With the end of 2020 in sight (finally!), business leaders are turning their eyes on 2021. With all the changes that have come to the ways we work, it is more vital than ever to take advantage of technology to help your business thrive. Business technology strategy adviser Garry Adams joins us to list easy things you can do right now to get your technology—and business—ready to take charge and make your mark in the coming year. Don’t miss this episode, which is packed full of action items and must-do tactics!
Speaker 1: Welcome to the JMARK Business Innovation Technology Experience.
Todd: Okay, welcome once again. We have another exciting topic here today. We know this has been quite the roller coaster of a year and a lot of people are thinking just let it be over and that is about to happen. And we are going to roll into 2021 and unfortunately hoping that 2020 ends is not a great strategy for having a successful ’21, still sounds weird saying ’21. There’s a lot of people that are living right now in uncertainty and fear and that’s understandable. There’s just a lot of chaos in everything that’s going on, in the economy, in politics, and Thanksgiving coming up, and lockdowns, and coronavirus, and everything. So the danger is that we’re sitting at point and we’re hoping for things to maybe shift back to normal at the beginning of ’21, but the truth is as we’ve talked before, the shift is not going to happen like we hope it will or the shift is not going to go back to just the way it was pre-2019.
Todd: So we have to start innovating, we have to start preparing, we have to start making sure that our organizations, our teams are set up for success. There is no better time than now if you haven’t started to get ready and make sure that 2021 is successful. The one thing that we’ve talked about a lot on this podcast is that technology is the driving force for the transformations and for the changes that are happening. We’ve seen this across almost every industry out there and when you embrace the changes in technology, when you embrace the risks that technology can bring also, and you work on those exercises and those strategies that can make your organization successful you’re going to be way ahead of your competition. You’re going to be way ahead of where you thought you could be. You’re going to be providing a better customer experience for your customers and your organization is going to be more successful.
Todd: So what we wanted to talk about today was this idea of what are some things that can be done now? Between now and the end of the year that aren’t super difficult, that will help to set an organization up to be more successful with their technology in 2021. And not really successful with technology, but help their business be more successful in ’21 by embracing technology and all the benefits that it brings to enable transformation and innovation.
Todd: So one of the things that kind of pops out to my mind is this idea of risk, when you’re down in the gutter you don’t want someone to step on you even more. You don’t want to get hit by something else and a lot of people feel like that’s where they are, they’re down in the gutter. And we have seen a massive increase in security threats over the last six months. Gary could you talk a little bit about this and how you see some of our clients preparing and mitigating this risk? And then also, what are some of the exercises that people need to do right now to mitigate that risk so that, that is not something they have to think about as they’re innovating and changing things for ’21.
Gary: Yeah, absolutely. Excuse me. So some of the things that are… As you mentioned Todd, the threat landscape is just so very different than it has been in the past, even just in the last six to 12 months the threat landscape is always ever evolving and changing, but one of the key things that you can do to shore up your cybersecurity and that whole mentality is just making it something that’s top of mind. Employee awareness and training, as an example, is something that you can do with your people. It’s a very real, relatively easy thing that you can do to keep cybersecurity top of mind because it doesn’t matter what systems you put in place, what firewalls, what anti-virus, what tools you’re using to check and validate from a systems perspective, your weakest link is always the human element.
Gary: You have the ability as a user of technology to override many of those security protocols by simply putting in your password to an unauthorized site and now you’ve just given someone the keys to the kingdom, so to speak. Employee awareness and training your people is not a terribly difficult thing to do and it helps keep that security top of mind and it helps your organization keep security top of mind as a whole. So… Yeah go ahead.
Todd: Yeah, I was actually talking with SPJ, I think it was yesterday, in Springfield about this topic and one of the things that helped to kind of display this point of security is, I send a lot of emails to prospects. We send a weekly email and in the end of 2019 I was getting maybe one email a month, one or two a month, that was from a prospect that had gotten hacked and then that hack proliferated into their list of whoever had ever emailed them and I was on that list. So I get a phishing attempt maybe once or twice a month. And in the beginning of 2019, as COVID started to progress a little bit more that went up to maybe three or four a month, and then of course, let’s remember too this was the time when hackers were all saying, “We’re going to take the high road. We’re not going to hack healthcare organizations,” and things like that. And then over the course of March to now, it’s slowly increased and now I get at least a phishing attempt, on average, every single day from a prospect in our database.
