PCG Case Study: Engineering Firm in NH
Dave Hodgdon, CEO and founder of PCG, talks with John Maher about how PCG’s managed IT services helped an engineering firm in NH to improve its network performance and security. He explains why the company left its existing service provider, and then, he covers how PCG stepped in and improved the company’s IT environment.
John Maher: Hi, I’m John Maher. I’m here today with Dave Hodgdon, CEO and founder of PCG, a managed service and IT provider with headquarters in Portsmouth, New Hampshire. Today, we’re doing a case study of an engineering firm in New Hampshire. Welcome Dave.
Dave Hodgdon: Good afternoon. How are you doing today, John?
Background of the Engineering Firm
John: Great. So Dave, tell me a little bit about this engineering firm in New Hampshire and what their background is, how many employees they have.
Dave: Sure, they’re in the Seacoast area. They got 30 to 35 employees. They have been in business for some time. They do a lot of their work all up and down the east coast and some are up to the Midwest, so a pretty versatile group. A lot of them are on various job sites, having access in a reliable manner is a big thing for this engineering firm.
Why the Firm Contacted PCG
John: Okay. Yeah, so tell me a little bit about what prompted them to reach out to you and some of the issues that they were having.
Dave: Yeah, it was right around the holidays, and we got a call from the owner, and I think probably a lot of it was based on the timing that the current IT was managed by another managed service provider. They had been with them for a while. That managed provider had been acquired about two or three years ago. And over the last few years, it had been slowly slipping the touch, the attention to detail, but it finally hit the ceiling with him when he realized that the files or permissions of all the personal business folders that had very private information were open for anyone to look at, so that really got pushed to the edge.
It was one of the fastest turnarounds ever that… Usually when you talk to people, it’s a fairly long cycle, because when you’re with someone for a long time, it’s tough to make a change, but it came pretty quick when they had the discussion with us and did the assessment that it turned around pretty quickly.
They were also just struggling with the response times. One tech didn’t know what the other was doing. The PC subs were inconsistent, and I think they just dealt with it, and they didn’t realize, is this the standard way that MSPs deal with?
John: Right.
Benefits of PCG Versus Other Managed Service Providers
Dave: And what they really just looking for some better guidance and response times, and we pretty much checked off all those things that were on his list and gave some references, followed up on those, and it looked great from there.
Network Audit and IT Security Assessment
John: So once you were on board, what was the strategy that you implemented and what were some of the first things that you needed to address?
Dave: As with any, you got to know what you’re dealing with, so you do the network audit, the assessment of understanding what’s in place, what’s documented, how is the other managed service provider doing certain things, and we had a difficult time getting that from them. Sometimes, that’s the case, John, sometimes, it’s not, but it’s always easier to have a graceful exit of the other company to give you what’s there. We got most of the information. There was an internal person that knew a lot, so we’re able to get actually more from the internal person than we were from the MSP, which is sad, but that’s how that one worked out. That was one of the first things.
The second thing was to do the risk assessment. In today’s world, you have to know, the risk assessment is going to give a good idea of how that business is being set up to protect its assets, its data from its compliancy, anything from remote access, because we all know, over the last 18 months with the COVID, more and more people are working remotely, and a big part, especially in engineering, you require high end machines to do your work, so people working from home in their notebooks had to take over the CAD machine at work, and it required performance. It required a good pipeline. It required a good firewall. It required proper setup of the remote systems. We also knew from the original background of reviewing the files and permission to what was set up there, and we clearly went through those of who would have access to what.
And the other complaint they had made, John, was very inconsistent setups, so we spent a significant amount of time in understanding what each CAD… In the CAD, there were three departments of CAD users, and they each used different software, so we documented each and created a template or a blueprint. That way, when someone gets hired, we know if they’re on this team, we know it requires X, X, and X for software, this person needs permissions to X, and they really liked knowing. That really helped them. That was one of the big decision-makers. They really liked that we had a blueprint in place for that, John.
What Happens During a Network Assessment?
John: Okay. Tell me a little bit more about the network assessment and what was involved in that and what came out of it.
Dave: Of course, you’ve got to have one of your senior engineers that gets the big picture. We had two of them go out there just to verify the infrastructure, understanding what was in place in the rack for the systems for servers, getting access, how many were in place, were they virtualized, were the switches good? You always want to know if things have a warranty. If something breaks, who can we go to, John? If something breaks and there’s an unknown, you’re going in circles. Similar to your car, it’s nice to know I have a warranty in place. I know I’m going to get my loaner car. I have a little bit of peace of mind.
John: Exactly.
Documentation to Support the Help Desk
Dave: With all the passwords, for all the setups, had to get all the vendor information from the CAD, the licensing key to confirm, because when you set up a new CAD machine, you need to know the licensing keys are there, if there is access to that, you needed them, so that was a big part of it. We went through their PC set up process, and we did as much documentation as we could, because we knew they wanted to go live with the help desk. Without documentation, it’s very difficult to be successful in the help desk. We pride ourselves on our documentation, because the more you know, the easier it’s to help the users.
John: Right, and in that PC set up process, what does that involve, setting up certain software on user’s computers that they’re going to need for their job and that sort of thing, so everything’s all in place when they get started?
