The Handbook: The Operations Podcast

Dan Timmiss: How to get your agency IT ready for scaling

Harv Nagra Season 1 Episode 13

As an Ops person, the role of IT expert is often part of the job. So how can you ensure your agency’s IT infrastructure is set up for scaling? 

That's the focus of our discussion with Dan Timmiss, Technical Director at Kaizen IT Solutions. With over two decades of experience, Dan has helped hundreds of creative agencies optimize and manage their IT setups, from audits to complete IT overhauls and supporting scaling teams.

In this episode, Dan shares essential best practices:

  • The importance of implementing single sign-on (SSO) and multi-factor authentication (MFA) for security and ease of access
  • How cloud storage can complement on-premise servers if you have heavy media files
  • Using mobile device management solutions like Jamf to manage your fleet of computers, including ‘zero touch deployment’ and easy on-boarding and off-boarding
  • Seeking security accreditations like Cyber Essentials Plus, CIS Benchmarks or ISO 27001 to help secure contracts with global clients
  • How newer services like MDR (managed detection and response) and XDR (extended detection and response) go beyond traditional anti-virus solutions to monitor your systems for threats
  • Why to educate your team on ‘social engineering’ scams that could cause financial and reputational harm


Follow Dan on LinkedIn: https://www.linkedin.com/in/dan-timmiss-486ab517/

Follow Harv on LinkedIn: https://www.linkedin.com/in/harvnagra/

Stay up to date with regular ops insights. Subscribe to The Handbook: The Operations Newsletter.

This podcast is brought to you by Scoro, where you can manage your projects, resources and finances in a single system.

Harv:

Hi all, welcome to the show. Before we get started, I wanted to mention that I'll be taking part in a webinar with Agency Hackers on Thursday, 19th September 2024. It's all about productivity in the workspace. I'll be sharing some tips that I've seen work really well to maximize a team's ability to do focus work and get into flow. I would love to see you there, so please sign up for that and get it in your calendars. Again, that's on Thursday, 19th September, 2024. You can sign up for free at bit.ly/thehandbook24. That's bit.ly/thehandbook24. We'll put a link to that in the episode notes as well, but do sign up. Now, back to the show. Hi all. As an Ops person, one of the hats you might find yourself wearing is IT Expert. I do think it was taking control of IT issues once upon a time that no one else was taking responsibility for that started my journey into operations. I started getting involved in getting better internet service brought into the workplace. I started setting up Macs for new starters because I disliked that people would be plonked down in front of an iMac with hundreds of files on the desktop on their first day. I had the RAM upgraded across our entire fleet of computers at one point to give us a speed and efficiency boost. And eventually I started getting involved in other aspects of behind the scenes, which grew and grew and grew until I was able to make a case for a role in operations. If you're looking to scale your business, then IT is one area you need to ensure you have fully under control. In today's episode, we're going to be looking exactly at that. The IT considerations an agency should have in place in order to be ready to operate efficiently at a larger size. We'll be talking about the areas that you can proactively address so that you're not having to rush to shoehorn this stuff in because things start creaking or clients start refusing to work with you. 
Those areas that we're going to talk about today as a preview are is there ever a reason to switch from Microsoft 365 to G Suite? We're going to be talking about data storage, cloud based versus on premise servers. We're going to be talking about managing your fleet of computers. How do you efficiently set up and manage your team's devices? We're going to be talking about data security. How do you ensure your data is safe? And what standards corporate clients might be demanding that their agency partners align with? Next we're gonna be talking about how you can support your internal teams with IT issues. There's a lot to cover. Our guest today is Dan Timmiss. Dan is the Technical Director at Kaizen IT Solutions, an IT solutions and service provider for the creative sector. Over the past two decades, Dan has assisted hundreds of creative agencies in optimizing and managing their IT infrastructure, from IT overhauls to team expansions and relocations. He has also helped agencies implement best practice solutions for hybrid and remote working, ensuring their creative teams stay connected and productive regardless of where they're based. At Kaizen, Dan's responsible for keeping on top of new and emerging solutions and technologies and helping his team understand how to best advise and support their agency and creative clients. Let's get into the discussion. Dan, thank you very much for joining us today. Our audience, as you know, is agency ops folks and Kaizen have a lot of clients in that space. Was that a conscious decision on Kaizen's part to specialize on this market?

Dan Timmiss:

It was, really. So Kaizen started as an internal IT company for an agency, basically. A large agency, probably about 120, 150 or so at the time. That agency got bought out. They had their own IT when they got bought out. So the IT team were effectively not necessarily made redundant, but they were going to have to be repositioned. And they thought, let's start our own IT company. We'll specialize in Macs, we'll specialize in media, we'll specialize in creative industry. We're very lucky at the time to get funding from the owner of the agency who was a partner at that particular time.