Todd: And like you said Gary, all it takes is someone clicking on a link that can destroy and cause just innumerable costs in an organization. It ruins reputations, it ruins people’s lives, and that’s why it’s so important that you take the time to do this exercise of what do we need to do to train our employees? Have a one hour training session with your employees and show them what a phishing attempt looks like. Create some rules and some policies, if you ever see an email from the CEO, or from an executive, or your supervisor that looks suspicious, now don’t just act on it. Get verification, trust but verify. So this idea of just awareness and making sure that your employees are trained and know how to recognize these things will have a world of benefit.
Todd: And like you said too, the best email system in the world can’t stop this stuff. Yes, they’re helpful and yes they stop a lot, but stuff gets through. You just, you don’t know, and it’s dangerous.
Gary: Yeah, so awareness is key and there are other steps that you can take. In any security approach it takes a layered approach, no one solution is the magic silver bullet. So yeah, spam filters and things like that are huge, that’s an important part of it. Employee awareness is huge, that’s a big part of it. Something that we’ve done a lot with recently is shoring up the security around multi-factor authentication and those types of systems. Not just internally here at JMARK, but within our clients as well because even if someone does manage to get through that weak link, an employee who is maybe less vigilant, or… I say an employee who’s less vigilant, we’ve all been there, we’ve all clicked on that link, and instantly thought, “Oh, man. That was not something I should have clicked on.” Right? Even those of us that are in the industry find ourselves in that situation.
Gary: So it’s not just those that are uneducated and I want to make sure that, that stigma doesn’t exist. It’s a risk for everyone, not just those that are uneducated. Of course, the level of tech savvy of an employee has a bearing on your likelihood there to fall victim, but the point I was getting at is in that layered security approach another major, major step that you can take is multi-factor authentication. And we’ve all been there, we’ve all logged into our bank and they’ve asked for two or three steps to verify your identity before you’re able to get in and access that sensitive information. Our businesses, we may not be… Maybe you are a bank, maybe you’re a financial institution, maybe you’re a healthcare facility, maybe you’re just, and I say just, but maybe you’re a retail organization, but guess what? Your employee information, your client information, is sensitive, protected information and it’s vulnerable if not protected by systems like this.
Gary: So I hear that a lot from clients, “Well, we’re not a bank. We don’t need that kind of security.” Well, think about the kind of information that exists on your systems. Just because you’re not transacting dollars between other organizations doesn’t mean that there’s not important, sensitive information or take the other aspect of what would it mean to your business if someone were to ransom the environment and hold it hostage, lock up your content, and you can’t operate anymore. It’s not just that they’re maybe exfiltrating and trying to sell off that information, but holding that information hostage and preventing you from doing work. What would that cost you in a day if you were down for your operations for a full day? What if that’s a week? What if that’s a month? Right? These are very real numbers and multi-factor authentication is another layer that you can put in front of that to secure those credentials so that even if they are compromised it’s creating another barrier to those bad actors from getting in and actually doing bad things with that information that they’ve obtained.
Todd: Yeah, and Gary to go off of what you just said, the actual metric the last time I read it, was that 70% of hacks are on small business. So it’s not just big businesses, it’s small businesses too and that happens all the time. On this same vein, one of the things I was talking about the other day with Eric Langondorfer, our Director of Security Management, is tabletop exercises. We have a plan to do a tabletop exercise in the next month and the idea with the tabletop exercise is that you are bringing the parties together in an organization and you’re going through a scenario. Okay, so and so clicks on a link in an email and their computer is encrypted and this happens, and then you talk through okay, we need to shut the computer down. We need to contact this person in the organization, this needs to happen, this needs to happen, and you’re going through these things because as you go through those you’re more prepared for something actually happening. And you’re doing something else, is you’re helping to raise awareness among the people that are involved in that tabletop exercise.
Todd: And it can seem a little bit mundane to do this and a little bit weird because you’re just talking about these made up scenarios, but for years a pandemic was a made up scenario that nobody thought would happen and look what happened. So these things can happen and knowing what to do when a ransomware incident happens, or some other kind of breach, or disaster can set your organization up for a lot of success and can help mitigate what could be a really big problem and mitigate it into a much smaller problem. I mean, just the sheer fact of a single step can mitigate, shutting down a computer if there’s a suspect of it having been infected. So just going through this exercise can be literally a couple hours worth of time and can have great benefits to reduce your risk in the organization.
