The Business of Tech Lounge - Wednesday, March 13 2024

[00:00:00] It's Wednesday March 13th, 2024 and I'm Dave Solbel. Welcome to the Business of Tech Lounge.

[00:00:19] Today on the show we talk about that case of a law firm suing its IT provider with insights

[00:00:25] from attorney Brad Gross, IDC data on the change of the CSO role will talk cloud storage budgets

[00:00:34] we'll also talk about Clawed 3 might know it's being tested. We'll recap and discuss my interview

[00:00:41] with Tabitha Scott and a preview of this weekend's interview with Mike Semmel.

[00:00:46] I want to do a call out to my vendor patrons in fact their space for your logo to go right here

[00:00:55] want to advertise the easiest way to the largest collection of MSPs in a podcast you can do so

[00:01:01] easily by visiting patreon.com slash MSP Radio and signing up our patreon vendor supporters will

[00:01:09] get shout out to all the live shows mentions on the regular business of tech show as well as access

[00:01:16] to me and additional insights information and materials all at patreon.com slash MSP Radio.

[00:01:24] A reminder I'm going to be taking questions and comments throughout the show so make sure to put

[00:01:30] them in chat we'll have a dedicated question section in the show both with your live questions

[00:01:37] and listener submitted ones but now our top story let's talk about a piece in cyber scoop

[00:01:47] a White House advisory group recommends creating new economic incentive programs and liability

[00:01:55] protections to improve cybersecurity in critical infrastructure the group found that market forces

[00:02:01] alone are insufficient to prioritize cybersecurity and stakeholders are unaware of existing

[00:02:08] federal assistance the report suggests financial incentives increased education about federal

[00:02:14] services and the development of liability protections for information sharing the report comes from

[00:02:21] the national security telecommunications advisory committee which is made up of representatives from

[00:02:27] the nation's largest telecommunication companies as well as cybersecurity firms now why do we care

[00:02:36] market forces alone don't support cybersecurity this is an important finding for every discussion

[00:02:43] we have about cybersecurity there's this implicit thought that the market demands it well government

[00:02:51] researchers are now saying it doesn't market forces alone are not going to do the deal and this

[00:02:58] is important because remember they're focusing on critical infrastructure if you're a managed

[00:03:04] services provider an IT services firm you need to think about the fact that if you want to be selling

[00:03:10] cybersecurity you want there to be other forces like regulation you need these other conditions

[00:03:20] regulation insurance conditions to drive cybersecurity sales because market conditions alone

[00:03:29] aren't going to do it this is an important set of insights as you think about your market opportunities

[00:03:34] and where you're going to spend your time I get it there's cybersecurity opportunity here but

[00:03:41] market opportunities alone will not push it based on market factors now let's talk about that

[00:03:50] case last week as I reported last week a Sacramento law firm like Mastinani Holsted is suing a

[00:03:58] computer firm land tech LLC for over one million dollars after falling victim to a ransomware attack

[00:04:06] the lawsuit names land tech LLC former owner Terry Berg and backup data storage company acronis

[00:04:14] incorporated as defendants the attack is attributed to a Russian speaking group known as black

[00:04:21] bastard which has been responsible for numerous ransomware attacks Mastinani Holsted claims negligence

[00:04:29] and breach of contract and seeks damages for economic losses caused by the cyber attack

[00:04:36] so let's quote from Yahoo news quote the firm which includes lawyers handling cases for law enforcement

[00:04:43] officers accused of disciplinary transgressions or crimes set in the lawsuit that it retained

[00:04:49] land tech after informing the company quote of the nature of the plaintiff's business as a law firm

[00:04:55] and the importance of cybersecurity for its computer network and data under the terms of the

[00:05:00] commitment of the agreement land tech quote was responsible for the cloud based backup of plaintiff

[00:05:06] and data the suit says on February 24th 2023 plaintiff began to experience connectivity issues

[00:05:13] when its employees tried to log into the firm's terminal servers the suit said the Mastinani firm

[00:05:19] notified land tech which reported quote the problem had been resolved and quote but computer

[00:05:24] network difficulties continued the suit says on February 26th plaintiff suffered a major outage

[00:05:30] of its servers and computer network which resulted in the loss of access to its servers and data

