The Nuts and Bolts of IT for SMEs

Some IT decisions are easy to make -- the basics of how you do email, where you store your files, and how you manage your backups. In this episode, Matthew Reynolds looks at these "nuts and bolts" issues, in addition to some "gotchas" on encryption, and first looks at how to build a data-driven business.
27 June 2020

Hey, deserving listeners and welcome to the It's What's Next SME IT podcast. The podcast for SME owners who want to get a little bit more out of their IT. I'm your host Matthew Reynolds and today we're going to look at the basic, fundamental things that we all need to have in our organizations in order to support our IT. I'm very keen to help SME owners build their IT so it looks like large, corporate IT. There's really no difference between the sort of IT we need as a single person business or if we've got ten employees or we've got ten thousand employees. We're all trying to do the same thing. IT is an innovation toolbox. It's something that we can use to gain competitive advantage. It's something we can use to drive up efficiency, drive up productivity, reduce waste in the organization. Large organizations will look at IT as a tool that can be applied to the whole business. In my experience, SME owners don't look at IT like this. They tend to look at IT as simply a communication tool. It's email. It's your social accounts. It's the web. It's being able to place orders with suppliers. It's being able to find and research information. Very few IT owners lean in and say, “Okay, well, we've got this information technology, how can we use it to innovate within our business? What can we do about efficiency? What can we do about flow?”, etc.

So, this podcast is really just a starter for ten. What we're looking to do is say, “Here are the baseline bits and pieces that you need”. If you have all of these pieces in place, you've probably done more than most SMEs anyway, but this is a good foundation. We can then say, “These are the basics done and we can move on”. So, the five things we're going to look at in this podcast are Tier 1 cloud email providers, cloud file storage, backups, device encryption, password managers, and CRM and data-driven business.

Let's start by looking at what I call Tier 1 email providers. The idea here is that email is a commodity service. Anyone can get email. It's so cheap, it's effectively free. But there are ways that it can be done which are better than others. If you look back historically at how email worked, it used to be difficult and expensive to implement. We needed to have a server within our organization that ran the mail server software, that [settled 02:07] the internet and received and sent emails. Over time, what's happened is that those servers have migrated their way into the Cloud. So, rather than having a server sitting in our office that we have to pay for, maintain and keep running, it's easier just to give a cloud service provider ‘X’ number of pounds a month in order to run our service for us. What's happened here, though, is that there's a consolidation that's occurred in that we have two broad types of email service in the Cloud. We have Microsoft 365, and we have G Suite. Microsoft 365 used to be known as Office 365.

Microsoft 365, [I’ll] probably do in another podcast because it has some confusion anyway, in exactly what that product is and what it includes. On a business account, Microsoft 365 includes the Office applications - Word, Excel, and Outlook. It includes something called Exchange Online, which is an email service in the Cloud, and SharePoint Online which we'll talk about later as well. As I've said previously in other podcasts, and I tend to lean into quite a lot, there's an idea that whenever we're looking at vendors in any market, there tends to be a Coca Cola, and there tends to be a Pepsi. If you choose the Coca Cola or the Pepsi, you'll do fine. What you want to do is avoid the Happy Shopper Cola.

In the cloud email provision space, we've got Microsoft 365 and we have Gmail as part of G Suite. We all need to have a website so we'll tend to go to a web hosting company or a company that will build a website for us and say, “We need a website. We need somewhere for it to live”. Historically, those providers have tried to bundle email service together with a web hosting provision. After all, they're both servers, they're both bits of software, and they're both technical things that an SME doesn't want to deal with. So, you can have a technical partner to deal with that. Where we get a disconnect then, is that it's often the case that if you go and buy a web hosting package from GoDaddy, 1&1, or one of those other providers, they will sell you an email service too. What you want to do is very carefully disconnect those two worlds. Your website is your website and your email is your email. You can still trade if you don't have a website. You probably can't trade if you don't have email. It's absolutely essential then that your email is lodged in one of these Tier 1 email providers. So, you're either using Exchange Online as part of Microsoft 365, or you're using Gmail as part of G Suite. You're not using the email service provision that comes with your web host. There's nothing particularly wrong with the service that comes from your web host. It's an unnecessary risk.

