IT Case Study Podcast – Machine Shop in NH
Dave Hodgdon, CEO of PCG, talks with John Maher about how PCG's managed IT services and cybersecurity support helped a machine shop in NH improve operations. They talk about the machine shop's IT challenges. Then, they explain how PCG created a roadmap and provided IT services to meet these challenges, and they look at how managed IT services have helped this company grow and land valuable government contracts.
TRANSCRIPT
Case Study of Managed IT Services for a Machine Shop
John: Dave, today, we're doing a case study of a machine shop in New Hampshire that you've worked with. I should just start at the beginning: we're not going to give the name of the company, just because we're talking about their network, and their security, and things like that, so they would prefer not to be named. But why don't you tell us a little bit more about this machine shop in New Hampshire and how many employees they have, where they're located, things like that?
Dave: We’ve known this client for about 10 years. They’re predominantly a break/fix client. Again, a machine shop. Approximately 35 employees, many on the floor, and they had 16 PC users. They were two buildings put together with some fiber, and they had been struggling a little bit for business, but recently had some compelling events to reach out to us.
Why the Machine Shop Needed IT Help
John: Okay. Talk a little bit about that. What were some of the issues that they were having that prompted them to reach out?
Dave: As mentioned before, John, the business had been off for a while, so the network was definitely aging. It had been neglected, not invested in; they had some machines that had been around 12, 13 years with no support. But then, the magic bullet happened for them. They recently had landed some major contracts with the Department of Defense and military, and that changed everything for them, but they were lacking in many of the IT requirements: their hardware, their operating system. From a security standpoint, they did not have a security plan. They did not meet the compliance requirements, or have the proper cyber insurance in place, or the documentation. They were always trying to do this in-house as much as they could via their office manager, and I think they knew they… Besides always just using us in the past, John, as break/fix, they thought it would be in their best interest to reach out to us.
Developing a Roadmap to Meet IT Challenges
John: Right. Then, when you hear from them and you hear the issues that they’re having, what is the place that you start? What is that strategy, and how do you begin?
Dave: A great question. I think, where we didn't really have the visibility into them, it was very difficult to make any recommendations. During our first call with the owner, we said, "Let's break this down to two specific tasks. There's a compliance issue that you need to meet for some of this work, but you also don't have the necessary hardware or operating systems in place."
We broke that down into two tasks. We said, "Let's do the risk assessment," and then, secondly, "Let's do the network assessment." Our goal was to get a baseline of where we were in each one of these: where the gaps were, the IT needs from servers and switching, and then really take a good look at the security vulnerabilities through the risk assessment. And then, at that point, we would come up with an IT plan for the network, as well as a security plan, giving them a budget and a timeframe to meet, because they did have a timeframe on their end by which they wanted to be awarded this business. They definitely had a timeframe on their end, and it was a compelling reason for them not to wait on this.
What Is an IT Risk Assessment?
John: And let’s start with the risk assessment. What are some of the things that are involved in doing that?
Dave: That was a very detailed one. Based upon their industry, dealing with the government and the military, they had to follow what's known as NIST 800-171 and CMMC Level 2 for compliance requirements. Just so people understand what NIST is, NIST stands for the National Institute of Standards and Technology.
This model follows five key principles, John. Number one is identifying: "Where are our problems?" Then, two is protection: how are we going to protect? Number three is the big one in our world: detecting. You have the police, or motion detectors, or your fire alarm. How are you detecting there's a problem? Then, from there, we have four: how will you respond? And the last one, number five, is: how can you recover? That was the big one on the NIST side, that NIST 800-171 dictates how contractors and subcontractors of federal agencies should manage Controlled Unclassified Information, which is called CUI.
And this is designed specifically for non-federal information systems and organizations. So the NIST was one part of what they were required by their vendors. And the second big one is what's known as CMMC. That's a pretty common term now, John, and in industry it stands for Cybersecurity Maturity Model Certification. So CMMC: Cybersecurity Maturity Model Certification. This requires your organization to establish, in a document, various practices and policies to guide the implementation of the CMMC efforts. Documenting these practices enables your employees to perform them in a repeatable manner. So those are the two biggies that were part of the risk assessment.