[00:05:36] the lawsuit says plaintiff reported the outage to land tech and it was ultimately determined

[00:05:42] that plaintiff's cybersecurity for which land tech was responsible was breached and that malicious

[00:05:47] ransomware had been installed blocking access to plaintiff's servers and data thereafter a ransom

[00:05:53] demand was named was made by a group known as black bastard for plaintiff to recover an access

[00:05:57] to its data the law firm attempted to recover its data through a cronus quote but discovered

[00:06:03] that its data backup had been deleted the lawsuit said quote as a result plaintiff was unable to

[00:06:09] restore its computer network with the data backup and eventually was forced to pay a ransom to

[00:06:13] the hackers to regain access to its data the suit says even though defendants land tech and

[00:06:18] burglary were aware that plaintiff's network was experiencing a cyber security attack and the plaintiff

[00:06:23] was concerned about the security of its data they failed to take steps to prevent the deletion

[00:06:27] of a cloud-based backup of plaintiff's data which data ranged with a cronus now a cronus issued

[00:06:34] an official statement on the matter and contact the business of tech directly this is that statement

[00:06:42] quote as a cyber protection company we take security very seriously no acronis systems or networks

[00:06:49] were compromised acronis and its partner deny any responsibility for what happened to the law firm

[00:06:55] systems and its data our investigation revealed that access credentials may have been compromised

[00:07:01] outside of our systems and used to delete the firm's backups and execute a ransomware attack

[00:07:07] password protection is the responsibility of the customer acronis has not been served with the

[00:07:13] lawsuit and will not be commenting further on this litigation now i'm no lawyer so i reached out

[00:07:21] to one Brad grossed to get his opinion what was his take is it notable to include the software vendor

[00:07:28] what is the general timeline for a case like this Brad gives a lot of information it was very detailed

[00:07:34] so let's hear from Brad well my first thought is this complaint is not going to survive a motion

[00:07:42] this thing is going to be dismissed first round i'm not saying it wouldn't be refiled in a better way

[00:07:48] but first round it's going to be dismissed and for the reasons i'm about to talk about okay

[00:07:54] I think that there are a lot of deficiencies and problems with this and as far as its impact on

[00:08:00] msp's hang on we'll get to that in a moment now first things first the first thing i noticed about

[00:08:08] this complaint is that the plaintiff the law firm link a cardinary which is it is representing

[00:08:14] itself the plaintiff is the same party that got hacked so i don't know why they're doing it i don't

[00:08:22] know why they filed a lawsuit representing themselves it's a problem not only is it because well you

[00:08:28] know can you be impartial when you represent yourself let's put that aside judging just by the

[00:08:34] facts the allegations that are in the complaint this attorney clearly does not understand i.t

[00:08:41] how systems integrate the value of cloud-based solutions the scope or limitations of managed

[00:08:47] services that's what this case is all about right manage services the scope and and value of

[00:08:54] cloud and cloud-based services he doesn't get it it's very clear so without that knowledge

[00:09:01] the lawyers just sort of went full forcing to the courtroom filed this and said you know i deserve

[00:09:06] money it's not going to happen at least not on the on the on the surface of the face of this complaint

[00:09:12] now let's talk about what this is really happening what's what's going on behind the scenes first

[00:09:20] all of your viewers should understand this the relationship that they have with their customers all

[00:09:26] MSPs the relationships that they have with their customers is based on contract it is a creature

[00:09:32] of contract if it's in the contract then you have to do it if it's not in the contract then you don't

[00:09:40] right away we notice in this case we're talking about an oral agreement an oral contract

[00:09:45] is it enforceable? Sure and all agreements are enforceable but what are the terms

[00:09:51] what's the scope? What are the services that are supposed to be provided when were they

[00:09:56] supposed to be provided? What were the limitations of those services? We don't know nor does the lawyer

[00:10:02] who filed this complaint because it was an oral agreement so right away we see they're basing a

[00:10:09] claim of negligence on an oral agreement without any underlying facts that is reason number one

[00:10:15] why the complaint's going to be dismissed but it's also a sign of don't use oral agreements we'll

[00:10:21] get to that in a moment now second what your viewers also have to understand is that in the MSP world

[00:10:29] who manage services world there is no such thing as a fiduciary duty fiduciary duty you might

