How to Avoid Cyber Risk and Protect Your Clients and your MSP

Small to medium-sized businesses lose an average of $25K to $50K per cyberattack. It’s more than just about the immediate damages to the company, but the long-term effects too. 60% of small businesses will fail in the half year following an attack. MSPs need financial protection to keep them afloat as they recuperate from the damages.

In this webinar, we talk with two cyber experts - Al Alper, a former MSP turned cybersecurity vendor CEO and Harry Boyne, a current MSP building and deploying his first cybersecurity offering.

They share views on how MSPs can use cyber liability insurance to set up a safety net to protect their business in the aftermath of a cyberattack. 

Key Takeaways

1. The most common areas of protection that MSPs must offer their clients:

• Cyber Security Training (and a mechanism to help clients conduct and pass the training)
• Multi Factor Authentication
• Filtering
• Endpoint Protection
• Perimeter Protection

2. Areas where IT Partners potentially leave themselves liable:

• The biggest risk is that Partners often overlook their own house. They are keen on developing their offering but not pausing long enough to consider themselves. Start with your own security assessment before moving on to your clients.
• Ensure you have security standards - a single bundle that is rip and replace. Don’t sell what you can’t take on yourself. 

3. MSPs are often the target of data breaches themselves, because they can be an access point to hundreds of businesses and thousands of customer files and private information. Here’s what MSPs need to be doing to keep themselves safe:

• Do a risk assessment of your organization 
• Make sure that your team knows the company policies and procedures, front and back.
• Make sure your team is going through some form of ongoing training. 
• Run simulated phishing campaigns against your own team. 
• Perform quarterly vulnerability assessments on your infrastructure. 
• Perform annual pen tests, against your infrastructure, if you're hosting any of your own tools.

4. MSPs should be extremely paranoid about their cybersecurity offerings and their clients. As MSPs you literally hold the keys to your clients livelihood and so it’s your obligation to protect. The goa of your MSP should be to keep your clients data safe, always.

5. It’s certainly attractive to SMBs to work with MSPs who have done their due diligence creating a strong security posture for the MSP. MSPs should not be selling tools instead solutions.

TRANSCRIPT

‍

‍Shannon: 

Hello and welcome to Paranoid or Protective? De-risking Clients Cybersecurity for Partners. I'm Shannon Murphy, Chief Marketer at Zomentum. The Sales Acceleration Platform built exclusively for the channel. 

Let me tell you a little bit about our guests whom I just adore. Every call I have with them is fantastic. Harry Boyne is the Co-Founder and Technical Director of Chalkline, one of London's leading IT Managed Service Providers and Microsoft Cloud Solution Providers now going on five years. And congratulations to them. I just saw your five year anniversary on LinkedIn. Harry thoroughly enjoys creating unique, best of breed solutions, which meet all customer expectations and bring them ahead of the curve. 

Al Alper is founder and CEO of Absolute Logic Inc, an MSP based in Connecticut, and CyberGuard 360, a channel-only company providing advanced cybersecurity platforms to MSPs, MSSPs and IT Service Providers. They're also Zomentum partners, and we very much enjoy this relationship. It's fantastic. He is a serial entrepreneur, having founded several successful companies and is passionate about security and compliance. He can be found proselytizing about culture as a primary driver of security and compliance to international CEOs and NASDAQ, the halls of Congress, Harvard Business School and MIT, and then a myriad of boardrooms around the country. And myriad is one of my favorite, favorite words. Lovely, bio.

Thank you both for being here today. And I just want to let the audience know we are going to have such a good time because we have some very smart gentlemen on the line, who will also know how to have a good time.  

So insurance compliance is top of mind for almost every SMB. That's why we're here. That's why we're holding this session. 

‍

What Are The Most Common Areas Of Protection That MSPs Must Offer Their Clients?

‍

Al:

I'll jump into that. If I say I'll jump into that first, not to monopolize the conversation. So by way of background, we're deeply invested in the insurance space and our MSP. In fact, CyberGuard was born predominantly because of the relationship we have in the insurance space, amongst others, but in financial services writ large, the insurance space in particular. And that was born as a result of one of the first regulations ever for the insurance industry around cybersecurity. It was a New York reg that was promulgated in 2016 and came out in 2017. 

The insurance market over the last year and a half has gotten very restrictive, relative to what they are willing to pay out on, and predicated on what MSPs are doing, not just for themselves, but for their clients. (And I want to add to this a little bit later on in our conversation with the DOJ’s latest release, which is really interesting that it came out just yesterday, in advance of this webinar, it's almost like they knew we were gonna have this webinar, they made this announcement. But I'll get to that in a few minutes.) 

What insurance companies are beginning to do is something called a deck page or a declarations page in everybody's insurance policy. And what that declarations page again, deck page for short, does, it lists all the things that they will not pay for, if you have not done them? Basically, they're the exclusions that says -  If you say you're doing training, and you don't do training, we're not paying if you're breached. If you say that you have a firewall and you have a router, we're not paying if you're breached. So they have the list of what they will not pay you for in the event of a loss if you haven't fulfilled your obligation on that side. 