Gary: Yeah, that’s a great point Todd. The concept of having thought through the scenarios before they happen is becoming not just something that is important and essential for large enterprise. You mentioned that 70% of these breaches or hacks are happening within the small business space and that’s because more often than not these small businesses haven’t taken the time to think through these scenarios ahead of time or to put these additional layers of security in place because either there’s an assumption that I’m not big enough to be a target or in most small businesses you’re wearing a lot of hats. You’ve got a lot of stuff to do, you’re very, very busy. You’re running just barely keeping your head above water and to feel like, man, now I’ve got to take out time, carve out a portion of my very important, very valuable time that I could be producing revenue, or I could be training my team, or working on these types of things, to think through a what if scenario, but there’s power in that.
Gary: And taking the initiative before it happens to know what do we do in this particular circumstance it reduces the amount of time that it takes to react and the translation of that is it reduces the impact of an event like that on your organization. There are couple of metrics that we look at in security when it comes to a breach of security. One is what we call dwell time or how long the bad actor is in the environment before you correct the thing that’s allowing them in, whether it’s access, or a system that’s infected, or whatever that is, and the longer that dwell time the more opportunity they have to either exfiltrate data, or encrypt your files, or otherwise impact your business. Right?
Gary: So if you’ve got an action plan in place, you know when this thing happens we do this, or when this thing happens we do this, and your disaster recovery plan is in place, you’ve gone through the tabletop exercises and you know what happens in your workflow, so that it’s not a question it becomes almost muscle memory at that point, “Oh yeah, we talked about that last week. I know exactly what we need to do. We need to shut down this computer. We need to disconnect it from the network. We need to call our IT provider, have them look at the firewall logs, get logged into the server, check the anti-virus logs.” All of those types of things, but having that plan in place ahead of time is invaluable in reducing that dwell time, reducing the time that it takes to remediate and get back to normal operations. Again, that concept of days, versus weeks, versus months, the better planned for it, the smaller that gap time is that you’re going to have to deal with when it happens.
Dax: Yeah, I always think the thing is, if time is money right now, time is also money when you’re in crisis mode. And I think, what you’re talking about Gary, that time that spreads out in recovery time, if you don’t have these plans in place you slow down that recovery time and just the money you’re losing at that point, the opportunities you’re missing out on just grow exponentially with the time it stretches out before you can recover and restore your systems. And having these plans in place beforehand because inevitably, no matter how well prepared you are, if you haven’t really gotten that plan in place, you’re going to forget something. No matter how well prepared you think you are, you get into crisis mode and it’s just a natural reaction of the human mind that things are going to be missed and that’s why it matters so much to prepare ahead of time.
Todd: Yeah, what this reminds me of when we were talking is the military. The military trains, trains, trains, trains, trains on these what if scenarios all the time so that when it comes down to it they know exactly what to do. There isn’t confusion and people doing whatever they want. So when you think about the time, like you both were talking about, I mean, the time to perform a tabletop exercise, and to shore up security, and to train people is absolutely minuscule to having your entire company offline and not able to work because of a security breach that happened just because somebody clicked on a link in an email. That’s the mentality that we have to change, it’s not about these what if scenarios that may never happen, it’s these scenarios that are quite possible and if they do happen the investment of time we’re putting in to preventing it or at least training ourselves on what to do is what carries us forward and reduces that risk and that time that everybody’s not working.
Todd: And going back to something you mentioned too Gary, is the backup and disaster recovery and continuity plan. Now is a fantastic time to update those. At JMARK, we’re actually updating ours in the next month. We do it every single year. We go through a three day event that we call a kaizen event and essentially it’s a very focused event with all of the right people in the organization that have anything to do with that plan. We document everything under the sun that has changed, contact info for key stakeholders in the organization, we update configurations of systems, servers, software. It is a very detailed plan it’s over 300 pages, but I don’t say that because you need to have a 300 page plan. We have a 300 page plan because we’ve been doing it for years and it’s slowly grown and we have a substantial amount of technology.
Todd: Don’t be afraid of just taking a small part of it. Document some of these scenarios. Document contact information for people, when a disaster happens a lot of times the cell networks go down, internet networks go down, and so having just information on how to contact people and where that information is stored can be just a small step to preparing for the future and can help your organization be successful if that event were to occur.