Harv:

Mm hmm.

Dan Timmiss:

And we just took it from there. So it kind of was a bit of a conscious decision. Yeah. It was made out of the fact that we were there already.

Harv:

Super interesting.

Dan Timmiss:

Yeah.

Harv:

Cool. I didn't know that about your story. So what kind of agencies in terms of size do you work with?

Dan Timmiss:

We look after anyone from kind of one man band, someone starting off that's got a MacBook starting away, all the way up to kind of a thousand devices, fifteen hundred devices.

Harv:

Wow.

Dan Timmiss:

The largest company that we look after is about four thousand devices. It's a huge range of people that we look after, I would say the average is probably gonna be about a hundred to 150. So

Harv:

Okay.

Dan Timmiss:

a, a normal kind of medium agency size, if

Harv:

Hmm.

Dan Timmiss:

Yeah.

Harv:

Right. So when we think about agencies requirements versus any other kind of business, is there anything that makes those unique?

Dan Timmiss:

There is a lot of things that make them unique. A lot of the times it's the stuff that they work on and the apps that they work with a lot of time, it's very Mac based. A lot of the time it'll be things like Creative Cloud is very important in agency business. Stuff that you don't get in other businesses that you have to deal with. Things like fonts are a big thing. Things like image management, video management is a big thing. Stuff that you're not going to get a, an accountant or,

Harv:

Yeah.

Dan Timmiss:

like a, an admin office or something like that. So yeah, it's really important that we have to know, all the tools that agencies are using.

Harv:

Yep. And with those apps that you're mentioning and those media files, heavy files are a big factor. And uh, good internet connection, no matter where you are, always, comes into play as well, just to make sure you can move that stuff around. So, I, I suppose it might be those agencies on the larger end of the scale, a hundred plus that might have in-house resource for IT. But I wonder if many of the agencies that you deal with have in-house IT people, or if you end up interfacing more with operations people directly.

Dan Timmiss:

We interface with, with kind of everyone. The larger an agency gets, the more we recommend there is a lead IT person in there, whether they use us or not. When you're about 40, 50 people, we can pretty much do everything. When you start getting larger, a hundred, 150 people, it starts getting quite difficult to manage that amount of devices, as well as things like onboarding and offboarding. Because we can't be there every second of every day. Well, you can be if you want us to be, yeah. Most of the time we're not there for every second of the day, you know, so

Harv:

Yeah.

Dan Timmiss:

important for someone on site to, to be able to know, to answer kind of the small niggly questions. And also it's important for us as a business to have someone on site who's aware of what's happening with IT. Cause a lot of the time, if you're kind of 10 or 15 people, if you're just starting up as an agency, you won't really bother that much about IT. You're focused on getting the job done. You're focused on the creative side and you're focused on helping your clients. You don't want to be worried about the IT stuff, especially things like the security stuff that comes down a lot later. When you get to 150 people, when you get to 200 people, it starts getting quite difficult for, for us to know the full ins and outs of the business. So it's really important to have a liaison team within that business to be able to, to help with IT and with ops and with apps and things like licensing and new hires and, and all that kind of stuff that a normal business has to deal with.

Harv:

Good point. So Dan, when you're coming in to support a new agency, I suppose you need to do a bit of an audit to understand how they work, what they have in place and what they might need. Does anything interesting come up in terms of the issues you see or any red flags?

Dan Timmiss:

A lot of the times, mate, it's, it can be so different. Every agency is different. Every business is different.

Harv:

Mhm.

Dan Timmiss:

I've gone into places before when it's been absolutely perfect, but the reason that we're coming in is because the person that was running it has left, they've gone on to a different position.

Harv:

Mhm.

Dan Timmiss:

And I've come into places where people have been running something and it's complete chaos and that people are asking for us and they're saying it's so chaotic. We've grown. We used to be 10 people. We're now 50 people because we've got a couple of big contracts and all of a sudden what was easily handled is not easily handled anymore. So I need your help to look after it.

Harv:

Mhm.

Dan Timmiss:

It's so different, every single one. But a few of the key pressing points we normally see are things like security. We get brought in to have a look at a lot. We get brought in to look at, help with onboarding and offboarding people because as an agency grows, people just don't have time to, to deal with new devices being rolled out or devices being migrated or moved or, or that kind of stuff.

Harv:

Mhm.

Dan Timmiss:

But, yeah, we, we see all kinds of things, all kinds of messes and all kinds of good things when we go into places.

Harv:

Okay.

Dan Timmiss:

But yeah, we always, we, we, we never pull any punches. We always kind of lay out a report and be like this is what you've got. This is what you want to do. And people can take it from there.

