Many Havoc Shield clients work with a Managed Service Provider (MSP) for their broader IT needs -- things like provisioning laptops, configuring telecom closet equipment, setting up VoIP phones, helping employees set up their bluetooth headset, etc. We love it when a client works with an MSP for those types of needs -- it accelerates our ability to help on the cybersecurity front, with penetration tests, security awareness training, endpoint security, dark web scans, etc. The collaboration between Havoc Shield and MSPs has been great, enabling each of us to focus on what we do best. And it's all a part of making sure that you don't have to be your own IT Director.
Along the way we've come to realize that different MSPs have very different philosophies when it comes to how they believe clients are best served. Here we'll discuss 7 crucial questions that you should ask when choosing an MSP. There is no "wrong" answer to any of these, but it's important that your preferences are well aligned with the MSP's services. With these questions in-hand, you'll be able to suss out whether a particular MSP is a good match for you.
You should be thinking about what kind of interaction model you prefer when it comes to you or an employee having a routine helpdesk type of issue that you need resolved. For example, a bluetooth headset that won't pair, a hard drive crash, or a licensing error message popping up in Microsoft Office. Many MSPs will have a ticketing system where any phone call or email to their helpdesk is immediately followed-up with an email to you with a ticket number. The purpose is that you can then ask -- without ambiguity -- what the status of ticket #523 is (for example). That's one way.
Another way is that MSPs take responsibility for keeping track of your requests and handling them in such a hands-on way that they are able to personally follow-up / return your call / return your email without the need for a ticketing system. The types of MSPs that take this approach often still have an internal ticketing system, but they try to keep the interaction with you and your team feeling less robotic and more personal, even if behind the scenes there really is a ticket number.
What do you prefer? It's worth asking how the MSP handles ticketing, to see if their approach feels right for your organization.
In the day-to-day of replacing hard drives, provisioning laptops, adding G Suite usernames, etc., it can get lost in the shuffle that there is an occasional need to pop out and talk at a strategic level. Examples of topics that might otherwise get lost in the shuffle, are:
Suffice it to say, there are topics that are easy to push off on a day-to-day basis, that do need occasional strategic-level discussions. Does the MSP anticipate having that type of discussion quarterly? Yearly? Monthly? Upon request? Make sure their answer feels right to you.
The majority of MSPs that we work alongside, charge clients on a per-workstation per-month basis. For example, an MSP might charge $100/workstation per month. Have 10 employees each with their own workstation? That'll be $1000/month. That structure (of course, the precise dollar amounts vary), is pretty normal in the MSP world. If the MSP you are working with has a different fee structure in mind (perhaps hourly for each/every thing you ask them to do), it's worth digging in to understand whether that's a fit. What you don't want is a billing arrangement that feels overly burdensome, or too difficult to scrutinize if you feel you are being charged unfairly.
Also ask about extra charges. Are there special charges for an on-site visit? Special markups when you order new hardware through the MSP? What else?
By asking these questions, you can have a meaningful discussion about whether the proposed fee structure works well for your particular preferences.
Acronym warning/alert! Many MSPs install RMMs.
Let me rephrase. Many of them install a small application on each computer/laptop in your company. The small application they install is called an agent -- or, to get technical, a Remote Monitoring and Management (RMM) agent.
Why do they do it? They do it so that they can remotely install additional software, help with investigating problems that you report about your computer, and sometimes allow you to share your screen with them if you want to walk through a problem you are having.
Ask the MSP if they install an RMM -- not just to impress them that you know the right questions to ask -- but also to get into a good conversation about how the MSP helps employees that have some problem on their computer/laptop. Whether their answer is that they use an RMM to help remotely, or that they have some other strategy involving either phone or in-person visits, you'll be better off knowing the gameplan in advance.
We're not afraid of controversy, so we'll walk right into this one. Some MSPs strongly recommend cloud backups, others recommend local backups, and many recommend both.
The group strongly in favor of local backups tends to advocate for the idea that a speedy data restoration process -- for large datasets -- can be hard to achieve when you have months or years of data to restore from a remote cloud service. And that with the right encryption settings, your local backup is extraordinarily low-risk in terms of the potential that a physical intrusion could lead to malicious access to your data.
The group strongly in favor of cloud backups tends to retort that there is no way you (or they) could have a more complete/sophisticated data backup redundancy plan than what exists in the very elaborate clouds hosted by Microsoft, Amazon, Google, or others. And that even thinking that you can do better than those large / sophisticated cloud providers can do, is foolish.
The group that recommend both (cloud and local) tends to see the value in both arguments, and suggests doing both.
Which argument do you buy into? When you ask MSPs about their data backup strategy and recommendations, we'd urge you to be open to hearing their perspective in detail. You might learn something you didn't know about the nuances of data backup, that sway you to consider a strategy you would not previously have preferred.
This is a biggie. Many MSPs keep their costs down by helping you and your employees remotely. And generally, we'd say that's the mainstream way that MSPs operate. Are you good with that?
Candidly, if you prefer frequent on-site help with very little remote help, please know that your preference is more of a niche preference that may require a greater breadth of search to find an MSP that is able to deliver on your needs.
SLAs are Service Level Agreements that help you and the MSP align on how quickly they need to respond when you report an issue or ask for assistance. There are a few "gotcha" things to watch out for, though:
Candidly, most MSPs operate on a model where they know that it is possible that a client can choose to replace them (often on 60-90 days notice). So, if you are working with an MSP that is genuinely appreciative of your business, you should be able to nurture a relationship where you can sometimes ask for help "even faster" than the SLA, and they can sometimes ask you for patience that is a little more generous than the SLA specifies. And we think that's wonderful, when the MSP relationship evolves in that manner.
When you are evaluating MSPs, please ask a lot of questions. When you are selecting an MSP, be aware that there are 6,000+ of them in the United States. You have options. You have choices. And you want to work with one that fits your preferences and needs. The above questions should lead to a very enlightening discussion with any MSP that you are evaluating, and give you a great sense for whether there is a mutual fit. And, don't forget to involve Havoc Shield as the "Plan to Proof" cybersecurity provider standing alongside your MSP. We'll be delighted to help.