[00:10:35] have heard about it's a it's that higher duty a higher calling that exists between a professional

[00:10:41] and its customer you see this in the medical field you see this in the law field you might see it

[00:10:47] in the outing field this fiduciary duty to sometimes go above and beyond what's right in front of

[00:10:53] the of the parties MSPs do not have a fiduciary duty it is a creature of contract the relationship

[00:11:00] as a creature of contract which brings us back to the first point if you have an oral contract

[00:11:05] and you don't know what the terms are you certainly aren't going to have a fiduciary duty and you're

[00:11:10] not going to be able to prove what the terms you know really should be and whether they were breached

[00:11:15] third there is no allegation in this contract in this agree a complaint rather no allegation

[00:11:22] that the breach would not have occurred if security was actually implemented nowhere in here does

[00:11:28] it say that instead what the plaintiff says is look I had cybersecurity needs and the MSP well they

[00:11:35] know about cybersecurity and then I got hacked so someone should pay me nowhere does it say that

[00:11:42] well had these services been in place I would not have breached have been breached had these

[00:11:48] services been in place my backup would have worked doesn't say that probably just the lawyer

[00:11:53] doesn't know reason number 310 while lawyers should not be representing himself

[00:11:59] fierce he makes accusations of negligence based on the MSP's advice to move his law firm from an

[00:12:07] on-premise storage solution to the cloud a cronus let me make something very clear there ain't nobody

[00:12:16] nobody who is going to persuasively argue to a court that moving from a on-premise a physical

[00:12:24] storage facility to a cloud-based facility is grounds for negligence no one can persuasively

[00:12:31] argue that the cloud is more secure more versatile more manageable I mean it is it's more reliable

[00:12:40] so for those reasons you know when he makes a big deal in the complaint I'm like oh they

[00:12:43] move me to the cloud and this happened no that can't be a it's not going to be a foundation for

[00:12:49] negligence reason number next why this thing is going to be dismissed it is interesting that he

[00:12:54] says that the data backup didn't exist it's not clear whether that's because the MSP didn't

[00:13:02] configure something correctly or or maybe a cronus didn't do something correctly or maybe the

[00:13:08] plaintiff itself it's something to undermine or or somehow prevent the the backup from occurring

[00:13:19] that's something that needs to be looked into that's going to be I think the major focus point of

[00:13:24] this case is this a a warning sign for MSPs right our MSPs like go to look at this case and go oh man

[00:13:33] we're in trouble well yes and no let me tell you yes first yes if you're an MSP that doesn't use

[00:13:40] contracts if you're an MSP that does things on a handshake if you were an MSP that thinks oh

[00:13:46] we can have an oral agreement because I've known this person for years well here's your future

[00:13:52] this is it folks right here your name will be right over here somewhere okay under defendant

[00:13:59] that's your future if you are relying on an oral agreement no this is not your future if you

[00:14:05] have solid agreements in place it is not your future if you have a master agreement that governs not

[00:14:11] just law of realities of the industry manages expectations about what the customer is going to get

[00:14:19] and what it's not going to get what the services are and what their limitations are if you're

[00:14:24] that type of MSP this is not your future okay your futures looking pretty bright I appreciated how

[00:14:32] detailed Brad was and I wanted to make sure to include as much of his answer it could by the way

[00:14:36] I did edit that a little bit just so you know now why do we care again I'm no lawyer why I wanted to

[00:14:45] get us an analysis and as Adrian commented about a lawsuit we want to understand what's going on

[00:14:51] with lawsuits and that's an important observation for us to understand I want to comment first on a

[00:14:57] chronis I have no expectation that the company did anything wrong here a partner use their software

[00:15:04] the credentials were compromised customer lost data they don't have control over that and

[00:15:09] passwords are the responsibility of someone who isn't them as Brad observed seems the customer here

[00:15:15] is pretty lacking on a basic understanding of it now let's assume for a moment that the case isn't

[00:15:23] thrown out or there were projecting to the refiling of the case the inclusion of this responsibility

[00:15:30] for the software provider as well as the managed services provider does intrigue me I don't think

[00:15:36] this is going to be a case that sets precedence but it's something to watch out for I'm going to keep

[00:15:42] an eye on this case and I will report back look forward to continuing the conversation of that