And so as MSPs consider what they're offering their clients, they need to and I strongly encourage it, to review what their coverage looks like with their insurance providers and see what is excluded from coverage in the event of i.e. -  if they don't have training and they're supposed to have training, they're not going to be covered for a breach -  and then offer those services. 

At a low level, what we've seen, and we've got some 150 Plus clients in my MSP, what we have seen is that they have some entry level things that all carriers want their clients to have, if they're going to have cyber liability insurance, and they're going to pay out on a claim. Top of that list is training. Interestingly enough about training, they don't set a standard, they just say training. 

And so anybody who knows, you have really good training, and then you have checked the box training. And all of that counts, I'm not saying that you should use check the box training, by the way, I'm just saying that all of it counts. 

“And so MSP should be, not just be offering cybersecurity training, they should be helping their clients actually go through the training.” 

So in my MSP as an example, when we onboard somebody, I take over the responsibility of getting their team to go through training. And we do that through our CyberGuard platform, obviously. So a lot of that's done on an automated basis. And that relieves the burden from the CEO. And therefore they're much more willing to let us impart that on their team. And that's really the top of the list for what insurance companies are looking for - Are you doing training? 

And then there's all the things that almost every MSP is doing - Endpoint protection, perimeter protection, spam and email filtering, those are kind of 

The four high bar things  - Training, Filtering, Endpoint Protection, Perimeter Protection - that you need to have in place as a baseline, if you're going to have a carrier, cover you for cyber liability.

Shannon:

I know Harry, I know you're building out a bundle. And I think that could probably be an inspiration for some people who are also building out their first cybersecurity offerings and aren't you tiering based upon training as well?

Harry: 

So about two years ago, we created a bundle that we started selling to our customers, that was a one size fit - bringing in our essential products effectively. 

COVID hit just as we were kind of getting on the right path, which didn't help, although we've still done quite a lot of deployments and most of our customers now have this. So it's things like, everyone's got an MFA, everyone's got some email filtering, Office 365 backup elements like that. We're now creating our latest security bundle stack, which is taking far longer than I thought it ever possibly could. 

And in that stack, we're making sure we include, MFA has to be there, MFA is the first thing, if you don't have that we're not talking to you. But then also things like definitely training, we want to be sending phishing emails out, we are looking at possibly having on more of the premium stacks, maybe some stock monitoring, or some network edge stuff. And also maybe looking at password managers. But you surprised how many people have still got that spreadsheet or that book that's on their desk or the sticky notes are on their monitors. And they still don't change those passwords, or they don't put MFA on it. So having a password manager, which supports MFA, does dark web monitoring - that's a godsend for us.

Al: 

And I think those two things that you said are critically important. One of them is how unbelievably long it's taking you to build your stack. Right? Because, you know, when we first started, it took us a year to put our stack together. A full year from shot. Okay, we want to do this. What is it we want to do? And it still wasn't perfect by any measure, but it was now good enough to go to market. And that stack was wide and deep. But it needed to be, right? If you think about the attack surface, and how broad that is, and having to at least cover as much of that as possible at a price point that's reasonable, right? 

I have this graphic that my team built about covering the full attack surface. And there are some 70 plus elements that would be added to your stack, if you were to cover the attack surface at a rough cost to the MSP of between $1,200 and $1,400 per user. That's the cost, right. So you couldn't possibly cover the entire attack surface. So you have to build something that is affordable, but protective. And that's why it takes so long, I'm sure how he's going through this now, as he's building like, Okay, what do I weigh into this? And what do I consider - Basic what do I consider advanced.

Harry: 

And you've got that constant - the thing that you don't include is the way someone else’s gonna get in. It's like, you've got to be pragmatic. At the end of the day, you know, you take risks every day, which risks are you willing to take, which are the ones that make the most sense? And, we have conversations such as - do we look at doing endpoint vulnerability assessments? Well, 99% of attacks that we get reported are caused by phishing inks, people clicking phishing emails, people putting passwords in and not having MFA. So actually, we should be focusing on what happens there. How do we protect our data? How do we protect our identity? And yes, endpoints are important. But maybe we need to be focusing elsewhere, initially, at least.

Al: 

Yeah, absolutely. Because time is money. And you can't be everywhere all the time. Resources that are finite. 1000% agree with you Harry.

Shannon: 

Yeah, yeah. And so that brings me to my next question. You guys already anticipating this? Because we do want to talk about risk. Right? I think that's a huge fear for the MSPs, Partners and especially within the context of insurance, I'm very curious, you know -

‍

Where IT Partners Could Potentially Be Leaving Themselves Liable?

‍

Al: 

That's a great question. Everybody wants to be in the security space selling security offering protections to their client. And all too often, they don't even bother to look at themselves. And that's a serious problem. I don't think you can sell security until you've secured yourself and that's actually one of the reasons it took us a year to build the stack, as we looked at the landscape of our attack surface. And I've literally looked around saying, WTF, how is this even possible, I'm the guy that sells it. And we had gaping holes all over the place, thankfully, I knock wood, that's no longer the case. But when we first started up with that, I was going to sell things that I wasn't even using myself. 

