We have all configured email automation at some point, and we often use systems and tools that automate email notifications with actions or instructions. With that being said, how often do we check in on the recipient as to whether or not the action and instructions are being followed? Listen to Charles Love of ShowTech Solutions share his experience and resolution when it comes to email automation as it pertains to security awareness training.
[00:00:04] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone. Welcome everybody to another episode of MSP 1337. I'm joined this week by none other than Charles Love of ShowTech Solutions. Charles, welcome to the show.
[00:00:31] Thanks Chris, appreciate being here. It's I think one can argue that we might need to have some badging for when I have Charles on because the cadence, I think while somewhat random tends to be about once
[00:00:45] a month. So maybe we need to have it. We could just have like the music factory as the logo. So it's CNC. There you go. So you brought up a good idea for topic today. I think the best way to describe it is,
[00:01:02] are we sending too many emails and whether we're sending too many or not? How do we know if they're being read? And if they are, are not being read, is the action that we're expecting of them being taken. So too many emails, not enough emails,
[00:01:19] I'll figure out a label for it. But I don't know. I just what you shared with me kind of made me pause in my tracks a little bit. Yeah, it's almost like automation isn't always the answer.
[00:01:31] Right? There's got to be a human behind it, right? So I'll kind of explain to everybody. What I have uncovered as I've, as my role has been changing here at ShowTech,
[00:01:46] I'm getting out of the day to day, let's call it the weeds. And I'm really starting to focus back on the operational side of the company, making sure that the things that we do, we're doing them the right way. Right? It makes sense. Yeah. All the process.
[00:02:05] Yeah, yeah. So I'm trying to revamp our processes, our procedures, try to figure out my favorite line is, you know, did the person fail the process or did the process fail the person. So what I'm really focusing on that and this month's focus has been our security awareness system.
[00:02:23] I've kind of been living in a false sense of reality with our security awareness system because in my brain, it sends out an email every month and it goes, hey, Chris, you have not taken
[00:02:41] your assigned course. So in my brain, I just assume you would do it. Right? And when you don't do it, you get a message next month. Hey, Chris, this course is still pending and then every month after that.
[00:02:57] What also? This is to multiply them too if I have then the following month, they don't take that training. Now I'm getting two emails a month for two not taking courses.
[00:03:05] Well, so we, so our system, it's a little bit different. So we do one yearly training. It's about an hour long and it's broken into six sections and they can do them over a short amount of time.
[00:03:17] And then we also send out 52 two minute videos. Right? We call them security shorts. Those are more ancillary like, you know, don't buy gift cards at Walmart for, you know, your friend, you know, that stuff. That's, you just met online. Yeah, yeah. And I always laugh
[00:03:38] when I'm at the register because like, I was at Walmart yesterday there's a big sign. It says, do not buy gift cards for people you do not physically know and it's such physically. So that kind of
[00:03:48] made me laugh. Right? Because that's what people do. They buy gift cards because their boss. And then, of course, they always tell you like, make sure that you walk to Best Buy to get the
[00:03:59] gift card. Like, I always wondered like, oh, my mom shared that with me. I'm like, I wonder why they suggested that you walk there? Like, why would you not drive there? And then I got thinking like,
[00:04:09] they're not just profiling her from a, you know, vulnerability, vulnerable state of, you know, being, you know, what is it called? Uh, gullible. But they also have age profile and said, well, probably can't drive anymore. I get that I figured out they live in a big city like
[00:04:30] they're in an urban area like Best Buy or some of those box stores might be relatively close. So I started processing it. Okay. Maybe this does make sense a little more than I originally
[00:04:39] gave it credit. But yeah, it's crazy. Yeah. People are willing to do that they think they are under authority from someone they trust to go and buy gift cards because that seems like a logical
[00:04:49] thing to do. The amount of people who fall for it is just it's sad. But that's a, I give it. But it's always, but it's always gift cards that are like can be used almost anywhere, right? Like
