EP34 - Navigating Compliance: Essential Steps for MSPs Getting Started
All Things MSP, November 14, 2023
Episode 34
00:57:38, 131.93 MB


In this episode of "All Things MSP," hosts Eric Anthony and Justin Esgar delve into the intricate world of compliance for IT service businesses. The discussion revolves around the non-technical aspects of running an MSP and the challenges associated with ensuring both the MSP and its clients remain compliant. The hosts emphasize the cascading nature of compliance, where adherence to regulations trickles down from the MSP to its clients and, in turn, to the clients' clients.
The episode highlights the broad spectrum of compliance considerations, covering diverse services such as computers, chat, email, file sharing, data storage, network, and physical locations. Eric and Justin stress the importance of proactive measures, encouraging listeners to go beyond merely taking advice and conduct in-depth research to understand and implement compliance strategies effectively.
A significant portion of the episode focuses on the checklist for MSP client compliance, including considerations like business regions, industry-specific requirements, and insurance carrier demands. Eric introduces a five-point package designed by Virtua Computers for client offerings in the upcoming year, encompassing endpoints, email and chat, file share, collaboration, and penetration testing.
The hosts emphasize the critical role of defensibility in compliance efforts, highlighting real-world examples such as the recent SolarWinds incident. They stress the need for MSPs to not only prevent issues but also to be able to defend their actions in the event of an incident.
Overall, the episode serves as a guide for MSPs navigating the complex landscape of compliance, providing actionable insights and practical advice.

Justin Esgar:

So I got our friend Mark Copeman's book. Yeah, I

Eric Anthony:

Have mine.

Justin Esgar:

Yeah, we've talked about this. I'm quoted in this book, which is really good. I like that. I'm quoted, you right? I'm on page 205 and I talk about mergers and acquisitions, and this is a really funny story. It says that somebody had posted on LinkedIn about the book and said, oh my god, Justin, you and I, we have the same book recommendation, software recommendation. So I have in here, my book recommendation is Oversubscribed by Daniel Priestley, and my software recommendation was HaloPSA. And I scroll back pages, go back a couple pages, and I see this person had the exact same book recommendation, software recommendation. The problem is I've never read Oversubscribed by Daniel Priestley and I wasn't using Halo when I gave Mark my suggestions. So clearly there's a typo. Someone accidentally put this other guy's book suggestion and software suggestion in my section because I didn't know that. But you know what? I love Halo now and I've never read Oversubscribed, but maybe I will. What page are you? 106, I think

Eric Anthony:

It's 166.

Justin Esgar:

166, 65, 166. Here we go. Invoice as often as possible. Eric Anthony. All Things MSP. Change my business, which I discovered while running my MSP. What's the invoice as often as possible. I'm going to read this as if it's a sultry sex story, especially for the smaller MSPs. The tendency to invoice once a month, and this has become a huge issue the moment you begin to hire employees because there's a gap between work done, the payroll paid, the work invoiced, and the payment received. Sorry, I can't keep going. What's up everybody? Welcome to the All Things MSP podcast. I'm your host, Justin Esgar, as always with me is my good friend, podcast producer, Chardonier Pirate, co-host, friend to all animals, Mr. Eric Anthony. Eric, what's shaking?

Eric Anthony:

I actually get to dress up as well kind of a pirate tonight. I am technically tonight I am an ex pirate called Sea Leg Sam.

Justin Esgar:

Okay.

Eric Anthony:

Yeah. It's a murder mystery birthday party pirate thing. Oh,

Justin Esgar:

Okay. I didn't know where you were going with this and I was really in my head I was going like the listeners are not going to

Eric Anthony:

No, we've already

Justin Esgar:

Lost them. We've already lost them in the first 30 seconds.

Eric Anthony:

Oh, are you kidding? After that, it's only going to go up from here.

Justin Esgar:

Yeah, exactly. Murder mystery parties are fun. I haven't had one since I've been 13 years old. See, if you're not watching the YouTube, youtube.com/at all things msp, you don't get to watch Eric giving me dirty looks, but you're listening to this in your car, so pull over and go to youtube.com and then look for the All Things MSP and then look for the dirty look that Eric's going to have as the thumbnail of this episode where we talk. So a lot of stuff's been happening. It's towards the end of the year, people are starting to plan for next year, their businesses and what they're going to do. And something that's been on our radar a lot lately has been the talk around compliance. And the problem here is that compliance is such a broad topic and I know a lot of other MSP shows are talking about this and I feel like we really should cover it.

Also, we do want you, the loyal listeners, to get ahead of this one. If you're not thinking, talking about compliance with your clients now, this is the immediate time to start, but we're going to kind of dive in a little bit today about what does it mean for a client of yours to be in compliance? What does it mean for you to be in compliance? What does it mean for your clients' clients to be in compliance? The problem is that it just trickles. It's trickle-down compliance. It's Reaganomics. This isn't a joke. This is a good joke for anyone who's in their mid forties who gets this Reagan joke. But if you're younger than I am or older, if you're younger than I am, just giggle. So here's my thing about compliance, right?