“And so it's important that an MSP should first look inward at themselves and their company and their employees and their infrastructure and everything. And they should do a full assessment of themselves.” 

It's one of the reasons why in our platforms we give our partners a fully functional version included in their account for them to use on themselves. It's not because we're great guys, we are! But it's because we truly believe you have to use it to better understand it, not only its value in the security lifecycle, but why it's so valuable for your clients. 

And if you're not doing that, you are doing a huge disservice to your customer base. And frankly, I think you're leaving yourself open to litigation, and not just litigation by your client to you, but past litigation by their customers who've been breached. 

If you look at CCPA, New York shields, GDPR, you can see a litany of your clients' customers coming after you for not having protected data that you are custodians of and you have an obligation to protect. And as a result of that, you're exposing yourself. In California CCPA, they have codified, they have embedded in the law, the right to class action suit without proving harm. And so what they're saying is that I just need 20 people to say that they were hurt without proving it. And they can go after the MSP in a class action suit. If you don't realize the implications of that, you are literally homeless, because that kind of a suit pierces the corporate veil to the owner of the company. Your exposure is incredibly deep and wide, if you're not taking care of your client, and, the only way to really do that successfully, is to take care of yourself first and foremost.

Harry: 

This resonates a lot with me, I mean there's a slight frustration, I think, internally because my guys, you know, they don't have admin rights. And people get over it quite quickly. They understand that it's a requirement. But you know, I've seen on Reddit, some threads where people have said, My boss has taken away my admin rights. This is disgusting. This is war.  And, actually you know the truth is we're evaluating a few security tools that they've sent to us. You know, we're looking at a whitelisting product where it's a lot of work, because we're having to build a whitelist. And they said at the beginning, just FYI, you are going to be your worst customer. Most of your team will be technical so they'll be fighting against the system, they know best, they know what they're doing, they're qualified. And you've also probably got the weirdest set of applications with your RMM and your PSA, you're making constant changes. So it's the hardest environment to secure. It's also the one that needs to be kept the most secure. 

So when I deploy things like IP lockdown, when I have conditional access, and all of a sudden, you know, the guys, when they're at home, they're not able to get in as well, or they're having to jump through extra hoops. And oh my God, I've had four MFA prompts in 15 minutes, you know, or they've had another phishing test, and I caught them out, you know, it's things like that, that actually, I think it's a culture thing - If one of our customers takes on a security measure, if we don't take it on, it's not an option. It's not a discussion. I'm not willing to have it anymore. Yeah, that's as simple as that.

Shannon: 

Yeah, yeah. Well, because I mean, we already know MSPs are a target for these data breaches.

Harry: 

It stops me sleeping. 

Shannon: 

I know this, it's like the thing of nightmares, right? So we know MSPs need to bring this technology in by testing it themselves, so that they can be the best advisors to their clients, and that they are protected as well. Um, do you guys want to get into any specifics of what you feel like MSPs need to be doing to keep themselves safe.

‍

What MSPs Need To Be Doing To Keep Themselves Secure and Safe?

‍

Al: 

So I'll start with this and from my MSP perspective, right. 

“So I strongly encourage all MSPs to settle on a stack and then require all your customers subscribe to that stack, whatever that is.” 

So, when we take out a new client as an example, and I'll explain the rationale for this, we rip and replace everything they have if it isn't part of our stack. And it could be a lot easier for me not to replace what they already have. The problem with that is in the long run, it's much more expensive and much more risky. Because now instead of supporting the known stack that you have, you're supporting a dozen endpoint protection products. 

And you couldn't possibly be good at all of them. It's just not possible. Right? So when you take on a client, and I would strongly encourage everybody on this call, if you're not doing it today, go back and re-onboard all of your clients. 

Because when you bring them into your stack, two things happen very very quickly, you as an MSP become much more profitable, you become more profitable because you know your stack better, you know how to lock it down better, you know how to handle the incoming tickets better, your efficiencies and margins go way up. 

The second thing that happens is your client is much happier, their problems go way down. You're solving problems that do come up much faster. So it is quite literally a win-win. It's ripping off a band aid, I can tell you that, nobody likes change. However, it will be the best thing that you could ever do.

Harry: 

We've accidentally done this, we didn't walk in planning to do this with our customers, but it somehow happened. And we've been evaluating a few documentation, monitoring, and vendor agnostic platforms recently. And when we speak to them, I'm finding it incredibly difficult to understand their value proposition. And I'm feeling like I'm talking a different language, and I'm on these calls with them. I don't understand how you've got these other MSPs, who are just saying, this is brilliant, we're running our lives on it. And I'm looking at it and say, I don't understand why we are, why we aren't rather. 

And it turns out, it's because we standardized. Because we don't have 18 different firewalls that we have to know how to change a rule on each one, we know what they look like, because all our firewalls are the same. It's the same vendor, pretty much the same models, if they've got H.A, you know, it's a flag, it's something we put in you know, it's fairly straightforward. I've now realized what a difference that's made with our MSP and it's something that if you're not doing it, I strongly recommend doing that ASAP.

Shannon: 

That's interesting. You're almost saying like, these products aren't brilliant to me, because I haven't allowed for like the bloat of why this problem would even occur.