[00:05:02] it's not like, hey, could you go get me three fifty-dollar gift cards for Red Lobster? Like, that's not the kind of gift cards you're asking to get. Yeah, yeah, it's like Amazon. It's,
[00:05:11] you know, one of the cards. Yeah. Yeah, exactly. So go back to the thing. Yeah. So in my brain, if the employees are getting the notices and we have the liaison at every customer,
[00:05:24] it could be the office manager, could be CEO, kind of depends on the customer. As we're talking about before, this is the primary point of contact for that client. They're like, yes, in CompTIA world we call them the yes record. Yeah, absolutely. So the system
[00:05:40] tattles on all the employees. It's a, Charles and Chris have not taken their test yet. Right. I haven't taken the course. So in my brain, that's enough, right? And I have learned that that is
[00:05:52] completely incorrect. So what we have started to do, we started this a couple of weeks ago, is every month. We're now starting to reach out through email, to set up a call because we try
[00:06:05] to have monthly quarterly cadence calls or customers. They still want it. Right. So we, we try to do what we can do. But what I've done is I've built the process and for the account management team
[00:06:18] to eyeball these reports. And depending upon how the account manager team feels, it's best to work with that customer, you know, some prefer text, some prefer teams, some prefer phone calls, some prefer email. And the account manager knows all that stuff. Right. But as a part of the
[00:06:37] security awareness package that we offer, we're now extending a human eyeball, calling it to human eyeball. And that's for somebody to be able to call our yes person or liaison or whatever. It would
[00:06:53] be like, hey, just you know, or contact, right? Because it depends on how the customer wants to be contacted. But I want to record that Tracy reached out in July because Charles and Chris have not
[00:07:05] taken their test. And this is my call absolutely. And I've armed him with a little thing that says, hey, most cyber insurance requires, you know, carriers require you to have security awareness
[00:07:20] training. God forbid you have a breach. Right. This is an exclusion criteria. Right. So we want to make sure that you guys are covered. I, we can't make your employees do this test. You have to do it.
[00:07:36] HR may need to get involved with CEO may need to say, hey, do this rouse, right? Because the current way is broken. So we're not being followed. So this is where people are failing the process to
[00:07:51] your point, right? So this, this reminds me, I don't know if you remember back in the day when we started really diving into breakage. And I don't know if you remember when we went to wheelhouse,
[00:08:02] one of the clients wanted a help desk view that showed when they wanted to have their own view of like a correlation of when help desk tickets started to open at a high frequency rate on any given
[00:08:13] day against closed rate. And you know, it took us a while to understand what they were really looking for, which was, do we have a problem on our end that we have put on you because of the way
[00:08:23] tickets are being opened that make it near impossible to solve? I feel like you mentioned like, okay, now I'm going to send you another email to somebody at this client organization to help
[00:08:35] solve this people failing a process. And yet we're still using what one could argue is the most clunky burdensome form of communication because we have to filter constantly the noise from,
[00:08:52] you know, I mean, I'll look at it focused here in box. It's like dude, why don't I need focus on my inbox? It should only be getting stuff in my inbox that's relevant that I should
[00:09:00] be reading, right? And yet quite the opposite is true. So that's what made me think of like you almost think like if there was a dashboard that they could have bookmarked on their computer
[00:09:12] that hey, on Monday, the task that you have is to just go check your dashboard that shows you where your staff is at because you're basically giving them visibility to their risk profile for things like, you know, potentially compromising on what they agreed to with their cyber insurance.
[00:09:31] Yeah and so far the feedback has been amazing and it's like, oh my god, thank you. I just, I didn't know how to, somebody literally said, I didn't know what the hell the email was that
[00:09:44] you guys kept sending. And I'm like, well, it's the tattletale report, but they didn't have the context to understand it. So going forward, I have a feeling as the months progress.
[00:09:57] Sure. These calls are not gonna need to happen because everybody will be caught up or at least now they'll understand the context. Right. You may even get the questions of like, hey, are you sure this is all we should be doing? Like, this is absolutely.