The problem with compliance in general is that it's such a broad topic and on a regular basis a client can be out of compliance for literally anything because there's so many different services and there's so many different things that we need to worry about. Excuse me. You have the computers, you have the chat, you have your email, you have your file share, you have data storage, you have, I don't know, your network, you have your physical location. If you're doing anything with credit cards, you have to have certain network requirements. If you're doing anything with HIPAA, you have to make sure everything's locked down and no one can get the thing. It really can go down this rabbit hole if you don't know what you're doing. And let's be honest, man, most of the people who are listening probably don't know what they're doing. They're just taking words of advice from people like us and hoping for the best. And I'd rather it be more than that. I'd rather the listeners learn and go do some research and figure this stuff out based on the things we're talking about and not just take our word for it. So I'm hoping that's what's going to come out of today's episode.

Eric Anthony:

And that's why I spent a little more time in preparation for this episode. And I put together a small slide deck that I think we'll kind of go through as we're talking about this today. And I really intended it for just that purpose, Justin. I really wanted it to be a place for them to start. Not a comprehensive, this is what you do, because everybody's situation is going to be different. Now, I think that this is critically important for a couple of reasons, and I didn't make a slide for this because I talk about this all the time. It's important because number one, there's a risk to the client. Number two, there's a risk to you, the MSP, and it's not just a financial risk. There's other risks of reputation and all these other things that can come along with it that really mean that if you're not on top of this, you could literally go out of business if you had an incident and weren't prepared.

And what all of this is, is it's not necessarily about preventing something from happening. It is figuring out, I mean, that's number one, is trying to keep it from happening at all. But number two, it's defensibility. And this is a concept that Matt Lee talked to me about, I don't know, a couple years ago. I've actually got it on video. And it's the idea that you need to be able to defend what you did. So in terms of what you set up for your client's protection, for the protection of your systems, that could be an entry point into their systems. If you can defend what you did, even if something happens, this is what is going to save your bacon. And case in point right now, you have, and full transparency, I used to work for SolarWinds MSP. SolarWinds is in the news this week because SolarWinds and their CSO just got charged by the SEC for violating different SEC regulations around their disclosure of the SolarWinds incident a couple years ago. That was what, three years ago it was announced. And it's all going to come down to whether or not SolarWinds and/or Tim Brown can defend what they did during that period of time. So Justin, I don't know where you want to start with this. We've got a bunch of different slides. I think there's kind of an order to them. Do we want to start with the checklist that I had real quick or do we want to go into Virtua's five-point plan and then kind of go into the checklist?

Justin Esgar:

I think we should start with the checklist, but I do want to start before we do anything, which is that no matter what we talk about today, confirm with your lawyers and if you don't have a lawyer, there are lawyers out there who specialize in compliance to make sure that your stuff is right, because again, much similar to what you said, this is about defending yourself if something does happen. So before we get anywhere, before we give you a single checklist, before we give you a piece of information, make sure you have a lawyer, make sure you have someone who understands your contract. Make sure your contract is solid. Make sure that you're doing the things you say in your contract in the best of your ability and that you can prove that because you don't want to be on the other side of let's say an SEC filing. I think we should start with the checklist.

Eric Anthony:

That's your disclaimer.

Justin Esgar:

That's my disclaimer and I

Eric Anthony:

Think it is very good. I'm going to add that these are recommendations for you to go research and then apply. Don't take what we're telling you and then just apply that and think you're good. Do your own research first.

Justin Esgar:

Alright, so let's start with the checklist. So I think let's just start by defining the fact that most of the stuff we're going to talk about is your client's compliance, not yours as an MSP, but you taking care of the stuff for your client because they're the ones who typically need the compliance. You are not regulated by HIPAA. They are, and therefore you're going to take care of them. So let's put that out there. So we have our checklist for MSP client compliance. And if you're not watching this, again, go to youtube.com/all things at all things msp. And you can see the slides, but this is a big one. Do they do business in a region that has privacy compliance regulations? I mean, show of hands, how many of you are in the EU and have to follow GDPR? Right? And what's funny is how I have clients that are in the States that do mailings in Europe and we're like, you have to follow GDPR.

And they're like, but we're not in the EU. And it's like, it doesn't matter. That's what their rule is. And it's understanding that. So understanding Regency, I mix region and privacy together. Regional privacy compliance laws is majorly important. One of the big things that I think we've talked about this a little bit, that the privacy laws in the United States at least are state by state and I think, I thought it would be by the end of this year, I think it'll be by the end of 2024 that it's going to become a federal thing as opposed to a state by state thing. So understanding that,

Eric Anthony:

Well, because I just had this conversation with somebody I think two days ago about that very thing. I was talking to them and who was it? Oh, I was talking to Wayne, the cybersecurity guy over at CompTIA, and he was saying that the federal government is actually, it seems, staying out of privacy law intentionally because the states are coming up with their own. Oh wow. Yeah. I was surprised because I literally asked the question you just proposed, that I assumed that the federal government was going to be doing something so they could collect all of these up and have one rule, because this is one of those things where you really shouldn't have a law in California affecting businesses in Utah. But it does because, just like you mentioned with GDPR, it's a law that protects the citizens of that state or that region. It's not about the businesses reaching into that area to do business.

Justin Esgar:

And I think that California probably has the strictest in my opinion. So I tend to just blanket all states with whatever California says. Yeah, I don't know if that's

Eric Anthony:

True or not. They've been around the longest too.

