Sunday, October 17, 2021

Forget HIPAA - Client Information Portability and Accountability is on the Horizon

I'm sure you've heard the famous line from T.S. Eliot's poem, The Hollow Men:

"This is the way the world ends
 Not with a bang but a whimper."

Well I'm here to tell you that sometimes major changes with profound effects also start with a whimper, or perhaps a whisper too easily ignored.

Great changes are coming to our industry. Not bad things, but big things. Things that will make it a little more difficult to operate. Things that will make your tools more expensive and your operations a bit more bureaucratic. What are these major changes?

Quite simply, we are quietly entering an era of data transparency and accountability that hasn't existed before. Which data? All the meta data and supporting system data that's used to monitor, update, access, backup, and secure your client's information.

This data includes everything client-related in your PSA and RMM tools. For example, the entire configuration of how you manage clients. Alert level settings. IP address information. Successful and unsuccessful checks. Logs of everything that happens inside your RMM tool.

The whisper came in one of the CISA documents I blogged about recently: "Risk Considerations for Managed Service Provider Customers." See https://www.cisa.gov/publication/risk-considerations-msp-customers.*

That document gives some very specific advice to your clients, including advice to require an MSP to provide . . .

  • "Direct access to security logging information, network intrusion detection, and anomaly analysis data telemetry from all systems managed by the MSP that support the service being procured"

and

  • "The ability for the customer organization to examine the systems that directly and indirectly support the contracted service on-demand by the customer organization with appropriate data handling considerations."

As I pointed out earlier, I don't know of any tools that currently exist in the SMB space that make this reporting and access possible. But if your RMM vendor isn't working to create this kind of reporting, you may find yourself looking for a new vendor.

Within about five years, I predict that MSPs will be reporting "data telemetry" to their clients on a regular basis. This will include a standard list of what you monitor, how frequently you monitor it, who has access to your dashboards, how one client's data is securely separated from other clients' data, etc.

All of this information has to exist somewhere inside your RMM or other tools. But you probably don't have access to it. That's why I call it meta data: It exists in support of the services you provide, but you don't have any way to back it up, print it out, or show it to clients (or government agencies) that ask for it. It's simply the bits and bytes that make the tools do what they do.


On a somewhat unrelated note . . .

I had a chat with an MSP owner last week who had a startling realization about her RMM, which I won't name. One of her employees accidentally applied a filter to a dashboard. So, when the owner logged in, she only saw her own company and two clients. Everyone else was GONE - or so it seemed.

She panicked. "How will I recreate every piece of monitoring, scripting, and reporting for every client?" She soon discovered that this was a filtering issue - but not before her brain went scurrying off to settle the question. She contacted the RMM vendor and was told:

"Sorry, you're out of luck."

All that information is somewhere in the cloud, controlled and monitored by the RMM vendor. But it's not backed up in a way that could actually be restored for one client or one MSP. In other words: You need to back up all that configuration information by hand.

She didn't give up. This can't be true. There has to be a way to access the settings for MY business, MY clients, and MY contracted data services. The response was only a tiny bit alarming: The only way to do that is to have an on-premise server. That way, you've got your SQL database. And however difficult it might be to get the data out, it will be on YOUR backup of YOUR database.

A-hem. Except . . . if I'm correct, ALL the recent "supply chain" ransomware attacks have involved on-premise servers and not cloud services!!! So how do I back up the client-related data in a cloud environment?

You can't.

You simply can't.

We don't make that available to MSPs.

You just have to trust us.

THIS, my friends, is going to change. Whether they like it or not, RMM vendors will have to make these reports, this data, and these configurations available to you (and your clients) in the next few years. And, in a less cumbersome challenge, PSA vendors will as well.

Ultimately, we as an industry will be asked to address a very important question: Who owns the data involved in monitoring and managing a client's network? Is it the RMM vendor? The MSP? The client? The answer matters!

If the RMM vendor owns this data, then what do they owe the MSP or end user? What reports are reasonable? If there's a ransomware attack or other cybersecurity attack, what should the MSP or their client expect? Like it or not, you should be able to document this information.

If the MSP owns this data, what reports do they owe to the end users? Should this information flow on a regular basis or just when there's an incident? (BTW, I fully acknowledge that clients will ignore 97% of this information until there's a cybersecurity attack.)

But if the MSP owns this information, it should be downloaded, separated by client, and backed up. For how long? You need to add this to your general data retention policies. Some things we keep for three years; some for seven; some forever. Where does client monitoring telemetry fit in the big data retention picture?

