FAQs: Business IT Questions

Outsourcing simply means to fulfill a function from an external resource instead of an internal team or staff member. When it comes to the outsourcing of IT services, this can take a couple of forms.

First, there is outsourcing IT projects when you hire a vendor or contractor to take on a specific IT project or component — such as a cloud migration, after hours help desk or a set number of support hours per month. These are what we refer to as “break fix” solutions. They are designed to fix a problem or fill a specific need, but they are not proactively serving the IT and cyber security needs of your business.

Outsourcing your IT support with a managed service provider (MSP) is more encompassing. It includes the help desk and project expertise, but also actively works to keep your network free of problems. When you outsource your IT needs to a managed service provider, you get a highly efficient IT team that literally works constantly to prevent breaks or breaches from happening so that your business can continue its goals seamlessly.

MSPs provide 24/7/365 coverage and also keep up with the latest trends in IT. You have the benefit of an entire team of IT experts and cyber security specialists. Plus it typically costs less per month than hiring in-house resources. Learn more about the different approaches for the outsourcing of IT services.

IT help desk outsourcing is when you hire an external vendor to provide 24/7/365 tech support for your team as a standalone service. Managed service providers (MSPs) offer help desk services as part of their comprehensive solution. But when the term “IT help desk outsourcing” is used, it typically refers to only help desk support.

The help desk tech will take calls (or chats or tickets) and do their best to fix the immediate problem of the user. IT help desk support services usually include:

• Running diagnostics
• Escalating the issue to someone with higher level of expertise.
• Installing, repairing and/or making changes to computer hardware and software.
• Follow-up with customers to ensure issues are resolved.

As part of an MSP, the help desk team is extremely knowledgeable about your business and IT infrastructure. That’s because they are also part of the team actively working to prevent issues. As a standalone IT help desk outsourcing provider, the tech team assisting you usually does not have that level of insight into your business or the ability to help prevent similar issues from coming up.

IT project outsourcing is when you hire an external resource to accomplish a specific, limited scope IT project within a given period of time. It may include the development of products, services or solutions and involve multiple parties within and outside of your organization. Some typical outsourcing projects are migrating from an on-premises server to the cloud, migrating email from G-Suite to Microsoft 365 or integrating multiple systems together.

This kind of outsourcing is often a company’s first experience with IT outsourcing because internal IT teams don’t have the expertise or bandwidth to take on the project. Some managed service providers also offer this service while others only complete IT projects for existing managed IT clients.

Managed service providers (MSP) supports your company’s network, infrastructure and other technology needs for a flat rate monthly fee. It’s “managed” because the MSP proactively works to keep your network up and running without interruption. That means they’re not just fixing what breaks, but partnering with you to get the most productivity out of your business.

That’s a simple answer but it’s a complex job to monitor and protect all your endpoints (devices, computers), data and infrastructure (servers). The best managed service providers also proactively monitor and patch manage to prevent disruption as well as offering training to your team and technology leadership guidance to you.

The provider you choose helps your business, starting with the setting up of your ITIL (internet technology infrastructure library).

Cloud service providers are third-party companies that offer cloud-based platform, infrastructure, application and storage services. These providers are kind of like utility companies where you pay for the services you use, in this case cloud services. A cloud managed service provider bundles cloud services into a managed service agreement, meaning you are not just buying the cloud services, but getting the expertise and support you need to keep it optimized and secure.

Companies that offer cyber security to other businesses as a service are cyber security services providers. Cybersecurity Service Provider (CSSP) also refers to a set of specific certifications issued by the Department of Defense (DoD) to designate certain levels of knowledge and experience. When the acronym is used (CSSP) it is usually referring to the DoD certification.

With expert cyber security services, companies leverage a more robust set of security protocols than they could with an in-house team. A cyber security provider runs tests to find vulnerabilities, monitors networks for intrusions and responds to incidents. But not all cyber security service providers offer the same set of services and their methods and costs can vary greatly.