Justin Esgar:

They've been around the longest, right? So I just say like, okay, and granted our clients are in New York for the majority of them, and when we get to my five-point thing, what we do to check for compliance on our file share, but I always just follow the California Consumer Privacy Act. So checking to figure out what region the rules are, that's really important. So our second thing we have is, are they in an industry that requires IT-related data privacy and security compliance? And clearly if you're taking care of anyone who's in medical, right there, the answer, it's HIPAA. But there's a lot of others, and I've gotten to the point where I'm not even sure what industries are and are not compliant. And so when we're picking up a new client, I don't care if they're a nonprofit, FinTech, design firm, doctor, whatever, I will ask them, are you beholden to any sort of compliance? To which many small businesses, which is the type of business we take care of, go, I don't know, you tell me. And I go, I can't tell you, you should know this stuff. Obviously some of them are easy: doctors, HIPAA; dentists, HIPAA; FinTech I think has got something.

Eric Anthony:

A whole bunch.

Justin Esgar:

Yeah, there's a whole bunch of them. But the problem is, and we'll get to this, is that there's so many different types of compliances that compliances.

Eric Anthony:

Compliances,

Justin Esgar:

Right? That's right. The first one, it's not a Greek word, Greek, it's not like octopi. That doesn't make any sense. Shout out to my friend David Farkas, who when I was younger, when he was with his whole family, we used to call him the group of guy because he took that joke on for many, many years. But understanding what they're responsible for, a great one, I think we've already mentioned. It was just like if you run a retail business, you're going to be held to PCI DSS compliance because you run credit cards. So there are things there that your clients probably don't know about. And I think if you as the MSP understand the broad strokes of, let's say, the big five, you'll be better off.

Eric Anthony:

And another thing to keep in mind when you were talking about that is also what industries do your clients serve? Because they may have waterfall requirements. I mean that's what CMMC is, right? I mean, manufacturing itself doesn't have any requirements, but if they sell what they make to the federal government, especially the Department of Defense, there are definitely things that come in there.

Justin Esgar:

And that's another big one. If you have clients that work with any branch of any part of the government, you probably have a lot of compliance things that you're even missing. We were talking to a potential customer who does work with the government and we were looking at the MDM on their phone and they were allowing data to leave managed apps and go into unmanaged apps. And I was like, I don't know what compliance you're beholden to, but right out of the gate that seems like this one here is something that needs to be locked down better, because now you have the potential that governmental data could be leaving the system and things like that. And I don't even know which compliance they would be needing to follow, but I was like, let's just try to hedge our bets on this one. So there's even so many minute details and so many pieces to it to understand what's needed.

It's again, the Reaganomics of compliance. It's you. You're taking care of your client, but it's your client's clients. So you need to be worried about. And then the last thing you have on your checklist here is, does the insurance carrier require any type of compliance? This I think is hilarious because the amount of people who have cyber insurance, I guarantee you every MSP that's listening to this and in the All Things Facebook group has cyber insurance, and if you don't, go get it, but that part's irrelevant because I highly doubt any of them will be able to survive a cyber insurance case because they're not in compliance compared to what the cyber insurance requirements are.

Eric Anthony:

And that's actually a selling point for your services because you are the person who can make sure that they are in compliance with most of those requirements from the insurance carrier. And again, it comes down to that defensibility that I talked about earlier. If you can defend that you are doing everything on that insurance carrier's checklist, you're going to be able to defend that claim. And that's really what it comes down to is dollars and risk.

Justin Esgar:

Hold on. There is a break point, the amount of risk versus the dollars gained, but at the same time, and again, depending on what industry you're in, your risk tolerance is going to be higher or lower. My graphic design firms who are doing stuff for Fortune 500 companies, their compliance risk is zero, right? Because they're just drawing pictures. But obviously any medical companies we take in, many small doctors' offices, they have HIPAA and EMR and that risk is very, very high, and you don't want that getting out in the open. The other thing to think about when you're dealing with all of this stuff is looking at your client's software stack because a lot of the time they're going to try to pass the buck on things. MacPractice is a major, major medical software for Mac users and there's a version for doctors and a version for dentists, and I think a version for vision or whatever, and all the data is stored in MacPractice. Ideally, if something were to go bad, it's MacPractice's fault, but at the same time, it's also the doctor's fault and it's also the person who built their network and the person who takes care of their computers. So all three of you will be named: you, your client, and the software could all get named in a lawsuit if something goes wrong. So just because the software says it's going to do something, don't believe it.

Eric Anthony:

Well, and you said something in there about who's at fault, right? Yeah. The problem is the client is always going to point back to the MSP even if it's in your contract. Now, if it's in your contract and they declined something and they signed something saying they declined it, again, that's defensible. And so those are the kinds of things that you need to cover, but you need to be aware that they're going to point the finger at you and you have to be able to point the finger back and have a piece of paper that says, I told you,

Justin Esgar:

How many times have we seen in the news an MSP got crushed over the fact that a client of theirs who happened to be a big client, look at the MGM breach. I mean, that MSP who fell for the breach that allowed them to get into MGM, they're out of business. There's no way they're surviving this lawsuit. It's just not going to happen. And there's plenty of MSPs who have gotten eaten alive just the same way because of these kind of, I wouldn't say simple mistakes, but they're just mistakes in general that need to be done. Alright, so we have this checklist, right? Check your business regions, make sure you understand the laws, check to figure out what industry they're in and look at their cyber insurance. So I want to talk about something that we are doing at Virtua starting next year already.