[00:10:13] So so I also think that and I was I think I was telling you this earlier about my experience of having my own security training that I'm supposed to go through and it started with, you know,
[00:10:22] the title being a high-criticism, a training course waiting for you. Okay, how long is it going to wait? Yeah, lo and behold, I found out it only waits for two weeks before it expires,
[00:10:33] but the way it's written is it says that you've been invited to take part in like, oh, like, I'm special like VIP, but what if I don't care or don't want to do it, it didn't come across to
[00:10:45] me as something that I have to do, doesn't tell me why I have to do it. In order to give me any context as to why this should be important to me. And I think that kind of goes back to your point of like
[00:10:54] not even really clearly understanding the point of the email for what they were supposed to do with it, automated or not, really had nothing to do with you. It just wasn't an assumption that they should
[00:11:05] recognize this email came from ShowTech and they should follow its instructions. Absolutely. And it does work, right? And I get it everyone's like, oh security, we're just training. No,
[00:11:19] but it does work. Right. So let me tell you kind of a fun story. We have a brand new employee here like new to the industry, just graduated college, right? Like super new, right? Eager ready to go.
[00:11:32] Is it one of your children? No, no, no, it's not. Okay. So it's not that old. No, no, no, or talking like, I don't know, 20 something like low 20s. But this is officially her first
[00:11:46] real job, right? Because she got graduating college and she walks into my office the other day and she shows me her phone. And it says from, and it has, you know, hey, this is our CEO's name,
[00:12:03] Carrie. Hey, it's Carrie. Do you have time to talk to something I want to talk to you about? And she walks up to me and she goes, this is smishing, right? And I like, I kind of like stared at her
[00:12:16] because I was kind of shocked. I'm like, how do you know what smishing is? Like it didn't even dawn on. It's now a freshman orientation in college? No, she goes, the, she literally says to me,
[00:12:30] remember I took your security awareness training and there's a whole section on tech people faking text and they call it smishing. So this is smishing, right? And I was like, well, yeah,
[00:12:45] it is. And I was like so taken aback that the brand new person to the business world who has taken the test and passed can now identify a threat coming to her company issued cell phone.
[00:13:02] Right? And I was like, like, I had a proud papa moment there, right? Like it's working. I'm like, oh my gosh, it's actually working. It worked with her, right? With her. And I think
[00:13:16] there's something to extract from that. That's I think part of the challenge that we have, you know, you and I've been doing this more than a couple years since college. And if we look at
[00:13:25] the patterns that we have had to adapt to that were part of our corporate work experience, you know, email and texting and the Slack and the Teams tools that, you know, when you and I
[00:13:39] were at on tangled, we didn't have all of those things. Like we had very containerized communication paths that were limited to those tools. We didn't have APIs connecting all the stuff together,
[00:13:52] you know, stuff to send, show up on your cell phone just because and a lot of the stuff didn't have mobile versions of it makes me wonder if I looked at it through the lens of all of us taking
[00:14:02] the training through all of us respond the same way given that, you know, we've become desensitized to a lot of that stuff because the training largely hasn't changed. The training has largely been like watch out for these things. I like your example of Walmart and saying, you know,
[00:14:20] the physical, like, unless you know this person, like 10 years ago, you'd have been like, what are you talking about? Like physical person, like we're talking about a gift card. Like I only give out gift cards like Christmas time to my staff, right? Like it hadn't been experienced
[00:14:36] on a broad scale where lots of people had been impacted by it. So the context for a lot of these warning systems without context until it happens, you've got no, just kind of ignore it or you're,
[00:14:48] I don't know, I just, I always look at them like, oh, this is another simulation, delete. Yeah, and you know, going back to the it's working. I mean, it worked this one time.