Microsoft and Google when they run these email servers, they never go down. They're never unavailable. They never lose data. The only way you can experience data loss on the Microsoft service or the Google service is if someone logs into your mailbox and deletes all your mail. They simply do not lose email and it's so cheap. It is ridiculously cheap. Microsoft 365, the business account that comes with all the applications, comes with Exchange Online and SharePoint Online, is £9.40 a month. That's effectively no money so there's no real margin in taking the risk and saying, “I'm going to put my email with my web host”. This might mean in order to modify this, you need to have a conversation with your web host about, “Actually, I want to move this over to Microsoft 365, or talk to your IT partner about migrating that over”. For me, this is an absolutely critical thing. So again, looking at how large companies work, a large corporate would never say to their marketing firm, “I want you to build a website and I also want you to look after the email”. The CTO or the senior management of that organization would never go for it because these are very different functions. So behave like a large corporate would and say, “Actually, a large corporate would provision an email service as a fundamental service that has to be provided to the whole organization as a separate piece of work and wouldn't lump it in with another piece of work that happened to be related to a website”.

The second thing we need to look at is where we're going to store our files. Within the SME community, there tends to be two types of organizations. They're organizations that don't do anything particularly weird with their files. It's basically just a bunch of Excel worksheets and Word documents, the old PowerPoint. And there are organizations where they create very large files or very complex files. So, think things like a firm of architects, technical design organizations, print organizations, graphics designers, those sorts of things. They have the need to store files that tend to be larger. For the most part though, whatever type of business you are, you can store your data in the Cloud and there are really fundamentally good reasons for doing that. Just like we've moved our email over to the Cloud. The reason why we did this is because it tends to be expensive to buy and maintain servers within our office.

So, what we want to do is try and get rid of all of these special, weird pieces of equipment we have in our office. It should be the case that we can run our entire office - even if it were quite a large organization of, say fifty or one hundred people - with the only devices in the office being a set of phones, their computers that people were using, 1&1 network printers and some form of connectivity out of the building. You should be able to run your entire IT infrastructure with just those pieces and put everything in the Cloud. That's a direction that corporate IT is going to, and that's a direction that small business IT should be going to. So regardless, we need a place where we're going to store our files, and we can put those in the Cloud. Now, a mistake that I find that small businesses do is that they will say, “Yep, I put my stuff in the Cloud because I use iCloud or Dropbox, or OneDrive, or even Google Drive”. The problem with those services is they are not storage technologies. They are synchronization technologies. They came out of a piece of technology or an approach whereby in order to create ad hoc groups of people who could collaborate on a piece of work, they wanted to be able to create this kind of peer to peer file sharing. So the idea is, you have four or five people in a group, all of whom are signed up to this cloud synchronization tool so that when one person puts the file there, it gets propagated around to all the other people. When someone deletes a file, it gets deleted for anyone else, and so on.

What there isn't is a master set of that data in the same way there would be with a file server. There is a big advantage to having a master set of data, which is that you can back it up. If you know where your master set is, you can configure something which will say, “Actually, I want to go and back that up”. We're going to talk about backups in the next section but fundamentally, things like iCloud, Dropbox, OneDrive, and Google Drive can't be backed up. Rather, Dropbox and iCloud because they're cloud synchronization services first, we need to think quite hard about how we're backing things up. Again, I'm going to talk about this more in the next section. The general idea of a backup is that you can rewind. So, you can say, “Oops, a disaster has happened, I need to go back and get an old copy of that file”. Sometimes the disaster is so big that rather than having to get a hold of one file or one email, we have to get back an entire organization or entire department or everything that has ever been created by restoring a backup. Because cloud synchronization services like iCloud and Dropbox exist to synchronize files, their backup story is less good. So, whilst you can go on to Dropbox or iCloud and say, “I want to retrieve a previous version of that document”, it's not made to do that. It's made to synchronize your files around. If you have a complete disaster - so you end up with a piece of malware on someone's laptop - everything on that laptop gets encrypted. That encryption or that damage gets propagated around the whole network because that's how these systems work. If all the files on one machine get corrupted, that corruption flows over onto the other machines in the network. Without being able to go and get a backup, that becomes a real problem.