A managed cyber security service provider (MSSP) bundles cyber security services into a managed service agreement. So for a flat monthly fee, you get proactive monitoring, infrastructure expertise and response and remediation in addition to help desk, training and other managed service components.

A cyber security managed service provider is also called a managed cybersecurity provider or MSSP. They differ from a CSSP because the security services are provided as part of end-to-end IT coverage, including:

• Making sure your infrastructure is secure by assessing for risks/gaps and identifying other vulnerabilities.
• Closing any gaps and providing recommendations to implement specific security and productivity improvements.
• Monitoring your system and supporting your team 24/7/365.
• Proactively responding to attacks, usually blocking them before they breach your system.
• Ongoing training for your staff, which is the number one weakest link in any security chain.

With a cyber security managed service provider, these services and more are packaged into a flat rate monthly fee, so that you can better plan for meeting your company’s technology needs.

There are many cloud computing benefits for small business, including:

1. Better manageability. Cloud computing adds flexibility by expanding your technological infrastructure resources as it is needed. How much data storage will you need in the next year? From how many locations will you need to access that data? With cloud solutions, you don’t need to know those answers now, or months in advance. Your data storage size can scale up or down depending on your needs.
2. Lower IT infrastructure costs. Cloud services move your infrastructure costs from capital expenditures (purchasing servers) to operational expenses. This saves money because:
   • You only pay for what you use (usage-based pricing).
   • You need fewer IT hours to implement and manage your data.
3. Unlimited accessibility. Data on the cloud can be accessed from anywhere with an internet connection and multiple users can work on the same data simultaneously.
4. Less maintenance. Cloud applications are not installed on each user’s computer, so they don’t need updates and patches applied to every endpoint. All that happens on the cloud as well.
5. Better response during peak demand. Because resources are shared across a large pool, peak-load capacity increases and there is more efficiency for systems that are less utilized.
6. Backup redundancy. A well-designed cloud solution uses multiple redundant sites, so that your data is protected and available even if one site is compromised.
7. Security. If implemented well, cloud security is as good as (or better) than traditional systems.

Co-managed IT services, sometimes called hybrid IT services, involves keeping an IT staff in-house but also supplementing those internal resources with services from a managed service provider (MSP). If your business is large enough to maintain an in-house IT team, co-managed services can be the best of both worlds: You decide how much you want in-house and what you want from an MSP.
Here’s how it could work:

• Your in-house IT team handles day-to-day IT maintenance, while leaning on the expertise of a managed service provider for advice and assistance.
• Your MSP becomes your outsourced CTO (sometimes called a virtual chief information security officer or VCISO). Your internal IT team executes those plans and manages your systems.
• Your IT leadership is in-house but directs an outsourced managed IT team to execute those strategies.

Cyber security assessment services can refer to any number of tests performed to determine and address your cyber security risks. Which assessments you need for your business depends on your type of business, the size of your company and your risk tolerance. However, every business should conduct some level of cyber risk assessment.

The most common cyber security assessment services include:

• Vulnerability assessment to find potential weak spots both within and outside your network than threat actors may be able to exploit.
• Penetration test. A simulated cyber attack on your business by authorized cybersecurity experts (“white hat hackers”). This also identifies risks but are much more involved and expensive. These are rarely needed for most small businesses.
• Network audit and access review. Determines exactly what is on your network and who has access to what. This can find unauthorized software or hardware as well as performance or licensing issues. The access review looks at who has permissions to access and make changes to your network to prevent future issues.
• Compliance audit. This assessment looks at how well your company is obeying the rules, regulations and laws that relate to your particular industry. This can be as common as the PCI compliance required by any business that accepts credit card payments or a niche as defense contractor requirements. Compliance audits look both at what is happening inside your business as with any external partners or vendor relationships that impact your compliance.