Harv:

Excellent. Like I said, in the introduction, there's five key areas we're going to be focusing on in the discussion today. So let's get right into it. One of the most fundamental decisions any agency needs to make is whether they're going to be powering their agency with Microsoft 365 or G Suite. We were chatting before the show and you brought up a good point that it's usually one of the first things a business might make a decision on and it tends not to shift. But my question is, is there a reason why someone might pivot from one to another or does that tend not to happen very much?

Dan Timmiss:

It doesn't really tend to happen that often. The main reason someone would pivot is probably down to some kind of regulation that they're getting asked to do by a customer. So Microsoft can do certain things regarding security. Google can do certain things regarding kind of data storage and that kind of stuff. We work with small businesses who two or three people that have got Microsoft and we work with large businesses, kind of four or 500 people that are working in G Suite.

Harv:

Okay,

Dan Timmiss:

So it's not like one is preferential to the other. It's really a personal choice to the users and the staff really more than anything.

Harv:

And, both of those platforms also come with single sign on and multi factor authentication, don't they? So that's, that's something an agency might want to ensure they have in place.

Dan Timmiss:

Yeah. So single sign on or SSO allows you to take one location for your users and be able to use that one location to log into multiple different websites. So you may have a file storage system like Dropbox or Box. You may have a CRM system, and you could tie those systems back to Google or back to 365 and just use your 365 login to access all of the systems or your Google login to access all the systems. There's a few benefits, ease of use is a big one. Your users aren't having to remember six different logons for different places. Security is another good, good one. So things like 365 do full auditing of the whole user trail, for example. So you can employ MFA. You can do things like conditional access. So only someone from the specific device that,

Harv:

Mm.

Dan Timmiss:

that you want to use are going to be able to have access to it.

Harv:

Mm.

Dan Timmiss:

and it just improves your security posture in general, having SSO turned on.

Harv:

Yep.

Dan Timmiss:

It's a bit of a no brainer. You do get something called the SSO tax nowadays. I mean, you've probably run into this mate, I guess, where you have to pay extra to, access certain SSO features.

Harv:

Mm.

Dan Timmiss:

But as you grow bigger as an agency or as a business, then, sometimes you're paying for that anyway, to get the

Harv:

Mm.

Dan Timmiss:

additional features. So SSO is just generally a bit of a no brainer, to be honest.

Harv:

Yep. Yeah, it just makes logins easier, like you said, and easier to switch off. If somebody leaves, you flick one switch and disable access across the board, right?

Dan Timmiss:

That's right. So yeah on boarding and off boarding as well. If you have a new hire, you can just turn them on in 365 and if it's all set up correctly, it will create a user in all your other places and the same again with off boarding you turn it off in one place, turns it off in everywhere. So yeah.

Harv:

And, two factor or multi factor authentication, I think we're all pretty familiar with what that is...

Dan Timmiss:

Yeah, so MFA is pretty much an industry standard now. It's using something to authenticate you. So not just a password. I mean, everyone's going to be used to getting codes on their phone.

Harv:

Yeah.

Dan Timmiss:

Or using the authenticator app, maybe. There's various ways to do it, to, to get a code through now.

Harv:

Yeah. All right. So let's talk about storage. There was a big move to cloud based storage during the pandemic. I think you kind of alluded to that a few minutes ago as well. That's when my past agency went from using on premise servers to considering platforms like Dropbox, Box.com or Egnyte. For us, this was because productivity was literally grinding to a halt. When we started working from home and working with those big, heavy Adobe files, you know, people, rather than being able to work on the server, like they were doing in the office. They were having to download gigabytes worth of files on their desktop. And then we'd have to wait ages for them to upload them back. So that didn't last very long. And it became apparent really quickly that we need something else in place. So, why you might choose one cloud based storage solution over another could be an episode in itself, so we won't get into that today. But do you still see many agencies with on premise servers rather than cloud based? And, are there any upsides to retaining on premise servers rather than moving to cloud?

Dan Timmiss:

Agency wise, we do still see a lot of on prem servers, mainly because of what you mentioned, the size of the files.

Harv:

Mm.

Dan Timmiss:

Something like Egnyte is a super popular kind of business facing one. And you have to pay, you get a certain amount of storage per user, then you have to pay for any additional storage over that. If you're an agency, if you've got a, if you're a large agency, and you've got a historical amount of data that you're wanting to keep, that can soon, you know, massively add up in any cloud platform. So what we often see is a bit of a hybrid solution. So

Harv:

Mm.

Dan Timmiss:

you would have your work in progress based on your cloud platform that everyone can access wherever they are and that might be maybe 10 terabytes or so data depending on what you need to access. And then your archive data is gonna be probably on premise

Harv:

Mm.