[00:15:01] So the, the idea here is we need to, we need to keep on that, keep on that cadence, keep the information coming fresh because just because you took the test doesn't mean you're not going to fall for something down the right way. Definitely it's more of a continual
[00:15:17] a continual thing, but what this employee doesn't know is we have our first Friday meeting coming up and she's going to get a thing. I don't know what the thing is. Maybe like a stack of Amazon gift cards for $5 a piece. Yeah, I'm probably going to print
[00:15:34] something like on my printer, on my 3D printer just as a, as like an award or something, right? Like I don't know like a spy glass or something like that. You caught it. Something to make a big deal about it
[00:15:48] because man we tell you now when she talks to customers, she's on the sales team. She's like, let me tell you about her security awareness training. I'm, I'm new to the industry and I was able
[00:15:58] to identify like she has a real world story. Yeah, I like the spy glass idea. Yeah, but nobody wants to hear speeds and feeds, right? They want to hear real world stories. So she, she has a perfect story
[00:16:13] to tell and you know, we don't really sell security awareness is kind of part of our package now, but it all shows to the value of what we bring to the customer. And I think that's a pretty cool story
[00:16:27] and the takeaway, I would want other MSPs to kind of take from this, the session that we're talking about is if you're thinking and this is, this was news to us, if you're thinking that your customers
[00:16:44] are reading and understanding the automated messages that they're getting, you may want to think again. I would recommend you analyze your security awareness structure, how you report to them who hasn't taken the test and maybe build it into your account management team, give them some
[00:17:03] responsibility here to be like to help not, you know, account management, customer success, whatever you want to call it. Because what happens? God forbid that customer does have a breach. They've been paying you for that security awareness offer for five years, but you did nothing to ensure
[00:17:22] that they were actually doing the thing. Right. And there's a responsibility matrix here, right, that doesn't truly fall in its entirety on ShowTech. But I think there's something really interesting that comes along with this and it was kind of something that I've been thinking
[00:17:37] about as we've been going through our conversation and that's the broader picture. So we've been talking largely about security awareness training in that whole automated process, but like if we blow this up a little bit and go further out and we start looking at account management or billing
[00:17:58] and HR and hey, we're onboarding new employees and you're sending them directions for what needs to happen for that user to get their account set up and certain things along those lines.
[00:18:09] The certain makes me, it starts to make me think about, well what if that were to get impersonated? Like how are we educating them on things like, you know, hey, you hired a new employee and you got
[00:18:19] the email like, well, did you hire an employee? But because we've been so entrenched with using email or that communication, I almost wonder as the giant, or the elephant in the room,
[00:18:34] become something that we need to start trying to push the elephant out of the room and change up how we're doing these communications with our clients. And forcing the conversation to happen, right? Because as far as I'm concerned, if you're not going to take like, your security
[00:18:53] awareness, if you're not going to take it seriously and you're not going to mandate your employees to do that, why have it? Why is it for it? Or even if I'm giving it away, I'm just going
[00:19:04] to turn it off? Well, it's the whole insurance question, right? And you know, we were talking about this earlier on our other call. The secure outcomes call and I brought up, you know, the cyber hygiene
[00:19:15] that clients should be expecting their MSPs to deliver on. And I think this kind of goes into that, but there's a caveat if the client doesn't take ownership and hold the MSP accountable on the
[00:19:28] things that they should be getting, well what about the other direction? Right? Shouldn't, I mean, the reason that you're in the room is because you provide them with services that they can't
[00:19:38] do on their own. So why would you not take the responsibility to ensure that they're getting done? Absolutely. I mean, I'd almost say stop right there, but so what other forms of communication are
[00:19:51] you, so you mentioned we touched on it a little bit. Obviously now you're doing a human directed email to a client contact as opposed to the automated system kicking out the noise maybe. Well, it's still going to kick out the noise and stuff, but this is
[00:20:11] it's kind of like a forced touch for our, right, account team to be able to, you know, hey, I wanted to see if you have any questions on that email you got, right? Like this one's kind of important.
[00:20:22] I don't care if they don't look at the, whatever part we send them, right? But when it comes to something that that is an exclusion criteria for their insurance. Sure. I think that's something
[00:20:35] that as ShowTech, we were taking a little more stricter stance on than we have in the past. So to somebody's saying this is like a risk profile and if you as the MSP looked at your client portfolio
[00:20:48] and let's just say you're per of us say hypothetically you were doing this security awareness training all of your clients. Where are your, you know, risks, right? Okay. So we've got, you know, we're
[00:20:59] seeing 30% across the board. Well that's not a good percentage like we gotta get this up to like at least 80% success rate to start feeling good that you are protecting yourself, right? Like,
[00:21:09] I mean there's things that they could do that would involve like, yeah, we're not going to get paid by that client because they thought it was ShowTech and they cut them the quarter of the
[00:21:16] million dollar check and even though they still owe us money, we're not getting it anytime soon. Well I can see the headline now, right? A customer sues MSP because they feel MSP failed
[00:21:31] to mandate them take their tests. Yeah. Like yep. Like I could but I have documentation. We have sent it to you every month. We have sent it to the employees. It's all recorded. But I just,
[00:21:42] I want to try to avoid a potential issue and I get it. I know the security awareness training isn't going to stop the attack. And dare I say this is a checkbox with the insurance, but if it
[00:21:54] helps one person one time, I mean that's a win in my book. Yeah, and I think we have to remember that one directional one-sided communication is not communication. That's just a bulletin board.