Al: 

Right? Exactly. And the more you add, the more sporadic your tool set looks right. 

“So five different endpoint protection, six different firewalls, the higher the likelihood that something slips through the cracks, and you're leaving a hole in your attack surface. When your team knows your product suite, well, they can lock it down the best.”

Harry: 

It doesn't matter. It doesn't have to be the best of breed, I mean, it's one of those things that, oh, we think this is better. But if I'm not monitoring it, if I'm not able to support it, then it's not going to be better. It's going to let something through, I'm not going to realize it's happened, you're going to get hacked, and then we're all going to sit back and go, well, what could we have done?

Al: 

That's right, using firewalls as an example, right? If you don't know a firewall, then you're not properly configuring it. And an improperly configured firewall is called a router. And they're not safe. 

Shannon: 

Yeah, absolutely. And I do think it's your job as an IT consultant to say, you know - trust me on this, I'm solving the problem, we don't need to be married to a specific piece of technology to do it. Right. Like that's an over-emphasis, you know, which happens from the clients perspective, kind of on the wrong things.

Al: 

So, I think that a lot of MSPs, and hopefully this helps them as they consider potentially standardizing and this should be your 2022 goal, by the way, if you're not doing it today, this should be because it's going to take you time to figure out what you want to standardize on. 

Because if you're supporting 10 endpoint products, you're going to have to choose one. If you're supporting five email filters, you're going to have to choose one. So just accept it'll take you a year to get there for a moment. And then you're gonna have to start re-onboarding your clients and moving them over. 

You don't sell products, you sell solutions. Because when you sell products, two things are true, they're gonna want to know why they don't have that Fortinet and why you're putting in a Meraki. They shouldn't even know what the hell of Meraki or fortinet is, but let's leave that alone for a moment. The other problem that you're having is, they're not going to price you out compared to other people selling Fortinet and Meraki and so you're commoditizing your offering by selling products and not solutions. And that's a race to the bottom, because they're going to go to the next cheapest person so I strongly, strongly encouraged selling solutions and not selling products. That's a much easier lift when you convert clients and re-onboard them.

Harry: 

Yeah, I mean, what I'm just going to add, because we are a part of this bundle reimagination, we're looking at every supplier again and every vendor and what's interesting is some of the criteria I had in my head two years ago has vanished and a new criteria has come in. 

So, for instance, a lot of the vendors are still shouting from the rooftops, oh, it fully integrates with our RMM, you can manage everything. So whatever RMM you're using, you stick it in the antivirus plugin, and it's fully managed. And yes, they work brilliantly. They work really really well. The problem you have, which I didn't really realize until I kind of thought it through - well if your RMM gets compromised, which feels like it could be an if and not a win. But if and when that does happen, what you don't want them to do is be able to get in, go on the antivirus module, hit uninstall everything and then start deploying their ransomware. You want them to be able to do what you want with the RMM. But our security lads are sitting there, and they will stop you. But it's something that they're still pushing. So it's just, it's something else to consider.

Shannon: 

Alex said spot on RMM. And I recognize that name. Thank you for joining us again, Alex.

Al: 

Remember that every single tool we use that makes our life easy, is a way for hackers to get in and exploit our ability to service everybody. 

So I wrote that Kaseya has been top of mind for everybody, because they are the latest headline. And unfortunately, they also were a major headline for some time, but before them was Webroot, before them was connectwise, before them was Datto, before that was SolarWinds. No. And it will loop again, right? There isn't a single tool out there. That isn't insecure. That's just a fact.

Harry: 

And you know, you have this remote working debate about you know, what should and shouldn't you be able to do remotely? And that at the end of the day, you have to be pragmatic, you have to have some access. But then you know, that the obvious and the honest answer is, well, if you can do this from home, so can a hack in, pick a country, you know, and yes, you can geo block IPs, they can set up a server here, it's happened, there's nothing that stops that. And yes, you can block it unless you get private broadband connections to each house. And there's still ways you know, at the end of the day, you can still have your son, partner, whatever it might be, go onto your machine and do something, you know, there's obviously there's risks there. But you know everything has got to be assessed. You have to want it to be isolated to a single layer. Otherwise, it's just game over.

Shannon: 

I'm just imagining Harry every morning with the like, the cup of coffee gazing out the window, like he's been on the same, what's the worst that could happen, but it started three weeks ago.

Harry: 

Doesn't need coffee, I’ll tell you that. 

When the Kaseya attack happened, I remember I think at four o'clock the following morning, I woke up. I'm just sitting down just reading through logs. Nothing has happened. But I'm reading every log, I'm writing a list. Right? If this has happened, then this will happen. And you're trying to justify it. And I think it sounds like quite a lot of MSPs, we're going through something similar journey on that day. It used to be when someone goes down everyone laughs because oh, well, I'm not with them. I'm better. It's not all luck. That's a bit that downplays the conversation. But a lot of it is you know, it so happens that you weren't attacked today.

Shannon: 

Yeah, absolutely. So make it a point of pride that you won't work with that particular vendor.

Harry: 

Being calm will not work for you there.

