Ed. note: This is the latest in the article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.
MSPs in the Crosshairs
It is not uncommon for the words “Managed Service Provider” to evoke a groan. We’ll delve into the reasons why, but let’s start with a recent story that made us take note of how distressed clients can be with their MSPs.
Recently, we were called by a law firm to inquire about our MSP services. The conversation was pleasant and we offered to send over a contract, but first (and most unusually) they wanted to visit our office. They wanted to see that we had an actual physical office (apparently the former provider did not) and that there were a reasonable number of people in the office to answer the phones. They were very concerned about response times, because their previous MSP was erratic when it came to responding to requests for help. They also wanted to ensure that we weren’t outsourcing the work to people not onsite – or worse, abroad. It was fairly apparent that the practice of a virtual workforce didn’t sit well with these folks.
We got the client on board, and they are happy. But we are struck by how many clients we have heard about that are unhappy with their MSPs.
The Majority of MSP Customers are Looking for a New MSP
We recently read a report from CloudBolt Software indicating that 80% of MSP customers were so frustrated by their MSP that they were looking to replace them within a year. A lot of this has to do with complex multi-cloud architectures that cannot be internally maintained – hence, the need for MSPs.
However, the required expertise is hard to find. High level technology/cybersecurity experts are in woefully short supply. Worse yet, employee churn within the tech industry is extraordinarily common.
As a result, it might take hours – or days – to respond to requests for assistance. Once assistance is provided, it may prove to be faulty, sometimes requiring multiple attempts to fix the problem. This is frustrating and expensive.
Choosing a Managed Service Provider: A Roll of the Dice?
There are more than 40,000 MSPs – which one is right for you? Unless your firm is in the AM Law 100, you don’t need the pricey MSP titans. Finding a good fit is very important. We believe it can be very useful to ask your friends in other law firms which MSP they are using. Are they happy? Is the firm responsive and competent? Do they provide protection 365 days a year around the clock?
Pricing Models
Typically, you will encounter two basic MSP pricing models. A very popular model is the flat fee (per device or user) method. You pay a fixed monthly fee, which is easy for budgeting purposes. Make sure you understand what the fixed amount includes and read the fine print. You may pay extra for after-hours support, excessive support requests, fixing user-initiated errors, etc. In our experience, the fixed price model favors the MSP.
The other model is time and materials. In other words, you pay for what you get. Some argue that this model doesn’t encourage the MSP to be efficient. True to an extent, but they won’t be in business long if clients don’t see value in using the MSP’s services. This is another reason to ask your colleagues about their experiences with their MSPs.
Don’t Get Locked In!!!
Do you know what a good MSP won’t do? It won’t contractually lock you in. Not for three years, or two. A good MSP won’t lock you in unless it’s by a year or less. A small number won’t lock you in at all – that’s been our approach.
Happy clients don’t leave. And if they are unhappy, we don’t want to compel them to stay.
But as you will find, most MSPs will want to lock you in – and if the relationship sours, you are stuck. Many MSPs contract on your behalf with other companies that perform specific functions, such as backup, help desk, end point monitoring, etc. Are they saving you money or getting a cut of the action?
Besides a contractual obligation, many MSPs take control of your technology, which you should avoid at all costs. It is one thing to outsource management of your environment, but never hand over all administrative access. If you do, the MSP could hold you “hostage”
if you are unhappy with them and want to change providers.
Do MSPs Do It All?
That depends. If you have your own IT staff which performs more basic functions, that’s fine. As long as the lines are drawn, you can save money having your own IT staff and outsourcing the more complex functions to an MSP.
Your First Encounter with a Prospective MSP
Obviously, they are going to be nice. They want your business. But they should be asking a lot of questions about your law firm to ensure that they can serve you well. They should be transparent about pricing, length of any term commitment and any third parties they use.
They should also be open to all your questions – and they should be able to answer them in plain English. No obfuscation via techspeak.
Do the employees at the MSP have a broad range of certifications? How many employees do they have? Can you get help around the clock 365 days a year? What’s the surcharge for after-hours work?
Be Skeptical
Get references and check them out. Look up their ratings online. Ask about their cybersecurity. Have any of their clients suffered a breach? Have any vulnerabilities been rectified? What are the procedures in the event of breach?
Who has access to your data and environment? Does the MSP have employees doing all the work or do they contract with supplemental labor (such as a virtual workforce)?
Final Thoughts: Can the MSP Provide These?
- Proactive monitoring and management of your systems
- Cybersecurity solutions capable of protecting against the most current threats
- A helpdesk to answer any questions with clear instructions on how to reach support in the event of an after-hours emergency
- Backup and recovery solutions
- Regular maintenance for vital applications
- Strategic IT planning for the future
- Vendor management to ensure best pricing
Remember, selection of a good MSP is one of the most important decisions you’ll make. Be careful to make a wise decision.
Sharon D. Nelson ([email protected]) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek ([email protected]) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.
Michael C. Maschke ([email protected]) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.
