I started System of Systems, an IT consulting company, after 12 years of working in an IT Department (most of that time leading one) where I hired IT companies to strategically assist in company goals. Being on both sides of the fence, I can help you find out if your IT vendor is great. Here are three easy questions you should ask your IT vendor to see if they are great. They should have answers immediately.
1. How do you document change-management?
Your IT assets are critical to your company’s success and likely expensive. Changes to them need to be documented to hold the IT company accountable. For example, a group of people is having issues logging on to their computers and your IT company fixes it. How? What did they do exactly? Did they apply updates? If so, which ones?
If they’re not documenting the changes, then there is no way to roll back changes. Or worse, there is no one to hold accountable when you get hacked.
How we answer this question: Every project, issue, ticket or call starts with a change-management document that lists the significant changes performed, such as a restart or reinstall of software. Our clients have access to this document upon request or when the project/ticket/etc. is complete.
Get a new IT vendor if they can’t show an example of change-management on the spot. They are, after all, responsible for your IT assets and should show accountability.
2. What happens when I get hacked?
Sad to say, but it is not if you will get hacked, but when. Your IT company should have a formal disaster recovery plan available, as well as a business continuity plan. WPP, a large advertising agency, was hacked so severely in 2017 that they had to shut down all company IT assets because they did not have a disaster recovery plan for that type of hack.
How we answer this question: We create disaster recovery plans for our fully managed clients, as well as for any project. Our goal is to have the client understand how inherent technology risks affect their business and our recovery strategy.
Get a new IT vendor if they don’t know the difference between a disaster recovery plan and a business continuity plan. Also, if you trust your IT security to an IT vendor, then ask them for examples of recovery from recent hacks. Everyone is getting hacked to some degree, which means all IT companies are dealing with protecting and recovering from hacks.
3. Who has access to my systems?
Your IT company should have one login for each of their employees. If you have a general IT admin account, then you have no idea who has access to it: perhaps old employees or consultants still know the password, or hackers have stolen it. Grill your IT company on their systems and how they keep access to your systems safe.
How we answer this question: We’re a small company and each of us has a unique login identity on our clients’ systems. We change passwords (our own and those on your system) every 90 days. If we work with a contractor, then we create a unique account. Reports are run that show who logged in and when, which we then share with clients along with why they logged in. Our goal is to be transparent with the client.
Get a new IT vendor if they have one login to your systems that is shared by their staff. Fire them on the spot if they can’t show who logged on and when. It only takes one disgruntled employee at your IT vendor to take down your IT systems.
Andre Preoteasa is the founder and CEO of System of Systems IT Consultants in Newark, NJ.