Creating Checklists for PC Users
Dave: Correct, yeah. The form pretty much, who’s the user, their department, their email, who they’re reporting to, what permission should we follow, what licensing do they need? We know what it needs for CPU and memory and hard drive. How many monitors do they need? Are they working remotely? What security needs to be in place? What printers are they going to, what 365 plan they need to be on? Once you get the checklist in place, it just makes it much easier to get the system set up and to turn it around.
John: Tell me a little bit about some of the tactics that were set up for them or that were involved in getting them all up to speed.
Switching to a New Managed Service Provider
Dave: Well, first thing, we created a letter for the off-boarding, which they were able to give to the current MSP and determined when the cut over would be. Again, we struggled to get a lot of the information, but we got as much as we could. Our goal is to do… When you do a cut over, it’s got to be timely, it’s got to be efficient. When you’re removing tools, agents, you’ve got to make sure, you don’t want systems unprotected, John, so we looked at the security tools in place. It was important to do that. We customize the plan to what they want. They did want 24/7 support. We do offer both 8/5 and 24/7. It was important that we trained them on that. We became the partner of record for all the necessary 365 and CAD licensing, so we had access to that.
We went through the PC setups, because we knew that was a big part of what had to be done there. We did the risk assessment with them. As any time you onboard something, you’re always becoming familiar, and after 30, 60, 90 days, we’ve got a pretty good idea of what’s going on and where some of the critical issues need to be addressed. After 90 days, we’re able to meet with them, let them know where they were in good shape and some of the areas that needed to be addressed, and then get on their radar and their roadmap to take care of.
Outcomes of Working With PCG
John: And then what was the outcome of the project? How long, again, have you been working with them? What’s been the result or outcome or successes that you’ve seen since then?
Dave: It’s been about eight to nine months now that they’ve been a client of ours, so we successfully are onboard with them. We worked with our point of contact there. He was definitely an engineer and had the insights of how to help us, which people need a little more hand holding, where some of the issues were to deal with, so we’re able to train the staff.
Updating Security for Microsoft 365
Dave: Once we became the partner of record, we were able to easily update the 365 and update the very necessary security add-ons. One of the big things that came out was the risk assessment. They had some concerns. By us doing the risk assessment, definitely added validity in what they thought and what we knew, but until you actually run the risk assessment, it’s nice to know that they know we’re not just trying to sell them something they don’t need. They’re able to see it, John, through the risk assessment that these were the gaps, and here are the options to reduce that risk.
Certain things, like a lot of people use the standard 365, email spam filtering, it’s good, but it’s not as good as adding a third party that does a better job, so when there was a lot of noise about cleaning up the spam, so we had a proof point. We put the web content filter in place to minimize the risk of websites or links coming in. We were able to do the dark web services that email compromises.
Security Training for Staff Members
Dave: We did security training with the whole staff. We did a “lunch and learn” session, and then we’re doing phishing campaigns to consistently train their staff.
One of the big things today is always turning on your multi-factor authentication. We turn that on, on all of the 365 users, and that was a big one.
Setting up Endpoint Detection Response
Dave: And the other big buzzword, John, today, especially with all the ransomware, is to make sure you have a good EDR. An endpoint detection response, think of it as a kind of a glorified antivirus on steroids, looking for that odd behavior of someone trying to manipulate files, someone trying to put a little kernel or bait in there to change the backup, change the administrative password. We’re able to add a layer of security that gives them a little more peace of mind. We train them on how to use the 24/7 help desk.
Providing a Dedicated Engineer and Client Success Manager
Dave: They have their dedicated engineer. We’re a big believer that with each of our main clients we give them a dedicated engineer that’s responsible technically. And then they work with our client success manager that does the monthly or quarterly calls with them too… Here’s how we’re doing. Here’s the tickets. Allow them to give us feedback, good, bad, neutral, as we’re always trying to improve. You might do 30 tickets, great, and one ticket goes bad. It’s difficult to make everyone 100 percent satisfied on every ticket, but our goal is, at least we understand what’s there, communicate with them, and then make a good on both sides.
Establishing a Technology Roadmap
And it all comes down to, John, at the end, once things are in place is to now get a roadmap in place. Here’s where we’re at, get feedback from them. Where do you guys want to be in one, three, five years? Let’s find out your goals and issues. Let’s get the roadmap, and let’s have those quarterly discussions, and have a seat at the table with you, and let’s help you drive some more revenue.
The Importance of Staff Security Training
John: Right, absolutely. One of the things that stands out to me, too, is what you said about doing the lunch and learns with the security training for staff, because you can have all of these tools and firewalls in place and antivirus and things like that, but it can all be undone if somebody clicks on the wrong link from a phishing email or something like that, I think a key point that you sit down and really discuss that and talk with all of the staff about that to make sure that they’re not clicking on bad links in their emails.
Dave: That’s a good point. We recommend doing security training as the whole group at least once a year. It’s like, oh, that’s why we went to school for all those 12 to 16 years is that it’s repetition. You’re always telling your kids to do something, you just can’t tell it once. As individuals, we’re busy, we’re doing our job. These ransom guys are getting more creative, but if you’re consistently showing them what to look out for, they know next time, before they click, they’re emailing us or calling our help desk, is that something I should be worried about? Absolutely, yes, thank you for calling. If we can get them not to make that one click, we’ve helped reduce their risk.
Contact PCG About Your Business’s IT Needs
John: Right, absolutely. All right. Well that sounds like a really successful project, Dave. Thanks again for speaking with me today.
Dave: My pleasure.
John: And for more information, you can visit the PCG website@pcgit.com or call 603-431-4121.