[00:22:07] That's just an FYI. It's, it's, it can become noise very quickly. So to your touch point, you're forcing them to engage back with you on what is or isn't working. Like I could see
[00:22:21] scenarios where it's like, oh, maybe we need to adjust the subject line on an email. Maybe it was just too close to something else they get that they've been ignoring for months or their previous
[00:22:30] MSP's awareness training happens to me. The exact same thing, no one bothered to change the I think there's plenty of scenarios that come to mind of like we failed them out of the box
[00:22:41] on expectations without even thinking about it because we were so used to this is the process. Like this onboarded the client kicked off the learning path and I mean, we've seen it. Like
[00:22:54] and this is no slam on any of the platforms that are out there. But you know, like one of the things that if I was onboarding you with cyberhood platform, one of the first things I have as an option
[00:23:04] is a checkbox that says for every employee that gets added to this platform, they automatically get enrolled in their learning series and I never have to interact with it. Does this employee remotely know why they're getting this email? Yeah. I mean, where's that engagement? I think
[00:23:19] to your point like the conversation with that point of contact, your champion, the yes person from where I'm sitting, I would think that that onboarding process with that individual has a lot more at stake having what you've shared with me about the maybe the
[00:23:39] emails aren't getting checked. The emails are being ignored and the one person that can change all of that did not get that sort of like by the way, these are your burdens of responsibility as
[00:23:50] part of this new arrangement that you have with ShowTech. It's not just because we call you when we're not getting paid or you call us when someone, when the printer's not working, like you should also
[00:24:02] be calling us when you're like, hey, I got four employees that still haven't done any of their training and I'm not sure exactly what to do. These are good employees. Let's take a look and see what's
[00:24:11] being missed. Why are they not doing it? Maybe it's something that has nothing to do with, you know, insubordination. It's like, oh, I'm not getting any emails. Well, says you are. Yeah. Here's my inbox. I've never gotten these emails before and I actually had that happen with
[00:24:25] something else doing with ConnectWise for some reason every time the email would come, it never made it to my inbox ever. They had a typo, a typo in my email address. Yeah.
[00:24:37] So well, I think we've buried this one. I think the thing that I'm hearing is that we've got to do better and stop taking the communications that we send out to our clients and just assume that
[00:24:53] they work because no one has said anything. Yep. 100%. So are you seeing that? I know you executed this with, are you executing this with all clients all at once as part of your process?
[00:25:06] Or like, was it one client that pointed out to you like, this isn't working? How did it? How did that come about? I don't know that we covered that well. So here's what I uncovered. A customer had a
[00:25:20] B word, right? Had a breach where they fell for an attack. Okay. And speaking with the owner, I'm like, he goes, hey, the owner literally said, hey, I wonder when did he take his test?
[00:25:37] Like, what did he take his security awareness? He goes, I know it's not like the thing. I'm just just curious when this employee took their security awareness training because I want to ask him about it.
[00:25:47] And I was like, you know, I don't know. I will have to look and he had. So that employee has been around a couple years and they only became a customer of ours several months ago, but
[00:26:04] on the customer side too, they realized that I had sent him an email that says, hey, make sure you tell your customers this and I gave him a blurb. We had part of what ShowTech for security
[00:26:14] awareness training, you know. And they never sent that. So they actually never told their employees to do the thing. Okay. So it's kind of a, it's kind of a bit of our fault for not like pushing
[00:26:26] the agenda and it's a bit of their fault for not again pushing the agenda. Let's put it this way. That CEO sent out an email and said, everybody will have their security awareness training done by Friday
[00:26:40] or else you get to meet with me being the CEO. Right. It goes back to when you and I jumped, you know, the free lunch for Charles is never a good thing. Right. Right. I've literally
[00:26:52] got a good thing. Where are we going? That's not important. What's important is that your lunch is free. What comes with it? That's what you should be worried about. Yeah, I mean, I can't make the employees.
