Parting ways with a client or prospect
MSP 1337 | March 12, 2024
18
00:29:39 | 40.73 MB


As an MSP, many decisions go into taking on a new client or getting rid of an existing one. I sit down with Charles Love of Showtech Solutions to discuss when the decisions are tied to cybersecurity and where one should consider drawing a line in the sand.


[00:00:00] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.

[00:00:17] Welcome everybody to another episode of MSP 1337. This week we are talking about the MSP client deal breakers inside of security, so this could be with an existing client or with a prospect, but it's the "where do we draw the line," and I'm joined this week by Charles Love of Showtech Solutions. Charles, welcome back.

[00:00:43] Thanks, Chris, appreciate it.

[00:01:13] I'm sure there's something every week if you wanted to so as you know, I with the trust work and some of the other stuff that I've been engaged in over the years, I have a tendency to be put in front of more than a few MSPs in a given week.

[00:01:28] And I started listening to the dialogue surrounding working through a framework trying to align with safeguards maybe they're doing even talking about the new CSF 2.0 that came out from NIST but what was interesting is,

[00:01:41] I had this happen now a couple times in the last two weeks where the MSP said, "And I could never do that with my client, I would never be able to implement that level of security with my client."

[00:01:55] And so this is getting into that area of what I, you know in my having been out of it for six years now going these should be deal breakers in my head.

[00:02:04] And I'm not saying I'd say it's a it should be for you because I'm not an MSP anymore and I understand the financial decisions and some of the other stuff that goes into prospects and existing clients when we look at security and go how do we, how do we adapt?

[00:02:20] How do we appropriately put the right security measures in place and in order to protect ourselves and our clients that have entrusted us with protecting them.

[00:02:28] And the one that came to mind was a local admin rights on end user client machines and it was funny because this particular MSP has finished implementing that internally and still believes that they'll never be able to pull this off with most of their clients.

[00:02:45] And so I just thought I would start with that one kind of get your thoughts and kind of walk through, you know what are some of the challenges with this that you guys deal with on a daily basis when working with existing and prospective clients.

[00:02:58] Yeah and times have changed obviously right.

[00:03:03] The conversation a bunch of years ago was nobody's ever going to pay for email in the cloud.

[00:03:10] That is the dumbest thing I've ever heard right and like back then, like even I'm talking pre bee pass like pre like you're talking like Google and some of those it just kind of started launching.

[00:03:23] Even the Hotmail was like, you're getting it via, you know, POP3.

[00:03:28] Yeah but back then everybody had a server that they can smell touch and there it was.

[00:03:33] And that's yeah and that was probably 15 years or so before we were starting to have these conversations back when facial hair was not white.

[00:03:45] Yeah exactly and but it has changed because now the conversation is nobody's ever going to want to have email in their building right.

[00:03:54] It's the same conversation just replaced a word in their building with the cloud as as the industry and as companies mature things change right things change.

[00:04:07] The days of old where I want to see it, touch and smell it.

[00:04:12] It's still there a little bit but that is the exception not the norm.

[00:04:20] Admin access is kind of a slippery slope, right? So we use a PAM solution just to kind of address that, where the, if a customer comes to me and says, hey, if we're going to do business together,

[00:04:35] I need admin access to all my PCs. I want to say well it sounds like we're not doing business together right but in a much nicer way but I go but let me tell you how we do it.

[00:04:48] You don't explain how the PAM solution works or if you try to do something.

[00:04:53] You know it'll buzz our phones and then we can say yay or nay on our phone.

[00:05:00] And we tell them you know hey most of our most of those things are handled within 60 seconds right.

[00:05:07] But I mean, let's clarify that. You're talking about, like, when you say PAM you're not talking about, like, your accountant, you're talking about privileged access management.

[00:05:16] Yeah, so like, we use a tool, we call it a PAM solution, but we use a tool where we remove everybody's admin access.

[00:05:22] But if they need to run something at an admin level it they get a little window that says hey you sure you want to do this.

[00:05:30] It's like that's their first window so they say yes I'm sure I want to do this and then my whole team gets a buzz on their phone that says hey Chris Johnson is trying to run Winamp as an administrator.

