Recently I did an informal poll of IT service providers to ask what their biggest concerns around migrating a new customer from another service provider were. Far and away the most common response was getting access to ALL of the client’s systems. This is pretty obvious, but like all things obvious there is usually a gotcha or two. First, it should always be your responsibility to be diligent and make sure you do an entire inventory of anything IT, IoT, security, or cloud based. When I say security, I also mean physical security, not just the things that plug into the network. These are some of the things you should consider:
- Every device everywhere that interacts with your client’s data—this includes employees’ BYOD that they use for email, texting, etc., for company purposes
- Domain names, websites, email hosting, Office 365, ISP information
- Alarm systems, GPS tracking in vehicles, security cameras, access controls
- HVAC controls, Alexa/Google Home, lighting controls, etc.
- Manufacturing systems
- Employees, their roles, security clearances, contact information
- Physical locations, addresses, contact information
Once you know what you are going to inventory, make sure you have forms or tools to capture the right information on all those items. Many of those devices will have credentials that first need to be obtained and then changed to lock out the former provider. Having a secure tool like SolarWinds® Passportal (INSERT LINK) can help you capture and manage those credentials in a secure container.
Much of the information should be provided by the former MSP. However, some providers believe the information is property, which is unfortunate. In my reading about most court cases covering this type of situation, the former MSP has been judged incorrect. Denying access is not only ethically wrong, in these cases it is wrong according to the courts.
Also, always let the client deal with the former provider. First of all, they are the ones entitled to the information, not you. However, you do need to be providing the client with exactly what to ask for once your inventory is complete. This should dramatically reduce the confusion and therefore the time it takes to get the information.
It’s also worth noting that there are a couple of things to learn from this if you ever find yourself in the “former MSP” role. First, never use the same credentials from client to client. I have seen too many situations where a former MSP was forced to give up credentials to their client after being fired that revealed they were using the same password everywhere. Second, being able to provide all of this information quickly and easily makes you look good and, more importantly, it reduces the amount of time you have to spend on a client that is moving away.
Don’t drop the ball on backups
The next thing brought up in the poll was backups. When switching from one provider to another, there can be a lag time between their last backup and your first complete backup if the backup service itself is not being transferred from one provider to the other. First, the client should negotiate for the former MSP to hold their existing backups for a period of time. I would suggest 30 days minimum, but it may differ based on client needs and compliance requirements. This should be in writing and reviewed or executed by the client’s legal counsel. Next, make sure you get good backups as quickly as possible just in case the former provider decides not to hold up their end of the deal.
Find and remove all old monitoring software
The third issue from the poll and the last for this post is removing all of the former MSP’s access and software. Most of this can be done with automation through your RMM of choice but you need to do your research and find out what they were using to make sure you get it all. One of the worst things I have seen happen is a former provider had access to a server via RDP and used it post-firing to upload ransomware to a client’s system. This could also happen using their old RMM or remote access tool. To me this one represents the most risk to the new provider. It will be hard to prove that it was the old provider’s fault, which could make you liable for the damage.
As the marketplace for managed services continues to be more competitive, the opportunity for you to displace an existing service provider is going to be more common. Approach it with careful preparation and defined processes to have a greater chance of success. Also, keep security at the top of your mind for all these situations, not only to protect the client from the former provider but also to make sure there are no gaps in protection during the transition that could put you at risk as well.
Eric Anthony is the Head Operations Nerd at SolarWinds MSP. Before joining SolarWinds, Eric ran his own managed services provider business for over six years.
You can follow Eric on Twitter at @operations_nerd