Beware of customers signing MSP contracts
As an MSP or IT provider the best news in the world is when a customer asks you to “take care of all my IT and security for your regular monthly price.” The problem: what lurks on the workstations, in the server and perhaps even in the walls can be the key to security success or abysmal revenue failure. We have all done it. In the quest to get to recurring revenue we let our hard and fast standards and rules slip. That may be ok if it’s a small customer and you can afford to remediate through support tickets, or it can be a revenue pit-trap if it’s your largest opportunity yet!
I wish I had a 10’ Pole
Keep in mind the 10’ pole only works to cross (or get out of) a pit, less than 10’ deep. It’s critical to conduct an assessment of the customer, in advance of any contract for services discussion. That checklist-driven assessment is the first ticket template you need to create in the PSA. Those answers inform the remediation quotation and if you can’t execute an accurate and comprehensive assessment, you can’t execute a realistic quote on what the gap is between your ideal customer configuration and what the “fresh hell” of the customer's IT actually is.
ABB: always be billing
To end an argument which has raged in the IT provider and MSP community, assessments must have an NDA attached and must be charged for. You can credit the charge back for an assessment against an IT remediation project, but if you’re not billing for your services, you are devaluing your offering and potentially losing money after figuring out what the customer needs. No NDA in place means the potential customer is free to take your remediation plan and send it out for requests for quotation. That’s the worst possible outcome for an IT provider or MSP.
Layer one will kill you
The words “my aunt/niece/friend has done the cabling” should cause heart palpitations in any IT provider or MSP. Layer one of the OSI model is probably the most critical layer of your whole service offering. Poor cabling can lead to all sorts of intermittent, transient and strange support issues in the future; so, layer one needs to be the solid foundation. Take a look at the cables where they terminate, are there even wall jacks with patch cables? The best investment you can make for a solid assessment is a cable tester (person or device does not matter, test those cables!).
Lighting always strikes your new customer
Layer one includes UPS, surge protection and HVAC. If your MSP or IT provider is doing business in any country or region on earth, you need to have surge protection and UPSs on all the network, server and infrastructure things. It would be prudent to replace the batteries in any existing UPS the moment you have a signed contract for services; the batteries are quite possibly all “moogly” (technical term, the batteries test OK, but when under load they fail and it turns out they are swollen and nearly bursting in the case: moogly). HVAC is probably the number one overlooked (and super expensive) issue facing MSPs. Servers and infrastructure need to be within certain temperature ranges; too cold and you can get condensation forming on the warm components (that can be very expensive) too hot and it’s shutdown time till cool down time. Another investment to make is a “spot temperature reader”.
I’ll need the cash upfront, non-sequential bills, duffle bag, no cops
In an ideal world you get to start the remediation plan the day the customer wants to give you the opportunity to look after their IT. The reality is something different entirely. It’s incredibly rare you get to start from scratch (this happened once in the last 5 years of my experience running an MSP). Chances are you are inheriting someone else’s mess (which frequently includes a Microsoft Small Business Server) and you need to support that mess before you can remediate. This is the ultimate IT provider MSP revenue danger zone.
Service ticket or it didn’t happen
Any activity that happens while your firm is in the process of a remediation or onboarding project has to be tracked in the PSA. This is because you’re going to lose a lot of money providing support to the customer’s non-standard (ridiculous) setup, while at the same time trying to remediate the customer “in-flight”. It’s actually twice the work of just providing regular services. In a perfect world, you rebuild the whole thing in a weekend (true story: my MSP successfully rebuilt an entire law firm from layer 1 to layer 7 over a long weekend). If your customer is substantial you can’t disrupt them, a migration to Office 365 for instance may have to take place afterhours or over weekends and the integrity of those PST files, better be solid!
MSPs and IT providers need to track project hours versus support hours as one challenging customer can substantially impact your firms’ revenue. (true story: one of my MSP customers with several in-flight remediation projects is consuming nearly 100+ support and project hours per month. The target is 28 hours per month for this customer’s support requirements).
The light at the end of the tunnel
A new customer opportunity is always exciting, but do not become complacent and count the recurring revenue before the hard work is completed. You must maintain vigilance on the financial costs of servicing that customer in-flight, assessing the cost of onboarding that customer as well as executing the remediation project and tracking the hardware/software and billable hours. This must be done in order to avoid a nasty revenue surprise. For IT service providers and MSPs, I offer this one piece of advice: A new customer can be a great opportunity or giant catastrophe. Assess all the customer’s things, before you are responsible for all the customer’s things.
About the Author: Ian Thornton-Trump, CD, CEH, CNDA, CSA+ is an ITIL certified IT professional with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. In Canada, Octopi Managed Services Inc. delivers managed security services to high profile legal firms and in the UK, Octopi Research Labs Ltd. undertakes security consulting and threat intelligence engagements. As the Cyber Vulnerability and Threat Hunting Team Manager for Ladbrokes Coral Group plc. Ian has an in-depth understanding of the threats, small, medium and enterprise businesses face on a daily basis. Follow Ian Thornton-Trump on Twitter