Another thing that I see small businesses do is that they will buy things called Network Attached Storage devices or NASs from companies like Synology, QNAP, or Netgear, etc. The idea of these is that they replace the idea of a file server. So, they are actually little miniature Linux computers that sit in your office, have got a few disks on it and people connect and share. They're not great for small business use because they are very limited in what you can do with them. It makes a lot more sense just to have all your data in the Cloud. What's happened with the lockdown period is it shows this in the fact that everyone was able to decamp from their offices and start working from home because all of their data was in the Cloud. If we had been in a situation where all the data was inside private networks, that we had to find a way to get into those networks from all our homes, things would have gone a lot worse. It's only the fact that we had so much prevalence of cloud-based technologies in email and file storage and other software that we use, that was able to let us go, “We don't need to be at home, we can just access all this stuff from outside”.

So, there's a huge advantage to using cloud stuff. NASs should generally be avoided. We don't really want to be buying file servers. We want to make sure that we're storing our cloud files in a Tier 1 provider in the same way as we are storing our emails. Ideally, we want to be using the same technique for reasons we're going to look at in the next section on backups. So again, the Tier 1 in terms of file storage means as well as storing our emails - if we use Microsoft 365 - as well as storing our emails in Microsoft 365, we should be storing our files in Microsoft 365. If we're storing our emails in G Suite on Gmail, we should be storing files in Google Drive on G Suite as well. I’ll explain why that's an advantage in the next section.

So, I said right at the beginning of this section, that some organizations tend to do weird things. In fairness, it's not really weird, it's just that they tend to store files which are generally bigger, as individual units than most people store. If you're storing basic Office documents, then you have absolutely zero problems storing IT stuff in the cloud. If your files are a bit bigger - and I would say that the only people this really affects are organizations that do video production - you might need a specialist storage and that could mean that actually having a NAS in the office or having some sort of file server in the office is a better approach. You’d need to solve the backup solution of what you do with that server but generally, it's okay if you're storing very large files. If you're just run of the mill, if you're only using PowerPoint, Excel, and Word, the best thing to do is store your files in the Cloud.

In the third section, we're going to look at backups and this is a really important and pretty interesting topic. The general principle of a backup is that it lets you escape from disaster by being a big rewind button that you can hit and go backward. So, if you discover that you've deleted a whole load of stuff or you've been hit by a malware attack, or a machine has caught fire or something horrible has happened, you can go back to a backup and get back to where you were. The general idea here, of course, is the backup has to be made as close in time as possible to the point when the disaster occurs. There's no point making a backup in January, having a disaster in June, and losing six months' work. You want to be aiming to lose, at most a day, an absolute mess would be to lose a week, but any more than that would be a complete disaster. In order for backups to work properly, we need to be monitoring their backup health and there isn't a really good automated way to do this. The best thing to do is to have someone in your organization whose job it is to make sure the backup is running. So, this could be a relatively junior member of staff who has it as one of their tasks to do it on a weekly or daily basis. Then you have some oversight from someone more senior in the organization to make sure that process is working. A backup that can't be restored is no backup at all.

In terms of how we do backups, the less labour involved in a backup, the less somebody has to remember to do something, the better. Luckily for us, we've got infinite bandwidth and infinite storage effectively. So, the smart thing to do is to always make sure that everything you've got is being backed up automatically to the Cloud. The way we used to do this is we used to have an external USB drive we’d plug into the machine, we’d copy and we’d take home, but that was really messy. There were some really obvious problems with that, like people forgetting to do it. Another less obvious problem is effectively the theft of that backup. If you're a small business and that external drive is to be stored at [the] director’s home, if the backup drive is in a laptop bag, stop off at Sainsbury’s on the way home, the laptop bag gets stolen, the external drive gets stolen along with your backups. Those backups aren't necessarily encrypted. Encryption is something we're going to talk about in the second to last section but it's the manual process that's the real problem here. We want to make sure this is automatic. Even from that perspective, there are two things we need to think about.

