Strategy for dealing with suppliers


This post has been at the back of my mind for a while now because I often encounter randoms and family who have had poor and frustrating experiences dealing with suppliers over the phone. There is a lot a customer can do to make the experience easier and more productive.

I have had to deal with various services over the phone over the years and I have developed an approach which works well, helps you to gain accountability from the provider and ensures you have an effective tool and information for when things get rough.

Why write this?

We’ve all had to deal with it in one form or another: we’ve bought something online and it hasn’t arrived, some sort of technical fault has occurred with a device or service, or we’ve had a poor customer experience when dealing with a supplier. In your conversations with the supplier things have not gone well for you; you’re not comfortable that the supplier has understood the problem, or you feel it is not taking your needs seriously. Maybe you have already spoken to them and the supplier has made a commitment to you, and that commitment hasn’t been met or wasn’t up to the standard you expect. If you’ve had an experience like this then hopefully the following tips will help you to help the supplier to help you.

Do’s and Don’ts

Starting with some simple do’s and don’ts for how you approach and handle the situation…

  • Be polite. Regardless of who the supplier is, where they are located or how angry you are remember that the person you’re dealing with is a fellow human and almost certainly isn’t to blame for the experience you’ve had. Ensuring you are polite with the person you’re speaking to gives you the best chance of having that person take on an advocate role for you inside the supplier organisation. Often people in these roles are dealing with hundreds of customers who have an axe to grind. The customers they are likely to remember and go the extra mile for are the ones that treat them well, like a colleague or friend. Your kindness and empathy makes you stand out.
  • Be patient. If the supplier is a large organisation then things can sometimes take a while to work their way through the system. Yes, you’re likely to end up in a call queue, more than once, probably a few times. Yes, it’s poor customer service for suppliers to let their customers rot on hold, however that is not your beef here. Your mission is to get the outcome YOU want. If you want a supplier that responds to customers quickly then do your research and find one that can do that. It is also common to experience heavily scripted first-contact calls with suppliers. Be patient, answer the questions and let the supplier’s process roll. Being angry or frustrated about a call script isn’t polite or patient.
  • Be open. Be clear, open, direct and don’t make stuff up. You want to own the moral high ground in the interaction, not look like some goon trying to get something for free. If things have been rough when dealing with the supplier, explain this to the person you’re dealing with so they can understand your frustrations. Tell the supplier on the phone that you will be taking notes. Ask Open Questions. Remember though, above all, be polite.
  • Keep a Log. One of the easiest and most important things to do is to keep a log of your interactions with the supplier: date, time, name of the supplier agent you spoke to (it’s reasonable for you to ask for their first name, and some suppliers even allow their staff to give out some sort of employee ID, but it’s NOT okay to ask for their full name), the topics of conversation and, MOST IMPORTANTLY, the commitments and information the supplier gives you on the call. Critically, also request a case number, ticket number or some sort of identifier that the supplier uses to track customer interactions. If a supplier isn’t using such a system it’s almost certainly time to find another supplier.
  • One problem at a time. Try and deal with one thing at a time at the start. This makes it easier and quicker to get the ball rolling and get the supplier engaged. Services staff will often ask at the end of a call if there is anything else you need help with. This is the time to bring up the next issue. Ensure you treat the issue the same way as you did the first. Prepare and Execute.


When you are starting off an interaction with a supplier to get a matter addressed or resolved, spend a few minutes before you pick up the phone or send the email and make a few notes for yourself to help you focus on the issue and get it resolved as quickly as possible.

  • Problem Statement: Start with a brief sentence which describes the problem you’re having or the need you have.
  • So far I have…: Write down a few points about the actions you’ve taken to try and address the problem yourself and any observations about how the problem may have changed.
  • Recent Changes: Think about anything that might have changed recently.
  • I would like…: Describe what the best outcome for you is, but also describe what a bonus outcome might be.


Now the time has come to contact the supplier. The best way to do this depends on what sort of service the issue is about and where the supplier is located.

If the problem relates to a product or service from a supplier that is based overseas then email might be the best way to contact them. If the supplier is a local supplier then phone might be better. Either way the execution is largely similar.

The goal here is to produce an experience log you can share with the supplier or, if things go badly, a regulatory agency later.

Contact the supplier, state the problem and request help. For each interaction you have with the supplier, include the following in your log:

  • How you contacted the supplier. Phone, email, web form etc and what the number, address or URL for that contact was. A neat trick when calling suppliers who have complicated IVR phone systems is to write the number you called and then the keypad options you dialled. This way you can quickly refer back to the numbers you dialled if you have to call again and you have a better chance of ending up with the same team you spoke to the first time.
  • The date and time you made the contact, the name of the person you spoke to, the location (suburb, city, state) of the call centre where the call was answered and what the result of that contact was.
  • Notes and comments about the supplier conversation.
  • Pay careful attention to what the agent is saying and telling you. Some agents, particularly new or junior operators, may do or say things that just aren’t true, or that show they do not understand what you are telling them. If you suspect this is the case you should request an escalation to a more senior person. Be sure you note the date and time of the request.
  • If you seem to be getting a little roadblocked by an agent, it’s often useful to keep coming back to your original problem and invite them to comment on what needs to happen to have it resolved. If you turn the conversation around on them and force them (politely!) to present options to help you get things resolved then that can often get you some traction.
  • Agents will often say “someone will get back to you”. When you are told this, push hard (politely!) for a timeframe where someone will get back to you. Agents can be very evasive about this for several reasons. Your job is to get them to set a day, date or timeframe for when you will be contacted and the role of that person. If they refuse to give a number, throw a speculative number at them.
    • You: One year?
    • Agent: No.
    • You: Six months then?
    • Agent: No.
    • You: One week?
    • Agent: Oh yes, absolutely within a week.

And this is the important part: you state your understanding back to them. “Thank you, I will expect a call back from the Escalations Team no later than 5pm next {DAYNAME+7 HERE}.”

A good approach to take is to assume that the notes you keep will be shared with the supplier in the future. If you keep your notes clear, concise, polite and factual then if/when things go off the rails you can easily share the log of information with the agent directly. Don’t ever put anything in the notes you don’t want the supplier or regulator to read.

Going to a regulator

Some suppliers, such as telcos, banks and government agencies, are subject to government regulation. A regulator can help you get your issue resolved when you have been unable to do so with the supplier directly.

Before contacting a regulator, advise the supplier that you are considering taking the issue to their regulator. Some suppliers (like telcos here in Australia) are very keen to ensure that customer issues do not end up with the regulator, for various reasons. Sometimes the supplier will escalate your case to a special team within the organisation for dealing with these situations.

My preference is the three-strikes method. When a supplier has had three attempts or opportunities to resolve your issue and has been unable to do so, advise the supplier that you will be contacting the regulator. If the supplier still doesn’t come through for you, look up how to contact the regulator and open a case with them.

Regulators almost always expect you to have attempted to resolve an issue with the supplier directly before they will take on your case. If you have a detailed log of all the interactions you had with the supplier then this helps the regulator enormously because they can see at a glance everything you have done and when. This also increases the likelihood that the regulator will take your case on for you.

Common Challenges and Pitfalls

  • Look out for the up-sell. Some less reputable suppliers might try and convince you that you need to give them more money or purchase an alternative product to have your issue addressed. Do not give in to this. If this happens to you, focus on getting the issue resolved and then find a new supplier.
  • Sometimes something bad happens. I once spent 4 weeks working with a supplier to have an issue resolved. The case ended up on their Asia-Pacific Vice President’s desk and was resolved in very short order from there. I was only able to get this to happen because the supplier’s IT team migrated their issue tracking system to a new service in the middle of my case and lost all my history. I was faced with the task of starting again or being polite yet firm to get an effective escalation. The VP was very apologetic and I learnt I wasn’t the only customer who wasn’t pleased about the situation.

A mapping (no not a Swardley thing) of On Prem, AWS and Azure Security Components


A useful one pager to compare the various security products of AWS, Azure and the usual on-prem suspects/capabilities.

via Conceptual Mapping of On-premises Infrastructure Security Components to Cloud Security Services by Adrian Grigorof CISSP, CISM, CRISC,CCSK – physical, providers, security function | Peerlyst

I’ve found a name for the way I like to work


Dynamic work design is a more effective method of managing workflow, especially intellectual work, says MIT Sloan senior lecturer Donald Kieffer.

via The 4 principles of dynamic work design

HA MultiAZ SMB Cluster on AWS


The following video was shared by @Gordypls. So HT to him.

I’ve seen similar solutions to this need come and go over the years and have never found a solution that I was entirely happy with. This one looks better than other contenders. It’s a 4-minute watch and feels like a reasonable solution for use on AWS.

I’ve corrected the title on this video because CIFS is a legacy name now. See this.

via Qantas: Building a Highly-Available, Multi-AZ CIFS Cluster on AWS – YouTube

Interesting Railways Documents


Putting this information up here for future keeping. I seem to need to keep referring to these from time to time and it will be handy to have them saved somewhere.

PIR for RailCorp (Now SydneyTrains) Sydenham Signal Box Failure on April 12th.


Presentation on the Stabilisation of the Melbourne Train Control System

Legacy Train Control System Stabilisation

Technet landing page for Windows Event Forwarding information.


Probably more information about Windows Event Forwarding (WEF) than you will ever need.

via Windows Event Forwarding – TechNet Articles – United States (English) – TechNet Wiki

ASD Essential Eight and Enterprises


The Australian Signals Directorate (ASD) has updated its ‘Top Four’ mitigations for intrusions. The recommendations have now expanded to the ‘Essential Eight’.

The essential eight is a short list of the top eight mitigations govt and businesses can adopt to reduce the threat and likelihood of a successful IT security and/or information breach.

This article examines the eight recommendations and which ones I consider a *MUST* for private enterprise. Government agencies should use their own info-sec policies to determine their own approach; that’s a topic for a different post.

Of the eight mitigations described by the ASD, the following four key items for business are critical (ASD lists patching of operating systems and patching of applications as two separate items; they are combined here):

  • Patch Operating Systems and Applications
  • Restrict, control, monitor and audit privileged account access and use
  • Use 2FA/MFA authentication
  • Backup data and offline storage

Lastly, the remaining three items are briefly described, with justifications for why they aren’t a *MUST* do.

Patch Operating Systems and Applications

It goes without saying that regularly applying operating system and application patches to any system is a must. This is a well known mitigation and has been recommended practice for many years now. Operating system vendors now have mature and robust tools to allow businesses to quickly understand the patch level of existing systems and easily approve patches for distribution and installation.

Applications are a different problem. The recent Apache Struts vulnerability and the OpenSSL Heartbleed vulnerability in 2014 are good examples of complex application vulnerabilities. In both cases it wasn’t the vendor’s product or service that was directly at fault but the underlying library or framework bundled into it.

This type of problem is difficult to manage since, as a consumer of a SaaS offering or COTS product, it is very difficult to know precisely what third-party code vendors include in their offerings.

Couple these complexities with busy teams and a reticence to touch or change old or fragile systems, and it’s no surprise that application vulnerabilities take a long time to be patched.

Robust and regular operating system and application patching is highly desirable but may not be easily attainable. There are other options to further mitigate this risk, however.

Automated vulnerability scanning can be used to regularly scan and interrogate systems and their software inventory for known vulnerable software versions. These systems can present threat telemetry (or alarms) to operations teams. This allows informed decision making so that limited and valuable resources can target the areas of highest risk.

Restrict, control, monitor and audit privileged account access and use

Exploitation of privileged accounts is a common and easy vector for intrusion into any system. To make matters worse many systems have an ‘all or nothing’ configuration of privileged accounts. The most common example is the ‘Domain Administrators’ group in Microsoft Active Directory where members of the group are able to perform any action on any object or device in the domain with little-to-no audit or oversight.

The people who feed and water the systems should only elevate their access to a privileged state when they are required to do so and only as part of a controlled and audited event. A few simple rules and approaches can help realise this.

Operations staff are users too, therefore their accounts are just normal user accounts and confer no special access or privileges at any time. This approach serves as an important reminder to operations staff that elevating their access is a conscious choice and action on their part. It pushes back on the operator’s inclination to think ‘oh I’ll just quickly tweak this small thing’ and possibly leave something in an open state or, worse still, cause a broad, unintended side effect. Remember, with great power comes great responsibility.

Privileged groups and roles are empty by default. If the system has a role-based access control mechanism and the roles and groups with elevated privileges hold no standing members, then there are no individual user accounts for an attacker to target in order to gain elevated access; membership is added for the duration of a controlled task and removed afterwards.

Privileged group and role memberships are controlled by policy. The IDAM system alone shouldn’t govern which users are members of which roles. A policy control system (in AD, for example, the Restricted Groups setting in Group Policy) should define which accounts are members of which privileged groups. Doing this ensures that even if an attacker is able to make a change in the IDAM system, there is another layer of control and audit which reverts the change to the desired state at the next policy refresh.

Changes to privileged groups and roles are audited, monitored and alarmed. This is a critical capability to realise. The operations teams (both infra and sec) should maintain situational awareness of privileged actions and changes. This means that everyone knows when a privileged action is scheduled to occur, so that when one occurs unexpectedly alarms can be raised and an investigation begun. In Active Directory the relevant Security log events are 4728/4729 (member added to/removed from a security-enabled global group such as Domain Admins), 4732/4733 (local group) and 4756/4757 (universal group such as Enterprise Admins).
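The following is an added example, not code from the original post, showing what “audited, monitored and alarmed” looks like in practice for the two rules above (privileged groups are empty by default; every change happens inside a scheduled, approved window). It takes Windows Security group-membership events (the real event IDs 4728/4729, 4732/4733, 4756/4757), a list of approved change windows, and raises an alert when a privileged group changes outside any window, when it changes inside a window but by someone other than the approved operator, or when an approved elevation is still in place after its window closed. The flat `key=value;` export format, the sample events, the CORP domain accounts and the CHG-xxxx ticket IDs are all constructed for the example.

```python
"""Added example: alarm on unscheduled or lingering privileged-group changes.

Event IDs are the real Windows Security log IDs; the export format, sample
events, accounts and ticket numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Groups that should have no standing members (empty by default, see above).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
ADD_EVENTS = {4728, 4732, 4756}     # member added: global / local / universal group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed: global / local / universal group


@dataclass(frozen=True)
class ChangeWindow:
    """An approved change ticket: who may touch which group, and when."""
    ticket: str
    group: str
    approved_actor: str
    start: datetime
    end: datetime

    def covers(self, event: dict) -> bool:
        return self.group == event["TargetGroup"] and self.start <= event["Time"] <= self.end


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    ticket: Optional[str]
    event: dict


def parse_event(line: str) -> dict:
    """Parse one record of the constructed 'key=value;key=value' export format."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    fields["EventID"] = int(fields["EventID"])
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields


def evaluate(events: list, windows: list, now: datetime) -> list:
    """Return alerts for privileged-group changes that are unscheduled, made by
    the wrong person, or left in place after their change window closed."""
    alerts = []
    pending_adds = []  # approved in-window adds that must be undone before the window ends
    removes = [e for e in events if e["EventID"] in REMOVE_EVENTS]

    for ev in events:
        if ev["TargetGroup"] not in PRIVILEGED_GROUPS or ev["EventID"] not in ADD_EVENTS | REMOVE_EVENTS:
            continue
        window = next((w for w in windows if w.covers(ev)), None)
        if window is None:
            alerts.append(Alert("HIGH", "privileged group change outside any approved change window", None, ev))
        elif window.approved_actor != ev["Subject"]:
            alerts.append(Alert("HIGH", "change inside an approved window but by an unapproved actor", window.ticket, ev))
        elif ev["EventID"] in ADD_EVENTS:
            pending_adds.append((ev, window))

    # Just-in-time elevation: every approved add needs a matching remove before the window closes.
    for add, window in pending_adds:
        if now <= window.end:
            continue  # window still open, nothing to judge yet
        undone = any(r["TargetGroup"] == add["TargetGroup"] and r["Member"] == add["Member"]
                     and add["Time"] <= r["Time"] <= window.end for r in removes)
        if not undone:
            alerts.append(Alert("MEDIUM", "privileged membership persisted after its change window closed", window.ticket, add))
    return alerts


# Constructed sample export (not real log data).
SAMPLE_EVENTS = r"""
Time=2017-05-02T09:05:00;EventID=4728;Subject=CORP\ops.jane;Member=CORP\jane.admin;TargetGroup=Domain Admins
Time=2017-05-02T09:40:00;EventID=4729;Subject=CORP\ops.jane;Member=CORP\jane.admin;TargetGroup=Domain Admins
Time=2017-05-02T23:17:00;EventID=4728;Subject=CORP\svc.backup;Member=CORP\tmp01;TargetGroup=Domain Admins
Time=2017-05-03T10:00:00;EventID=4728;Subject=CORP\ops.bob;Member=CORP\bob.admin;TargetGroup=Domain Admins
Time=2017-05-03T10:30:00;EventID=4732;Subject=CORP\ops.bob;Member=CORP\bob;TargetGroup=Remote Desktop Users
""".strip().splitlines()

# Constructed change tickets (hypothetical ticket IDs).
WINDOWS = [
    ChangeWindow("CHG-1042", "Domain Admins", r"CORP\ops.jane", datetime(2017, 5, 2, 9, 0), datetime(2017, 5, 2, 10, 0)),
    ChangeWindow("CHG-1043", "Domain Admins", r"CORP\ops.bob", datetime(2017, 5, 3, 9, 30), datetime(2017, 5, 3, 11, 0)),
]


def run_sample() -> list:
    """Evaluate the sample the day after the windows closed; two alerts expected."""
    return evaluate([parse_event(l) for l in SAMPLE_EVENTS], WINDOWS, now=datetime(2017, 5, 4))


if __name__ == "__main__":
    for a in run_sample():
        e = a.event
        print(f"{a.severity:6} {e['Time']:%Y-%m-%d %H:%M} {e['EventID']} {e['Subject']} -> "
              f"{e['Member']} in {e['TargetGroup']}: {a.reason} (ticket={a.ticket})")
```

On the sample, jane.admin’s elevation is scheduled, performed by the approved operator and removed 35 minutes later, so it is silent; the 23:17 addition of tmp01 by a service account has no ticket and fires HIGH; bob.admin was added legitimately but never removed and fires MEDIUM once the window has closed; the Remote Desktop Users change is ignored because that group is not in the privileged set. The “wrong actor” case is the one to watch for credential theft: a correct ticket and time, but the change made from an account the ticket did not name.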

Businesses insist on a ‘separation of powers’ approach to procurement and purchasing, privileged access to systems should be no different.

Use 2FA/MFA authentication

Password reuse across systems and storage of passwords in weak or reversible forms are the biggest threats to the safety of credential information in any system. For public Internet-accessible systems the viability of the username/password pair as a secure method of access control is no longer tenable. Better security of user authentication is required.

Enter two-factor authentication (2FA) or multi-factor authentication (MFA). This capability adds a second factor to the user authentication process (something you have, alongside something you know) and, better yet, it is something that is not easily shared and, in the case of one-time codes, is only valid for a short period of time. Attackers can try to guess a password for as long as they like; without the second factor they still cannot get in. Better still, logon attempts that fail the 2FA or MFA step can be used to trigger alarms and prompt further investigation by ops and sec ops.

Require 2FA/MFA for every privileged account request or action and you have a strong protection against compromise of elevated privileges.

Backup data and offline storage

This mitigation ensures that backup data is captured and stored in a manner that makes the data impervious to ransomware and other data-loss type intrusions. Data backup is a core service component of any IT system; however, in recent years, as ransomware incidents have grown, stories have emerged of systems that suffered a ransomware intrusion which also managed to reach the backup systems. This has meant that businesses have not been able to restore their data because the backups are also encrypted. In some of these cases businesses have paid large ransoms or gone bust. Payment of the ransom is also no guarantee that the attacker will release the decryption keys to you.

Storing backup data in an offline manner is considered an ageing practice now however it is an effective mitigation for ransomware and other malicious data loss scenarios because it ensures that backup data is not subject to this type of intrusion.

In cases where offline storage is undesirable or difficult, implement strong control and audit of backup account and system access. Treat backup access as a privileged action and ensure that backup data cannot be accessed without using 2FA or MFA. Consider a three-tiered backup storage approach where recent backup data is stored online, slightly older data near-line, and the oldest, coldest backup data IS stored offline.

Backup data is the last line of defence against ransomware, ensure your organisation and teams are well geared and equipped to rely on it when things go badly wrong.

Whitelisting, macros and application hardening

The Essential Eight recommends three other mitigation strategies which are worth mentioning, since this article does not treat them as a *MUST* for businesses.

These three mitigations have important value in the effort to prevent and limit infosec incidents in any organisation and must not be dismissed out of hand. Their importance to private business is diminished in this article for a few different reasons.


Application (or process) whitelisting is a very large, complex and onerous mitigation. Imagine if you will a haystack full of needles. Each needle is a different length, diameter and type of metal. Now build a sieve which will filter all the hay and needles and ensure that only a single needle remains in the sieve. A very difficult, complex and time consuming activity.

Whitelisting has a place and there are multiple ways to achieve it, however there are few environments where the cost or complexity risks make whitelisting a must have.

Office macros

It is often said that businesses run on spreadsheets, and Microsoft Excel is the usual host. The macro (VBA) capability baked into Microsoft Office was one of the earliest malware vectors and remains in use today.

Microsoft has tightened the default security posture of Office when it comes to macros, however the functionality remains enabled by default behind a notification bar, and convincing the user to click ‘Enable Content’ is what intruders rely on.

For organisations that don’t use Office macros they are very easy to disable via Group Policy (the Trust Center ‘VBA Macro Notification Settings’ policy, set to disable all macros without notification) and should be mitigated this way. Note that 64-bit Office runs VBA macros just as 32-bit Office does, so changing Office architecture is not a mitigation.

Application hardening

The ‘application hardening’ label is a little opaque; ASD’s full term is ‘user application hardening’ and it means configuring web browsers to block Adobe Flash, advertisements and Java. Both Flash and Java are well-known exploit vectors, Flash in particular, and the exploits frequently arrive through website advertising networks.

Block Flash and Java at the perimeter of your networks. When done well, you will be shocked to see how much faster web pages load when all those advertising frames aren’t rendered. As a side bonus you will save Internet bandwidth as well.


If you have gotten this far then I congratulate you. Push on and review the additional information available from ASD on each of these topics.