Dan Timmiss:

on a NAS box or a server or something like that. You can back that up to a cloud or you can replicate it to another NAS box in a, in a data center for access, something like that. But yeah, it's, it is very much a hybrid. We, we kind of push cloud storage more than anything because it's so simple and people are coming to us saying, we want to be able to work remotely. We want easy access and it's so simple. Something like Dropbox, you download the app, you sign in, hopefully with your SSO and your MFA. And then bang, you've got access to your work. You don't need IT to set up a VPN connection or anything like that. You've got access to your work straight away. So it's, yeah, it's, it's super beneficial, I think, for agencies and to have something with a hybrid approach. So you've got the on prem for the archive and the WIP being in the cloud focus system, then yes, it's an option we see a lot of places take up on for certain.

Harv:

Excellent. So next we're going to talk about managing your fleet of computers. You know, MDM or mobile device management is one of those deeply unsexy terms like professional services automation, which doesn't really make a lot of sense when you just hear it for the first time. So a quick definition, Dan, what is MDM?

Dan Timmiss:

So MDM is... I mean, you say it's not sexy, I do. I really like it. It's like my bread and butter, you know? So MDM is looking after the devices that you've got, be it your laptops, your desktops, your phones, your servers. All it is, is a way of managing your fleet of devices from a single location effectively. That's the most basic way of putting it. By using MDM you can apply settings to it. You can apply restrictions to it. You can push out apps to it. You can push out users to them, that kind of stuff. It's very much making sure that everything that you own as a business or don't own in the case of BYOD is managed and secure and it's up to date, for example, and doing

Harv:

Hmm.

Dan Timmiss:

what it should be doing.

Harv:

So BYOD, bring your own device. And that's where people are using their own devices and you might need them to log into certain things for work. And you want to protect that data.

Dan Timmiss:

BYOD, we often use in the term of phones. And so if you've, everyone can access their work on their phone, you can access your email, you can access your calendar. If you've got cloud storage, you can access your data effectively. So being able to manage those phones when they come in. So for example, both Google and 365, they provide functionality so you can sign into your provider with your phone. And if you then leave the, the business has the ability to wipe that data off the phone, not the phone itself, just the company data. So you know, for a fact as a business that you haven't got some emails or some data kind of lying around on someone's phone that's, that's left the business effectively.

Harv:

So you know, MDM gives you a lot of control over the device, what apps get pushed out and things like that. And, you know, ops people, a lot of times end up being gatekeepers for new software that the teams are asking for. So this can be a really safe way to kind of push that out because they can have built in app stores for your agency and things like that. So you can block people from downloading things from like the app store or whatever. But you can control it and deploy apps through the built in MDM app stores, which is quite useful. There's another area where I found a lot of benefit of this. I'll, I'll tell you a bit about my experience, just a short story. You know, there was a time when I was starting to set up more and more of our devices, for new starters. And I had a hard drive set up with all, you know, macOS installed, all the software installed, and I'd clone that into a new computer to make it efficient to kind of set up a new machine for a new starter. I, I guess there was a time and place for that and size of agency. And obviously the more we grew, and the fact that I was responsible for setting up computers for our French and Swiss business entities meant that that didn't work anymore. We needed something that would work remotely. I've also seen agencies manually setting up computers for new starters as well. Again, that might work at a certain size, but it gets difficult to manage as you grow and you also end up having no control in either of those scenarios I've mentioned. You have no control over the devices. People can go and do whatever they want. So that's a real benefit. I think is deployment of new devices. I think they call it zero touch deployment. Don't they?

Dan Timmiss:

That's right. Yeah. So zero touch, the whole idea is, and you can do this with Macs and you can do it with Windows devices, is you can send the device like literally straight from the shop to an end user, and they can open it up and they log in with their details and all their apps are there and all the security settings are there. You, you get over a certain size or you start having a larger turnover of people... you don't want to be having to spend half a day every time someone new starts having to set up a computer and loading the apps on, carrying around like hard drives and stuff like that, it becomes like too difficult to manage.

Harv:

Absolutely.

Dan Timmiss:

Whereas if you can do it from the MDM if you can do it from kind of one of the big players sort of directly you just say right then all of these apps go on and they're automatically updated because that's what the MDM does is it doesn't matter if it gets sent on the 1st of January or the 31st of December at the end of the year, the right apps are going to go on at the right time and it just makes things so much simpler.

Harv:

In terms of head count, how big do you think you need to be for an MDM to be critical in your view?

Dan Timmiss:

It depends what, depends what you need it to do for you.

Harv:

Hmm. Hmm. Mm

Dan Timmiss:

So, security, if you want it to lock down your devices from a security point of view, you might've been asked for a client, you might be only three or four people, but if you've been asked by a client to particularly lock down your devices, you're gonna need an MDM to do it because that's the only way you can verify that they're locked down, you know. If you haven't been asked to do anything like that from a security point of view, but you're, you're growing and you want the benefits of the onboarding and the offboarding and things like the security for internal works as well. And, yeah, we normally see people jump on board if they're not being asked to do it or forced to do it, if you will, from about 20 users or so, 15 to 20 users is where it gets to the point where you think, hang on, we need to be making sure our machines are audited. We need to be able to make sure if something gets stolen on a train, we can remote wipe it, for example.

