down and the User community will enjoy higher up-time.
  • IT management or oversight: At this point you have hired two ITemployees: a Reactive and Proactive IT tech serving entirely different but both necessary roles. So who manages these employees and provides oversight to insure the work is really getting done and getting done well? An IT manager will provide the oversight and the vacation and sick day coverage for the other two technicians. But the IT manager will also serve in the role of holding strategic IT meetings with the CEO and CFO of the business. The IT manager should learn and understand the executive team's business goals so that the IT department can work towards those goals. And the IT manager must also provide meaningful dollars and cents reports about the effectiveness of his department. Data like: application up-time, network availability, reactive support desk incident numbers and the average time to remediate an incident. Proactive tasks should also be discussed and reviewed. The IT manager should be able to measure the daily and weekly utilization of his team so that management cans see where the investment in IT payroll is being spent on.

From this IT Operating Model a small to mid-sized growing business could easily support 2000 + PCs and 100 servers. If the IT manager was paid $90,000 and the two IT engineers were paid $70,000 each the departments burdened cost would be approximately $310,000 annually. Or look at this another way, each PCs support is $155 a year. I would go so far as to say, if your business is smaller than 2000 PCs and you are not really interested in hiring three people into an IT department, you should consider IT outsourcing versus in sourcing. Many of our clients are never satisfied with a one-person-IT department because the balance between reactive support and proactive tasks is difficult to maintain with a single employee. That is not to say that globally it can’t be done, I’m simply stating it’s unusual for a single IT employee to be able to strike a balance between reactive fire drills and methodical proactive planning and work. Would you like to learn more about IT outsourcing or running your own IT department? Here a few links you might find interesting:

The Benefits of IT Outsourcing click HERE

Small Business Support IT Solutions click HERE

The Seven Signs to Help you Know when to Call for Help Click HERE

What A Business Owner Should Expect From Outsourcing

Topics: Reactive IT Support, IT Solutions, IT automation, IT department, Proactive IT tasks, IT Outsourcing economics, Economics of IT outsourcing

Why a Single Employee IT Support Department Rarely Works Out

Posted by David S. Mulvey on Sun, Jul 20, 2014

Single IT PersonWhen people talk about their single employee IT support department, they always discuss the things they’re not getting, the applications they can’t run, and the long time it takes to get anything supported or completed. If a business had as many gripes with an external vendor, that vendor would’ve been dropped long ago. But single person IT departments have endured as a necessary evil because they are set up as a forced internal vendor.  The problem is rarely the person sitting in the IT seat; it’s the structure in which the IT department has been set up.

From the start a single person IT support department has a monopoly on the “computer problem” – such monopolies have a tendency to produce the customer service you’d expect from a Government agency. The IT department (the single employee) has all the power, they’re not going anywhere (at least not in the short term), and their customers (other company employees) are seen as mindless idiots. There’s never a feedback loop in place for improvement.

I’m a business owner and I can see over to the other side of the fence. IT departments are usually treated as a cost center, a necessary evil, just above the shipping department and office maintenance in the corporate pecking order. The IT department never wins any bonuses or accolades when the IT infrastructure just works, but they face the wrath of everyone when email is down!

So why are millions of small business IT departments set up to fail? And why do they often underwhelm their fellow employees? One reason is they are set up using the same logic as any other department, “If I hire an employee to do a duty, everything will be fine: put a check mark next to that need, we have it covered.” The tragedy is that the single IT department comes from the mind of a non-IT manager. Often hiring one employee to cover a single business role has reinforced the small business owners behavior.

I have shared in another blog; there are essentially two types of work that must be completed for successful IT outcomes. Both of these work types compete for the attention of the single IT employee, and unfortunately, even tragically in my opinion, one type of work wins out and the department is never able to achieve and deliver  IT success.  There are Proactive and Reactive work types that must be completed. Reactive IT support, such as “my PC has a virus,” or “I need a new password I am locked out,” or “I cant print,” always take precedence over the Proactive IT support work that ensures your network runs quietly. Proactive tasks are running anti-virus updates, quarantining viruses, updating Microsoft patching, checking Active Directory and security settings.  Proactive work should be scheduled and completed in a methodical fashion.