We're recording this, if you're not listening in order, we're recording this at the beginning of November of 2023. So by 2024, this is our new kind of package deal that we're trying to sell for clients, new clients that are coming on board, where I know my clients well enough and I know what they're using. So these five points fit for us. Again, your mileage may vary and this is all advice, not legal. So the five points that we want to cover for our clients: we have our endpoints, email and chat, file share, collaboration, and then we're doing a pen test, which will be a penetration test on the inside and external. And we're going to do a vulnerability scan for external for things like that, because in my mind, if we run those five things, we have a compliance checker for endpoints built into our RMM/MDM software. We're using a third-party tool for security and encryption and anti-malware, anti-phishing, URL rewriting for email and chat.

We use a really, really powerful file share collaboration that has a secure and governance component to it for the file sharing collaboration and a vulnerability scanner and a pen testing software. In my opinion, and I would love to get torn down by this one, but in my opinion, those five things are what is going to protect our clients probably the most. And moving forward. Now the majority of my clients are graphic designers and nonprofits. They're not beholden to any sort of compliance. And if they are, the tools that we're implementing here, especially on the file sharing collaboration side, which we're using a secure and governance tool, and I keep saying that because literally that's the name of the tool, we're setting those things up to check for the things that they need to be checking for. So if they're working in HIPAA, we're checking for HIPAA data. If they're looking for PCI data, we're looking for PCI data within their data sets and things like that. And then obviously there's the remediation of all the problems that are found. This isn't just monitoring and sit back and watch all the alerts come in and do nothing. This is active fixing

When things are out of compliance.

Eric Anthony:

Awesome. And I think that's a really good stack, and this is one of those things that I think in preparation for 2024 like you talked about earlier, these are the things that people need to be thinking about to get ready for 2024. And the time to do it is now. Because to include the tools to do this is going to cost you money, therefore you are going to have to raise the prices on your customers as well.

Justin Esgar:

Alright? That's actually one of the things about the vulnerability and the pen test is that we're in the throes of finding the right software and we think we found it. And of course, every company that's selling this is like, well, when do you think you can close this deal? And I'm like, I don't know. Because right now my thing is to try to sell it to my clients first. I want to find a client that's going to cover the majority of this so I can then make money on all my other clients. The software, I'm not going to lie, the vulnerability scan and pen testing is expensive as hell.

Sorry, let me rephrase. It's expensive as hell over the course of the year. The monthly isn't terrible, but I still want to make sure that I have a client who's going to be willing to put up that kind of money. And I did the same thing, we, and what's not on this list, because I think it's less of a compliance thing, more just security, is dark web scanning. When we first signed up with our dark web scanner, I think we were being charged like $300 a month. I sold dark web scanning per domain at a hundred dollars a month, and I was allowed I think 10 domains. So within my first three sales, I covered the cost and the next seven was profit. I'm using that same sales mentality for the vulnerability and pen testing. I think it's going to cost whatever it is. Let's just say it's $10,000. It's not, but let's just say it's $10,000. If I could find someone who's going to sign on board for a vulnerability scan pen test twice a year at $5,000 a piece, because that's literally what they're worth for these clients, then anyone else I sell it to is gravy.

It's a great extra offering. And you don't have to be an MSSP to do this. You could outsource this to cybersecurity firms. There's plenty of them out there. If you're a Dolores partner or a Sandler Partners partner, there's plenty out there. And we were using one for a long time. I just feel like if we can do it and make the money ourselves, we might as well. So that's where we're going with all of this stuff. And I think we found a pretty good, like I said, our endpoint one is through RMM/MDM and for the email and chat, I think I found a really awesome one. If you're a Pax8 person, there's a good one that's in there that the margins are literally like, I can't do the math. If it costs $2 and you sell it for $4, is the margin a hundred percent or is it 50%? It's a hundred percent, right? The

Eric Anthony:

Margin is 50, the markup is a hundred.

Justin Esgar:

Cool. So that being said, the markup is a hundred and the margins are 50%. It's not $2, $4, I think it's more like five and 10. But we found a really awesome tool that will do Office and Google, which is important for us, and Slack and Dropbox and Box and SharePoint and Teams and OneDrive, like one tool to rule them all, which is really, really nice. And then for the file sharing collaboration, we already talked about that one. So there's stuff that's out there. So that's our five-point package that we're going to try to sell next year and we're going to become those pushy salespeople because hey, it's 2024, you need to be doing compliance, you got to be compliant for something. Oh no, it's okay. No, it's not okay. Stop being cheap and do it.

Eric Anthony:

Speaking of the different things that you need to make sure you recognize as things that your clients need to be compliant in. The next one is US states with privacy compliance laws. So right now you've got California, Colorado, Connecticut, Utah, Virginia. The states that are considering or have already introduced the legislation, they just haven't either passed it or it hasn't started yet, are Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. Now what's so important about this is these go east to west, north to south. And so the neighboring states of these, because in most cases these cover the protection of the citizens of the state. So if the citizens of the state are transacting with a business in another state, most likely these privacy compliance laws still apply, just like they do with GDPR. So if you are in Colorado and you're next door to Wyoming, if you have clients in Wyoming or if you're in Wyoming and the clients are in Colorado, it could apply. So those are things that you need to take a look at.