Harv:

Yeah.

Dan Timmiss:

We need to make sure that people can log in if someone's out of the office and someone else needs to hop onto the machine that they can log in with the credentials and that kind of thing. So yeah, it's about 15 to 20 people. I mean, if you talk about the big players, there's things like Jamf is a big player in the Mac world. We've got things like Kandji, obviously Microsoft and Intune are a big player in the PC world. There's Mosyle, who's a pretty big player now. They were in the education space and they've moved over to business in the last few years.

Harv:

Okay.

Dan Timmiss:

can actually get Mosyle. Mosyle is effectively free under 30 people. So if you've got under 30 devices, you can go and sign up to that as a business and, and effectively start straight away on their standard platform.

Harv:

Yeah. You know, one of the benefits that you mentioned there was offboarding and we didn't really touch on that, but yeah, when somebody leaves, being able to reset your device and get it back to factory settings, I think it was a huge benefit. So you're not manually having to wipe things and stuff like that.

Dan Timmiss:

We look after a business, just talking about that, we look after a business. And they have... It's one of the larger businesses that we look after and they have an onboarding offboarding process, which is done entirely by their staff. So they will ring up and they will say, I'm leaving or I'm moving department. My Mac is going to another person. And what we do is we present them an option in self service. And it'll be reprovision my Mac and this option in the self-service app on their, on their Mac wipes the device and gets it ready to be rebuilt for the next person. So the IT don't even have to do anything. It's entirely user led. And all they do is they walk up and they give the machine to their next person. They open it up, they sign in and they're ready to work. It's wiped, the data's been wiped clean and it's all up and running. And, and, and that's all managed by, by an MDM. That's all managed by Jamf. That one in particular, but yeah.

Harv:

Yeah, I, I use Jamf at my past agency. So I did some training with Jamf when I brought it into the agency. So I got orientated with the basics. Is that something you see a lot of your clients do, or do they tend to leave it in your hands?

Dan Timmiss:

It's, it's a bit of both. It's really much a bit of both. It depends on the size of the client. If we're working with people that have also got IT people on premise, we tend to recommend people do a bit of light training. One of the things that Jamf do really well is when you take out a contract with them, they do what they call a jumpstart. Which is kind of a, an onboarding for staff of the business. The thing is an MDM is only as good as the people that are using it. It's just a framework for the device. It's not a, a catch all. You can't enroll your device in an MDM and it's secure and perfect and it can onboard and offboard and all that kind of stuff. Jamf and the other providers don't want to sell you something if you can't use it because then it's going to come up for renewal and you're just going to be like, well, it's not doing what it was supposed to be doing. So we're just going to get rid of it. You know, so yeah, we would always recommend training. Jamf are really good. They've got a number of courses, they call them like the Jamf 100, the Jamf 200. If people have got an in-house IT team, they do the Jamf 200 and that kind of sorts them out for the day to day. As you get bigger, like we said before, it's always important to have someone on the, on the coalface, knowing what they're doing with the systems that they've got, you know.

Harv:

Yeah. I did the jumpstart with Jamf. I think for an ops director's point of view, having an understanding of how it works lets you dip in and you might not be the one that wants to set up all the infrastructure and make sure everything is like configured properly, it's probably too complicated. But being able to know where things are so you can go check something or, you know, look something up is super useful. So I think that's why somebody might want to just get a bit of exposure to those tools.

Dan Timmiss:

It's good to know as well, from a business point of view, what's actually possible with the tool set.

Harv:

Yeah.

Dan Timmiss:

Cause you could come to us and say, I want this to happen, or I want that to happen, knowing that the product could make it happen.

Harv:

Mm hmm.

Dan Timmiss:

And then we go away and write a script or something or put something in place to make it possible, you know

Harv:

Exactly.

Dan Timmiss:

And that's where we come in. We take the burden off people having to do it. We're happy for other people to do it, but people are busy, if people weren't busy, then we wouldn't have a job because everyone would be spending their entire time kind of fixing machines and stuff.

Harv:

Absolutely. Okay, so let's move on to talking about security, Dan. Before we get into considerations, have you seen any agencies fall victim to a security breach due to poor IT practices?

Dan Timmiss:

The main security breaches I have seen in kind of the last three years, most of them come down to kind of phishing. A lot

Harv:

Okay.

Dan Timmiss:

of them come down to people getting an email or getting a text message from someone that they think is a trusted member of staff saying, can you fill this in or can you wire this money to this account?

Harv:

Mm.