How to Meet IT Security Compliance Standards
John: All right. And then, what else is it that you do with the risk assessment, in addition to following those two compliance standards?
Dave: That's the guideline they had to follow in order for us, from our end, to do things. We've invested in various vendors and security tools to do these processes, John, which allow us to get the results and reporting. The key component of this, especially from a security side, is the ability to run a third-party external vulnerability scan to see if there are any open holes that an outside bad actor can get into, as well as to run it internally, where there could be some issues.
We spent a significant amount of time with their leadership team, and were basically asking 75 key questions about how their business handles their data, both internally as well as externally, with their clients and vendors. And we were able to gather all the needed information and fill out the risk assessment report and scores.
And then they met with our leadership team to go over our findings and recommendations. This allowed us and them to come up with a cybersecurity plan. And then, we knew the additional costs to put the necessary services in place to help meet our objectives, and gave them a clearly defined roadmap, timeframe, and budget, so they can consistently stay up with the desired outcomes for their security practices.
We worked on other things, John, such as passwords, the complexity and timeframes to change them, how file access and permissions would happen, how they handle remote access, people working from home or remotely over a secure VPN, and a big part of any practice is having a backup. What happens to my data should something not be there and I need to recover? We talked about retention, and also talked about how people are… In the past, all their users were saving their documents locally, John, which were not being backed up. The new policy was to have these users save to a server that had the right permissions in place, and then we're able to back that up, not only locally, but to a secure cloud.
IT Challenges for Government Contractors
John: And these were all requirements that the military wanting to work with them was requiring of them, right? If they didn't get all of these things in place, that could actually put their contract with the military in jeopardy.
Dave: Bingo, right there. In order to follow this, the NIST and the CMMC compliance, you have to follow certain procedures, and again, it's doing the external vulnerability scans, running through the necessary questions, and getting their network to where it should be. That vendor now sees that this company is making efforts to button up their ship, and is able to do business with them.
What Is a Network Assessment?
John: The next thing you mentioned was the network assessment. What’s involved in that?
Dave: We had one of our engineers go onsite and do an audit of the network. Again, they were break/fix, so we really didn't have any true visibility. We told them it'd probably be about two or three hours. Our engineer went out onsite and basically did a walkthrough.
We use Visio for a diagram, getting a diagram of the various equipment, taking an audit of the switches, the firewalls, taking a good look at the server, as far as the type of server, what it needs for space, what operating system, how they're running their backup, checking out their Windows PCs to see how these machines are… In today's world, you can't run Windows 7 anymore; it has to be Windows 10 for support. And all these devices talk to each other over the network, so we want to take a look at the wiring, the wireless, and the firewall. And, again, when you ignore a network for 10 years, you can imagine there were definitely some big gaps there to address.
Tactics to Improve IT Networks and Cybersecurity
John: Absolutely. Yeah. Then, once you’ve done this risk assessment and the network assessment, you find out all of the issues that you’re having, you know what goals you have in terms of meeting with compliance issues, and things like that. What are some of the tactics, then, that you employed in order to get them up to speed?
Dave: Great question again. We had planned a budget for each, so they were two distinct things. The network was one thing, but the reason the network was being driven was for their compliance. But we came up with a plan and budget for each, as well as our managed services. It's very difficult to put new equipment in and to have the security policies in place without managing it, so it was a key component to have three deliverables: the risk assessment, the network assessment of what it would take to replace the necessary hardware and software, as well as managing that on a daily basis.
1. Drafting a Statement of Work
Dave: We wrote up what's known as an SOW, a statement of work, and this was a detailed description of what was going to happen for the server setup, the migration from their old systems, replacing the PCs, copying their profiles, making sure all the users could get to their files, get to their printers and scanners, and making sure, if they work from home, they have the ability to have remote access.