Managed IT service providers come in all shapes and sizes, from large national firms to the “guy in garage.” Finding one won’t be a problem. Choosing the right managed service provider to partner with for your business might take a little time. Whether you are looking in Cincinnati, in Dayton or anywhere in the U.S., here is what to look for in a quality IT partner:

1. Monitoring and support 24/7/365.
2. Fast response times (e.g., “We got your message and are working on it”) and reasonable resolution times based on the level of impact the issue is having on your business.
3. A high average customer satisfaction rating (CSAT) over several years and client references to back it up.
4. Experience with your unique business ( industry, environment or requirements) and client references to back it up.
5. A business located in the Cincinnati/Dayton area (not simply a local address to attract businesses in the area). Your IT team should be willing and able to be on site in your offices when needed. Even better if they schedule regular onsite visits to review equipment or train staff.
6. No long-term contracts. You want a managed service provider who earns your business month after month, not locks you into a long-term contract. You should be able to cancel all or part of your services with them with 30 days notice.

Those are just the basics. Next you need to find out about their specific IT processes and protocols. Get more questions to ask potential managed IT service providers or download our Choose IT Support checklist.

Many times multi factor authentication (MFA) and two factor authentication (2FA) are used interchangeably. But they are actually different. Both authenticate that you are who you say you are, but 2fa requires specifically two forms of authentication while MFA requires two or more. So all 2FA is MFA but not all MFA is 2FA.
If you’re considering multi factor authentication vs 2fa, you are really considering how many forms of authentication you will require. Two is the minimum while more than three tends to get in the way of productivity.
Think of this in terms of your last log in. You were asked to provide a username and password. Those are both one factor of authentication. 2FA takes this a step further by asking for one more factor, such as answers to previously asked security questions. These all fall into the “something you know” category.

Most MFA requires that in addition to “something you know” you also provide either:

• “Something you have.” Most commonly, this something is your cell phone. The system you are trying to access sends you a text or push notification and you enter that code to access the system. There are more robust methods, such as using an authenticator app or token device, but these all provide an additional layer of security over simply providing information.
• “Something you are.” Biometrics like a fingerprint scan or face scan are the most common in this category.

It doesn’t matter as much whether you use the term multi factor authentication vs 2fa. What matters is that you are implementing more robust authentication methods to protect your business.

Knowing that MFA is the right move for your business and actually rolling out a multi-factor authentication set up for your team are two very different things. As with any change, there will be some fear and resistance. Here is an action plan to get through the transition smoothly.

1. Bring your IT team to the table. Whether it is an internal IT team or a managed service provider (MSP), let them know that MFA should be rolled out across your networks and systems for all users.
2. Make it clear that the transition needs to include end-user training and support for the entire team. The only way to successfully roll out MFA without stressing your team or impacting your ability to do business is with empathy and training. An MFA rollout can feel a bit like learning a foreign language to people when it first starts out. With training, they will understand why it is so important and get the support they need to feel comfortable with the new protocols.
3. Talk to your vendors and partners. Require that each also have MFA enabled. If any don’t offer MFA security, consider switching to a provider that does.
4. Establish a monitoring process so that invalid access attempts can be used to improve your cyber security. Monitoring is especially critical now that people are working from dispersed locations.
5. Provide quick support options for people who are locked out or unable to authenticate. This will minimize any attempts to “work around” the system and also make sure that your MFA rollout has as little impact as possible on productivity.

Many small and midsize businesses will need some help with multi-factor authentication set up from a trusted IT partner as well as ongoing support to train teams and monitor access attempts. Even companies with in-house IT teams often find it more cost effective to partner with a managed service provider (MSP) to support their internal teams.

There’s a simple way to remember what is a vulnerability vs an exploit. A vulnerability is a weak spot in an IT system or program. An exploit is the act of using that vulnerability to enter or compromise software or IT networks. You can’t have an exploit without a vulnerability but you CAN (and often do) have vulnerabilities that have never been exploited. These are called zero day vulnerabilities if and when they are exploited for the first time.

The weakness is the vulnerability vs an exploit, which is the act of using that weakness. Here’s a few examples of vulnerabilities:

• Weak passwords
• Software that hasn’t been patched or updated
• A weakness in a program or software code
• Human reactions to phishing attacks

Some vulnerabilities are well-known while others are discovered only after someone has exploited them. At Intrust, we work to help companies minimize their vulnerabilities with a combination of endpoint protection, system monitoring, event response and cyber security training for your entire team.