The challenge is that as the Proactive work is deferred because the Reactive IT support is screaming to be done by the Users and the longer the Proactive tasks are deferred the more likely Reactive issues will crop up.  It is a vicious cycle; the single IT employee is doomed to fail, because he is unable to control when a Reactive service issue will occur.  By there very nature, the Reactive service issue demands the IT employees time NOW. So the proactive work goes un-done day-after-day and finally the department is smothered by viruses and a lack of patching and everyone in the company seems to have an IT issue.

I can't tell you how many times I have met with a frustrated business owner who tells me how his IT employee is not getting the job done and everyone wants the owner to fire the poor guy.  Unfortunately few owners are trained in IT practices, and had no idea, when they hired a single IT employee the outcome was almost assuredly established.  If an Owner really wants a successful in-house IT department they need to hire for both functions.  There needs to be a full-time Reactive IT employee AND an additional full time Proactive IT employee.  It’s a classic division of labor. To be fair, I should note, there are IT techs that can balance between Reactive and Proactive work and in those cases a single IT employee is going to do a great job for a small business.  Once established reactive issues no longer trump getting the best-practice proactive work completed and over-time the business will enjoy a high performance and reliable IT environment!

Unfortunately how many small businesses can honestly afford to hire two IT employees and then manage their unique job roles? It’s unlikely in my opinion (I rarely see it) and that is why there is a change in the air: it is IT Outsourcing.  The change that is coming allows a small business with 10 or more PCs to outsource their IT department.  An Owner can hire a focused IT delivery company that employs the Reactive, Proactive and managerial oversight with developed and mature processes that are remotely deliverable.  Dealing with Technology has gone from something only for the techy geeks to something much more mainstream.

You no longer need a tech person at the office to man “the server room.” Responsibility for keeping the servers running has shifted away from the small business IT department. Now you can get all the services that previously required s full-time IT employee from a local IT Service Company such as ANP.

The transition hasn’t happened over night, but it’s long since begun.  At ANP we began offering remote IT outsourced services back in 1998. The companies who feel they can do without an in-house IT department are growing in number and size. It’s entirely possible to outsource the IT department for a 10 person to 2000 employee business. I see it everyday, and once the owner and the employees see that IT outsourcing is faster, better and perhaps most importantly cheaper: they never go back to their ineffective single employee IT department.

If you would like to learn more you may download a whitepaper on small business IT Outsourcing HERE or if you would like to meet and talk about IT outsourcing you can request an appointment HERE.  Or watch a webinar regarding single person IT departments by signing up below.

FREE IT Webinar The Secrets to Running Your Small Business IT Click Here to Get Started

Topics: IT Support, Reactive IT Support, Proactive IT Support, single employee IT support department

Apple is taking a Bite out of Windows: how about Your IT Solutions?

Posted by David S. Mulvey on Sat, Jul 12, 2014

Apple is taking a bite our of windowsIs it possible that Microsoft’s dominance in the Enterprise is coming to an end? The software company VMware thinks so. They recently wrote on their blog that in a survey they just conducted based on responses from 376 IT professionals on the challenges and relative advantages of utilizing Apple products in enterprise settings. In the VMware survey, 73 percent of IT professionals reported overall employee user preference for Macs over traditional PCs; even though Apple’s desktop offerings are not as compatible with application software as their PC counterparts.

Why should a business CEO take note of this shift? Well the reason stated in the survey is that Users believe Macs are just easier to use. Why are IT professionals throwing their support behind Macs over PCs? It's not about PC compatibility: 40 percent said their decision was based on having access to Mac-only applications. Increased enterprise security also wasn't a key decision criteria, as 75 percent of respondents said Macs take just as much effort as PCs to protect. In the survey 70 percent of companies said they currently support Macs in the workplace, the ultimate decision once again came down to Mac’s perceived “coolness factor”—users think they are easier to use, better designed and possess nicer displays than PCs.

Apple has done an amazing job in the last year assuring IT managers that Macs can be brought into a Microsoft LAN business environment. Macs can be locked-down with the same level of controls that are available for PCs. So Macs are certainly enterprise ready machines, and that goes for the whole product-line from the iPhones, to the tablet iPad to all of the MAC laptops and servers.