Most people don't tend to think about the need to back up their Microsoft 365, or their G Suite environment but what's happening here is as an organization, you're storing all of your emails, all of your files in the Cloud but that isn't being backed up. Now, Microsoft is never going to lose your data. You're never going to wake up one day to an email that says, “Oops, we’ve deleted your mailbox. We're very sorry” or open the paper one day and discover that everyone has lost all of their data. It isn't going to happen. However, there is a risk in terms of somebody going in and deleting emails, either accidentally or maliciously, or getting hit by some sort of malware attack. So, we want to back that cloud data up. Luckily, there are loads of providers that do this. Two that I like to use are Backupify and Spanning and they do something called a cloud to cloud backup. They will connect into your Microsoft 365 or your G Suite tenant and they will just back up the data as if it's a normal backup. Then from anywhere on the planet, you can log in and you can download that data. So, if something completely goes to custard - you lose all of your machines, you lose all of the details of how to login to your Microsoft 365 tenant, you're completely at square one or somebody has walked into your building, stolen every computer, logged into your Microsoft 365, deleted all of your emails, logged into your SharePoint, deleted everything - from anywhere in the world, you can log on to one of these cloud backup providers and get all that data back. That, to me is invaluable and the price of it is cheap. It's like £25 per user, per year for that sort of certainty.

In a similar vein, there's an idea of device to cloud backup, which is software that runs on a laptop or a desktop and backs up the data on that to the Cloud. It's less useful in that if you're managing your IT properly, all of the data that you're using should be going on to the master set in the Cloud anyway. No one should really be using their local machine. In an absolutely ideal world, you want to be in a position where if someone loses their laptop, it’s nothing more inconvenient than ordering a new one from Amazon or your IT provider and getting them set up on it just with a couple of keypresses the next day. There should be nothing special on a laptop, and therefore it doesn't need to be backed up.

There are some situations in organizations though, where you need to back up the individual devices because of some complexity. Somewhere where we often see this is on the accounts system. There'll be an older organization that uses some on-premise, i.e. installed locally on a computer, version of Sage, and they need that backed up. A good argument could be the accounts computer in the office that does Sage, you do a device to cloud backup to make sure that has been backed up. You then have your cloud to cloud backup of your Microsoft 365 or your G Suite. Remember at this point, because we've got all our email in there and because we've got all our files in there, which is why I was keen to push everyone away from Dropbox and iCloud and using SharePoint as part of Microsoft 365 or Google Drive as part of G Suite is because you have a one-stop-shop then. You basically have a master set of data which is your groupware - your Microsoft 365 or your G Suite - and you've got your backup. Every other machine in your building can become effectively disposable. You can lose it. People can go in. It can get infected by malware if you want but you've always got these backups and you can always get that data back. If you get to that point, you're golden. You effectively can't lose data and you're entirely protected. You’d need some support in terms of basic cybersecurity. So, phishing detection, not clicking on emails or opening attachments that might end up with malware being installed on your computer, social engineering scams, those sorts of things. However, with those backup pieces in place, especially the cloud to cloud backup, it's very very difficult for you to lose data.

So, as we get to the end of this, it's a good time for me to mention what it is that we do at It's What's Next IT. So, It's What's Next IT is a managed IT support company. We work with small to medium organizations in Milton Keynes, Northamptonshire, Buckinghamshire, and Bedfordshire, but we happen to be a social enterprise. So, we employ people disadvantaged in the job market such as care leavers, ex-services personnel, or other people who find themselves excluded from the job market. My philosophy is trying to help IT owners to get the absolute best IT that they can. So, if there are some issues you've got within your organization, or there are some questions you've got about how you achieve certain things, then I'd love to talk to you. If you go to our website at, that's, go to the contact page, and there's a link in there, where you can book a call with me. I'd love to sit down with you and help you with your issues.

The second to last thing I want to talk about is this idea of encryption. Again, this is something that I find a lot of SME owners don't fully appreciate. It's absolutely essential that any devices that you have are encrypted. So, what encryption means is that you can only access the data that is on the device with the device password or some other form of credentials that lets you access the machine. The reason why this is so important is that if you lose a laptop - it gets stolen, or it gets left on a train, etc. - anyone can take the disc out of that machine and install it in another machine and read all your data off unless it is encrypted. It's encryption that protects you against that problem of data loss. Data loss is a very serious issue for businesses for a couple of reasons. One is that there are regulatory concerns in that if we do breach data like that, we have to report it to the ICO, and we can be fined for doing it. There's also an ethical consideration in terms of as a professional business, we need to make sure we keep our clients’ data safe. In fact, the data that's on there may also be personal information about our employees, and we have an ethical obligation to keep it safe from them as well.