[00:27:02] I can't touch their mouse, right for them. No, next to be awkward and uncomfortable and probably in a conversation with HR. Yeah. Totally. But if, if they're not being told by their team to do the
[00:27:15] thing, they're not going to do the thing. They're busy. They got things to do, right? They got their customers to serve. Nobody wants to take an hour long security test. Right. But we have to.
[00:27:26] Well, I think this comes back to priorities and I think that if the organization doesn't have a culture and a strategy that aligns with the governance of the company, then the things that are, quote, not articulated as core to the organization's success will either get ignored
[00:27:46] or they will just, you know, intentionally, you know, fail to do them because they prioritize other things in front of it. Yep. Absolutely. Right. I think that if it was me and I was, I was
[00:28:01] looking at if I was a client to an MSP today and I had some of these things that I know now. One of the things that I would want to have in place immediately is that there's an hour that's
[00:28:11] probably broken out into two 30 minutes sections somewhere in the morning and somewhere near end of day that says, these are the things I want you to prioritize to do during that window.
[00:28:22] I know there's other things that will get in the way. I know things happen and obviously there's but if they don't intentionally start adding, I think it's crazy. I would say ludicrous but I
[00:28:32] feel like I've subbed that too many times. To say that, you know, employees should have to do education outside of work hours. Like if you want them to be better employees, you have to give them windows
[00:28:45] to earn or to pursue some of that learning that just can't just happen outside of working hours. Yeah. So should employees do things outside of working hours? Yes, fine, but I think you have to prioritize even during the normal work day to do some of that.
[00:29:02] Yeah, yeah and I mean our training is split up into like six chunks at about 10 minutes each. Yeah. So in theory, you can get it done on a couple days or just hammer through it in one hour.
[00:29:14] It makes me think though that because of that there should be if you started to think about this on the perspective of more frequent cadence. So like your 10 minute videos, if you were to
[00:29:26] stretch those out, you could say that that's going to be over a six week period of time, right? You know, six 10 minute courses, right? So no, we're six weeks in. So what if you had 10
[00:29:37] minute courses, you know, basically all 52 weeks or roughly 50 of the weeks of the year, you are creating a habit. Once a year I think it's hard having employees remember in 11 months I'm going to have to do this six 10 minute courses again. Sure.
[00:29:53] Yeah, and I think that's part of the change we're seeing, right? The demand for what you're providing is increasing. So the cadence and those other pieces I think are just a natural
[00:30:04] byproduct of, hey, we have to do this more often than once a year. And that's not due to drive. It's the client to recognize the importance of doing it just like your employee pointing out, hey, smishing. Like, as a minute long enough, you know, depending on how long,
[00:30:21] you know, she's been with the company, would she to miss it because it's not a habitual process that happens on a frequency that keeps putting it back in front of her? Well, and it also goes back
[00:30:32] to how, how do I normally communicate with this person? Sure. So Carrie doesn't text, right, he uses Teams. So it didn't come through Teams. It didn't have his caller ID and that's
[00:30:45] some crazy name. Like it's just there were so many red flags. Right. So but you know, and that's a good one to point out. And I think the secondary would be, you know, how well are you or how well
[00:30:58] are we communicating like, hey, the habit of Charles communicating with staff is not through, fill in the blank. I will always use these mechanisms to avoid it being not me. Yep, for sure. Yeah. Wow. So um, overload of email communication, obviously was one. The
[00:31:19] second piece was making sure that you're checking in with the client to make sure that the emails that are being sent in an automated fashion are in fact being read and actions are being taken. And the third one is don't assume that what the client has signed up for
[00:31:33] and the execution is going to happen unless it's been clearly articulated, what the action items are to the point of contact to kick those things off. Did I miss any?
[00:31:45] No, I think that's it. I think it's good. It's good. Well, there you go. If you've been paying attention, hopefully you got something out of this. This has been an episode of MSP 1337. Thanks. Have a great week.