Gary: Yeah it’s… Sorry Dax, go ahead.
Dax: Oh, I was just going to give an example of that from before I came to JMARK of a time that I worked at a company where there were only three of us. And we actually, I mean, we were at the startup point where the famous story about starting it up in a garage, we literally did work in the owner’s garage. And he had gone off to a trade show and so it was just me and the one other guy there and all of our systems went down, and we had no plan. This wasn’t a big crisis where we had been hacked or anything just the systems went down and the owner was on the road. We didn’t know who to call. We didn’t know what to do and actually, I am wrong. He wasn’t at a trade show. He had gone hunting so he was up in the mountains and so we literally lost three days of work because we had no way to contact him to get the information we needed on the guy we needed to call to get our systems back up.
Dax: You think that these things can’t happen to you and it turned out just being one small thing. Once we finally got a guy, three days later, at the next Monday when everybody was back in the office and we got ahold of our IT provider, the fix took like 30 minutes, but for not having the information to get ahold of somebody for a 30 minute fix we missed three days of productivity, and work, and opportunities.
Gary: Yeah.
Todd: I’ll just say one quick thing and that is that we no longer can even go through the scenario of that probably will never happen, if anything we’ve learned from 2020, if you’ve learned anything is that it’s not an if but when. So we have to prepare for everything.
Gary: Yeah, these… We’re talking about disaster recovery business continuity plans, right? Most companies have some sort of a backup in place. Most companies have some sort of an anti-virus in place. We’re not talking about just simply implementing a backup solution. We’re talking about a business continuity plan, a written document that says, “This is how our business will react in these situations or in these scenarios.” And a documented disaster recovery plan or business continuity plan is something that is becoming increasingly important and insurance companies are asking about it. “What is your disaster recovery plan?” They’re not asking, “Do you have backups?” That at this point is almost a given. They’re asking, “What is your business continuity plan and please provide us with this documentation for how your company is going to recover in the event of fire, theft, natural disaster, or virus outbreak, cyber attack, those types of things.”
Gary: It’s gone from something that large enterprises do to becoming mainstream enough that it’s almost a minimum right to play in any line of business today.
Todd: I was just thinking about this. We’ve talked about, at JMARK, we had a flood come through our office, I don’t even remember when it was, 2014, 2015. And we talked all about this and many different scenarios, but we’ve never talked about actually what happened at the very beginning and I haven’t ever explained that. And what happened was, Tom calls me, or he sends a message, and Tom our CEO calls me and he says, “It’s getting pretty bad.” Or something to that effect and I said, “Do we need to activate the backup and disaster recovery plan?” And he said, “Yes.” And that clicked a bunch of things into motion. It wasn’t, “What do I do now?” It’s not what do you want to do? It’s not okay, let’s do this, let’s do this, let’s do this. It was one question, “Do we activate the backup and disaster recovery plan?” And that started off a whole flood of procedures, and processes, and communications that were all documented. We knew exactly what to do.
Gary: That’s powerful right there. I mean, when we’re talking about, again, circling back to the topic here, things that we can do to ramp things up for 2020 or to set your organization up for success in 2020, if you don’t take anything else out of this conversation that right there is majorly powerful. The fact that one question activated a whole sequence of events that, and to your point, we have talked about this on several occasions the outcome of that and the fact that JMARK continued to function, continued to operate, the impact to us as a business was… Yes, people had to invest additional times and yes we had to change how we did things, but the deliverables, the outcomes that we were providing to our clients didn’t change and didn’t have to be affected by this thing that was hugely impactful to us. But the fact that it was transparent to those that were consuming our service on the other end speaks to the power of that kind of a process.
Gary: And had we not had those processes in place and had that one liner not been triggered to say, “Do we enact the disaster recovery plan?”, or had that disaster recovery plan not existed it would have been as you said, okay, now what? And it goes to your point earlier Dax of, now you’re in crisis mode and now you have to think about all the things that have to get done and you are going to miss something because unless it’s muscle memory and unless it’s documented, those things don’t happen naturally. You think about the things that you’ve done recently and the things that are going to be the biggest impact, but there’s a whole host of things under the surface that you don’t think about in the moment that can have a substantial impact on the outcome of that type of a scenario.