As a business owner, do you feel it would be advantageous to allow an employee to use any device they want, as long as you can control the device while it is on your company network? I can assure you that all of the younger Generation Y employees want to use their own Apple laptops and tablets at work, not your old company Windows PC. I would say many of my employees are using their Mac or an ANP owned Apple device at work every day. I feel as if offering the option to allow your employee to bring in their own preferred device to your workforce can be an HR competitive advantage. Nine times out of ten it’s going to be an Apple device.

Personally, my business and my family were longtime Windows users; I have converted completely over to Apple devices: 2 iPads at home, 2 Macs at home and I carry an Apple MacBook Air and an iPhone. I will never go back to Windows. Overall the transition from Windows to Apple has come with some bumps and bruises but I was an early adopter. If you and your workforce made the switch today, it would be painless. There is no question that the Apple devices are more expensive, but if you can get an additional year of use out of a Laptop, the premium you paid at first becomes a huge savings over the extended lifetime of the product. I see both HR and financial reasons to migrate away from Windows and towards Apple.

While the overall sales of PCs are still much larger than those of Macs because of enterprise purchases, Apple has seen some great progress in the desktop PC world where Microsoft has not. Gartner is reporting about 2.1 million Macs sold in Q4 2013 for a 28.5 percent year-over-year increase in sales, compared to PC’s meager 2 percent growth in the same period. Apple’s CEO began talking about the “Post PC era,” last year. Here at ANP, I have seen Windows operating Systems growth decaying; PC sales are being cannibalized by Apple. But to be fair, VMware’s survey said, while many companies support Macs in the workplace, there will still be a long way to go before Macs can claim full dominance over Microsoft.

It's important to remember that with such a small sample size (376 surveys) it’s difficult to gauge whether these statistics are representative of all IT professionals. However, as a self-proclaimed Apple watcher, I believe it is fair to point out that the survey does yield some interesting statistics on the starting shift in enterprise thinking from PCs to Macs.


So while Macs might not be the right fit for your companies because of their differences from legacy PCs, it seems users want to work on an Apple Machine in the work environment. It remains to be seen whether they will ever completely overtake PCs in the workplace, but it looks like the battle for the hearts and minds of enterprise users has begun to shift over when it comes to Macs over PCs. Would you like to meet to discuss how you can begin to allow your employees to bring in thier devices to work and then lock them down on your network? ANP would be happy to hold a free seven step strategic session with you register here. If you are not ready to meet yet, please consider downloading our whitepaper called, "Seven signs its time to call for computer support." you can download that whitepaper here.

FREE IT Webinar The Secrets to Running Your Small Business IT Click Here to Get Started

Topics: IT Solutions, Apple's post PC era, Microsoft dominance, Apple in the enterprise, Generation Y employees

Reactive IT Support or Proactive IT Support: What comes first?

Posted by David S. Mulvey on Tue, Jul 08, 2014

chicken or the egg resized 600What comes first the chicken or the egg? Much like that question, IT Support is full of conundrums-questions that don’t have clear answers. Two very different and equally important types of work govern IT support. It’s so important for a small business owner to understand the differences so you can manage your company’s approach to IT and expect the appropriate IT result based upon your approach that you choose. In 30 years of IT support I have never met a business owner that understands this basic concept (because they are not IT professionals) and as a result their IT solutions suffer.

The two competing support services in IT support are Reactive IT Support versus Proactive IT Support. Reactive IT Support includes things that have an immediate work stoppage and typically require human intervention.  They are unplanned events and therefor you must react to them. For example here are a few common reactive support issues: a printer has stopped printing, a workstation has a virus, or someone cannot log onto the network. All of these require an employee or a Time and Materials tech to work on to get the employee’s machine business process back up and running again. These unplanned events can easily consume the time of an IT department. Unfortunately working on and solving reactive issues never helps you get to root-cause of the issue and so the IT support issue is often likely to reoccur over and over again. Because Reactive IT Support can be so consuming, the IT employee never has a moment to break away from the drone of reactive service support to start to look at the root-cause of their issues.