Justin Esgar:

There's a couple other states. New York, I know New York has the New York SHIELD Act and there's one for New Jersey, but it's probably something like the GABA goul or whatever because people in New Jersey are stupid like that. But like we said at the top of the show, the California Consumer Privacy Act is the longest standing one. And if you have clients all over the United States, always look for the hardest set of rules and just follow those, right? Yeah, I would say CCPA is probably the one to follow. This is also the reason why, similarly, all of a sudden every website makes you accept cookies. I don't remember whose law that was. It was somebody, I think that was part of GDPR, right? It was all of a sudden

Eric Anthony:

That or the new CPRA from California.

Justin Esgar:

From California, right? Yeah. So it's part of that. So try to follow their rules, look up their information. I'm sure it's on Wikipedia, but if you're driving, pull over and pull up your mobile browser and type in CCPA. Work around that methodology, because if you're following that and you're in, let's say, Montana or Oregon, you're covered. Now there might be some slight differences. So make sure you do understand your local laws and again, get a lawyer. But I think if you follow CCPA, and I think that's a golden rule, I think that's a good rule. I don't know, do you agree with me?

Eric Anthony:

I mean, for now, yes. I think that at some point, even though the federal government isn't looking at this right now, I just had a conversation with Wayne SE over at CompTIA about this a week or so ago.

There's going to have to be some type of compilation that says if you follow all of these, you are following all the different ones for the different states. So it's going to get a little confusing as more and more states pile on different flavors of these compliance laws. Now, I also came up with a list of the international ones. I'm not going to read through these. If you want to go to YouTube, watch it. Fast forward to it, screenshot it, whatever. We will probably go ahead and put a version of this, at least somewhere where you guys can download it and I'll include it in the show notes. But that's it for those. I think

Justin Esgar:

The big one, the big one off this list that everybody knows or at least has heard of, is GDPR, right? And the rule here is that, and Eric, you'll correct me if I'm wrong, but it's that you can't just blindly mass mail somebody. That's what started this, was like you can't blindly mass mail people in the EU unless, I think, they have to double opt in, they have to sign up and then get a second email to confirm that they've

Eric Anthony:

Something like that. Something like that. But it's also, it's more than that because from the provider side, from whoever's sending the information, you have to have the ability for that individual to send you a request to be removed and then be able to go in and remove those people. Now, this is really complicated because there are certain records that you have to keep on them, especially if they transacted with you for tax reasons and legal reasons and all of those financial reporting reasons. But there are certain things where you need to be able to forget them. And so if their name and personal information is in a spreadsheet somewhere, technically you need to be able to find that and remove it. And there are tools out there that can help you do that. And hit me up if you want to hear about one. But in addition to that, because this is probably going to be one of our longest podcasts ever, and so we need to get through some of this stuff quickly.

But the next one is industries. These are just a couple of the industries that I looked up. Financial services, we've already talked a lot about this: PCI DSS, FINRA. Healthcare: HIPAA, HITECH, EHR certifications. Government and public sector, it doesn't even include CMMC on there. That's probably down. Aerospace and defense: ITAR, DFARS, NIST, all of those things for aerospace. But there's some for education, there's some for legal, pharmaceuticals, energy, telecom, retail. Almost everybody takes credit cards. So you have to be PCI DSS compliant. And so just a lot of different options there. Now for you, Justin, do any of these stick out to you in particular?

Justin Esgar:

I mean, NIST is a big one because we've actually, for a while, we were working with a securities firm and we were running our clients through a NIST framework to just say that they've done something right, because their clients were asking, have you done anything? And we can say, we've done something. Now, for those who don't know, NIST is scored on a zero through five. There's 150 questions. And the weird thing is that the questions don't match up to what my clients were doing. My clients who were doing market research or graphic design or website development or whatever it is, would go through this. And it was talking about the deliverables as if the deliverables were a physical thing being delivered as opposed to a digital item or something like that. And so I had a client who got a 3.1 out of the gate.

Now, this client, we do their file share, we use Eric's product and securing governance, and we take a lot of time to make sure that their single sign-on is locked down. They're doing 2FA everywhere, and they're doing all these things. And I was like, wow, 3.1, that's amazing. And then I ran another company through it and they got a 0.8. It's like, 0.8. And I was like, oh, wow, these guys did really, really badly. But the securities firm who did it was actually like, this is the average. Starting at that 3.1 was a random fluke. I was so taken aback by that sentence because it's not like the client who got the 0.8 was doing anything wrong. They had two-factor authentication on, but they're a smaller firm and they're using a Dropbox or Box or one of those online ones and email from Microsoft, and that's basically all they need. But there were so many pieces that were missing from how they do things from a perspective, and I was just like, oh, I get it. Now that 0.8 is okay, and we've moved them up the ladder by doing certain things and putting certain things in place, but them saying that they're NIST certified means zero because they're not doing stuff in the government public sector. But it was something to keep an eye on.

Eric Anthony:

Big one is one of those frameworks though that

Justin Esgar:

Yeah,

Eric Anthony:

If you,

Justin Esgar:

It's the most complicated one, I think, right?