Dax: Correct me if I’m wrong here Todd, but part of what happens is that you’re also spreading all of that action throughout the leaders of the organization and everybody knows their role already. Everybody knows okay, these are the people that I get ahold of, this is my part, here’s what I do, and on down the line so that there is no question. You don’t have a whole bunch of people in crisis mode. You have a whole bunch of people in action mode.
Todd: That’s exactly right. That’s exactly what happened. It wasn’t just me implementing a bunch of processes. It was me starting a bunch of processes and then many other people throughout the organization working on those things and communicating with their people. So that’s very powerful for sure. The other thing that it reminds me of with the backup and disaster recovery plan is policies. The reason why that’s interesting is because when we became SOC compliant, which we’ve talked about many times, it’s a very difficult regulation to get. We do a lot of stuff internally. We have a lot of controls that we have to abide by. Part of that was you have a documented backup and disaster recovery plan and along with that there are these controls that have to happen in the organization.
Todd: So one of the controls that is in a policy that we have called a backup and disaster recovery policy, the control states that JMARK will update the plan every single year. It’s kind of the rule on top of the procedures. So we know that every single year according to our policies that we’ve agreed to we have to hold this kaizen that we call it and update the backup and disaster recovery plan. That’s where policies are so important. A lot of people think of policies just in the sense of HR and setting those rules, but IT is vitally important because that is where you state the controls that govern everything in the organization. I mean, we have policies that govern the encryption that we use, the level of encryption that we use, what we do with the encryption keys. We have policies that govern the use of computers, and working from home, and how long backups are retained, and what kind of data is retained for different periods of time.
Todd: I talked about the backup and disaster recovery plan, we talked about… I mean, there’s just so many different things that our policies they are essentially the governing body over all of the processes and procedures that our organization has, and when you don’t take the time to get those policies in place you just have a bunch of ideas but you don’t have anything to keep it maintained and keep it going. That’s why those controls are so important. So as we’re moving into ’21, that’s another thing that can be done right now is to update policies, get your IT security policies in place, and more than that get them out to everybody in the organization and have them acknowledge the policy so that they understand what the controls are.
Gary: So Todd, as you’re talking about this, if I’m a small business owner and I’m hearing you talk about the security policies, and the controls, and this very mature level of documentation that exists within the organization, and I’m going, “I don’t have any of that.”
Todd: Okay.
Gary: “I’m starting at ground zero. What’s the first thing that I can do as a small business owner to get myself that direction?” Because doing what you’re talking about, although a very worthy end goal is probably not something that most people are going to have the wherewithal, or the time, or the ability to bite off all at once. And I think it’s important for people to recognize that, that’s not the expectation here that may be an end goal, but where do you start in getting down that road?
Todd: That’s a great question. The thing about policies is… First of all, the best course is to start with somebody that understands the industry, understands what policies you need to be in place, understands IT and technology, and that somebody is somebody like JMARK. But apart from that, there is so much out on the internet about security policies. There are free templates out there on different things and when we implemented our policies, granted we know a lot about technology, but we didn’t exactly know what level of controls we wanted. Every single year we update our policies. That’s actually one of the controls in the policies that we will update the policies once a year, but we actually go through and go, “You know what? This didn’t really work. We need to modify this a little bit.” But the point of me saying that is, it doesn’t have to be perfect. We’re not looking for pie in the sky. We’re looking for controls that maintain the health of the organization, that maintain the health of the technology, and having controls in there guides the initiatives of an organization.
Todd: So for example, if you have a control in a policy that states, “Everybody will go through annual security training,” when you’re in your quarterly planning, your annual planning, that is one of those things that needs to get down on the books as an initiative to get that done. If you have something that states you have to do an annual inventory of your technology so that you’re making sure to keep track of everything, then that goes into your initiatives of what you’ve got to get done, but if you don’t have those controls in place then a lot of times these things are just not happening.
Todd: So I would say from the standpoint of where do I start, it’s either one, get ahold of somebody like JMARK that can really help you to get your policies in place and two, if that’s not in your timeframe or budget just start somewhere. Look at… Get an acceptable use policy template, privacy policy, work from home policy. Start at the things that are top of mind for you, work from home policy is a big one right now that’s top of mind. How do we control the security of computers when people are at home, things like that. So we tend to make things more complicated than they are and a lot of people too, like myself, if I’m going into a plan to review policies or to write a backup and disaster recovery plan in the back of my mind sure, I want it to be the best possible plan, the outcome.
