Monday, May 31, 2021

Manifesto for a Modern IT Consulting Industry - Part 3

It's Time for IT Consultants to Take a Step Up

This is Part 3 in a series on transforming our industry into a profession. Here are the previous installments:

Transformation of an Industry into a Profession - Part 1. Profit. Maintenance-Focused Support.

Transformation of an Industry into a Profession - Part 2. Education. Core Values / Statement of Ethics.

Part 3: Ransomware and How We Handle It

A great deal of this discussion about our industry, and where we want to take it, is triggered by the crises of ransomware, how we respond to ransomware, and how governments and insurance companies are responding to ransomware. And so far "we" don't have a response. Lots of vendors are selling lots of solutions. But none of them is really a solution: Each is a small fix for a small piece of a big, big problem.

As with so many things in technology, our response to problems consists of a big toolbox filled with various sizes of Band-Aids. But very little effort is put into taking a step back and looking at the big, big picture. 

Here's a great example: Identity theft or credit theft. On more than one occasion I have posted photos of my driver's license or credit cards online. People come screaming out of the woodwork because these things contain lots of information that can be used to "steal" my credit, open accounts in my name, etc.

But I don't care for a simple reason: I have made this information useless. Try to open an account in my name. You can't. Try to buy a house in my name. Try to take over my car registration. Try to use my credit cards. You can't.

You see, there are different ways to look at problems like this. "The data" genie is out of the bottle. I grew up in an era when my social security number was my student ID. I think it was published in the school directory. The birth dates and death dates of my parents are public information. My ex-wife worked for the State of California during roughly 1,000 incidents where all of our private information was stolen and sold on the dark web.

Your information is no more secure than mine. So you are no more or less exposed if you post your driver's license online. But you can take steps to make that information useless. You don't have to throw up your hands and say, "Oh well. If they want to break into my stuff, they will." And yet, that defeatist attitude is exactly what virtually everyone in IT says to one another - including MSPs, VARs, vendors, distributors, and even security companies.

I have written this many, many times over the last five years, but it's still true: There is absolutely no excuse for ransomware to take down a business or government agency today. The first time I created real-time data-mirroring between offices in Southern California and Northern California, the setup was about $100,000 and monthly monitoring and maintenance was about $10,000. I was happy to do it.

That exact site could be backing up to a BDR (backup and disaster recovery appliance) with images replicated to the cloud for a fraction of that cost today. (I hope they are.) What was once nearly impossible and extremely expensive has become simple and very reasonably priced.

The question is no longer whether we can secure all data but whether we are willing to. And that "we" clearly includes the client. Next time, we'll talk about insurance and government regulation. Clearly, if a client cannot afford to be protected, the IT Service Provider should not be held liable for the results of a ransomware attack. And, clearly, if a client can afford but refuses to pay for the appropriate systems, then the IT Service Provider should not be held liable for the results of a ransomware attack. But that's next time.

Now let's look at the next two pillars for our emerging industry: Defending client systems and our consistent response to attacks.

The Fifth Pillar: Defending client systems and data is an ethical imperative.

I know a lot of people are not comfortable with the discussion of ethics and what's ethical. But I am. Maybe it's my "Arts and Sciences" education. But I think that professions do have some ethical requirements. For example, financial advisors should put their clients' financial interest first; they should not overcharge their clients; they should not steal from their clients. 

All of that is actually based on a clear difference in knowledge. When you know more than your clients, you have the opportunity to recommend "solutions" that don't really increase security. And you have a great deal of power to remove yourself from taking the blame when things go wrong. 

See the last post on an industry code of ethics.

In the first installment, I made the case that basic maintenance and backup are central to our profession. Here I would take that up a notch. I believe we are obligated to defend our clients' data once they have engaged us. And a huge piece of this is based on that same differential of knowledge. 

I've heard people make fun of clients who think that their data are automatically backed up because it's in the cloud, or with Microsoft. Similarly, they laugh about clients who think that mirrored drives or a RAID array are backups. They aren't: a mirror protects against a failed disk, but it faithfully copies every write, so when ransomware encrypts the volume every member of the array is encrypted at the same instant. A backup is a separate, versioned copy that an attacker on the production system cannot reach.

But here's the hard cold reality: If we want to be a profession instead of a collection of really smart people who all just happen to work in the same industry, we have to draw a line and take responsibility when the client cannot make correct decisions for themselves. If a client doesn't understand backup, and you do, you have an obligation to look after their interests. When a client doesn't understand security and you do, you have an obligation to look after their interests. 

Your clients will never know what you know or understand what you do. They are professionals at dentistry, or law, or finance, or whatever. They trust you. They rely on you. They turn to you and ask, "What should I do?" You are morally obligated to give them good advice. Ultimately, what we do in this business is to help clients make good decisions about technology.

The funny thing about this discussion is that so many people immediately put it all back on the client: They refuse to secure their systems; they refuse to pay for it; they don't believe they're in danger. But that doesn't excuse you from your moral obligation.

This goes beyond you and the client. The "client's data" is often not the client's information to leave unsecured. The client's data probably includes their clients' information, medical records, financial information, intellectual property, etc. Your client has no right to wave their hand and decide that such information can be open to compromise.

We're seeing more and more compliance legislation all the time. It all boils down to this: Left to their own devices, many people will not secure their own systems or their clients' data. And further, compliance legislation acknowledges that society has a stake in securing that data - even if a specific company doesn't want to.

As an IT service provider, you don't have any choice. You are part of this mix. The players are you, your client, the government, and insurance companies.

So, protecting and defending this data is an imperative. What do you do when the client simply refuses to comply, for whatever reason?

Today, the best you can do is to have them sign a waiver of liability. But it is unclear whether such waivers are enforceable. As you probably know, almost every contract has limits on liability that are simply ignored. When lots of money is at stake, companies sue. Insurance companies sometimes pay out. And then they sue to recover their money. I'm not aware of any contract that has actually prevented a lawsuit.

And no matter what you do, you're still in the mix. Whether we like it or not, we need to work with governments and insurance companies on a formal process for removing ourselves from the mix. 

It begins with acknowledging that creating data security systems and business continuity are imperative. Then, the client needs to be educated, to the extent that's possible. But remember: Some clients will never understand or accept the danger.

In the world of finance, there's a thing called a sophisticated investor. A sophisticated investor is someone who has lots of experience and knowledge in a variety of financial dealings. So, for example, you might only be invited to consider a certain investment opportunity if you can document that you are a sophisticated investor.

We experience a similar thing in technology. If you're reading this, you're probably a sophisticated technology consultant. You know and understand certain things at a level that most of your clients will never reach. So how do you educate them sufficiently so they can make an educated decision to not protect their data?

Ultimately, you cannot force any client to buy into a business continuity solution or to protect themselves from ransomware, extortionware, etc. Today you have three options when a client refuses to protect themselves: 1) Take the risk that you'll get caught up with them, their problems, and their insurance company. 2) Walk away and let someone else take the risk. 3) Stay and try to limit your liability.

There should be a formal process whereby you educate the client. And, if they choose not to protect their data, there should be a formal process - recognized in law - that removes you from liability.

This process cannot be haphazard. It needs to be a formal process. The insurance companies need to go along with it. And I expect they will, if it's done right. After all, the reason they're raising rates through the roof is that they're paying out massive ransoms because so many systems are simply not protected. 

We will return to this topic next time.

The Sixth Pillar: A strong profession begins with consistent, effective responses to our greatest challenges.

In 2020, the world of compliance took a huge step in the right direction. And somehow, almost no one noticed. Every time I mention that the US Department of Health and Human Services has blessed the use of CMMC (the Cybersecurity Maturity Model Certification, a Department of Defense program built largely on the controls in NIST SP 800-171) for attaining and documenting HIPAA compliance, I get several requests for links.

[Okay. Just to get this out of the way, here are the links to start with: ]

This is one example of the kind of thing we should be doing on several fronts. HIPAA (the Health Insurance Portability and Accountability Act) originally had no clear guidelines. Its Security Rule states safeguards as outcomes, many of them "addressable," not as standards that could be built into a checklist. There was no way to document compliance. And, oddly enough, compliance could not be achieved without documentation.

As a result, "compliance" was simply determined by who sued or brought an action against a healthcare provider or IT professional. Finally, the HHS move in 2020 made it possible to define compliance, create checklists, and demonstrate compliance. The documents above literally map CMMC actions to HIPAA requirements.

This is a great model that we can repeat in other areas. Again, with one eye on the government and the other on insurance companies, we can develop procedures that define appropriate responses. The basic formula is this:

  1. Define the challenge. For example, stop viruses and phishing attacks from allowing data to be compromised, encrypted, and exfiltrated.
  2. Define a set of actions and processes that define professional best efforts with regard to the task at hand.
  3. Define procedures and checklists which, when implemented, will meet the requirements for best efforts.
  4. Document the execution of these processes and procedures, and be willing to be judged by this documentation.

In a perfect world, we don't need the government to be involved in any of this. But, so far, our industry has spent more effort passing the buck and selling Band-Aids than solving the biggest challenges we have. We each come up with a set of different procedures, software, and services. And when it doesn't solve the problem, we confidently tell each other, and our clients, "There's no way to stop everything."

I go back to my original statement: There is absolutely no excuse for ransomware to still be a problem today. But instead of getting our arms around it and addressing the big picture problems, we spend our time playing whack-a-mole and making sure we're not the ones being sued for millions of dollars.

I see three obvious ways that action will be taken in the next few years. First, we can continue our uncoordinated attempts to apply patches here and there. This will result in the government taking action that solves some problems for the government but probably doesn't solve the actual problem. Remember: government agencies are getting hit at least as much as private businesses. They'll do "something" in response, even if it's not the best thing.

Second, the insurance industry will draft legislation and it will spread across the globe. This is actually the most likely response since the insurance industry is already well funded, well organized, and very experienced with lobbying. I assure you, their response will serve them very well. You will not find yourself relieved of any liability if the insurance industry writes the rules without input from IT service providers.

Third, we as a profession can begin to address the big problems with standardized processes and procedures that address the needs of our clients, government agencies, and the insurance companies. This approach might include getting some of these processes and procedures written into government regulations or legislation. It would involve engaging the insurance industry in discussions about what they need, and the role we play.

To be honest, a coalition of the IT service industry and the insurance industry may be the most powerful thing we can do. We could actually draw some lines around the obligations companies have to protect data, the liability that goes with that, the requirements for best efforts to protect that data, and the documentation required to verify where liability lies.

In many ways, we have accidentally taken on liability for our clients' behavior by the response we have to security challenges. And now it's time to limit that liability and define the terms under which it can be lifted off of us and placed back on the client.

The only way to eliminate liability altogether is to eliminate risk altogether. Between ourselves, our clients, and the insurance companies, I believe we can define processes and procedures to reduce risks considerably, and therefore reduce liability as well.

I'm not saying it would be easy. But it could be done.

-- -- -- 

Next time: Legislation, Insurance, and Building a Long Term Path to Professionalism

-- -- -- 

Here are links to the entire series:

Part One - Profit and Maintenance-Focused Support

Part Two - Education and Core Values 

Part Three - Ransomware and How We Handle It

Part Four - Legislation and Insurance

Part Five: Building a Path to the Future


Friday, May 28, 2021

Transformation of an Industry into a Profession - Part 2

Thoughts on Revamping our Industry 

In the last post, I introduced the need to revamp our industry and step up professionalism. I proposed the first two pillars: Profit and focusing on backup and maintenance first. 

In this installment I address education, certification, and core values.

These are the natural elements of a profession. Think about any profession (teaching, accounting, legal, financial, etc.) and you'll find that the industry became professional when it adopted standards for continuous education, certification of experts, and adoption of some core values.

The background for all of these is the transition from amateur to professional. All industries attract new members from among interested amateurs. The road to professionalism starts with experience. But at some point, informal training and then formal education are needed to make the big steps in knowledge. 

Certifications follow from education and provide acknowledgement that certain standards have been met. The more evolved the profession is, the more standardization there is on the focus of this certification. And while our industry is typified by change, we need to acknowledge that other industries also deal with constant change. I always joke with my tax accountant that every change in tax law should simply be titled, "The Tax Professionals Full Employment Act."

The specific elements of our areas of knowledge will change over time. Ultimately, the definition of an industry is determined by values and standards that guide the industry. The only real moral difference between people who make a living from ransomware and those who make a living selling office apps is the underlying core values about appropriate behavior in the market. And when an industry evolves into a profession, it has to have a public discussion about values.

Here, then, are the next two pillars.

The Third Pillar: Education

Education and certification are central to professionalism and continual renewal.

We all start out knowing nothing. And we all become masters of a few things. And, if we're lucky, we become excellent at several things and good at many things. No one can be a master of all knowledge. For almost any technology, there are many layers of knowledge. There's the one paragraph description, the 1,000 word discussion, the 350 page book, and the library filled with books.

One of the not-so-secret dirty little secrets in our profession is that people over-use Google to pretend they know more than they do. At some level, this is the very definition of an amateur trying to work their way into "semi-pro" status. Amateurs know just enough to figure stuff out. They are slower than professionals. Their solutions are less elegant. Sometimes they break more than they fix. But, ultimately, they figure it out and figure out how to do it better the next time.

All professions grow because hobbyists become amateurs, and amateurs (apprentices) grow to become professionals. Experience is one big piece of this transition. But education and certification are another. Anyone can stop growing at any point and simply stay where they are (amateur, apprentice, or professional). But for the true professional, "staying where you are" means sliding backward. The technology and business processes keep evolving. Without continual training, you cannot keep up.

At some point, there is a real limit to what an amateur can achieve. And you cannot be a master of all things. So when you choose something to get good at, you need to dig in and educate yourself. That might include books, classes, or even formal schooling (a collection of classes).

Think about how we naturally learn technology. Take firewalls for example. You can dig in and "figure out" a lot about setting up a firewall. But you will never get beyond the "figuring out" level without some real education on TCP/IP, ports, protocols, routing, and so forth. And there are multiple levels of education in each of these. 

There is a fairly obvious period of being aware of your amateur status. At some point, you decide to either be amateur, semi-pro, or dig in and really become good with firewalls. Or at least one brand of firewall. But even if you decide to specialize in Fortinet or Sonicwall, formal education includes a great deal of generalizable knowledge. At some point, you learn a great deal about routing, filtering, and traffic management that goes beyond the brand of a specific product.

Some people tend to dismiss education and certification. Their argument sounds something like this: Anyone can spend a bunch of money, go to a "bootcamp," and get all their certifications in one weekend. Okay. There was a time when people did that. 

But here's the reality: I've never met someone who passed seven or eight exams from Microsoft or Cisco who didn't also know a great deal about a variety of technology. Even if you cram for such exams, there is a moment in time when you knew the topic well enough to pass the exam. We all know that the real work of "knowing" something involves the daily application of what we've learned.

I've taken lots of Microsoft exams. Most of that information was never useful to me. But that arcane and archaic knowledge is still rattling around in my head. And I could apply that knowledge with just a little tune-up.

There are two kinds of education and certification in our industry - technical and business. Technical education is widely available. Vendors provide education on their own products and services. Some of it is free and some is for a price. Of course, Microsoft is the big example for most of us. If you are willing to dig around on their web sites and train yourself, you can get virtually all the knowledge they have to offer for free. Or, you can pay for officially-sanctioned training and get a good chunk of that data distilled into a day or a week.

There are also third-party training opportunities, but they are fewer. CompTIA probably has the most well-known training and exams. Third Tier and other independent organizations provide great training, but on a limited number of topics. Happily, almost all community colleges (and some high schools) provide a wide variety of technical training.

Business training is a little different. Vendors only train you on processes that promote their view of the world. You should be leery about adopting a business model based on the needs of your vendors. As brutal as it sounds, they only care about you to the extent that you use and sell their products and services. 

Business-focused training is harder to come by. Many coaches and organizations provide training on the business side, but we have yet to see a really large organization offer business-focused training on a grand scale. Most of the coaches or communities you've heard of offer business-level training (myself included). But our industry could use some serious standards and increased consistency on this front.

As an industry that wishes to become a profession, we could advance a lot by agreeing on some standards for education and certification. At a minimum, we should focus a lot more on the training that's already available. If I had to propose a slogan for this campaign, it would be:

Google less. Read more. 

In isolation, anyone can watch a YouTube video and see how to export a PST file. That's a far cry from understanding all the elements of migrating a client's entire operation to cloud services securely with zero downtime.

Read more. Google less. 

The Fourth Pillar: Core Values / Statement of Ethics

Ethics and principles ultimately define an industry and build the path to the future.

Here and there throughout our industry, you might find a Code of Ethics or a statement of core values. But there are three common problems with such statements. 1) They tend to be very long, overly detailed, and therefore go unread. 2) They tend to be too vague and end up repeating a few meaningless phrases. 3) They tend to be hidden away.

At some level, we all have a vague sense that we share a set of values. I love to quote Bill and Ted's Excellent Adventure: "Be excellent to each other." And while we would all love to live in that world, it's just not real (yet). There are people in our industry who will undercut your quote, lie to prospects, and then bully them into paying a higher price even though they promised a lower one.

I'm sorry to say that I have only appeared in court as an expert witness on three occasions, and ALL of them were to evaluate the appropriate behavior of other technology consultants. People in our industry do lie. They do steal intellectual property. They do take money from clients and not provide the services promised. Not you, of course. But you have to live with the fact that these people represent themselves just as you do - and clients have no measuring stick to compare the difference.

We need to adopt a handful of key values that we agree to be measured by, and which we can use to hold one another accountable. And while there's great value in something like Ray Dalio's Principles, a usable code of conduct needs to be brief in order to be effective.

Many dismiss the need for a common code of ethics, but our industry is surrounded by behavior that makes the need for such a code greater than ever. Money has an amazing power to increase the flexibility of some people's ethics. And, today more than ever, money is flowing through our industry in vast amounts.

When I first started consulting in the small business space, I felt like I had stumbled onto the wrong profession altogether. Again and again, I met prospects who had been ripped off by their previous IT consultant. Very often, hardware and software were registered in the consultant's name and not the client's. Eventually I discovered that this was done to take advantage of distributor spiffs, or because both hardware and software had been resold more than once, always sold as new. 

The first time I ever met a Microsoft MVP, he casually mentioned that you can always "flip" an MSDN license and install something a client needs. There was a total disconnect between stealing in general and stealing software.

In another form of stealing, I witnessed time and time again that people took jobs they were not remotely qualified for, gave bad advice, and simply walked away when it all blew up. Many, many times I took over networks after someone had over-sold the client, did a half-assed job of setting things up, provided zero documentation, and then simply disappeared.

Some will make the argument, "I'm honest. I act with integrity. Why do I care whether the whole industry has a code of ethics?" Well . . . because you work in that industry.

We make fun of the entire car sales industry, but we're basically in the same boat. If the perception is that "all" MSPs sell security management and then let ransomware attack their clients, that reflects on you. You might have had a perfect zero-bytes-compromised year. But when regulators and legislators are going after your industry, the actions of other players ARE affecting your reputation.

One piece of the ethics puzzle is to simply have a code of ethics. But the more important piece is to agree to hold each other accountable (and to be held accountable).

Think about what a company values statement does within your company: It allows everyone to ask whether proposed decisions or actions are consistent with our stated values. A professional code of ethics is a public statement that says that we hold ourselves to these standards, and we invite the public to hold us to them as well.

I propose a few thoughts here as a place to start the discussion around a Professional Code of Ethics for IT Service Providers. Note that this is short enough to print on a single sheet of paper. I welcome your feedback and comments, especially if I left out some very obvious element.

A Draft Professional Code of Ethics for IT Service Providers

As a professional IT service provider, we pledge to:

- Be competent. IT Service Providers will work to stay educated and capable in all areas for which they represent themselves to be competent. They will not knowingly claim competence that they do not possess.

- Be honest. In presenting themselves to prospects, and in all engagements with clients, IT Service Providers will provide honest information about products, services, pricing, and related matters. This includes the accurate representation of work performed and the products and services offered for sale.

- Be forthright with clients. This includes registering client hardware, software, and services in the client's name and not the IT Service Provider's. It also includes providing the client with a reasonably useful copy of their network documentation. Implicit in this requirement is the fact that the client has paid for all of these things and that ownership or licensing should be in the client's name/possession. This also includes disclosing any possible conflict of interest between the IT Service Provider and the client.

- Be legal in all activities. IT Service Providers will follow applicable laws with regard to business operations, sales, data protection, privacy, and all other matters. 

- Be professional. IT Service Providers will sign contracts with clients that are reasonable in nature and not intended to give an unreasonable or undue advantage to the IT Service Provider. IT Service Providers will conduct all business with the highest standard of ethics.

- Be fair. IT Service Providers will treat everyone (clients, employees, suppliers, vendors, etc.) impartially without regard to ethnicity, age, gender, disability, sexual orientation, nationality, language, religious beliefs, or political beliefs.

- Be discreet. IT Service Providers will sign non-disclosure agreements with all clients and employees, and work earnestly to protect client confidentiality and intellectual property.

Ideally, a profession-wide code of ethics should become something we all post on our web sites and publicly agree to guide us.

Feedback welcome.

-- -- -- 

Next time: Ransomware and How We Handle It

-- -- -- 

Here are links to the entire series:

Part One - Profit and Maintenance-Focused Support

Part Two - Education and Core Values 

Part Three - Ransomware and How We Handle It

Part Four - Legislation and Insurance

Part Five: Building a Path to the Future


Richard Tubb to Join the SBT Roundtable June 3rd

I am very pleased to have Richard Tubb join us for the June Small Biz Thoughts Technology Community Roundtable.

Richard is a long time friend and truly great community builder. He is joining us from the UK. The last trip I made to the UK (2019, a few months before getting shut in), I visited Richard and had a delightful time getting to know Newcastle upon Tyne.

Richard is such a natural community leader that he can't help but get people together. Of course, there's always beer involved, now that I think about it.

Anyway, whenever I go to the UK, I ping Richard and we get together in two or three cities.

Richard is also a coach and a community leader with the Tech Tribe. 

We'll talk about the challenges for MSPs and other IT service providers in 2021. We're all familiar with the challenges, so I think we'll spend most of our time on the opportunities and how MSPs can make the most of these challenging times.

Join us! It promises to be a good conversation.

Community members can register here.

If you are not a member, but would like to attend, it's easy: Join the Community! More information at


Wednesday, May 26, 2021

Transformation of an Industry into a Profession - Part 1

Thoughts on Revamping our Industry 

The Nine Pillars - Part 1


The IT Consulting industry has come a long way in the last twenty years. We are more professional, as a group, than we've ever been. We certainly have better tools, better organization, and better channel-focused vendors. I am honored that I have played some small role in the evolution of our industry.

But we also face greater challenges than ever before. I don't want to blame all of our problems on ransomware, but the explosion of ransomware in the last few years has forced us to shine a light on some long-standing problems within our industry. It has also sped up the inevitable march of legislation and regulation. And all of that has led to skyrocketing insurance payouts and premiums.

Unfortunately, the natural response to all of this is to address each element in isolation. But that is not the answer. We need to begin thinking about the maturity of our industry in a more holistic manner. Our response to ransomware, for example, is clearly tied to our diligence in managing client systems. And to insurance rates. And to regulation.

I've been thinking about the big, big picture. So, in this series of posts, I present nine topic areas that I believe are all inter-connected, and related to the overall professionalism and maturity of our industry. Please comment, share, and join in a discussion of these elements at a higher level. I present these thoughts as a starting place. But I really want our industry to tackle these questions and begin working together on creating a united front to address our problems.

Some of these will seem obvious, but others may seem unrelated at first. But, remember, I'm looking at all of this from a holistic perspective. What does it take for our industry to take a big step up in professionalism and participate in a future where we can thrive while providing truly valuable services to our clients?

Warning: A lot of people will be angry at what I have to say. Please post comments, share this and comment, or email me directly. I want to start a conversation about raising the bar for SMB IT professionalism.

One requirement is very clear, but rarely discussed: We need to take responsibility for the bad things happening in SMB IT, and in our industry. I'm not saying we started it, or that we are perpetuating it. But the default position of pretty much everyone in the channel is to treat our problems as if they are happening to us - as if we play no role. Well, that's simply not true.

We've all met people whose life seems to consist of a Series of Unfortunate Events (to paraphrase Lemony Snicket). You've met them. One tragedy after another. In each case, they are the victim. No one could have foreseen this or that. Bad luck is everywhere.

The older you get, the faster you recognize this pattern and learn to run away from these people. Every bad thing in their life was someone else's fault, and all the bad things happened TO them.

Let's look at our industry. We don't create ransomware. It happens to our clients. We just fix it. We're not responsible for higher insurance rates. That happens because clients click on stuff, ignore training, and get ransomware. We're not responsible for government regulation and legislation. That happens to us because no one can do anything about viruses, malware, phishing, and ransomware.

In other words, the default is: We're not responsible for anything. Sh*t happens and we have to deal with it.

Except . . . 

Lots of people in our industry cut corners. We try to save clients money and end up selling incomplete services. Lots of people sell "managed" services and deliver break/fix. Lots and lots and lots of small businesses have no real protection. Some consciously refuse to pay for good tech support. But many of them have IT service providers who don't force them to do things the right way, or simply don't deliver the kind of preventive maintenance that will protect them.

From one perspective, we are totally caught in the middle with no way out. But I encourage you to consider another perspective: Figure out what role we can/do play. And then figure out what we can do about it. Legislation doesn't have to happen TO you. You can choose to get involved and shape what the future looks like. High insurance rates don't have to happen TO you. You can engage and find out the specific things we need to do to lower those rates.

Let me be crystal clear: YOU might do everything right, have great processes and procedures, and have a perfect record of avoiding ransomware for your clients. But you are still affected by the fact that our industry as a whole is doing a very poor job on this front. 

If you want to sit back, collect auto-payments, and do nothing, that's fine. But you will then be choosing to let the other participants in the conversation decide the future of the industry, and of your business.

Let's dig in.

Part 1: The first two building blocks - Profit and Maintenance

The First Pillar: Profit

Profit is not the only measure of success, but it is a necessary one.

Depending on who you talk to, about 20-25% of IT Service providers are not profitable. At a minimum, they're breaking even, which is to say, "scraping by." I recently talked to a friend who is a member of the Institute of Management Consultants. When I told him this statistic, I thought he would be surprised. Instead, he said he doubts the numbers are that low. He says that most industries have more like 25-30% who fall into the category of unprofitable.

I know it sounds very hard to believe, if you're struggling, but there's no reason for this. If you have an unprofitable business model, that's fixable. If you have trouble with sales, that's fixable. If you lack skills, that's fixable. Basically, unless you are simply unwilling to make changes, your problems are fixable.

To be honest, when I talk to people who are struggling in this business, they are working very hard to figure things out. Very likely, they are working ridiculous hours and not charging clients for their time. So that loops back to the business model - which is fixable.

I believe it's important to talk about profit first because unprofitable companies tend to make bad decisions. When people feel they have to take certain clients, or have to take every client, they spend their time focusing on money to the exclusion of service, security, and what's best for everyone involved.

Unprofitable companies have lots of problems not directly related to money. They cut corners. They give in to clients who want to make bad decisions. They leave themselves open to problems, and therefore leave their clients open to bigger problems. They don't invest in their employees or see them as valuable resources.

If you're having problems with profit, you obviously cannot snap your fingers and become profitable. After all, no one is unprofitable on purpose. It takes a lot of discipline and focus to turn things around. You have to make hard decisions - like cutting staff and reducing expenses. 

I address profit as the first pillar because it is truly the first building block to creating a solid base on which to build a successful, professional industry. Only a profitable industry can effectively tackle the rest of the elements addressed here. 

As individuals, we must do what needs to be done to build successful businesses. As an industry, we need to work together to help define profitable standards and procedures. And one important piece of that is to avoid competing on price. Making yourself and others unprofitable just to gain market share provides no positive results to anyone.

The Second Pillar: Maintenance-Focused Support

Backup and Maintenance are the foundation of all IT service.

One very bad trend we've seen over the last five years or so is the failure to focus on preventive maintenance. When I wrote the first edition of Managed Services in a Month, my assumption was that all IT service providers had a "maintenance first" or "backup first" approach. That assumption turned out to be very wrong.

I stand by my original belief: Managed services *should be* focused on maintenance first. For me, that includes a fundamental focus on testing backups. In the big-big picture, testing backups is the single most important thing we do. If you test backups every month, you know two things: 1) The backup is working; and 2) Your team knows how to restore data when the day comes that a restore is necessary. 
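One way to turn the monthly backup test into a repeatable check, as an added Python example (not code from this post and not any vendor's tool): it backs up a constructed sample directory, restores it to a separate location, and compares the SHA-256 digest of every file, so a mis-scoped backup job shows up as a missing file on the test report instead of on restore day. The tar format, the `exclude` parameter (which simulates a job that silently skips a folder), and the sample files are assumptions for illustration.

```python
"""Restore drill: back up a directory, restore it elsewhere, and prove every
file came back byte-for-byte. Added example; the tar format, the `exclude`
parameter and the sample files are assumptions for illustration."""
from __future__ import annotations

import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def make_backup(source: Path, archive: Path, exclude: str | None = None) -> Path:
    """Write a gzip'd tar of source. `exclude` drops any directory with that
    name from the job; it stands in for a backup that is scoped too narrowly."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            rel = path.relative_to(source)
            if path.is_file() and exclude not in rel.parts:
                tar.add(path, arcname=rel.as_posix())
    return archive


def restore_backup(archive: Path, target: Path) -> Path:
    """Extract the archive into a scratch directory, never over the live data."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and security backports): reject path traversal in entries.
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)
    return target


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare digests of the live data and the restore; report what is wrong."""
    expected, actual = sha256_tree(source), sha256_tree(restored)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    extra = sorted(set(actual) - set(expected))
    return {
        "ok": not missing and not corrupted,
        "files_expected": len(expected),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_restore_drill(exclude: str | None = None) -> dict:
    """Full drill on constructed sample data inside a temporary directory."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        source = work / "client-data"          # constructed stand-in for live data
        (source / "accounting").mkdir(parents=True)
        (source / "accounting" / "ledger.csv").write_text("date,amount\n2021-05-01,100\n")
        (source / "notes.txt").write_text("constructed sample file\n")
        archive = make_backup(source, work / "nightly.tar.gz", exclude=exclude)
        restored = restore_backup(archive, work / "restore-test")
        return verify_restore(source, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, exc in (("healthy job", None), ("job that skips 'accounting'", "accounting")):
        result = run_restore_drill(exclude=exc)
        print(f"{label}: {'PASS' if result['ok'] else 'FAIL'} {result}")
```

The point of the drill is the second scenario: the archive is created without error and the restore "succeeds", yet the ledger is gone. Only comparing the restore against the source catches that, which is exactly what a monthly restore test is for. Point `run_restore_drill` at real data by replacing the constructed sample with a client share and keep the restore target separate from production.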

The second most important thing we do is apply all the patches, fixes, and updates. There's no secret here. No genius-level certification needed. Unpatched hardware has problems; unpatched software has issues; unpatched operating systems have troubles. Viruses and ransomware take advantage of unpatched holes, primarily in software. 

So, no matter what else you do, you need to apply patches, fixes, and updates on a regular basis. If you track the news about the latest big ransomware attack, it almost always turns out to be a new attack on an old vulnerability. In other words: A properly patched and maintained system would not have been compromised.

I've posted before, but I'll repeat it here: Most people who call themselves "managed service providers" are not providing managed services. Many of them love the flat-fee subscription model, but they are not providing the backup services or patching services that clients are paying for. Instead, they are providing reactive break/fix support and charging a flat fee.

This is very bad for all of us. You might be focused completely on preventive maintenance, but you are severely affected by the fact that many people in this industry are not taking preventive maintenance seriously.

Every single time there's a new story about ransomware taking down a city, a county, or a company of any size, I am stunned that this is still a problem. These stories only make the news because of one thing: Their IT support failed to provide effective patching AND their IT support failed to make sure they had a working backup. A BDR should be able to recover a system in 1-24 hours. Even an old, slow backup should be able to recover everything within a week. 

But paying a ransom due to failures in IT support should never happen. Ever. We have solved this problem. Yes, I know there are new kinds of extortion-ware, but even those attacks can be virtually eliminated by proper patching. 

Now think about this from the perspective of a State- or Provincial-level government. What you'll find is that they see exactly what Kyle Ardoin, the Secretary of State of Louisiana, saw: Government agencies (which are essentially small businesses) are paying for "managed services" and are still not protected from the most basic attacks. Patches are not being applied. No backup or BDR is in place. Or, the backup isn't working, but no one knows that because it's not being tested regularly.

Now consider this from the view of insurance companies. Businesses of all sizes are buying managed services, but they are still compromised. Ransomware continues to flourish. Patches have not been applied, so the attacks are successful. Backups are not working (or non-existent), so ransom has to be paid. Whether or not it's justified (we'll get to that), insurance companies want to hold the managed service providers liable for the damages.

Let me repeat myself: YOU might be doing everything right. But you are severely affected by the fact that so many IT service providers are not doing the most basic things necessary to protect their clients. You may have had a perfect, zero-incident year, but your insurance rates went up anyway. You need to care about the fact that our industry needs to take a step up.

-- -- -- 

Next up: Education, certification, and core values.

Please post comments. Engage in the discussion.

-- -- -- 

Here are links to the entire series:

Part One - Profit and Maintenance-Focused Support

Part Two - Education and Core Values 

Part Three - Ransomware and How We Handle It

Part Four - Legislation and Insurance

Part Five: Building a Path to the Future


Tuesday, May 25, 2021

Optimize Your Social Media Marketing and Advertising

All New Class for 2021!

Optimize Your Social Media Marketing and Advertising – 5W23

Taught By: Karl W. Palachuk

Five Tuesdays

  • June 1 - June 29 - Register Now
  • All classes start at 9:00 AM Pacific

Part of the "Social Media Super-Charge" Series for Small Business

This course covers the key elements of designing, planning, and executing a modern social media strategy in the Small Business environment. We cover the use of social media for both marketing and sales.

Most small businesses "use" social media, but don't really have a strategy for using social media effectively. That strategy starts with understanding the strengths and weaknesses of various platforms. And it culminates with a unified approach to branding and how your company presents itself across a variety of platforms.

This course starts with a business-focused overview of social media marketing and sales. We discuss taking control of your brand and managing how you show up on the web. We present a strategy for creating and managing your overall branding across all social media. Finally, we do a deep-dive into automating and managing your social media presence going forward.

This course is taught by Karl W. Palachuk, a social media influencer who "touches" over one million people per month. Karl has been using these social media for more than ten years, and has demonstrated mastery across all of the major social media that small businesses need to be successful.

Here are the specifics of what you'll learn, week by week:

Week 1: Introduction, Overview. Marketing vs. Sales

  • The Plan of The Course
  • Take-Aways And Goal-Setting
  • What is Marketing?
  • What is Sales?
  • Developing a Funnel System
  • Schedules – Manual and Automated
  • Which Social Media are Best for You? (Including Reddit, Instagram, TikTok?)
  • The Big, Big, Social Media Strategy

Week 2: Google, Apple, SEO, And Managing Your Company's Meta Data

  • Meta Data Basics
  • Taking “Control” Of Your Google, Apple, and Other Meta Data
  • SEO Reality
  • SEO Checklist
  • Data Maintenance
  • Organizing and Tracking Meta Data
  • Meta Data in the Big Strategy
  • Drill-Down: Choosing Social Media platforms
  • TikTok, Clubhouse, Twitter Spaces, Caffeine, Instagram, Houseparty

Week 3: Graphics Overview And Tools Management

  • Graphics Overview
  • Branding Basics
  • A Storage Strategy
  • Updates, Versions
  • Graphics in the Big Strategy

Week 4: Automating Your Social Media Marketing

  • The Benefits of Automation
  • Pacing – Creation and Publishing
  • Popular Tools
  • Free vs. Paid
  • Focus on Your Prime Social Medium
  • Strategy, Planning, and Tracking
  • Hiring/Outsourcing Assistance
  • Automating Social Media in the Big Strategy

Week 5: When to Pay for Advertising and Tools

  • Free - A Great Place to Start, and Often the Most Expensive Option
  • Comparing Tools, Features, and Prices
  • Start Small – Don’t Buy Everything You Find
  • Get the Most from as Few Tools as Possible
  • Avoid Trying to Do Everything and Measure Everything
  • Measuring Your Success
  • Social Blade
  • Social Bluebook
  • TubeBuddy
  • HootSuite, etc.
  • Paid Tools in the Big Strategy

-- -- --

You may also be interested in the other courses in the Social Media Super-Charge Series for Small Business:

Deep Dive Into Facebook, YouTube and LinkedIn (Scheduled for July 2021)

1. YouTube - Setup and Optimizing for Marketing

2. YouTube - Video Upload and Tagging

3. Facebook - Setup and Maximizing Results

4. LinkedIn - Setup

5. LinkedIn - Optimizing for Sales

Super-Charge Your Social Media Marketing (Scheduled for September 2021)

1. Twitter

2. Blogging

3. Podcasting

4. Email Marketing and Newsletters

5. Super Charge: The Magnifying Effect

-- -- --

Delivered by Karl W. Palachuk, blogger and author of the very popular Relax Focus Succeed blog at

Includes five weeks of webinars with related handouts, assignments, and "office hours" with the instructor. All classes are recorded for download. All classes include suggested "homework" that is totally action-focused and intended to move your company's marketing forward.

This course is intended for business owners and managers. It is particularly useful for Sales Managers and Marketing Managers.

Only $299

Register Now

A Few Details . . .

  • Each course will be five one-hour webinars
  • There will be handouts and "homework" assignments
  • If you wish to receive feedback on your assignments, there will be instructor office hours
  • Class webinars will be recorded and made available to paid attendees only.
  • All calls start at 9:00 AM Pacific Time

Questions? Email [email protected]


Thursday, May 20, 2021

D&H Ends Fiscal Year 2021 with 19% US Growth and Surpasses $5B in Revenue

I received this press release from D&H . . . after they had an amazing year!

HARRISBURG, PA – May 20, 2021 – D&H Distributing, a major provider of SMB, mid-market, and consumer technologies to the North American channel, announces it has finished its Fiscal Year 2021 on April 30th showing strong growth figures, with full fiscal year growth expected to exceed 19% in the US and 15% in Canada. The company also experienced 34% growth of business through its VAR customer base, and double-digit growth in its consumer sector. D&H Distributing’s combined US and Canadian revenue has now exceeded $5 billion USD. D&H’s proactive, demand-generation business model helped drive the strong growth, supported by the dedication of employee co-owners that own more than a third of the company. (D&H is an ESOP—employee stock ownership plan—organization).

As the company’s fiscal year closes out, D&H is positioned to become the third-largest broadline distributor in the channel since the pending merger of Tech Data and Synnex that was announced in March. Of those three remaining distribution companies, D&H is the only one to focus primarily on SMB and mid-market partners. D&H has seen double- and even triple-digit growth in key areas in its last fiscal quarter, including increases in cloud sales bookings (up 160% in fiscal Q4), and Professional Services (53% growth in fiscal Q4). This is in addition to strong growth from end-point devices and collaboration technology supporting work-from-anywhere and remote learning, and solid performances in still-emerging categories such as ProAV and esports. D&H also added a new team focused on PC gaming, esports, and components that add value for custom-built computers and integrations across-the-board.

D&H has seen double- and even triple-digit growth in key areas in its fiscal fourth quarter, including the above-mentioned gains in cloud and “XaaS” (everything-as-a-service). This has led the company to become known as “The XaaS Distributor,” helping business partners migrate to a cloud-provisioned services model where technology is consumed on a monthly subscription basis, delivered and managed over the internet by IT solution providers. 

The distributor is adding more than 100 personnel in the areas of sales, solution engineering, and sales support. This investment will help maintain the company’s commitment to delivering the highest and most personalized service levels in the distribution industry. 

“The impending merger of two of our largest competitors only demonstrates the distribution market’s inherent ability to evolve, cultivating new business practices in order to present new deliverables and opportunities for partners,” said D&H Co-President Dan Schwab. “D&H has consistently proven its unique agility over the decades, and the past fiscal year has been no exception. If anything, we’re exceedingly proud of the role our partners have played in maintaining stability in the business community throughout 2020, and we’re glad to have been able to facilitate their efforts.”

The distributor has made significant investments in the past several months to continue its momentum into fiscal year 2022, which began May 1, 2021. These include the formation of a new Components and Gaming Team, for which the company has appointed four new leaders dedicated to esports sales and deployment, especially in the K-12 space. D&H has also launched its Education Community engagement group, an exclusive peer engagement council that will work closely with D&H’s manufacturers to develop direction for programs and services. 

D&H is also preparing to grow its extension of $225 million in monthly downstream credit increases across the US and Canada, which will continue to expand to an additional $300 million per month, to support partners’ business needs. This will enhance purchasing power for key channel accounts over the course of this new fiscal year, so they can pursue higher-scale projects in the mid-market sector. The extensions can help D&H partners take advantage of an imminent infrastructure refresh, where companies will update technology for the many personnel who have adopted work-from-home schedules on a long-term basis. Upgrades will span high-performance computing devices, WiFi, security, printing and imaging, and software for use in remote and hybrid work environments.

“Through years of market highs and lows, D&H’s partner-centric model has been proven successful. There’s no better validation of our strategy and investments than the achievements of our partners,” said D&H Co-President Michael Schwab. “We’ll continue to develop credit offerings, educational opportunities, and enablement for the channel. As always, we’re here to support SMB and mid-market partners, delivering exceptional services, solutions, and resources that will help them add competencies and expand their practices.”

Investments for D&H’s Fiscal Year 2021 Include:

An Estimated $300 Million in Credit Extensions: D&H will extend the credit limits of between 1,500 and 2,000 of its partners starting in Q1 of its Fiscal Year 2022, offered to select partners on a rolled-out basis throughout the fiscal year. This level of additional credit in the channel will help to stimulate purchasing and prepare partners to take advantage of the technology refresh. 

D&H’s Education Community: This exclusive community represents one of the only solution provider engagement groups focused solely on the education vertical. The new “Education Community” is comprised of a maximum of 100 D&H partners, all of whom do a majority of their business in the K-12 and higher education space. There are no minimum sales thresholds or fees involved in joining the group. Membership is rather based on the quality and type of projects these partners are conducting in the field. The group convenes for quarterly virtual meetings to discuss trends and best practices, and provide real-world feedback to help shape D&H’s and its manufacturers’ programs and services. This member-led council will drive its own content, including subject matter experts on trends such as eRate, funding, and safety solutions. D&H’s field team will work closely with the group, including at regional events, creating promotions and programs that cater to the needs expressed by the membership.

A New, State-of-the-Art Harrisburg Distribution Center:  D&H will unveil a 750,000 square foot, cutting-edge distribution center in its home city of Harrisburg, Pennsylvania, in September 2021. The upgraded facility will feature expanded capabilities, increased warehousing capacity to support current and future business for the distributor’s growing partner base, and a fully modernized supply chain logistics program to support manufacturers.

Gaming and Components Business Unit: D&H has organized its resources around PC gaming, esports, and components, creating a new business unit to accommodate this growing space. The company has hired new leaders to spearhead innovative sales and marketing campaigns, including Senior Director of Components and Gaming Sales Chris Geiser; Sales Specialist Brandon Beyer; esports Consultant Bubba Gaeddert of the Varsity Esports League; and Program Manager Logan Hermes. D&H will proceed as a leader in this category, delivering the solutions, sales enablement, training, and professional services required to help partners add this area to their core competencies. 

“Fiscal 2022 is starting-off as a monumental year, not just for D&H, but for distribution overall. The market’s recent evolution could present new opportunities for partners to discover our value proposition,” said Peter DiMarco, vice president of VAR sales at D&H. “While our competitors are dealing with the shifts that accompany consolidation, D&H will be cultivating investments designed to help our partners move upstream and grow, generating new areas of opportunity and delivering an even greater range of services to augment their capabilities.”

D&H solution providers can visit, or visit the distributor’s Facebook and Twitter feeds, and @dandh. Call 800-877-1200 in the US or 800-340-1008 in Canada to speak to an account representative. 

About D&H Distributing 

D&H Distributing supports resellers and MSP partners in the corporate, small-to-midsize business, consumer, education, and government markets with endpoints and advanced technologies, as well as differentiated services. D&H is ready to fill new market needs created by the recent consolidation in the marketplace. As the company enters its 104th year, its vendors and partners can be confident in its ability to provide a wealth of enablement resources, multi-market expertise, credit options, and consultative services. D&H is agile in response to the needs of its VAR and MSP partners, demonstrating resilience through decades of industry mergers and market disruption, overcoming everything from wars and recessions to pandemics. 

The company works to expand the competencies of its partners in areas such as cloud services, ProAV, collaboration, UCC, mobility, esports, digital displays, smart home automation, video surveillance, digital imaging, and server networks across a range of markets. Its value proposition includes highly lauded training opportunities and partner engagement events, dedicated Solutions Specialists, certifications, professional marketing resources, and an expanding digital Cloud Marketplace. 

The distributor is headquartered in Harrisburg, PA, in the U.S. and Brampton, Ontario, in Canada with warehouses in Atlanta, GA; Chicago, IL; Fresno, CA; and Vancouver, BC, Canada. Call D&H at (800) 877-1200, visit, or follow the distributor’s Facebook and Twitter feeds, and @dandh.



Monday, May 17, 2021

Trustifi Wins a Gold “Stevie®” Award for Endpoint Security in the American Business Awards®

My friends over at Trustifi forwarded this press release to me. Congratulations, Trustifi.

- - - - -

Trustifi’s Innovative, SaaS-based Email Encryption Got Top Marks in this Prestigious Competition, Recognizing its Effective Security, Ease-of-Use, and Productivity Features 

LAS VEGAS – May 17, 2021 – Leading software-as-a-service (SaaS) email security company Trustifi is proud to announce that its cyber security and email encryption solutions have won a Gold-level “Stevie®” in the 19th Annual American Business Awards®, an elite annual contest that evaluates business technology solutions from companies across the country in a wide range of categories. Trustifi ranked as the top Endpoint Security Management Solution in the Business Technology category.

The American Business Awards are the U.S.A.’s premier business awards program. All organizations operating in the U.S.A. are eligible to submit nominations – public and private, for-profit and non-profit, large and small. Nicknamed “The Stevies” for the Greek word meaning “crowned,” the awards will be virtually presented to winners during a live event on Wednesday, June 30.  The ABA received a record number of nominations for this year’s competition, exceeding 3,800 applications in categories such as Information Technology, Business Technology, Customer Service, New Products and Services, App of the Year, Executive of the Year, and a plethora of sub-categories.  

Trustifi’s unique cyber security solutions address a critical threat to the marketplace:  BEC (business email compromise). According to a new FBI report, BEC has surged ahead as a leading threat to businesses, deeming it “64 times worse than ransomware” and causing $1.8 billion in damages. Email is a frequent and vulnerable point of entry for hackers, who can typically infiltrate larger areas of a network once they compromise a user’s email infrastructure. Hackers are becoming stealthier and acutely effective in their phishing and malware techniques, carrying out shocking breaches at industry giants ranging from Microsoft and SolarWinds to service providers like GoDaddy and financial firms like Deloitte Consulting LLP.

Trustifi’s solution features best-of-breed, one-click cyber security solutions with encryption and protection for both incoming and outgoing transmissions. It utilizes complex algorithms and filters, applying sophisticated AR-powered tools such as optical character recognition to identify sensitive material, alerting users to risk levels and potential threats. The solution integrates seamlessly with Outlook, Gmail, and other prominent email servers, providing one-click encryption with a granular menu of rules and options, including compliance with various security regulations such as HIPAA, GDPR, PCI, and CCPA that can be accomplished with a simple click.

In addition, the company’s SaaS-based solution allows sent emails to reside on Trustifi’s proprietary cloud storage platform, giving the sender exceptional flexibility in redressing those messages after they are sent, including the ability to unobtrusively change the recipient list, set limits on how long an email can be retracted, or swap-out attachments. Trustifi’s Co-Founder and CEO Rom Hendler explains:  

“Trustifi is committed to delivering cutting-edge email encryption that changes the way people approach cyber security, putting superior control of email data into the hands of the user. The solution has a relay-based architecture as opposed to being gateway-based, which means that messages are encrypted before they reach the recipient’s email server,” said Hendler. “This results in an extraordinary range of capabilities for altering messages and attachments even after emails have been read. We’re thrilled that the ABA judges responded so well to our unique strategy, which can dramatically reduce instances of sensitive material being inadvertently transmitted via email. This is especially relevant for companies that send personally identifying data through cyberspace every day, such as retail, banking, accounting, and healthcare organizations. As a technology provider, we’re working to proliferate more secure and easy-to-use email encryption in business environments across-the-board.”

About Trustifi

Trustifi is a cyber security firm featuring solutions delivered on a software as a service platform. Trustifi leads the market with the easiest to use and deploy email security products providing both inbound and outbound email security from a single vendor. The most valuable asset to any organization, other than its employees, is the data contained in its email, and Trustifi’s key objective is keeping clients’ data, reputation, and brand safe from all threats related to email. With Trustifi’s Inbound Shield, Data Loss Prevention, and Email Encryption, clients are always one step ahead of attackers. 

# # #


Monday, May 10, 2021

Great DNS Training - a Primer for IT Consultants

This course is a primer for IT consultants. 

It’s not everything there is to know – just the information you need to know to support small businesses.

DNS: What You Need to Know
May 27th
10:00 AM Pacific

You've heard it: All problems are DNS. That might not be absolutely true, but it’s true a lot of the time!

More Info and Registration Here

(Members: Sign in to register)

(Non-Members: Join us, so you can join us)

And if it’s true that DNS is at the core of so many problems, then it’s also true that your technicians should know how it works. They don’t need to become DNS super stars, but they should understand enough about the core functions and troubleshooting to solve the problems you are likely to see.

Note: This training webinar is being held immediately after the Thursday Community meeting. Obviously, we encourage you to attend both.

The training will be recorded. The recording will be posted inside the SBT Technology Community.

Note: This training is available exclusively to members of the Small Biz Thoughts Technology Community. Free to members.

Not a member? Now is a great time to join!

More information on the Community at