Eric Anthony:

It's one of the more complicated ones, which is why a lot of people go with CIS rather than NIST. But

Justin Esgar:

So our MDM/RMM software just released a new compliance module, which is why we're going with it for next year. And the options we're given are we could either monitor for CIS per OS, so macOS, I think it's 12, 13 and 14 can do this. We can monitor for CIS, we can enforce CIS. It's two separate options and it'll check like 84 different things. We could also monitor for NIST, and it's like 170 things, and we can't enforce on NIST. But there are things on there you never even thought to think of because some of this technology is outdated, because it's really funny. I accidentally opened up the DVD player application on my laptop the other day. Macs haven't had DVD players in, I don't know, seven years, eight years. And the app still exists. But in the CIS certification is "disable CD and DVD sharing" from the sharing preference in macOS, which still exists even though not a single Mac device that ships right now has a CD player. So there's no way for that thing to even function. It's still baked into the OS.

Eric Anthony:

That's not true. That's not true. I could plug in my external that I still have in a box somewhere.

Justin Esgar:

Well, then you would be CIS non-compliant obviously, right? Only

Eric Anthony:

If I shared it.

Justin Esgar:

Only if you shared it. But there's the point, right? Because I go to a client and I'm like, ah, no one's got CDs here. We don't have to worry about turning that thing off. And lo and behold, someone pulls, opens up a drawer and takes around in here and then, oh, look what I've found. I have an external USB CD drive or a zip drive that's connected with 14 dongles that make it USB-C compatible or some, and then all of a sudden they're CIS or even NIST non-compliant. And so it was an interesting thing to realize what's on this, really how complicated this list is and what's on here of things that need to be stopped that out of the box you wouldn't even think about, because there are things in there. Only root can access logs or something like that, right? Of course it makes sense, but if it's not enabled properly, it doesn't count. So those are the ones. PCI DSS is the big one for me

Mainly because at our retail shop in Columbia, Missouri, we have to run a scan quarterly now, and we always fail because there's always some stupid hiccup. But the reality is, if you're going to run credit cards, even if you're using a POS system like Toast or Square or whatever it is, you want to make sure that the network that device is on is on its own, segregated with no one else on it, and all of these things, because if it's not, you're immediately not PCI DSS compliant. And I was like, well, damn it, that's another pain point and another cost to deal with.

Eric Anthony:

That's what VLANs are for.

Justin Esgar:

You could do it on a VLAN, but in reality it should be on a completely separate one. That's why we get cheap DSL for the shop.

Eric Anthony:

Oh, there you go.

Justin Esgar:

Yeah, you do that. But those are the big ones. A lot of these, I mean, because they're not in my industry, I don't know. I'm looking at this list here. I've never heard of ITAR or DFARS before because I'm not, there are no Macs in aerospace that are taken care of by an MSP, at least not that I know of. Education's a big one, right? Isn't COPPA, that's the Children's Privacy Act, right? Yeah.

Yeah, that's huge. If you're taking care of schools and you're not protecting the privacy of the children and there because out loud, it just seems so like, oh, no, duh. Protect the children. But there are laws here that you need to follow and that the school needs to follow in order to make things work. Especially if you're doing work with charter schools or private schools, they tend to not do public school. They don't have a choice. You're mandated by the state. But private schools and charter schools, from my experience, tend to not even know what the laws are.

Eric Anthony:

And charter schools, in my experience when I was in MSP, were cheap. They didn't want to pay for anything. We were, I don't remember the name of them, and we're getting way off topic here, but we were using a device. It was a little device. It looked like a USB hub that you could use to share one computer to six keyboards and screens, and it was just virtualization, but it was, anyway. I'm sure those are not compliant.

Justin Esgar:

What's not on here though, that I think is a big one, because this isn't a compliance standard from a technical standpoint, but SOC Type 2, because that's an accounting platform, and there are rules there that are unbelievably stupid.

Eric Anthony:

There were two that did not come up on this that I was surprised about. One was SOC 2, the other one was the new FTC regulations around things like car sales. Yeah, it's a thing. So if you have any dealerships, Justin, this is something you need to learn about. But yeah, this is not an exhaustive list. You need to find out about your clients. In the interest of time,

Justin Esgar:

Our listeners love us. Don't listen to us talk for three hours if we had to,

Eric Anthony:

But

Justin Esgar:

If you do, leave us a review and let us know. Or put a comment on Facebook, facebook.com/group, it says All Things MSP, and let us know. Would you listen to us talk for three hours? We'd go through so much Liquid Death, hashtag still not a sponsor, in that episode. If we

Eric Anthony:

Had to do it. More importantly, if you know what a zip drive is that Justin mentioned earlier, because you've been doing this as long as we have,

Justin Esgar:

Those were the best. Those things were the best. And then maybe the Jaz drive.

Eric Anthony:

The Jaz drive

Justin Esgar:

Was the worst.

Eric Anthony:

Absolutely. Yep. Absolutely. I think I finally threw out my last zip drive about two or three years ago.

Justin Esgar:

True story, we're off topic. When we moved, I was building out my new Mac museum, which you can't see because it's all the way on the angles there. And I had an old zip drive and Michelle goes, do you want this? And I go, well, it's an old piece of tech. And she goes, yeah, but it's not made by Apple. And I was like, oh, you make a point. And she just chucked it in the garbage, rightfully so.

Eric Anthony:

Iomega was one of those though, where they were very equal in making sure that it was compatible with Mac and PC. Loved it. So I appreciated that.

Justin Esgar:

I appreciate that. Alright, back on topic.