The big problem in losing a machine, however, is that if you don't know it’s encrypted, you may very well not know exactly what's on there. This means you might have to find yourself going to every supplier, every partner, every customer, and having to put your hand up and say, “We think we might have lost some of your data but we're not sure”. Encryption lets you mitigate that risk because you can say to them, “We did lose the machine, but it was encrypted, so we're fine”. Where this gets to be a real problem for SMEs is that at the very small end, SMEs tend to buy their PCs from PC World, Amazon or from some other retail provider without necessarily appreciating that the standard version of Windows that gets sold in retail - something called Windows 10 Home - doesn't support encryption as standard. Windows has this feature called BitLocker, which is what you have to switch on on the machine in order to encrypt it, but Windows 10 Home doesn't come with that. From a retailer's perspective, Windows 10 Home is much cheaper than Windows 10 Pro.

Now, Windows 10 Pro does come with BitLocker and can be encrypted but of course, in the retail channel, everyone's trying to drive their margins down. So, if you walk into PC World, unless you specifically have that conversation, you're going to find yourself with a machine that can't be encrypted. This to me is frankly ridiculous. Even how Microsoft is actually selling machines that cannot be encrypted even to home users, with the risk that comes from having a laptop stolen or lost is crazy. But anyway, we are where we are. If you're buying a machine for business, you absolutely should make sure that you buy Windows 10 Pro. The reason for doing this is the upgrade or the difference in cost between Windows 10 Home and Windows 10 Pro when you’re buying the machine, is peanuts. It might be 20 or 30 quid. If you buy Windows 10 Pro as an upgrade after the fact, it can cost £150. It's very expensive. So, it's well worth getting it at the lower end. If you can't stomach that, there are some other options that you can use. One of the things that we recommend is something called Bcrypt, which is much cheaper. There's a small fee to buy it of approximately £40, but then you have a maintenance fee every year of £20. So, over time that will add up but if you want to get out of this hole that you've got of the encryption, it's worth doing that. You absolutely should have your machines encrypted. Whether you do that through Windows 10 Pro or a third-party product is up to you.

There's another point about smartphones in that smartphones are only encrypted if they have a passcode or they have some sort of biometric security on them. If you have a smartphone and you don't do that - you just pick it up and you can just swipe the screen and unlock it - it's not encrypted. It's only encrypted when the device is locked. So, it's absolutely essential that you make sure that any employees who are using their work phone, they've got their work email on their home phone or you've given them a phone to use, that they have that passcode on it so that it is encrypted.

The last thing that we need to put in place when we're designing our ultimate small business IT that could grow and look like a corporate IT is the idea around CRM or Customer Relationship Management system and data-driven businesses. This is going to be outside of scope for what we're going to talk about in this episode, but it's an absolutely key component so we have to think about it here. The general idea of a CRM is that it's able to record every single interaction between anyone that your organization has a relationship with. It becomes a central store of record for how every customer came to know you, how every customer bought, how every customer supported, how every customer left. It’s exactly the same with all your partners, other suppliers, anyone you're doing any business development with, etc. It has to be right at the center of your business and integrated into everything. This is something that SME owners typically don't do but by doing this, it enables you to create a data-driven business. It gives you the information you need to know exactly how your business is performing, what's going well, what's going not so well, where the jumping-off points to innovation are, etc. So again, we're going to cover this in later podcasts because it's such a key area, such a key aspect to get right. But just to put on your radar, you do need a CRM. You do need everyone in the organization to have a CRM and you need to be looking at that as the master oracle of everything to do with your organization.

So, I do hope that what we've gone through today has been useful. We've had a look at the ‘nuts and bolts’ about how we can set up the basics within our IT so that we've got a good foundation that we can grow the business on the scale that we expect to be able to grow on but we're not losing sight of why big corporates set up their IT in the way that they do. Again, to reiterate this point, corporates don't spend a lot of money on their IT because it's a simple communication tool, or because it's simply a way of storing data. They do it in order to realize operational efficiencies, address competitive threats, go after opportunities, and innovate the business. There's no reason why we can't do that even if we're a one-person organization, two to three, ten, twenty, one hundred, whatever. So again, I do hope this has been interesting. I appreciate your feedback on it. Thanks for listening and take care.