Todd: But one of the things that we have learned to accept, for example on our backup and disaster recovery plan, is we have three days and what we don’t get done at the end of that third day doesn’t get done. We accept that we just can’t do everything. It’s not ever going to be a perfect plan, just do what you can and keep going on because having something is better than nothing.
Gary: Yeah, I think that’s a critical point here and I’m glad you brought that point up because we oftentimes get so caught up in having something that’s 100% perfect. And maybe you’re not the type of person that gets all wrapped up in the perfectionist mindset and can’t release something until it is at 100%, but sometimes when it comes to policies and procedures as you said, having something is better than having nothing. Getting a process, getting a policy, a disaster recovery plan to 80%, that gives you 80% of those things that you have to think of in the moment that you no longer have to think of. You may still have another 20% of things that oh, we forgot about this. Well, great you can deal with that but guess what you don’t have to deal with? The tip of the iceberg that’s up above that you’ve got to worry about and then you’ve got all the stuff that’s down under the water that just happens because it was part of your policy.
Gary: So maybe to answer a bit of my own question and to dovetail with what you have said is the best place to start is, to your point, anywhere. Take whatever’s top of mind, maybe it’s acceptable use, maybe it’s a work from home policy, maybe it’s a mobile device policy, whatever it is. Right? Maybe it’s your backup and disaster recovery plan, but take the thing that you feel is either top of mind or you feel will have the biggest impact on your business and put it on paper, sit down with the leaders within your organization, run it past the smell test, make sure everyone else gets a chance to weigh in on it, provide some feedback, and then put it into practice because having something documented and having something that’s part of your business operation is not necessarily the same thing. Right?
Gary: You can put it in black and white, and you can put it in your binder, and stick it up on the shelf, and never look at it again, but if you’re checking those policies annually you’re regularly running through those tabletop exercises that you mentioned before, making it part of your business process, then when it happens, like Dax talked about being… It’s natural, it’s muscle memory, it’s just something that gets executed on because that’s what you do. We’ve already talked about it. This is not an issue because we’ve already decided what’s going to happen here. So starting small and making sure that it’s a regular part of what you do and not just something that gets put on a shelf when you’re done.
Todd: Yeah, one of the things that comes to mind is what’s so important right now is speed and we talked about this a week ago. And the idea is with so much changing in the world consumer behaviors are changing, employee behaviors are changing, new parts of industries are starting up, the way we buy things is changing, and that is why this is important. It’s about speed, it’s not about perfection. So when it comes to procedures, or processes, or policies, or backup and disaster recovery, or tabletop exercises, it’s about speed, getting the best possible protection in place, getting the best possible plan in place with the time you have so that you can move forward, innovate, change, adapt, and help your organization be more successful in the coming year.
Dax: Yeah, I would add to that, that it’s not just about speed it’s also about just getting a head start. I mean, that’s what we’re talking about is… An imperfect policy that you’ve started is a head start. The things that you’re thinking about right now at the end of 2020 is giving you a head start for 2021 and giving you a head start because we know the things… Again, it goes without saying that 2020 has been a mess and has thrown unexpected thing after unexpected thing at all of us, but at some point things… We talked about the better normal, the new normal, at some point things are going to start becoming just this new world that we live in and if you’re acting now then you are going to be in a place when that begins to happen that you are already ahead of those changes. So you’re able to start taking advantage of opportunities that are going to come up that other people are not because you’ve already laid the foundation for what you want to happen when those opportunities arise.
Todd: I think that’s very well said. On that same vein of speed, and moving forward, and getting things in place, one thing that comes to mind for me is our partners. JMARK does a lot of work every single year to review our partners, to vet our partners, to make sure that they are still maintaining their security. We receive SOC reports from our partners. We receive questionnaires on security and different things because we want to protect ourselves and our clients, but when you are going into a world that is potentially uncertain, when you’re going into situations that are potentially uncertain, you need people by your side that have the experience, have the expertise, have the tools, have the knowledge to help you. Whether that is a complete managed IT services partner like JMARK, or whether it’s a software vendor, or whatever it is, now is a great time to vet those partners and go, “Are we really set up for success? Are they the ones that are going to take us through the coming uncertainty? Are they the ones that are going to take us through the coming chaos?” Because you need those people by your side.