2. Using Image Based Backups to Improve Recovery Time Objective
Dave: They had a backup system that was old-school; it was just backing up files, and part of the audit in security was to have what's known as an image-based backup. And, John, we're always talking about having a business continuity plan of having a true image every 15 minutes. Should there be an issue, or the data is corrupted through a bad actor, we have the ability to go back in time and recover that data. We call that an RTO, which is recovery time objective.
3. Updating IT Hardware and Software
Dave: We took the time to come up with a plan to replace all the PCs and upgrade their versions of Office, which were all aging, and part of that strategy, the network assessment security, was to put the necessary Microsoft 365 in place, which also met some of our risk assessment requirements. We turned on what's known as MFA, which is multifactor authentication, and turned on encryption for emails going outside of the building that had sensitive information.
4. Replacing the Firewall
Dave: And those are key parts. Another big part was replacing their firewall. They had a firewall that was not up to date and was vulnerable, and they were basically connecting through unsecured remote access to the machine, so we cleaned that up.
5. Upgrading Wireless Connectivity
Dave: During our walkthrough, they also mentioned the way things were changing with their equipment, and how they could use what are known as tablets, or an iPad, to get various information on their network. We did a walkthrough of the building and came up with a plan to upgrade their wireless.
6. Improving Cybersecurity
Dave: During this onboarding for the management, we were able to get everything in place to meet the security: the server updates, security updates, getting the antivirus and other security services in place. And then, a key component to the security, John, was adding the necessary services. Security is very complex, and you have to walk before you can run in order to have security fully locked down. You just have to do one step at a time, and show the people you're doing business with, "We're making efforts and strides to do it."
But we started off with a couple of key ones I'd like to speak about. One was EDR, which is endpoint detection and response. Think of that as a flight controller looking for the bad guys out there, moving data that should be part of your network. They also needed to add a SIEM, an S-I-E-M; that's for security, incident, and event management, tracking and logging who's doing what and when. That gave us the ability to track if there's any malicious behavior going on. We were able to track any email compromises through our dark web service. And, when we updated the firewall, we gave them the ability to lock down traffic coming and going from the network, and gave their remote users the needed VPN services.
This was an important part for them, to have their network truly monitored by an outsourced cybersecurity operations center 24 hours a day, John. These managed detection and response services were a key point for them to meet their compliance objectives. Now, we're able to give them the analytics, the reporting, and the knowledge that there's a backend system that is fully staffed by security analysts who can see if there's any unusual behavior.
7. Leveraging IT to Improve Business
Dave: This was quite a project, but the end result was the customer upgrading their network. They were able to get the security in place. They landed some significant contracts. Business has never been better in their 10 years, and they were truly satisfied with us getting them up to date, where they had to be.
Long-Term Benefits of IT Managed Service Providers
John: Right. Talk a little bit more about the results and outcome of this project. I know that you said you’ve been working with them for about 10 years or so now, so things must’ve gone well, and they kept their military contract, and just talk a little bit about the overall outcome of the project.
Dave: Sure. The key component is, now, they meet or exceed the requirements to do business with the Department of Defense and these government agencies. They made the investments necessary to meet these compliance requirements. That's now not only allowing them to win these current deals, it's allowing them to go out and market for others, so they've really opened up their doors to the ability to get more business.
We provided the necessary documentation for them to give to these people to show that they're compliant, and that allows them to win these additional bids and contracts. Their network, now, they have a plan. Besides ignoring things until they really need a fix… The good news is they invested heavily, right now, John, to get everything up to date, but like anything, your car, granted, when it's new, there's nothing you have to do the first year or two, except basic maintenance. But now, they have a plan moving forward, and they're not ignoring it for 10 years.
Now, when something happens, we have the ability to stay proactive and keep up with it. But, in the end, the users who were struggling to use their computers, struggling to get good access and network performance, are all having a great user experience. The company leadership knows now that they're secure, and, a big part, they know they have a team with PCG that can help guide them and get them to where they need to be, compared to limping along and just dealing with it like in the past.
Contact PCG for Managed IT Services
John: All right. That’s really great information, Dave, and thanks again for speaking with me today.
Dave: My pleasure, John.
John: And, for more information, you can visit the PCG website at pcgit.com, or call (603) 431-4121.