If the end-user client owns the data, then the picture changes considerably. If the client owns the data, they should be able to take their "monitoring profile" to another MSP and get equal (or very similar) service based on the devices being monitored, the thresholds for alerts, the automated responses or scripts being run, and the reports being generated.

NONE of this is possible today. Even at the enterprise level, I don't think this kind of data portability exists. But once someone (e.g., CISA) lays the groundwork for expectations, I think you'll see these kinds of requirements finding their way into requests-for-quotes.

Perhaps the closest analogy for most of us is HIPAA - Health Insurance Portability and Accountability Act. In this case, maybe it becomes CIPA or Client Information Portability and Accountability. If someone has a better term, I'm open to it. 

What data, or meta data, should be made available to clients with regard to the monitoring and management services you provide? Aside from merely making useless information available, what USEFUL information should be made available? Ultimately, there should be some standardized reporting made available to law enforcement and insurance inspectors after a cybersecurity incident.

What can a client reasonably expect? Again: I fully acknowledge that most clients won't care. But more and more, their insurance company will care. What actually-useful information can you provide to clients who dutifully pay their bill every month and expect you to just take care of their network?

. . .

I almost started this post with an apology. I'm sorry I have to write this post. And I'm sorry you need to read it. But you need to read it.

The details will be worked out a bit at a time. But, in the big picture, I think this is the world you can look forward to. Luckily, this is an evolving world. And that means you can join in the conversation and help mold the future as it emerges.

PLEASE leave comments and questions. I'm happy to respond.

-- -- --

* I previously blogged about the document itself (https://blog.smallbizthoughts.com/2021/09/the-government-is-telling-your-clients.html) and some things you should be doing right now in response to this (https://blog.smallbizthoughts.com/2021/09/three-things-you-should-do-in-response.html).

:-)


Tuesday, October 12, 2021

5-week class - Financial Processes for the IT Services Firm – Starts October 19th

Financial Processes for the IT Services Firm – 5W07

Taught By: Rayanne Buchianico


Five Tuesdays

October 19 - November 16 - Register Now

All classes start at 9:00 AM Pacific


You're guaranteed to learn something that will make or save you the price of admission!


There are few things more important than the finances of your business. But most technology consultants didn't get into business to run balance sheets or figure out cash flow.

This class provides unique content from a unique teacher! Rayanne is a managed service provider from Tampa, FL. She is also an accountant and an Intuit certified ProAdvisor. In addition to her MSP business, Rayanne helps I.T. consultants to take control of their finances and understand their own business at a deeper level.

Topics for this class include:

  • Learn to read and understand your Balance Sheet and P&L Statements
  • Create a chart of accounts that makes sense for your business
  • Separating out information on the P&L for management decisions
  • Entities and tax considerations - understanding how your entity is taxed. Handout is a tax projection worksheet for this year's taxes
  • Cash flow forecasting - Handout is a cash flow projection spreadsheet to forecast revenues and expenses
  • Understanding margins and ratios - Deep dive into the P&L and Balance Sheet to understand how the numbers work together to make decisions. Handout is a worksheet on calculating and understanding the ratios & margins.
  • Use margins to price your services for profit
  • Calculate billing and burden rates
  • Action plans for success

. . . and More!

Week One: Introduction to Your Company’s Finances

Week Two: Cash Flow Forecasting

Week Three: Margins, Ratios, KPIs, and Breakeven points

Week Four: Jobs, Budgeting, and Internal Controls

Week Five: Planning for Taxes

-- -- --

Delivered by Rayanne Buchianico, Financial Coach and QuickBooks Advisor. Rayanne has been an MSP - managed service provider - for many years and advises MSPs on how to get the most out of their QuickBooks and PSA integrations.

Includes five weeks of webinar classes with related handouts, assignments, and "office hours" with the instructor.

Each class is 50-60 minutes, although we often take extra time for questions.

This course is intended for business owners and managers. It is particularly useful for the Owner or Operations Manager.

Only $299.00 

Register: Financial Processes for the I.T. Services Firm

Friday, October 08, 2021

BIG Changes Coming to Our 2022 Training Program


Thousands of you have already taken classes over at Great Little Seminar since 2013. Thank You!

Now we have some major changes coming.

We are re-branding and doing a major upgrade to our training program for 2022. 

We now have twenty classes we are rotating through. We offer ten "live" classes per year - which means we have two years' worth of classes! And we are adding at least two new classes in 2022. Maybe four.