Gary: Yeah, it’s something that in business I learned a long time ago is, do what you are good at and find other people to do the things that you are not good at. Right? And that’s what having a good partner network is all about. It’s not just personally, it’s as an organization. What’s your core focus? What do you do and what do you do well? And find people to augment that with the areas that you are not strong in. Having strong partnerships and how often do we review those partnerships, right? And assess are there other gaps that we need to fill or are our partners filling the role that we need them to fill. Do we need to go back and say, “Hey, let’s improve this area here.” Or maybe even reassessing who some of those partners are on a periodic basis because businesses change, circumstances change, we all evolve over time, but that’s key having, whether it’s a fully outsourced partner, and you mentioned of course, in our industry this is what we do. We do IT services and so some of our clients may outsource all of that to JMARK.
Gary: You may be in a position where you want to outsource all of your IT leadership, IT management to someone like JMARK or you may be in an organization where you’re a little bit of a larger operation and you’ve got some of that running in house and you need to augment that team or you need some oversight for that team, whatever it is, figure out what those gaps are so you can find the right people to cover those gaps. And again, do what you are best at and find people to do the things that you are not the best at, and that really maximizes the effectiveness of what kind of impact you can have as an individual and as an organization.
Todd: Exactly, and on that vein of what you do best, Gary you have the privilege of working with our clients to develop strategic plans, to develop budgets. Could you talk a little bit about that?
Gary: Yeah, absolutely. So this time of year budgets are top of mind for everyone, right? We’re coming up at the end of the year, everybody already has a budget or is getting into the mode to start putting their budget in place, and we’ve talked about a lot of important things within your business. Some of these things are a time investment and some of these things are a dollar investment that needs to be made, and it’s absolutely critical to the success of your organization to know that you’ve got permission within your budget to do those kinds of things. 2020 has been a difficult year, a lot of businesses are struggling financially and you may be looking at your budget saying, “What do we have here that we can cut or we can eliminate?” And one of the messages, and we talked about this before the podcast, but one of the messages that I hope is clear to folks is that these cybersecurity and preparedness things that we’ve been talking about these are not areas that you’re looking at should we or should we not?
Gary: We should even be finding areas in other parts of the budget if necessary to squeeze out some room to make sure that these initiatives have a place in our 2021 budget so that when it comes down to it and getting it done, we’ve planned for it. There’s dollars set aside and we can execute on these initiatives because they can have a massive impact on your productivity and your ability to produce results today, and an even bigger impact on your ability to mitigate risk in the event that something terrible does inevitably happen. As has been said, if we’ve learned anything from 2020 it’s not if, it’s when. We say that with cybersecurity, with backups, with anti-virus, with all of these things.
Todd: Yeah it…
Gary: You name it right? These things will happen in your organization. It doesn’t matter how good your security strategy is, you will find yourself in a position at some point in time where those business continuity plans are being tested. So you asked the question, right now, this time, this season of budgets is the best time to look at where your gaps are. Do you have these things in place? Do you have a good backup and disaster recovery system? Do you have a plan in place on how to manage that? Are you training your employees? What is the status of your anti-virus? Cybersecurity in general, as a whole, what gaps exist that you need to slot into your budget for 2021 so that when 2021 comes around you’re not scraping to try and take care of these things that we know are essential, that are mission critical, but you’ve allocated for it and you’re ready to go, and you’re able to execute on these things and provide that security within the business.
Todd: Yeah, and the thing on budgets too I want to be clear about is, I’m 100%, 1000% for budgets, but a budget is great when nothing bad happens. A lot of people treat it that way. They treat their budget as, this is what we’re going to invest in assuming nothing bad happens and we’ll just cross that bridge if or when it happens. That has got to change. 2020 has taught us… I mean, we’re record hurricanes, tornadoes, earthquakes in Utah where Dax is, just everything, pandemics, and this isn’t about putting fear into everybody, but it’s about being real and being honest with the current situation. And when you take the time to go okay, yes, we are going to implement these policies, we’re going to implement a backup and disaster recovery plan, we’re going to outsource some of these services that we need help with, security and other things, IT. We’re going to whatever it is, these are vital, important things to make sure that ’21 is a better year than 2020 and that’s why the budget is just so vitally important.