[00:15:48] remember if you've got questions or comments put them in the chat we're going to do a question

[00:15:54] section later in the show now let's revisit that interview I had with tab of the Smith from the weekend

[00:16:04] I pulled out a particular clip let's roll it now one of the things that's kind of is in an

[00:16:10] interesting problem for most leaders you know in particular it's exacerbated by those of

[00:16:16] some IT because of the amount of change that we're dealing is oftentimes you know leaders in

[00:16:21] in organizations particularly small ones because these ideas of oh I'm going to try this new thing

[00:16:26] I'm going to try this new thing and it becomes a little bit of a flash in the pan or they come

[00:16:30] back from some on-friends and they get excited about it and it is sustainable you know for a leader

[00:16:35] who recognizes the need to shift their management approach like what are those initial steps that

[00:16:41] you recommend to for them to take the will both be successful and also make sure that it they

[00:16:47] retain yeah I think the most important thing is to go back to the fact that businesses are living

[00:16:55] organisms and every business crisis there is a nature they're so let's go back to that fact

[00:17:03] that for every business crisis in the world today nature has an answer and if you look at the growth

[00:17:11] curve at the growth cycles then you're going to put the right solution in at the right time now what

[00:17:16] I mean by that is if you bring back a very creative solution that you want to create more things like

[00:17:24] design thinking human design you know that's a very creative thing you would want to plug that in

[00:17:29] if you're in a mature organization like a cash cow you would want to jump onto the next curve

[00:17:35] so that's the right timing to do design thinking and things like that whereas if you have total

[00:17:41] quality management or your streamlining things and you're becoming more agile and lean six sigma

[00:17:48] you want to do that as you're growing up from birth into growth phases right that's the time

[00:17:54] you want to implement that because you need to scale and so you have to simplify and stabilize

[00:18:00] so putting the right technique at the right time if you go in with something that's here's what

[00:18:06] Southwest did last year at the holiday fiasco they had a CEO that was constantly being more and

[00:18:13] more and more efficient and so he didn't think ahead hey I need to leap on that new curve I need to

[00:18:18] do new technologies they just kept getting more and more lean and then they hired a new CEO that

[00:18:23] was just like him it been there for 30 years and you know had another accounting you know streamlining

[00:18:28] background well there's a place for that and it's would have been in the birth phase and the growth

[00:18:35] phase not in the maturity phase so if you want to implement something that's going to work if you

[00:18:40] want to implement something that's going to be powerful to your clients then make sure and figure

[00:18:44] out where are they in the growth cycle right now and then what you want to be selling is something

[00:18:50] that is just the next step ahead now I really love digging into business thought leaders like

[00:18:57] Tabitha to get some insight so why do we care her big takeaway for me was this idea that businesses

[00:19:05] are organic and thus also ever changing one of the things particularly for those of us managed

[00:19:11] services we spend a ton of time on process and on discipline and standardization and there's

[00:19:17] an implication there that we can get things to a static point where everything will always be fine

[00:19:25] and ultimately that's not actually true on living ever changing organisms and if we view our

[00:19:32] business that way it gives us the perspective to understand that businesses do always change

[00:19:39] and perhaps we want to plan for that continual ever changing and make adjustments based on that

[00:19:45] we understand where we are in our growth process where we might go and what comes next from that

[00:19:52] that for me was a real key insight into Tabitha's perspective and I do encourage you to dive

[00:19:59] into that interview a little bit further reminder we are going to make sure to take questions today

[00:20:04] put them in chat if you've got them will be taking them very shortly now I want to do a story

[00:20:10] roundup stories that I wanted to include on the show particularly for today a recent IDC survey

[00:20:17] with security leaders across 17 countries confirms that the role of CSOs is evolving they're now

[00:20:24] responsible for both cyber security and enabling business initiatives the survey also highlights

[00:20:31] the importance of strategic thinking for CSOs and the expanding nature of their role including legal

[00:20:37] and compliance advisory risk management and customer support the survey also reveals that the priorities

[00:20:44] of CSOs and CIOs are not always aligned when it comes to IT and security according to a report

[00:20:53] commissioned by cloud storage solution wasabi enterprise customers spend nearly half of their

[00:20:58] cloud data storage budgets on fees related operations retrieval transfer egress and analytics