[00:05:41] Yeah, and I'm going to look at that and go, Winamp? Why is he running Winamp?

[00:05:46] And it's going to do one of two things like you need to say approve deny or let it sit and it'll create a ticket for us and then we'll call that user.

[00:05:55] I'll be like, Chris, it's 2024, why you running Winamp, right? Like.

[00:06:00] When does my Windows machine, they took away iTunes. Yeah, no, but like, but that's a thing, and I would say honestly, because we have a dashboard that tells me this, but.

[00:06:09] Like, it's almost like 90% of our things are handled within an eight-minute window, right, which is our timer. So the way I explain that back to the customer, I said, think about this: old school ways, we remove your access, every time you want to do something you have to pick up a phone.

[00:06:27] You got to call, you have to explain the story, we got to validate you. That's a five, ten minute procedure versus me going,

[00:06:34] Well, Chris is trying to install Adobe and it looks like it's coming from Adobe, okay.

[00:06:39] So this was a I mean so this is I want to say we jumped ahead on what was in my head but that's what happened so but to your point if we went back ten years Pam solutions were non existing to it like.

[00:06:54] And installing software on an endpoint with privileged access being a requirement there was a lot of power user modes happening because you know admin rights I mean it would have been you had a lot of tickets going for every time an application did an update.

[00:07:09] Fill in the blank it was yes it was painful and I think to some degree we probably still have a world of clients that still believe that that would happen if we took some of those privileges away just because of.

[00:07:22] Still the brain is still ten years back in time because unless someone's come in and educated them on what's available today that may be it wouldn't have any other awareness around a lot of those tools it's not like you see them on you know next to.

[00:07:39] Fill in the blank draw that's made the, you know, the 30 second who do advertisement. We don't, it's not like it's in our feed. These are not things that we see outside of an MSP bringing it to us, for sure. But what I'm trying to draw a parallel to here is that's today, that's 2024. Yep, the conversation is far easier now.

[00:07:59] Because I can show them, right? I've had the customer who says I want to have admin access, so I'm like, no you don't. Do you have cyber insurance? Yes. Well then you can have it, that's my.

[00:08:08] I love it I love that you.

[00:08:10] You have you yeah there's not a cyber insurance plan in the universe that says you could be a local admin right so technology has helped with the issue which is awesome right before five ten years ago all right right here

[00:08:27] signed a speech paper that says if you screw it up it's on you, but then I'd have to prove you screwed it up. So the conversation's a little easier. So if a customer says I want to have admin access, we kind of dance around it by saying, well, you kind of have it, sure, it's just, I like to call it a two-key system. So yeah, they are key number one and we are key number two.

[00:08:48] And when we all know that you generally go through some steps like break glass before you decide to turn the keys for the launch code to take effect right like this is something that you threw.

[00:08:59] The knee jerk reaction I know we've talked about this before of like why do we put the banner on the top of an email that says this is from an external source or you know like the warning signs right and it's like well that I'm at a stoplight I won't be able to click on the link if the link is there I won't be able to do it and it's like yes but if you have to read the banner

[00:09:17] maybe you will just take one more second to go wait a second this was not from my HR department this was from somebody.

[00:09:26] Exactly so so this makes me think of another question that kind of goes hand in hand you're talking about the easier how it's become easier to have the conversation but it makes me think about the vendors that we all have worked with over the years and the challenges there so like for example letting a client know that they they need

[00:09:44] fill in the blank I'll use an easy one like maybe they need to do it's it's and it's an added cost right like and you're talking to the client about how they need to implement this tool for MFA because let's just say that the vendor still doesn't support it.

[00:09:59] Getting that question that says well why can't why isn't this provided to me by the on the blank vendor we could go back to the Microsoft days when we didn't have MFA as an option through Microsoft right like that wasn't always a thing.

[00:10:13] How do you handle on you handle those types of conversations? Because I feel like sometimes that's a more difficult bridge to cross than it is to, you, like, why do I need a third-party backup solution, doesn't Microsoft back my data up?

[00:10:27] Yeah, that's the big one that we have to answer all the time, right? Yeah, but a lot of it's unique to the situation, right.

[00:10:36] A lot of people on the MFA thing are like, well, when I go to Office 365.