The other type of IT Support is referred to as Proactive IT Support which as the name implies is work an IT employee does before something fails to insure that all of the under-the-covers technical things are set up correctly and operating as they are meant to be. Proactive IT Support is all about instituting and insuring that Microsoft best-practices are in place on your workstations, Servers, Active Directory and other technical settings. Proactive IT Support are technical things that you do to insure that reactive tickets don’t occur, for example: Windows patching, Anti-Virus definition updates, scanning, and guaranteeing. Applying Microsoft security best-practices to Exchange, Active Directory, and your Group Policies are great Proactive IT Support topics. Proactive IT Support also focuses on your backups, are they running successfully, have you tested a back up to insure your backups can recover a file, an application or a complete server? Proactive IT Support is always planned and scheduled.  It is always proactive never reactive. Proactive IT Support is always focused on setting up a list of technical things that must be completed and checked on.

I started this blog by saying that Reactive IT Support and Proactive IT Support compete with one another.  What I mean by that is Reactive IT Support always trumps Proactive activities. Reactive business issues will always trump planned proactive IT events.  For instance if Mondays are the day that you have planned to do all Proactive IT Support for patching, and there are Reactive service issues that occur all day long, you are going to handle and remediate the Reactive service issues before you would do the planned Proactive activities. In the mind of the IT employee, they are thinking I have to get these reactive issues solved so that the employees can get back to work and they are also thinking I can delay the proactive patching one day that will not impact anything. So can you see that Reactive IT Support always trumps Proactive IT Support?

When Reactive IT support is done at the expense of not doing your Proactive IT Support, you can imagine what happens? As the Proactive work is deferred and then ignored, the number of reactive issues dramatically increases. If and only if you can get all of your Proactive IT Support tasks competed reliably and on time, only then does the Reactive IT Support begin to drop off and you have a nice and quiet network. Conversely when Reactive issues increase Proactive planned work is not completed and the network slowly drifts away as best-practices decay. As best practices drift, system performance suffers and downtime increases. It is a vicious circle.  That’s why I ask is it the chicken or the egg that comes first? So too for Reactive and Proactive IT Support, which comes first that’s a real IT conundrum.

This complex interwoven relationship between Reactive and Proactive processes is the reason why almost every single IT employee department ultimately fails. You cannot place one person in an IT role and expect them to balance Proactive IT Support (that they fundamentally understand they should be doing) and have them doing 100% Reactive IT Support every day. Over time the network will become so unreliable that the owner will throw their hands up in complete disgust because they are spending money on IT payroll and yet getting unreliable systems and unacceptable downtime.

A business owner needs to understand that there really are two competing types of work that must be done in tandem within an IT department that two people are required at a minimum to get a reliable and good IT result.  No one person can perform both roles, but two people can each be assigned a single role: one focuses on user and system Reactive service incidents while the second focuses on Proactive IT Support tasks. And ideally, an IT manager is in place to inspect that the Reactive IT Support is being accomplished on time and the manager is also inspecting that the Patching, Anti-Virus and Malware and backups are also running and up to date. So there are three people and that covers someone getting sick, taking vacations or going to training. How many small businesses can afford to invest in three fulltime IT people?  I don’t see that payroll investment until you have 100 to 200 employees, and even then the IT manager doesn’t fully understand the need for Proactive IT Support delegation.

I believe this is why IT Outsourcing is becoming very popular with small businesses.  It is simply more cost effective to outsource your day-to-day Reactive and Proactive IT Support rather than self-staffing and doing it yourself. Here at ANP we have specific engineers that handle Reactive IT Support and different engineers responsible for the planned best-practice Proactive IT Support by dividing the labor types and then having strict measurement systems monitoring quality of the work. ANP (and other Managed Service Providers) can promise to you contractually that you will have a high level of network predictability and uptime all for a monthly fixed fee because both the Reactive and Proactive IT Support practices are all being reliably delivered.

In the end, who cares if it was the chicken or the egg that came first?  What matters is you have a reliable and cost effective IT solution. By understanding the underlying forces that compete for your IT employee’s attention, you can manage your way to a reliable and predictable IT network environment! Want to learn more about how to run your small business IT department? Sign Up for our Webinar below by clicking on the box.

FREE IT Webinar The Secrets to Running Your Small Business IT Click Here to Get Started

Topics: IT Support, IT Outsourcing, Reactive IT Support, Proactive IT Support, IT Solutions

Subscribe By Entering Your Email

Follow ANP



Latest ANP Blogs

Browse by Category