Eric Anthony:

So

Justin Esgar:

Next we talk about cybersecurity insurance questions. And like I said at the top of the show, if you're an MSP and you don't have cyber insurance, go get it. And then also read your policy and see what you're going to be beholden to. And then this is a great thing to learn because you can help your clients get cyber insurance, because at this point in 2023, every company should have cyber insurance. And if they can't get cyber insurance, this is great sales work for you. But that's another episode. Well,

Eric Anthony:

And the other thing about this is also remember that the cybersecurity insurance that you need as an MSP is different. You actually need additional insurance, and I think it is around the realm of errors and omissions, but it's a special errors and omissions policy. So make sure that when you're talking to your insurance agents, you're not just talking about plain standard old cyber insurance, because you actually need more than that.

Justin Esgar:

So you need a general, you need an E&O, you need cyber, and you need your special, and the special E&O, cyber E&O, C, I don't know. When it comes to insurance providers, I know that this topic has been brought up a lot, especially on the Apple side, of who's a good insurance provider. And for a long time I had The Hartford and I liked them, and then I moved from The Hartford to, oh, the name is escaping me. But because we grew to a specific size, we had to leave that company, and now we're with Chubb Commercial Insurance, and Chubb has got everything you need, but I think it's like if you're making less than a quarter million a year, I think it was the cap for whoever we were with beforehand, which it'll come to me or I'll leave it in the show notes.

Eric Anthony:

So some of the common questions that are going to be on those forms: what kind of data do they have, how do they collect it, where do they store it, those kinds of things. Other generic security questions around users or what applications they're using. Are they cloud applications? Are they local applications? Is there physical security around the file server or the server room? Most times not, because it's in a closet that's not locked. Backup and recovery, what's your backup and recovery plan? Incident response. This is different from backup and recovery because this is what you're going to do in the case of something where it's not just data loss, you actually have an intruder. How do you make sure you've got them kicked out? How do you make sure that you respond to whatever they had access to? That's another important thing. Knowing exactly what they had access to is critical.

When you're reporting this to whatever reporting agency or entity that you have to do it for. MFA, okay, turn it on. Leave it on. Don't let anybody not have MFA, please. Everybody's preaching this from every corner of the earth. It's important because most issues that we see these days are low-hanging fruit, and it's because MFA's not turned on. The other side of that is user auditing. Make sure you have an audit trail for exactly what every user did. BYOD policy. How many small businesses just give the wifi password to their employees so they can connect their phones to the internet while they're in the office? That's a no-go. If you want to provide that for your employees, set up a separate wireless network on a separate VLAN. So that stuff is, can I

Justin Esgar:

Just interject? This is the one reason why I love Meraki gear, because you can easily set a wireless to be the Meraki DHCP as opposed to the local LAN. It's one click and boom, you're covered.

Eric Anthony:

Yeah, yeah. Suspicious activity policy. What is your policy around not just suspicious things happening with the computers, but suspicious things happening physically to the environment, right? People coming in, people saying that they're from the phone company and they want to get to the phone room, which a lot of times is where the server equipment is. Just like a lot of this is social breaches,

Justin Esgar:

Engineering,

Eric Anthony:

Social engineering type breaches. That's another one of social engineering, is coming in and convincing the secretary that you're from the phone company and getting access, physical access, to the equipment. And then of course, employee training and testing. That's a big one. There's a lot of companies out there that do that. Now, I know a lot of MSPs are including that to make sure that it's just harder to phish your employees.

Justin Esgar:

So going down this list, I mean as an MSP, there's a lot of things on here that are sellable items to people. If you know what you're doing, you can write a BCDR, backup, business continuity, disaster recovery plan for a client. You can write an IRP for a client. It might not be the most in-depth one, and please stop using ChatGPT, but you can write one if you have the gist of who to call when something happens, what's happening, and what are the steps involved with that. And lay out a couple of examples. If the file share gets breached or someone breaks into the building, if there's terrorism or a hack or something like that, do those things. You can make pretty good money writing those things and doing that.

The suspicious activity policy about the social engineering, you remember the movie Hackers from 1995? Of course. Yeah. So the first scene when the guy is now 18 years old, he calls the television network and he calls the dumb security guard. He's like, oh, Bob, read me the numbers on the modem there. It's the little white thing with the blinky lights. And the guy just reads the phone number. If you think that just because internet is not done over modem now that people aren't still that stupid, it happens all the time. This is how people get phished for tens of thousands of dollars, because they think they're paying for Google Play gift cards or because their iCloud account got locked and Apple's calling them at 11 o'clock at night. That's the kind of stuff we're talking about. And you need to have written policies to talk about what to do and how to remediate both the act of and the post of what happened. That covers you, and that allows the cyber, that way they know you're doing the right steps. Whether or not they do it or not, it's a different story. But again, like you said at the very, very top of the show, it's about proving in a case of law that these steps were supposed to be followed, or we've written the rules for them, or we've written an SOP for them to do these things. Whether or not the client did it or got us involved or even told us that the breach happened is a different story.

Eric Anthony:

Yep. Okay. So next, frameworks to start with. We've mentioned two of these and there's more. These are just kind of the most common ones. So we talked about the NIST cybersecurity framework. We talked about CIS controls, we talked about kind of the differences between the two. Then you also have ISO 27001, 27002. Those are kind of more international, of course, because NIST is National Institute of Standards and Time. That's definitely a US thing, but these are great places to at least get an idea of the big picture of what you should be covering. And of course, all of these are available. You can just Google these and find them. And like Justin said, a lot of these tools are coming with compliance tools built in so that you can start to monitor and control the different aspects of these frameworks.