Dan Timmiss:

They wire some money there and it's, and it's a scam and I've seen it quite a few times. There was one I remember that was a particularly large amount. I think they lost maybe about £70-£80 thousand.

Harv:

Oh, wow.

Dan Timmiss:

And it was a very complicated phishing scam that had gone over a course of a few weeks and, and it was this, this other company, their email had effectively been hacked. And they were talking to the agency and it was like the agency didn't even know that they weren't talking to the company that they thought it was.

Harv:

Oh, no.

Dan Timmiss:

And this company turned around and they were like, Oh, yep. Our bank account has changed. Can you send us the money to this new bank account, the invoice that you owe us or something like that? They sent it, wasn't them, someone else, and they'd been caught out.

Harv:

Mm hmm.

Dan Timmiss:

And that's the kind of stuff we see all the time. So while it's very important to look after things like viruses, especially if you're on PCs, social engineering stuff is very much the thing that a lot of people need to look out for now.

Harv:

Mm. Very, very good point. And you know, touching on that, there was a time when people used to think that Macs didn't get viruses, but that's definitely no longer the case, if it, if it ever was.

Dan Timmiss:

Macs definitely get viruses and crucially Macs can pass on viruses. So we don't see many agencies that are only Macs or only PCs. A lot of the time, it'll be a hybrid mix of both. It might not be many PCs in a Mac focused environment, but they'll tell you what, the accounts team will often be on PCs, some of the admin staff will be on PCs, some developers might have two devices, one Mac, one PC, for testing, that kind of stuff. And even if it's a PC, a virus on a Mac, all it needs is that to be sent via email or sent via Dropbox or AirDrop or something like that to a PC, and then that's it. The PC's got it and yeah.

Harv:

So, in, in terms of preventing that, you know, can you just touch on what you can do to protect your devices there?

Dan Timmiss:

So, yeah, antivirus is still super important. But some of the stuff that we see now are things like MDR and XDR. So MDR is managed detection response and XDR is extended detection response. So instead of it looking for kind of normal viruses, like looking for a signature of a file that might be at fault, they are looking for anomalies on the device. So say a script has been run, which wouldn't normally have been run, or a piece of remote software has been downloaded. What you hear about a lot is someone will be on the phone and they'll get a scam call, and the scam caller might pretend that they're IT, and the first thing they'll say is, oh, can you download this remote software tool, and they'll download the tool, and by default this remote software tool isn't a virus, so a normal virus scanner won't pick it up; they'll just think, oh, it's just a normal tool, but it's just a normal tool. Something like MDR will realize; it'll put two and two together and it'll be like this: no one's ever used this remote software tool in this company before. Why is it suddenly on this machine? Why is this machine suddenly opened an app? Why is it suddenly gone to a banking website and it's got this remote software tool on it? Do you know what I mean? So they're looking for behavior. And what these tools can do is they can then lock your machine down. They can automatically stop the network traffic. They can automatically shut down the machine, on the basis of the fact something's out of the ordinary is going wrong, we need to fix it. A lot of them with things like 24/7. So they will ring someone nominated in the business and they will say, Harv's machine has just been took off the network because we noticed these anomalies and then you have to go and investigate it and try and figure out what's going on with it.

Harv:

Okay.

Dan Timmiss:

But that's really the next step of kind of protection.

Harv:

Interesting. Yeah, I haven't heard of that before. So that's really interesting to hear.

Dan Timmiss:

Yeah.

Harv:

Another thing you talked about a moment ago was phishing, you know, training your team to be on the lookout for dodgy emails or emails that don't look dodgy or text messages that they can fall for. In fact, I've recently come across, in the past year, Google has a free training tool around phishing and I loved it. And so I put it into our onboarding for new starters so it was one of the activities they would have to do in their first week to go through that training program and make sure they understand, and are on the lookout for that. So do check that out, you can just Google, "Google phishing quiz" and, and find that. Beyond phishing, then Dan, what kind of other areas do we need to think about when it comes to security?

Dan Timmiss:

I mean, when it comes down to security, a lot of the things come from certain accreditations people need. So if you're in the UK, you may have heard of Cyber Essentials or Cyber Essentials Plus. So that's something that the government put in place to try and raise awareness of cyber security within a business. And we do that for a lot of people, help them get through Cyber Essentials and Cyber Essentials Plus. The difference is one is a questionnaire that you kind of have to fill out and raise awareness as a business. And the second one is basically you have a team of people come in and actually check your devices to make sure you're, you're doing what you say you're doing effectively. And we find that really helpful and you get a lot of people thinking, well, we're fine. We are secure. And then all of a sudden they do the questionnaire or they do the CE+ think, oh, actually we need to put in additional things in place, be that things like MDM or things like phishing training or something like that. There's also things like the CIS guidelines, which is something that we try and help people adhere to. And these are a set of guidelines set by a business in the US that look at number of different security features on each device and provide recommendations for it. It might be things like making sure that your screen locks after a certain amount of time of inactivity, for example, or that the logging is turned on in the device in the event of a breach or a failure, you can go back and trace and actually see what happened. And CIS provide guidelines for loads of things for Windows and for servers and for Macs, for mobile devices, network appliances. So we like to try and apply as many of those guidelines and that's something that businesses also get asked. So, a lot of your listeners might have seen this or heard about this, but clients coming to people saying like, do you have accreditation or do you abide by any baselines?
And these baselines would be things like the CIS baseline. And they can say, yep, we look at our devices. We have our MDM management in place. We apply certain settings to adhere with CIS guidelines and that's a big tick in a lot of clients' books and a lot of security, like functionality. You can take it further. So you can go for things like ISO 27001, which is like a security framework for larger companies and that's a lot more audited and a lot more, there's a lot more, a lot of moving parts in regards to that. It's not just devices. It's, it's all data and policies and that's kind of stuff. I mean, Kaizen are ISO 27001 audited, and I'm the lead auditor for that and it's, I would say it's a pain, it's a pain going through it, but the benefits it gets in the amount of security and it just uplifts the business when you're going through something like that and it really really helps, you know.

Harv:

Yeah, I think sometimes you start working with these kind of corporate brands or international brands. And for them, it's a really important requirement and they will refuse to work with agencies that don't have that qualification. So that's probably the trigger that results in them kind of pursuing that.

Dan Timmiss:

That's correct, that's correct. I mean, we work with businesses who do work for Amazon. And Amazon will come in and the amount of security which is asked for, by Amazon for a business to work with them can be really, really high. We work with people who do work with credit card companies like Visa and Amex and that kind of stuff. And they have to have infinite amount of restrictions in place. And you have to go through various audits every year and questionnaires to be filling in. But a lot of the times if you've done something like ISO 27001, or if you've done CE+, for example, there'll be a box right at the beginning. It'll say, Are you 27001 accredited? And you say, Yes, we are. Ignore the rest of the questionnaire, because the rest of the questionnaire is basically asking you about stuff that you've already done because you've got that accreditation. So, right, it may be something that people want to do to avoid hassle later on. If you're trying to bid for a contract and you get the questionnaire through and you have to spend countless hours working through a security questionnaire, whereas you've already done this prior and you can just say, yes, we already have 27001. Big tick to the corporate client, you know, I mean, it's a good way of um doing it. And to be fair, the smaller the business is, the easier it is to get 27001 accreditation, because there's less moving parts to deal with. You might not have a lot of the things that it's covering. You may only need to cover devices and data, and you're not needing to cover a lot of the more complicated HR stuff if you're only a small company, you know?

Harv:

And before we move on from security, I suppose having a data breach plan of some kind is important. What does that usually entail?

Dan Timmiss:

A data breach plan is going to be something like, if you're getting attacked or if you found out you got attacked or if you get ransomed or something like that, even with all the security things in place you end up being in that situation. It's, it's just having the plan in place to, to how to deal with it. Robust backups are key, you know, whether that's to a cloud location or a different location entirely. Things like a business continuity plan. So we're talking about security here, but anything can happen. I mean, COVID, like everyone's business continuity plan had to kick in. When everyone was said to work from home, you know, and it's important to have a plan in place to be able to say, right, okay, something major has happened, flood, fire, outbreak, that kind of stuff. How does the business keep functioning? Both from a data point of view, from a, from a people point of view, from a security point of view, and, and how to get the work out as well. Cause at the end of the day, your deadlines might not stop just because you've had a fire in the building or something like that, you know, it's like the worst thing to happen is, if there is some kind of disaster, to not get paid because you've not been able to fulfill your contractual agreements, for example. Not to put a downer on things, but yeah, it's, it's super important for something like a, a data breach plan or a business continuity plan. So we can continue to work, you know, however it goes down.

Harv:

Yeah, definitely. Things a bit more easier, I suppose, now that we're all so used to working from home. It's likely not to completely grind to a halt like when we were all based on premise, but still super important to have.

Dan Timmiss:

And yeah, that leads us back to the kind of the cloud storage stuff as well, you are avoiding things that can be part of your business continuity plan to say you have distributed cloud storage and everyone can just go and work from home, you've got a fast internet at home, that kind of stuff. So the premises aren't necessarily required and it massively reduces your risk, you know.

Harv:

Excellent. All right. So the last area we're talking about is your agency's IT support infrastructure. Kaizen refers to itself as a managed service provider. What does that actually mean?