Al: 

So just so you know, in our MSP, we are an on-prem Kaseya shop. And we weren't hit. I believe it was 20%. Because we start with zero rights. And we only add rights that you're allowed. That's 20% of the neighbor's sense of luck. Right? We just got lucky. How much of that? Whether that's right or wrong, I believe in the 80-20 rule. I don't think we're smart enough to be 80. So we've got to be the 20 part of that. Right. 

So I think that well, two things are true. The way we handled it, although my team did an extraordinary job. Again, we weren't affected. We notified and were transparent with our client base. As a result of that we won a $1.2 million dollar additional contract with one of our clients. So that was because of our transparency and our openness and what we were saying. I'll also to Kaseya’s  credit, and I know the channel is not a fan of Kaseya for a variety of reasons. I thought they handled it extraordinarily well. I think that they took the initiative, they did things that, if you look at what SolarWinds did, or if you look at what some of the others did. You know they didn't take that approach. I thought that their approach was the best that I've seen so far. Is it perfect? There's no such thing. But best that I've seen so far in hindsight, right. So look again, looking at SolarWinds and Datto and ConnectWise and Webroot.

Harry: 

There were some vendor wars, which I'll not name during this Kaseya issue. And I wrote back to those vendors and made it very clear don't get me to sign a petition against this. Don't get me to do this. I'm telling you now, I'm siding with Kaseya.

Al: 

In this instance, right, and not always, I just think they did a terrific job on that. But what it did was one of the things I thought was a really great outcome of the Kaseya event, it really forced a majority of our brethren in the MSP space to be introspective and say, Jesus, what about us?  Because for the first time, I was having a real conversation with our MSP partners in CyberGuard, how do we deal with something like this? Like, what are you doing to help me and how are you taking care of the day? I mean, before, you know, MSPs would just sign up. It was interesting, and I welcome those conversations.

Shannon: 

Yeah, no, that's it. That's a completely valid point. Related to this, how often do you think MSPs should be reviewing their security policies and procedures, and perhaps that of their vendors too. How paranoid should an MSP be?

‍

How Often Should MSPs Review Their Security Policies And Procedures?

‍

Harry: 

All right. Whenever they blink, exactly that. Hahaha

We've had customers who will forward us, like BBC News links - oh these people have just been hacked, are we fully protected? and we reply, and the answer is no! And yes. it doesn't mean we're crap, it doesn't mean we're not doing our job, or we are completely negligent. If we said to you you were fully protected. You know, it's a very different conversation, all we can do is add layers of protection, your house might still get broken into, it doesn't matter if you've got a security guard or the guard dog at the door, you know, it can still happen. 

“And it's not necessarily about the protocols you had in place to prevent it from happening but how you're going to respond and how you're going to limit it.”

It is very different to one user's email account getting hacked and a few emails going out. And a full blown ransomware attack. One is very easy to recover from a bit of embarrassment, everyone has a bit of a laugh at your expense. And there might be a few damaging emails. In the case of the other one, his business can be off for three months.

Al: 

I think that, like Harry said, you need to be paranoid as hell. Right? We quite literally have the keys to the kingdom. I don't know how many of you think about all of your clients, think about the 1500 businesses and their Kaseya attack. By the measure of most of them recent supply chain attacks, Kaseya was small. It was a big headline, small consequence, not for those that happened to and if you're on this call, nobody felt as bad for you other than yourself and we did as especially as a fellow Kaseya shop. I even offered my team out to the people I know who were affected. 

But you need to be very paranoid, we literally hold the keys to our clients livelihood. Now when I talk about our customers, our stakeholders in a much broader sense. Your customers and their stakeholders are not just them and their financial bottom line, it's their employees and the families that eat because of those employees. It's the vendors that they buy from and the families that eat because of those vendors paying those salaries. It's the customers who rely on them. Think about the supply chain problem today - when you walk into the store, you can't get toilet paper. I mean, this is what happens to customers when your clients go out of business. Somebody isn't going to get something from them, and they may not have any other place to go to get it by the way. 

And so our role and responsibility as MSPs is greater than most people really understand. Because there's so many people in that stakeholder chain that ultimately rely on us to do our job. And our job first. If you ask anyone in my MSP, what is the single most important thing we do for our client, and I encourage anybody to go on my absolute logic.com, go on the website, call the phone number. And whoever picks up the phone, they know what's the single most important thing you do for your clients. And to a person they're gonna say we protect our clients data. And that is the most important thing that we do. And they know it. It's a religion here. You can not answer the phone call, if you're busy worrying about data being protected. When you solve it, get back to the damn call. That's the single most important thing we do. Because there are so many livelihoods at stake, we have an obligation to protect.

Harry: 

I mean, When I say about the culture, and having a conversation with my team, you know, I've had people go, Well, if we don't have a backup option to connect to our cost customers machines, then in the event that we had anything happen, we couldn't get on to their machines. And I just turned around and said, right, I can have two conversations with the CEO of my customer. Conversation One is, we're really sorry, we've messed up, we can't support you for today, you're going to have a bit of a bad experience, if you need support, our tools are down, we're taking it as precaution, we did something silly, or whatever it might be. 

