3 Things You Should Ask Your IT Provider Right Now!
It’s time for a reality check. I would like to say that all IT providers are ethical and hardworking, but unfortunately, that’s just not the case. The problem is that most folks don’t know enough about IT to call their bluff. It can be like going to the mechanic and getting told that your flux capacitor is having problems. I’m going to draw back the curtain a little and give you 3 real-world questions to ask your IT provider that will tell you if they’re doing their job or not.
Backups are a great place to start because they are easy to check on, and they’re really important. Hopefully you know if you have a backup on your servers, but if not, you should find out. If your IT provider says that you do have a backup, you should ask what it is and how often it runs. While you’ve got them on the phone you should also ask if they get notified when the backup runs, and what happens if a backup is not successful for some reason.
Not to sound untrusting, but once you have this info you should verify it to make sure they’re telling the truth. Here’s why.
Unfortunate Backup Story
I was recently contacted by a business that had been paying their IT provider to manage their backups for almost a year. A technician showed up on site to work on an unrelated issue, and the client asked them to check on the backups while they were there. After looking around the server room for some time the tech came to the client asking where their backups were being saved. (This should be a red flag! If they have to ask you where the backup is supposed to be saved they obviously haven’t been managing it properly.)
The client replied that they were supposed to be saved to a network storage device. They found the NAS a little later in the owner’s safe. It wasn’t plugged in, and clearly wasn’t operational inside the safe. The client asked if that meant backups hadn’t been running, and was told that there was a “cloud backup” happening.
What really happened was that they had not had a backup for nearly a year. The IT provider tried to say they had a “cloud backup” in place to save face. The client saw through this and actually checked on the server themselves. No backups whatsoever. Time to find a new provider.
How to check
Checking server backups isn’t as daunting as it sounds. Here are some steps to follow that will help you take a look.
1. Get the IP address for the server. You can do this by asking your provider. Alternatively, if you know the name of the server you can use that.
2. Once you’ve located the IP address/server name, open Remote Desktop from the Start menu. Most people don’t use it very often, but it’s built into Windows.
3. That will pop up a box where you can enter the IP address/server name we just found. Hit Connect.
4. It will prompt you for your username and password. Enter your credentials and it should launch a window that shows your server’s desktop.
5. Once you’ve connected to the server, open up Add or Remove Programs. This will give you a list of all the software installed on the server.
6. Review the list for any backup software. If you don’t know what something is, run a quick Google search to find out. If there is no backup software on the list it should be a red flag.
7. Once you locate your backup software, go back to the Start menu and open up the application.
8. Review the backup software’s logs to see the status of the backups. They’re almost always time and date stamped.
You should look to see that you do have a recent successful backup. You should also check to make sure they are happening on the schedule indicated. If the backups don’t complete for any reason, there typically is a log that indicates unsuccessful backups. If there are failed backups that weren’t immediately corrected that’s a red flag. If they aren’t running at all that’s a red flag. If they haven’t run and your provider didn’t know, or didn’t bother to fix them, that’s a red flag.
This is VERY simple, basic IT maintenance. It’s also a good indicator of whether they are paying attention to a lot of the other important items they told you they would be looking at. Best in class providers will have software that monitors backups and gives them automatic alerts that are quickly responded to. If backups aren’t happening, there is a good chance that nothing else is happening either.
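The log review described above can be expressed as three checks: a recent success, runs on schedule, and failures corrected quickly. The PowerShell below is an added example, not part of the original article; the function name, the Time/Status fields and the sample history are assumptions constructed for illustration.

```powershell
# Added example: applies the article's backup red flags to a job history.
# Entries are objects with Time and Status; those field names are assumptions,
# so map them from whatever your backup product's log export provides.
function Test-BackupHistory {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [int] $ScheduleHours = 24,          # the schedule your provider quoted
        [datetime] $Now = (Get-Date)
    )
    $flags   = New-Object 'System.Collections.Generic.List[string]'
    $sorted  = @($Entries | Sort-Object Time)
    $success = @($sorted | Where-Object { $_.Status -eq 'Success' })
    $grace   = [timespan]::FromHours($ScheduleHours * 1.5)   # tolerate a late run

    if ($success.Count -eq 0) {
        $flags.Add('No successful backup anywhere in the log')
        return $flags
    }
    # 1. Is there a recent successful backup?
    if (($Now - $success[-1].Time) -gt $grace) {
        $flags.Add("Last success was $($success[-1].Time): not recent")
    }
    # 2. Are runs happening on the schedule indicated?
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if (($sorted[$i].Time - $sorted[$i - 1].Time) -gt $grace) {
            $flags.Add("No run between $($sorted[$i - 1].Time) and $($sorted[$i].Time)")
        }
    }
    # 3. Was each failure followed quickly by a success?
    foreach ($f in ($sorted | Where-Object { $_.Status -eq 'Failed' })) {
        $fixed = @($success | Where-Object {
            $_.Time -gt $f.Time -and ($_.Time - $f.Time) -le $grace })
        if ($fixed.Count -eq 0) { $flags.Add("Failure on $($f.Time) not corrected promptly") }
    }
    return $flags
}

# Constructed sample history (not real log output).
$sample = '2024-03-01 Success', '2024-03-02 Success', '2024-03-03 Failed',
          '2024-03-04 Failed', '2024-03-05 Success' | ForEach-Object {
    $d, $s = $_ -split ' '
    [pscustomobject]@{ Time = [datetime]$d; Status = $s }
}
Test-BackupHistory -Entries $sample -Now ([datetime]'2024-03-08')
```

Each line it returns is one red flag to raise with your provider; no output means the history passed all three checks.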
Patches and Updates
Microsoft releases patches and updates every week for Windows operating systems. The majority of these patches are security updates that help to keep your machine secure and safe from evolving threats.
Best practices typically indicate that they need to be applied within about a month of their release. Sooner is better, but you will likely want to test them before applying them to make sure they won’t break anything. That can frequently take a week or two.
This is another item that is a super basic IT function. Nonetheless, it is a good indicator of the overall care they are taking of your network. If patches are much more than a month behind, and their reason is “I forgot”, that should raise a red flag.
Why are they so important?
If you take a minute to read through the executive summary for some of the critical patches released by Microsoft, you’ll start to see a theme. Many of them are to protect you from remote code execution.
What that means in English is that there are tons of bad guys out there that are creating phony websites, writing JavaScript hacks, and creating sneaky Word and Excel files. They run fake email campaigns or use other methods to get you to click on them. When you do, it gives the bad guys full access to your machine. They can make changes to your machine, view or delete data, steal your personal information and more.
Windows updates can offer you additional protection. That makes them pretty important.
How to check
Checking to see how current you are on patches and updates is pretty simple.
1. Open Settings, and click on the Update & security icon.
2. Click on Windows Update on the left side, and click on the Check for updates button.
3. Click on Advanced Options.
4. Click on View your Update History.
This will tell you when your last patches were applied, and give you an idea if things are up to date. It’s important to check your servers as well to ensure they are being updated. Server patches are even more critical than the ones on your workstation, and just because one is up to date, that doesn’t mean anyone has cared about the other. Check them both. If they’re not current it should be a red flag.
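The same check can be run against a workstation and a server in one pass. The PowerShell below is an added example, not part of the original article; the function name and the SERVER01 computer name are placeholders, and the 30-day threshold reflects the "about a month" guidance above.

```powershell
# Added example: report how long ago each machine last installed an update.
# Get-HotFix reads the Windows hotfix inventory, which can omit some update
# types, so the Update History screen in Settings remains the fuller view.
function Get-PatchAge {
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [int] $MaxAgeDays = 30              # "about a month" from the article
    )
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Computer = $computer; LastUpdate = $null
                           LastKB = $null; DaysSince = $null; Status = $null }
        try {
            # Some entries carry no install date; drop them before sorting.
            $fixes = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                       Where-Object { $_.InstalledOn } |
                       Sort-Object InstalledOn)
        } catch {
            $row.Status = "Could not query: $($_.Exception.Message)"
            [pscustomobject]$row
            continue
        }
        if ($fixes.Count -eq 0) {
            $row.Status = 'RED FLAG: no dated updates found'
            [pscustomobject]$row
            continue
        }
        $latest = $fixes[-1]
        $age    = [int][math]::Floor(((Get-Date) - $latest.InstalledOn).TotalDays)
        $row.LastUpdate = $latest.InstalledOn.ToString('yyyy-MM-dd')
        $row.LastKB     = $latest.HotFixID
        $row.DaysSince  = $age
        if ($age -gt $MaxAgeDays) {
            $row.Status = 'RED FLAG: more than a month behind'
        } else {
            $row.Status = 'Current'
        }
        [pscustomobject]$row
    }
}

# SERVER01 is a placeholder; replace it with your own server name.
Get-PatchAge -ComputerName $env:COMPUTERNAME, 'SERVER01' | Format-Table -AutoSize
```

Querying a remote machine requires an account with administrative rights on it; a "Could not query" row means the check did not run, not that the machine is current.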
I’m not talking about Fort Knox here. I’m talking about very basic business network security. Your particular business may have compliance or other regulations that you have to meet that require more stringent security. That’s not what I’m addressing here. I’m talking about as-basic-as-it-gets, no-brainer security. Here’s what to ask.
Do we have a firewall? If the answer is no to that question it should be a huge red flag. If your provider hems and haws about how the router from your internet provider might be considered a “type” of firewall, that’s also a huge red flag. It’s not.
Is the firewall password protected? This may seem like a dumb question, but my experience indicates that it is absolutely worth asking. Most firewalls and routers have a default password when they come out of the box. Those default passwords are available online, making anything left with a default password extremely easy to hack.
Those 2 things are only the tiniest part of what you should be doing for network security. However, they will be pretty good indicators of the overall state of things. Typically, if your IT provider can’t be bothered with the most basic items they won’t be doing anything else either. There are other things to look for, but this is a good place to start.
I’m guessing that the why with security is pretty apparent. You don’t want confidential business data, financials, or customer information stolen. You don’t want to get sued. You don’t want to pay huge amounts of money in damages because you didn’t bother to protect your data.
According to a recent study conducted by IBM, the average consolidated total cost of a data breach grew from $3.8 million to $4 million in 2015. The study also reports that the average cost for each stolen record has risen to $158. I’m pretty sure you don’t want any part of that.
How to Check
You’ll need to get the IP Address of your firewall. This can be easily found by following these steps.
1. Press the Windows key and R. This will bring up a little box that says Run at the top.
2. In the Run box type cmd and press Enter.
3. This will bring up a black command prompt. Type ipconfig and press Enter.
4. It should spit out a bunch of data. The thing we’re looking for is Default Gateway. It should give you a string of numbers that look like this – 192.168.168.1 or similar. That is the IP of your firewall/router.
5. Once you have the IP address, pull open a browser such as IE or Chrome. Type the IP into the browser and press Enter. It should bring you to a login page for your firewall. Frequently the login page will have the model number of the firewall in question. If not, go look in the closet and find the model number on the actual hardware.
6. Do a quick Google search online for the default login info for that particular model of firewall. Try that login info on the login page. If it works, that’s a huge red flag. If it doesn’t, that’s good news.
Any quality IT service provider should be able to easily meet all parts of the very basic competency test that I’ve outlined here. I’ve noted multiple red flags worth looking for. If there is a red flag on any of these VERY BASIC items, I recommend doing a careful review of everything. It’s also probably worthwhile to get a professional to do an IT audit. Many firms will do this free of charge as a way to show how they can provide value as a potential partner.
IT is an industry that has a lot of very hardworking trustworthy people, and like most industries, a handful of bad apples. Protect yourself by doing some basic checks, and you could save your business from significant hardship.
About the Author: Mike Herrington is a 10-year veteran of the Managed Services Industry, and works currently as Manager of Business development at i.t.NOW. He has led i.t.NOW to year over year growth for the last 6 years, and multiple industry awards. More of his writing is available on his blog at www.itnow.net/blog