Justin Esgar:

Use them. That's what they're there for.

Eric Anthony:

And then Cybersecurity Trustmark by CompTIA, it's big. It's new. If you don't know, they just came out with a new version of the cybersecurity one. And this is something that if you want to kind of comply with an industry standard that is current, uses some things from both those control sets, I think, and can give you a lot of guidance, that's a place to look as well. Of course, I always like to plug my friends over at CompTIA. Oh, and that is the end of the slideshow.

Justin Esgar:

I'm wondering when there's going to be an MSP compliance regulatory ruling. You know what I mean? I think it's

Eric Anthony:

Coming.

Justin Esgar:

I think it's coming, with everything that's going on in so many, and it's not your fault, right? It's not your fault personally, who's listening to this show, because you might be a small company taking care of some small to medium sized businesses. It's the fault of the people who got MGM breached or who let Home Depot get breached or who let whoever, they got a little too big for their britches, I guess. But the truth is that somewhere along the line, there's going to be regulation that we're going to have to follow. So we've talked about this in another episode. Eat your own dog food, run your own. All the devices that you have within your company should be in your RMM and your MDM, with compliance run on those. Make sure you have two-factor on and everything. It's funny, I just put this on our, we have a thing in our team ClickUp called audits, and I was just poking around because we had let somebody go.

And I looked and I noticed that a couple of people didn't have two-factor authentication on their ClickUp, and ClickUp was the last place anybody would try to break into. But it's another thing, and I'm like, guys, two-factor on everything. We're now going to audit every tool that Virtua uses to make sure that everybody's using two-factor and that it's enforced, not just maybe, because we can't risk that either. If you're not going to eat your own dog food and not put two-factor authentication on everything that you have as an MSP, how do you expect your clients to do it?

I will say one funny anecdote story, which is somebody that we both know, and I'm not going to mention who they were, at ACEs conference in Kansas City years ago, and they were logging into a system and they got prompted for a two-factor code, and they used Authy on the computer, of which the thing was asking for the two-factor code. And I was like, doesn't that kind of defeat the purpose? And they were like, yeah, but Authy has its own password. I was like, but you didn't put it in. He's like, oh, no, I have it saved in the keychain. And I was like, dude, come on, man. Yeah,

Eric Anthony:

No, I get it. And that's why things like YubiKeys are important, and we actually, I think we have him scheduled. We have the CEO of YubiKey scheduled to come on here in a couple of weeks, and so that should be an interesting show. But yeah, Justin, you're absolutely right. Compliance starts in your organization and then goes out from there, because especially as IT services providers, we're actually a big risk to our own clients because we have the keys to the kingdom. And actually to your point about legislation or standardization of the MSP industry, Louisiana, I believe, is actually the first state that requires certain standards for MSPs who are working with the state government in Louisiana.

Justin Esgar:

Oh, really?

Eric Anthony:

Yep.

Justin Esgar:

Yeah. See, it's coming. So go get yourself secure, follow some laws. Again, this entire episode I'm going to bookend with like, speak to your lawyer, speak to a compliance lawyer. There's plenty of them out there. And just make sure that you're getting, you're covered to protect yourself and then to protect your clients. This way, you can sell it to your clients as well. There's opportunities here as an MSP to protect yourself. There's opportunities here as an MSP to make some money. There's opportunities here for your clients to be protected. And then you could also show your clients how to make money by letting their clients know that they're protected, because that'll help draw more business to them against somebody who's not protected. So there's a lot of avenues here you can take. It's been a pretty long episode. Eric, I think this is a good place to end. Do you have anything else you want to say about security and compliance?

Eric Anthony:

Just that it's not a nice-to-have anymore. I think everybody knows that there are tools out there. There are people out there. Justin and I, we're not experts on this. We rely on other people to give us information. And if you need access to those people, one of the things that All Things MSP is about is making sure that you can connect with the people in our industry who know what they're talking about, who are actual security experts who can answer your question. So if you need those types of connections, reach out to either one of us. We both know plenty of people who you could reach out to and get additional information from.

Justin Esgar:

In all fairness, I don't know anybody, but I know you and you know a lot of people, so I'll just go that way. If you are looking for Eric and I, check us out at facebook.com/group/all things MSP to join the group. That's where all the action is happening. Follow us on YouTube, youtube.com/at all things msp. Don't forget to ring the bell for notifications, like, subscribe, all that stuff. Find us on all of your podcast apps. Don't forget to give us a five-star review. Leave us a one-star review. We just like reviews. We don't care. Even write something nice or write something hurtful. It's fine by us. We have thick skin. That's it for Eric and I. Until next time, bye.

Eric Anthony:

From your host, Justin Esgar and myself, thank you for listening to the All Things MSP podcast. Join the All Things MSP Facebook group or follow us on LinkedIn, Instagram, and YouTube. The All Things MSP podcast is a biz POW LLC production. And even though we drink a lot of it, this podcast is still not sponsored by Liquid Death.

MSP compliance, compliance checklist, cybersecurity, client compliance, data security, industry-specific compliance, business regulations, defensibility, non-technical aspects, IT services