Option two, really sorry, Mr. Customer, you've had a ransomware attack, wait for the call, you're down for a few months, you know, what days, months, whatever it might be, there's going to be disruption, you know, look for that. You're gonna need to press contact, give your insurance, go through that whole process. 

I don't ever want to have conversation number two, I will have conversation number one every single day if I need to, we won't look particularly competent. But if it's to save us from a breach, if it's to do the right thing, from a security standpoint, then there isn't a conversation. There isn't a debate, it is a no brainer.

Al: 

So in our Kaseya response, again weren't breached? So we knew something was happening about 45 minutes before Kaseya shut down their servers and then we had already shut ours down. Because someone in the network alerted us to chat on Reddit, I jumped on Reddit. I saw one of the people there saying what was happening to them.I called one of them like yeah, this is actually happening. I got off the phone and immediately shut our servers down. And I know our response. We have a standard email template for when one of our tools goes offline, particularly one of our support tools that says this is how you open a ticket during an outage. 

And so it's already built into our incident response as to how we manage that. And that's why I said our team handled it really well. Because we hit the playbook and they pulled it off. They made me look really good. I'll just put it that way. I'll send that to everybody so that you can take a look at that. 

Shannon: 

Awesome. Yeah, we'll definitely send that out in supplementary materials. That's for sure.

Harry: 

And yeah, that playbook. I mean, we're on that journey. We're not fully there yet. You know, we've been working on it for a while. We're ISO accredited. So we have bits, we've got chunks of it. And in the event of a disaster, obviously, we're able to recover. But what we want is that well-rehearsed fire-drill type scenario that in every quarter, everyone's going to come in, I'm going to tell everyone, right? Half of you carry on, half of you go down to the meeting room. Now, here's a situation. Get me out of the situation. And I'm going to sit there and play Quizmaster, any curveball, I can bring them, I'll bring them. And it's you know, it's there to make sure that we learn from the mistakes. And we've done it a few times. And already, there's little things, you know that the example I always give, I think I've copied out what someone's webinar was, who's feeding the team, you know, in the event, this is happening, and everyone has got their heads in it. You need to make sure that someone is making sure these people are eating and sleeping and not ideally dropping dead at their desks. Because at that point, you know, you're in real trouble, you know, whether it's a response to an attack, or an attack itself or whatever, it might be preventative or it's happened, you need to make sure that the teams are looked after. And if you have someone who spreads, you need to just do that, and everyone else focuses on the job. It gets things done much quicker. 

‍

How To Fully Assess Your Attack Surface's Vulnerabilities?

‍

Al: 

1000% I think the question was, you know, what should MSPs do, if I could go back to that. These are the things that you can do to fully assess your attack surface's vulnerabilities. And then and only then can you start to protect yourself.

• The first thing you should do is, again reflect on yourself, do a risk assessment of your organization. Do a real risk assessment of your organization like where do you have holes. 
• Make sure that your team knows the company policies and procedures, front and back.
• Make sure they're going through some form of ongoing training. 
• You should be running simulated phishing campaigns against your own team. 
• You should be doing quarterly vulnerability assessments on your infrastructure. 
• You should be doing annual pen tests, against your infrastructure, if you're hosting any of your own tools.

There's an old saying, don't expect what you don't inspect. How the hell do you know if you're protected, if you haven't even inspected whether or not you're protected.

Shannon: 

Yeah, Harry, I think that you ran a phishing campaign against your own team, right?

Harry: 

I did, I gained a bit of a reputation after I did that the first time around. I decided rather than going off the shelf, I did something I thought they'd click on, I wrote something personalized, I tried to do it a bit generically. So I didn't send it from the normal personal system. But I mean, we don't use Power BI internally, at the moment we are doing a project that's ongoing. So I wrote an email from Power BI and said, see your report from this month. And I got a 50% click rate. And most of them put their passwords in, they're the technical guys. 

And after that happened, I made it a bit of a cultural thing. We didn't want to dress them down in front of everyone, but you want to have a bit of a laugh about it, you need to have a little bit of banter. And make sure that you do that again. And the next time around, I did it. I did one that I thought might get the same result. I got half - 25% or half as good. 

The third one I did, I went really evil. I wrote from our office manager, I wrote an email to me saying, Could you please approve this month's payroll and attached it? And I think I had one curious person click it. But apart from that, no one else clicked it, and no credentials got entered. 

So to go kind of down that slope, and now everyone's scared to click on an email. But if something is not expected, they run it by us. And that is what it should be. You know, you don't want fear. You don't want someone sitting there like pointing a gun at them every time they open an email. But they need to understand that you need to just check it over. If you're not sure, ask someone! But not only that, there's going to be a little bit of banter. If you click an email, and you put a password, and I'm going to laugh at you a little bit, but on the flip side, you need to tell me about it and it's fine. Tell me in a week's time when I found that attack, that's a firing offense, you need to have that, you know, that's it, you don't want to shame someone into, if you've done that go into the room, and you're going to get a written warning. No, if you've done it, mistakes happen. And quick communication means that we can disarm it before it gets bad. Let us know. And we'll handle it. But we can only do it if you tell us.