[00:21:06] the other half goes to capacity procurements many respondents exceeded their cloud object storage

[00:21:13] budgets last year and expect spending to increase this year price and billing complexity are the

[00:21:20] top reasons for customer dissatisfaction highlighting the need for better visibility into fees

[00:21:26] and cost optimization etharapics cloud three which is another large language model has

[00:21:32] caused a stir in the AI community by seemingly demonstrating a form of meta cognition during testing

[00:21:40] the model recognized when it was being evaluated and identified an out-of-place sentence

[00:21:46] leading to discussions about the true capacity and capabilities and limitations of language models

[00:21:52] while some are impressed by this level of awareness others attribute it to pattern matching

[00:21:57] alignment data or reinforcement learning through human feedback and I've got interesting data from

[00:22:03] sass alerts they commented on the Russian cyber attack on Microsoft 365 noting that beginning

[00:22:10] on March 7th sass alerts witnessed an increase of over 50 percent above the late February average

[00:22:17] activity on their event types which indicates password spray brute force and non-interactive

[00:22:24] sign-in attacks so why do we care particularly for smaller organizations I want you to consider more

[00:22:32] the idea of the CISO and CIO rolled together as a single role they need to be in alignment

[00:22:39] and particularly as you're smaller they're probably very combined I don't think you can have a

[00:22:45] virtual information officer without a virtual security officer combined with that and it's a

[00:22:51] takeaway that I thought was important from that particular set of research but also wanted to highlight

[00:22:57] the cloud storage cost management is part of the offering that you should consider as you're

[00:23:04] doing vendor management you'll want to make sure that you're helping your customers understand

[00:23:08] where their investments and costs go particularly as it appears only half their spend actually goes

[00:23:13] to the data storage and finally why do we care let's not overread into clause awareness I think

[00:23:20] the model has definitely shown a level of sophistication but it's ability to understand context is one

[00:23:27] of the things we're hoping for out of AI models so it's good news to see it there but I don't think

[00:23:33] it's necessarily anything more than the continued evolutions of a model remember we are taking those

[00:23:39] questions you can still submit anytime in the chat window or submit for next week if you're watching

[00:23:44] the recording sending to question at mspradio.com we'll go ahead and take them live now let's hear our

[00:23:53] first submitted question. Dave I was speaking with an AI service provider who created several

[00:24:02] applications using Microsoft Azure Co-Pilot and open AI for banks and healthcare clients they came

[00:24:09] out of the custom code space should msp's try to partner with these code developers or bringing

[00:24:19] custom or near custom AI projects to their clients. Steve I love the partnership question so

[00:24:27] philosophically I'm going to say I always think solution providers IT services firms need to partner

[00:24:34] on capacity that they don't have whether or not they choose to go with a specialized provider like

[00:24:41] you outlined or leverage something like distribution to get that partnership it's going to be up to them

[00:24:48] it's probably a little easier and more scalable to do it through distribution versus the idea of

[00:24:55] doing it through those intimate relationships. That said the ability to develop one of those

[00:25:02] relationships with like a code generation specialist or an AI specialist house is probably going to

[00:25:08] bring deeper insights and better levels of engagement so it's while more difficult probably the right

[00:25:14] way but the generalized answer is always partner when you don't have capacity your best role as an

[00:25:23] IT services firm is being that conductor to help connect your customers to solutions regardless

[00:25:31] of how it's delivered that is not necessarily mean that you have to do everything yourself but you

[00:25:37] want to be the best referral and answer engine you possibly can. Let's hear our seconds submitted

[00:25:44] question today. Have any advice for msp's on how to up their marketing and sales game using AI tool

[00:25:51] are there any tools or services you recommend looking at? So I don't necessarily recommend tools

[00:25:58] and services specifically because I find that in my role as an analyst and market viewer I'm not

[00:26:03] able to do the good hands on requirements to give you good reviews. Now that said I will tell you a

[00:26:10] couple of principles that I do have around marketing and the way that I think about it the first

[00:26:14] thing I'm going to tell anyone in this space is having a marketing system of any kind and putting

[00:26:20] discipline around it is going to beat no system every day of the week and in fact you need to

[00:26:27] recognize that you're doing a system of marketing activities over a period of time not specific