Dan Timmiss:

So an MSP is basically a kind of company that will provide everything to do with IT. So our core business is, is IT support. So we help people, effectively. That's that's our core business, but as well as helping people, it used to be some person and a computer, maybe a server, maybe a router, and that was the entire business, but it's not the case of that anymore. There's cloud services, there's storage, there's MDM, there's security. We effectively become the security team for a lot of people as well. If you're a small business, you're not going to have your own IT team. You're not going to have your own security team. That's for certain. You don't get your own security team until you start getting to over 150 people, maybe 200 people when you start having the resource to be able to put people dedicated to just looking at security. So we will be that team for them as well. We resell everything. So, and we're like whole of market. So like we're talking about 365 and Google, it doesn't matter to us. What we want is it to be the right fit for the business, you know? And we partner with everyone. So what we try and do is understand the businesses that we're working with and provide the best solution for them.

Harv:

So your outsourced IT partner, managing everything from like, you know, tickets and issues people are having for troubleshooting to administrating accounts and systems and the infrastructure itself. Yeah.

Dan Timmiss:

I think our thing is kind of, we will be your in house IT department, in house security department, in house procurement department, onboarding, offboarding. Things like, what's the best finance software to move to, or we're migrating to a new database software. What can you recommend? What do you see in other, other clients is what we see all the time. Because we work with so many people, we can turn around and say, oh, well, so and so have just put in this new system and it's working really well.

Harv:

Excellent. So your headquarters is in Sheffield, but tell us a bit about how you can support customers across the country. Is there a very much of a requirement these days to even be on site?

Dan Timmiss:

There is still a requirement to be on site. It's nice to be face to face with people. And it's nice to visit a customer's site. And it's nice to, nice to talk to people, you know. We do things where we have engineers on site for maybe a day a week or a day every fortnight or something like that. And what we tend to see is stuff that people won't tell us, they'll be like, it's such a minor problem, I'm not going to bother Kaizen with that problem. But then if someone's on site, it's like, Oh, you just have a look at this for us, please? And it'll be something small, but it's really important for us to fix those small things and make people happy. Even the smallest thing can kind of bug the hell out of you, you know, I mean, it's, it can be really annoying sometimes. Remotely we can do pretty much everything. You still need to do installs. You still need to deliver machines, laptops, servers.

Harv:

Yeah.

Dan Timmiss:

If someone's internet goes down, we've got to send someone on site to, to fix that internet. We can't do that remotely. It's super important. I mean we've got just as many engineers in London as we do at Sheffield. So and we cover nationwide, you know, we cover Scotland and all the way to Liverpool, Newcastle and Bristol. I think Brighton, we've got someone in that we look after it. We've also got some staff in the US now because we're taking on agencies that will have US branches. So it's important for us to be able to cover those hours as well.

Harv:

Absolutely. So, if people want to reach out to yourselves or they want to speak to yourselves about their own agency or issues for advice, where can they find you?

Dan Timmiss:

They can find us, go to our website. It's www.kaizenit.co.uk. It's K A I Z E N I T dot co dot uk. All our contact details are on there. You can contact us through our website. You can find the phone number on there. Just give us a call. We're happy to talk to anyone that's got any issues, whether they want a piece of software or they want a full blown contract and IT support.

Harv:

Excellent. That's great. Dan, that was really, really helpful and, I think, listeners are going to get a lot of benefit from that. So thank you so much for joining us today.

Dan Timmiss:

No problem. Thanks for having me on mate. Have a good one.

Harv:

So some fantastic advice there from Dan on how to ensure all your bases are covered when it comes to IT and making sure that you're ready to scale. When I was agency ops director, I documented the full suite of tools we used in our agency handbook with a page for each platform along with a short note on what that platform was, who it was for, how logins for the platform worked; whether everyone had a log in, or if it needed to be requested, or if there was a shared login. I also included on that page a few FYIs on usage. Next, the first place the team was instructed to ask for troubleshooting questions with any of their tools was the Slack help channel to see if anyone in the organization could offer advice. If the issue was particularly technical, then Ops would step in to see if we could advise on the solution. And finally, if it wasn't something we could solve quickly internally, the person would raise a ticket with our IT partner. So hopefully lots of inspiration for you to think about your own agency today. If you've got any feedback or ideas for topics, or if there's something that you're dying to share with the agency ops community, I'd love to hear from you. Please DM me on LinkedIn. I'm at linkedin.com/in/harvnagra. If you're appreciating these conversations, please leave us a rating on Apple or Spotify. And please do share this podcast with your friends and colleagues so they can benefit as well. And lastly, if you haven't signed up for the handbook newsletter, please do so. Every second week, we send out the newsletter, and it goes into a personal experience I've had around one of the recent topics in the Handbook podcast. And it summarizes the key takeaways from the guest interview, so you've got something to reference. You can sign up for that at scoro.com/podcast, scroll down and you'll find the form to register there. And with that, our episode comes to a close. I hope you have a great week and we'll see you back in the next episode. Thanks very much.