Al: 

That is to pick a tool that gives you that visibility. Don't step over dollars to get to dimes, right. You need to pick a tool that gives you visibility into how well your team is performing. And whatever the task is, it doesn't matter. Because you can get free, semi free, phishing that doesn't really fully expand on what the results look like and who it was and which were the triggers that made them move. Same thing with training. Same thing with policies. I mean, you need visibility, pick a tool that gives you as a leader, visibility into how your team is performing without having to do spreadsheets, without having to massage a spreadsheet to get the information you're looking for. 

If you just spend an hour getting information out, you're never going to do it. It's never gonna happen.

‍

Question And Answers

‍

Shannon: 

Yeah, So I did have some more questions left in our script, but we had a very active chat and about 12 minutes left. So I want to make sure that we address these questions. And I'm combining two of them here a little bit. Because I like the specificity of this, I think letting the audience know what is included in that cybersecurity bundle, but also there was a question about how each of you are pricing and it seemed like that was fairly different. Let me scroll back through here. And thank you for answering the questions as we went. Where Harry is doing the £15 per user per month, but going to also add up charges for the device. And Al, you were saying you're doing AISP 197, 267, and 347 per user. So maybe we could talk about the differences in pricing because Ross Dolman was asking about that as well.

Q: What should be the pricing of your cybersecurity bundle?

Al: 

So our all-in seat means exactly what it sounds like. I include our security bundle, our compliance bundle, and unlimited service on the AISP 197. It’s a remote only service, if we go on the site we do charge for that. It includes quarterly vulnerability assessments and Office 365. It does not include the annual pen test. And then we differentiate between remote-only, on-site and remote, or on-site, remote and hardware-as-a-service. That's the only difference in those pricing levels. And so someone could quite literally pick up the phone on the first of the month, and hang up on the 31st of the month, and their price never changes. 

Now there is a setup fee, I'll just qualify this. So everybody knows, I charge a minimum fee, So a two-user office can certainly come on board with us. But they're going to pay me a minimum of $2250 a month. That's our minimum fee, in the remote-only. That fee covers rip and replace. So I'm literally going to put in our own firewall, I'm literally going to put in our own switches, I'm literally gonna bring in our own backup like we do everything, as I said, I standardize on a stack and I never look back. And that's why we're able to have such high SLAs and low ticket counts.

Harry: 

And I guess from this side, it's a bit of a contrast. I mean, I guess the UK market is a little bit different. We tend to be on the more expensive side, we're not always the most expensive, but definitely not the cheapest. £15 is what we're charging at the moment for our Essentials Bundle, which is the stack that we settled on about a year ago, we're adding a few bits into it. 

The new bundles we're looking at at the moment are going to realistically be about £35 and £50. We're looking at having that all-inclusive bundle. I guess the problem that we found in the past is that the all-inclusive bundle hasn't necessarily worked very well with our customers. We're keen to do that. It makes a lot of sense to do that and that is from a standardization standpoint. That's where we need to go next. 

Al: 

I think where you're headed to Harry is where you want to get to now, as you sell clients there, you start moving clients from the bottom out. That doesn't mean fire them, right. So I'll just tell you, when we made this journey, when we started selling AISP, I went to our lowest, our noisiest at our lowest profit clients. And I said, this is what we're selling now. That's how we got rid of them.  Now, I will say sunset okay, I'll take it completely shocked me. I will say that. So I would say don't fire anybody. Just sell them your minimum requirement.

Harry: 

So one thing that I think is a common theme amongst security. And it's actually not one we've touched on today, but it's very important in our eyes. So when MFA started, when we started rolling it out in anger, we wrote an email out to all our customers saying, just FYI, we had this clause in the contract which says something about you have to do what we're saying you have to keep your network secure. We now consider MFA minimum requirements. If you don't do that That's absolutely fine. But just FYI, when you get hacked, we will be charging you and you will be hacked. Not obviously, hopefully it won't happen, but it will. We know it will happen because you're not taking the right precautions. 

And we've had our lawyers draft us a waiver form. So if someone asks for admin credentials, they've signed that, they can have them. But they know that if anything happens, and we suspect it's anything to do with those credentials, we can't cover it. That's not fair. And we're going to be using that same document with our security bundle. So with the latest bundle that is, 

So a client's gonna see, right? Yes, here's what I'm paying for, here's what you're not paying for, you are not having the security functions that we consider critical. So you, Mr. Customer you are going to sign as a company director, that you are opting out of the security tools that we are telling you to go for. And, you know, when we've done it with MFA, it's been quite successful without people who tend to be pragmatic and go, Well, I kind of need this with the security tools. A lot of people might grumble like, you know, like you said, with pricing at low customers. We need our customers to be doing this, no one likes to be doing hack responses. That's not. That's not what our business does. And we want to be bringing that number down to zero. Yeah. 

Thankfully, we don't have that many with things like MFA. But we want to be keeping that threat to getting worse, and we need to keep ourselves protected.