See our current site/offerings at https://www.greatlittleseminar.com.


Here are the classes we currently offer:

  • Core Standard Operating Procedures for IT Providers
  • Project Management 
  • Financial Processes for the I.T. Services Firm
  • The Most Important Checklists for Any I.T. Service Provider
  • Managed Services in a Month
  • Managing Your Service Board – Setup, Core SOPs, and Daily Procedures
  • The Unbreakable Rules of PSA
  • Make the Most of QuickBooks Desktop in an IT Service Business
  • Building Appointment Setting 
  • Automate Your Accounting with QuickBooks Online and Integrated Apps
  • Service Agreements for IT Pros
  • Cloud Services in a Month 
  • Powerhouse of One: Be a Super Successful Sole Proprietor
  • Position Your IT Firm for Growth or Sale
  • The Absolutely Unbreakable Rules of Service Delivery
  • Business Strategy Made Easy – Your Ultimate Success Hack
  • MSP Professional Sales Training Program
  • Optimize Your Social Media Marketing and Advertising
  • Deep Dive Into Facebook, YouTube and LinkedIn
  • Super-Charge Your Social Media Marketing

See details at https://www.greatlittleseminar.com.


We're adding a class on Customer Service for MSPs and ITSPs in 2022.

But here's the important sneak peek: We are adding a certification program endorsed by me and the Small Biz Thoughts Technology Community brand. Tracks will include service delivery, financial processes, front office, management, and Sales and Marketing.

PLUS, we'll have a special certification just for service managers!

We'll have certification exams, of course. The "practice" questions for these will be added to the online classes that align with the exams. 

The really good news: If you've already taken one of our classes in the last two years, you can re-take the class for FREE, and access all the practice questions.

So, for example, if you've taken the class on Managed Services in a Month, you can re-take it (live or self-paced) and get all the practice questions. You'll still need to register for and take the actual exam, but it should be pretty straightforward.

More details to come.

The Best News of All . . .

If you are an annual subscriber to the Small Biz Thoughts Technology Community, you can take ALL of our classes at no additional charge. So, rather than buying twenty classes at $299 (that's $5,980), you pay only $1,099 for the year!

NOTE: The annual membership price goes up to $1,199 on January first. It's still an amazing deal. But you can save that extra hundred dollars by joining now.

Visit the SBT Technology Community at https://www.smallbizthoughts.org.

In addition to all these great classes, you'll get access to all my books, checklists, and training materials - plus weekly membership meetings.

If you're looking for a great resource for your business, start here:


:-)


Exclusive content: Killing IT LIVE - October 20th

Join us for Killing IT LIVE!

That’s right – One of the hottest podcasts for IT professionals is going LIVE!

October 20th at 9am Pacific


Get on the list now so you don't miss it.

Register now and don't miss it!

Karl Palachuk, Dave Sobel, Ryan Morris

No editing. No second takes.

Join hosts Dave Sobel, Ryan Morris, and Karl Palachuk for this special live event.

You’ll see behind the curtains as we prep and produce a live show. 

PLUS, we’ll stick around and answer questions so YOU can be part of the show as well.


We normally do three segments. But on this LIVE event, we'll record a 4th bonus segment exclusively for Killing IT Live!


A Big thanks to Cisco for making this possible!

It's free.

:-)


Saturday, October 02, 2021

Join us for Killing IT LIVE! - October 20th

Join us LIVE online October 20th!!!

The Killing IT Podcast has been going for more than 130 episodes - and we are grateful for all of your support and feedback.


Here's what we're up to:

  • A LIVE version of our show.
  • You'll see a little bit of the "prep" work we do (such as it is)
  • We'll record FOUR topics. Normally, we air three topics. This means attendees will get a bonus extra topic not available anywhere else.
  • And we'll stick around for questions and general networking afterward.

Your cost: FREE!

All you have to do is wander over to KillingITLive.com and register. We'll remind you on the day and time. Then come back October 20th at 9:00 AM Pacific for the live event.

October 20th
9:00 AM Pacific / Noon Eastern


-- -- --

In case you're new to the Killing IT Podcast, it's a weekly 30-minute podcast featuring SMB IT thought leaders Dave Sobel, Ryan Morris, and Karl Palachuk.

We generally cover three topics - about ten minutes each. We are honored to get a few thousand downloads per week. We'd love to have you join us. Search for The Killing It Podcast on Apple, Android, Stitcher, or wherever you get your podcasts.

Or just start listening here: Killing IT on Stitcher.


:-)