A zero day attack is a cyber attack that takes advantage of an unknown or unpatched vulnerability for the first time. This could mean that the vulnerability is completely new and that no one was aware of it previously. Or, it could mean that the vulnerability was known, but there was no known way to exploit it, so it wasn’t considered a cyber security risk and prioritized for a patch.

Examples of zero day attack (also called zero day exploits) are:

• New or previously undetected malware (including ransomware).
• A known vulnerability that had never previously been exploited (zero day vulnerability).
• An unknown vulnerability that is exploited.

Once an organization or software provider releases a patch for the vulnerability, it is no longer called zero day. It is possible to have a zero day vulnerability that has never been used for an attack and even that it is unknown how it could be used to exploit a system.

An IT service management (or ITSM) company uses a process to plan, support, create, deliver, operate and implement your IT technology to best serve you and your customers or clients. An ITSM’s scope of work covers all technology services and devices. Laptops and laptop applications, printers,  servers, all software applications and even your passwords.

ITSMs oversee all workplace technology, including all technology and technology services. ITSMs reduce costs, which leads to better service, which leads to more customer satisfaction.

An ITSM company will:

• Help to streamline your infrastructure to assist in better delivery of the high-quality internet technology needed for your business.
• Ensure your company data is only accessible through an authorized current endpoint user (staff, client, etc.). As a bonus, the ITSM will purge the system of former employees or clients who can still access your network because someone forgot to block their entry or change their passwords when they left the company.
• Examine every endpoint (computer, phone, scanner, etc.) and every application to ensure they are up to the latest system requirements (and update them if they are not).
• Advise you on the optimal type of backup to handle any possible data breaches whether they come from criminal activity or natural disasters.  
• Review your cybersecurity plans and processes to reinforce them or replace them with safer ones.

IT service management benefits include:

• Reduced IT costs (scopes out redundant or obsolete assets).
• Improved service.
• Improved customer satisfaction.
• Enabling teams to share knowledge.
• Reduced risk factors.
• Help with preventing breaches and planning strategies for natural disaster situations, as well as criminal ones.
• Reduced downtime when breaches occur.
• Improved efficiency.
• Adaptation to your needs.

IT service management achieves the above benefits by:

• Enforcing the right process for your company.
• Constructing and carrying out IT infrastructure. 
• Educating your staff about the newly built technology and sticking to the process, as well as re-educating coworkers when circumstances arise.

Aside from the benefits above, using an ITSM  provides solid day-to-day conveniences that better help your business run efficiently and effectively.  

ITSM handles multiple issues, including solving recurring problems (i.e., “this application is stuck again”) and all service requests, whether they are incidents that affect the system (i.e., “my computer is down”), requests for a new piece of equipment (i.e. “I need a new computer”), or implementing a change to the system (i.e., “I need to add/remove/modify the database.”)

An insider threat in cyber security originates from someone who works in your organization or has inside access to your networks, such as a vendor, client or former employee.

Insider threats account for an estimated one-third (33 percent) of all cyber attacks. This type of threat is becoming a growing concern, increasing as much as 47 percent over the last couple of years. Recent cybersecurity surveys show that 66 percent of organizations consider insider attacks to be more likely than external ones.

Insider threats can be broken down into two categories: intentional and unintentional. Intentional insider threats primarily come from employees who feel they’ve been wronged in some way. They might leak sensitive information, harass associates, sabotage equipment or even perpetuate violence against those they’ve perceived to have been malicious towards them. 

Unintentional insider threats happen through negligence or by accident. Negligent threats come from employees who might not follow common security protocols, including not using multi-factor authentication (MFA), allowing someone to piggyback through a security point, ignoring messages to install new updates and security patches, or even using insecure public Wi-Fi. An accidental threat comes through an employee who may mistype an email address and accidentally sends a sensitive business document to a competitor, or inadvertently click on a hyperlink, opening an attachment that contains a virus within a phishing email.