Al: 

I think you mentioned good points. Let me just also say that at some point, anybody can sue anybody for anything, right? I don't want it. My attitude has become over the years -  If you're not going to take my recommendations, you can't do business with me. Because even a waiver of liability is only as good as your willingness to defend it. 

And ultimately, I'll bring this up quickly. I know we have. We're short on time, and Shannon has a few more questions. The DOJ has now said that, and this is a recent release, that was, I'll put this link in the chat that was just yesterday, they are now going to be looking to prosecute MSPs and MSSP who participate in government works through the chain. So you don't have to be the primary contractor for the government. You can be a subcontractor through the chain. And they're going to prosecute MSPs and MSSPs, who are protecting government data. And so no waiver of liability is going to stop the Department of Justice from coming after you is what that means. 

Further Reading: Government's False Claims Act and Justice Department's newly announced Civil Cyber-Fraud Initiative.

Q: What are some of your recommendations to have in your own tech stack?

Shannon: 

There were a bunch of questions that I'm going to kind of consolidate around tech, which is somebody was asking about a PSA slash ticketing system that really works. Somebody else was saying we're reviewing several RMM solutions, which would you recommend? And then even also, What is your backup solution for appliances for agents? I think in some regard, people are here. Also just looking for recommendations around what do you guys have in your own stack? 

Harry: 

So well, PSA - we're actually in the process of working with a long-standing company where we are new to them - Halo PSA. They have grown quite a lot in the last year. They're building a lot of integrations and we're pretty excited to start working with them. We've got some really cool things we're working together on now. The aim is to do it around Christmas Eve, so I'm going to be the evil one in the office. But yeah, I mean, that's where we're going. 

RMM wise we use Connectwise Automate, which we found to be pretty agile, we can use it quite a lot. It's very customizable with things like script and integrations. And there's a lot of AV integrations, although we're not using them and backup integrations, but again, not using them for the same reasons. 

Al: 

Invest in tools that you can automate the most. We’re a Kaseya shop on the RMM side and Connectwise shop on the PSA side. If you consider both of those tools, they are effectively the DOS of their respective categories right. There are kind of clunky and old looking. The reality is, the reason we use them is because I can do more with those two platforms than I can do with any other platform out there. And just, you know, every three years, my entire company evaluates every single tool we use to see if it's still the best on the market at doing what we're trying to accomplish. And I've switched in the past. 

And so, and I'll use my RMM as an example Kaseya, what we do with Kaseya is, I am able to automate the the changing of administrative passwords every 15 Days to a 24 character to a 24 random character, upper, lower, number, special character, password on every system across 1000s of endpoints and domains, and update IT glue automatically. So none of my engineers need to know what the password is, right? That's a simple example of why for me automation matters, because now I've closed a serious hole in the attack surface. 

Most MSPs I know, have used the same admin user and password across their clients for ease of use. Unfortunately, there is a gaping hole in your security posture for your client. And so every single local or domain admin on the network and in our system has a completely different password that's at least 24 characters long and almost nobody knows what the hell it is. Because it changes every 15 days. But I've automated all of that. I automate workflow on our PSA. 

So you need to pick a tool that's going to work best for you, my recommendation is pick one that you can automate the hell out of, because what we're able to do with automation is never hire somebody else to do what a robot can do for you. And our most expensive part of our business is people. And they are also the most unreliable.

Harry: 

When you're looking at tools, there is a lot to be said about, there's three tools, it’s six of one half a dozen of another. When we've looked at other RMM solutions, yes, it does these things brilliantly, and then doesn't do these things. The truth is pick a partner you can work with, pick someone that you are confident you can grow with or have the right integrations, if they're saying the right things, they're showing maturity. If they tick those boxes, you can work out the intricacies there's always a way.

Shannon: 

Yeah, Harry you may have to contribute a blog to the Zomentum site about how to choose a vendor? that applies regardless, if you're using cybersecurity or not right? Making sure that they're saying the right things, that you know that they're growth focused, that you have visibility on the growth map and that they're doing the right things to make you happy and kind of plug everything together.

Shannon: 

So I think we're gonna have to schedule a second session to get everyone together. Clearly, I know cybersecurity is always super popular. I think we only got through maybe half to two thirds of our questions before I just threw it to the group. And we still had a very keen audience here. So please reach out to us guys. Let us know other topics you're interested in hearing about and I'm sure once we get past the holidays and we are in 2022, we'll definitely be doing another one of these roundtables because clearly there's a lot of interest in need. And we're very lucky here to have both perspectives, Al as an MSP as well as a vendor who just has his finger on the hot button with everything that's helped happening with insurance, and Harry as a fellow MSP who's going and building it for himself and tearing it out and is such a great example for others that are looking to scale their business through security offerings as well. 

So thank you both so much for your time. 

I think this is the first one that I've had that's like running completely five minutes over and everybody stayed. Thank you to our attendees as well. 

Al: 

Great audience. The attendees have good questions.

Harry: 

The Q&A has not stopped. Keeping us all on our toes.

Al:

You're doing something right Shannon, that's that I'll say!

Shannon: 

Aww, Thank you. Have a brilliant Tuesday, guys. I'll talk to y'all soon.

Al: 

Bye. Y'all be good.