[00:26:35] single marketing tactics. So from a tools perspective they're actually far less important than

[00:26:42] making sure that you're leveraging marketing over time consistently. I'm going to tell you that

[00:26:48] you're going to look for things that help you systemize that that use content in multiple different

[00:26:56] ways as efficiently as possible and that are going to help you reach a specific target audience

[00:27:02] that you've identified. Remember that if you're identifying a marketing target of anyone with money

[00:27:08] you are far too broad and that you need to be much more specific about the people that you are

[00:27:13] targeting as you think about your marketing strategies. We have a third submitted question let's hear

[00:27:20] where have any simple easy to use customer service tools for small MSPs to deflect tickets.

[00:27:27] So it's interesting again I don't make tool recommendations but I do want to get at the core of

[00:27:32] this question think about the idea of deflecting tickets that's not necessarily what I'm going to

[00:27:39] advise anyone in this space first off I'm going to give you two thoughts tickets are an awkward

[00:27:47] construct put together by providers which you want to deliver is service you generally use tickets

[00:27:54] to do it but the more you can insulate your customers from that the better you're going to do.

[00:28:01] And second I'm going to dissuade you from the idea of deflecting tickets remember you actually

[00:28:07] want to engage your customers as much as possible every opportunity to engage them answer their

[00:28:13] questions and solve their problems is a good thing for you to have that touch point now we know

[00:28:20] is good service providers we want to reduce the number of issues that our customers are seeing

[00:28:26] but note that's different than the number of communications we have so we want to make sure that

[00:28:31] we're not doing things to deflect tickets we're trying to minimize the number of incoming broken

[00:28:37] service requests versus deflecting their conversations so I will say these are great questions

[00:28:45] I want to recognize that that Brad that Adrian also recognizes that Brad the lawyer has great

[00:28:51] insights I too think very highly of Brad and I wanted to make sure that we had him on the show

[00:28:57] in order to give us particular insights there and I really did appreciate both his insights

[00:29:02] and you listening got any other questions put them in chat I am going to be here taking those

[00:29:08] questions today and I want to make sure that I answer all of them now we're going to go ahead

[00:29:15] and as we do that I want to highlight our upcoming interview I want to highlight Mike Semmel who examines

[00:29:22] the change to CMMC 2.0 and its potential costs to MSPs here's a preview of that interview

[00:29:31] CMMC is going to affect about 300,000 defense contractors and they're saying these are government

[00:29:40] estimates not my guesses that roughly half of them are going to be at level one and that means

[00:29:48] that they don't have what's called controlled unclassified information CUI in CMMC or in the

[00:29:56] defense world is the equivalent of like PHI protected health information and health care PII or

[00:30:02] suddenly identifiable information that's covered under other laws so half of the defense contractors

[00:30:09] don't have them so think of somebody mowing the lawn at an Air Force Base and they're an outside

[00:30:14] contractor they're not going to have that kind of sensitive information or if they're sweeping the

[00:30:18] floors or whatever so roughly half of the contractors in the defense contracting industry

[00:30:26] Mike always brings these A-game in terms of insights that interview will be coming out on the main

[00:30:34] podcast feed and YouTube channel on the weekend but a reminder my Patreon supporters already have

[00:30:40] this video and you can get this all my interview content early as a supporter if you visit patreon.com

[00:30:48] slash MSP radio you can sign up and support the show directly and get this content and vendors remember

[00:30:56] you can support the show too I have this new option we can put your logo here right on screen and get

[00:31:02] a shout out on every live show it's a simple monthly subscription you can visit patreon.com slash MSP

[00:31:09] radio for more information and remember listeners you too can support the show it's super easy like share

[00:31:16] and follow on your favorite platforms if you make sure to support the show by telling everyone

[00:31:23] what great coverage and information you're getting from the business of tech remember you can

[00:31:29] support directly with our give what you want model at patreon.com slash MSP radio and if you have

[00:31:36] a question make sure to send it in at question at mspradio.com we answer those questions every week

[00:31:44] when this show is live the shows come out available on the podcast feed on Saturday so that if you

[00:31:50] missed it in the live show you can catch it on the replay I do appreciate everyone to join me

[00:31:55] today live look forward to talking to you again next week have a great rest of your day

[00:32:20] you