Gary: And what good is a budget… What good is a plan, because that’s all that a budget right is a plan for how you’re going to spend your money for the next year. What good is a plan if it doesn’t have a contingency built into it? Yes, this is what we’re going to do if nothing bad happens, well that’s not a plan. That’s a pipe dream, right? What are we going to do? What are the non-negotiables that have to happen? What are the things when things get back or when things go sideways that we cut first? And building not just your want to have list, but putting some sort of priority to that. Right? So that you know these are the mission critical items, these are non-negotiables, we cannot cross this line, we can’t touch these items because they’re that vital to our business. We’re going to have to find other places to make those adjustments. That’s got to be part of that process as well.
Todd: Like we talked earlier, the budget, there can be a situation in an organization like a hacking event that can consume your entire budget, not just the IT part of your budget. So that’s why it’s important because it’s not about a technology company like JMARK, us, saying you need to spend more on IT. It’s about spending money in the right places to mitigate the risk that your organization faces and when you do that you spend a lot less money because you increase productivity of your employees, you increase your ability to adapt, you increase your ability to innovate, you mitigate the risk of security issues, and you’re doing all these things to help your organization be successful and not just go along with the ebbs and flows of the wind.
Dax: Can I change one word at the risk of making a lot of people roll their eyes? But I actually believe in this change of wording, is we keep using the word spend but I like to think of it as invest. Where are you going to invest the resources that you have for the most return? And again, I know that, that can seem like a quaint thing to say, but I honestly feel it’s true. That, that’s the mindset that you need to have especially when it comes to technology and the money that you’re putting into your technology.
Dax: The other thing that I wanted to mention when it comes to the budgeting is we already talked about partnerships, this is where your partners should be very valuable in helping you know… You might not know the best place to, what’s going to matter most as far as where to invest your money in technology, but your MSP, your technology partners, they should have the answers to that for you. They can help you understand the best prices for that because again, that’s their expertise.
Todd: Well said, and I agree 100% with you, invest is the right word. As we have invested the last hour of talking about these great investments, and priorities, and strategies, Dax why don’t you give us a little bit of a wrap up of some of the important topics that we talked about and some of the takeaways that people can take from this conversation.
Dax: Okay. I think the three big takeaways, and these are the big high level takeaways that I think people should walk away with this is, the first is simply doing something is better than doing nothing. Any of these plans no matter what aspect of things that we’ve talked about that you want to start doing right now, it might not be perfect but a start… Something is better than nothing. The second is again, back to the partnerships, the way Gary said it. Do what you do best and find people to help you with the rest of it. Find those partners and those vendors that are going to take care of you and help you achieve these things. And the last is just the question that you need to ask yourself is what can I do now? There’s something that you can do now, do that thing.
Dax: And then very specifically under that point we talked about a couple of areas that I’d like to mention. Some very specific things that people can look at, which they can do now is look at the risk and start doing what you can to mitigate the risk and especially when it comes to cybersecurity having a top of mind with your employees, employee awareness, and training. Looking at your approach to make sure that you’re taking a layered approach, no one solution solves everything, and focusing in on your backup and disaster continuity plans, and multi-factor authentication that’s happening within your company. And then Todd mentioned tabletop exercises, getting the people together in your company, and running through the scenarios that can happen, and what your response to them will be.
Dax: And then finally, Todd spent some time talking about policies and the big question that was there was, “Well, where do I even start with policies?” And four of them that were mentioned that if you don’t have a specific one to start with, start here, would be an acceptable use policy, privacy policy, mobile device policy, and especially based on the world we live in, in 2020 and going into 2021, your work from home policy.
Todd: Awesome and as always JMARK is here to help with any of these questions. We have a little over a month, a month and a little over a week to work on things and prep for ’21. So get started, have an awesome end of the year, and please head on over to jmark.com if you’d like us to help with anything and we’ll be happy to do that. Take care and have a wonderful week.
Speaker 1: Thank you for attending this podcast. We hope it has been informative and helped convey that at JMARK we are people first and technology second. To learn more and discover additional content relevant to your business, please visit us online at jmark.com, or at LinkedIn, Twitter, Facebook, and Instagram. You may also call us at 844-44-JMARK. Thank you for your time and we look forward to seeing you again.