[00:10:41] It pops me a code or I have to type something, right? But a lot of people don't realize that that has nothing to do with Windows, right? I am still amazed that we're in 24 and Microsoft.

[00:10:54] Kind of has figured it out but hasn't come up with the Duo killer, right? Sure, I love Duo, don't get me wrong, we use it, we sell it, all that good stuff. I.

[00:11:04] I log in every day and I approve my Duo, right? Right, so, but Microsoft came out with the.

[00:11:11] A light version where you use a PIN. It's not the same, it checks a box, but let's cover that for a second, because there's a unique element to Duo that we've seen with other, like, apps, so this isn't just Duo has it, but the push notification to approve or reject, right, like that's what.

[00:11:33] One of the biggest like yes it's me trying to log in no it's not we haven't gotten that far I don't believe with with the Microsoft not yet not yet and then to your point that's kind of in some respects that's only a partial killer to the application.

[00:11:51] I can show things like, no, you do not meet the, and we're seeing this from other vendors. I don't know if you saw the 1Password Okta.

[00:12:00] They've got a new thing together where I think 1Password actually just recently acquired Okta and that's getting incorporated into do 1Password with device level security, so like, we're seeing other players. Like, so back to your point here with Microsoft, like, what we're talking about is, like, why haven't they created the killer, and maybe it's.

[00:12:20] And obvious because they're doing a great job why why invest resources there when I can just say not my problem right now.

[00:12:29] Yeah and you know it's companies kind of like it's always funny like Google has always been like ahead of the industry right they've they've seen that pixel it came out after the week.

[00:12:40] Yeah, but they've, Google forced two-factor and passwordless years, years ago, right? We're in March of 2024 and Microsoft has finally said, okay.

[00:12:53] Maybe you're the default yeah no it's they finally have said it yeah security defaults is being turned on across the entire ecosystem right in 2024 we're like five years late.

[00:13:07] But you know, you're seeing vendors start to catch up. But going back to the whole reason for the call, another good thing that we get a lot of is, I don't want that two-factor stuff.

[00:13:18] Yeah that's right yeah and that's that's another killer for us because we completely recommended it we absolutely have people saying I want to turn off for ABC and D.

[00:13:31] And we won't do that I actually told somebody today.

[00:13:34] That we will not be doing that.

[00:13:36] And here's why: you have cyber insurance and you attested to the fact that you have it. Please call them first.

[00:13:43] And then come back to me and see what they say, is literally what I would say. Something to that, though, that I think is interesting: as an industry we've pushed really hard on "do MFA."

[00:13:54] The "do MFA, just do it," and instead of saying, like, what are we doing MFA on, because there are some sites, like my Myspace account.

[00:14:03] That probably mean MFA is not terrible but what's it going to gather I mean there maybe that's a bad example but there are definitely websites that don't store sensitive data that maybe MFA might just be overkill.

[00:14:19] Yeah let me just say that I start laughing because I have an analogy here that is the best thing.

[00:14:27] Oh I thought you were going to say we're friends on my space.

[00:14:29] No no no no just because all right so a lot of bathrooms say employees must wash hands right.

[00:14:38] Yep so I don't know about you but I always wait in the restroom for an employee to come wash my hands never happens.

[00:14:44] Never have been in the bathroom for a long time.

[00:14:47] Yeah, but what happens, and you'll understand where I'm going, what happens when you go to that restroom that doesn't say that, right? The idea around the sign is, hey, everybody and employees to wash your hands, right, wash your hands.

[00:15:02] But if there's no sign does that mean you don't have to wash your hands no it just means there's no sign right so when we say hey you should MFA you should turn on MFA it's kind of like the bathroom sign.

[00:15:13] Just because there's no sign you should still be doing it right right and there's no sign that says I have to wear clothes but I do you're welcome.

[00:15:24] But you know there's an app you've stayed in the bathroom until an employee comes in. Yeah, but it's not saying you have to wear specific clothes made of a specific, no no no, it's just like, to wear clothes. So when an IT folk says turn on MFA, we mean wherever the hell it's available.

[00:15:42] If it's if it's your Myspace page and you want to listen to whatever roses on your page or whatever it was right so like it's just it's kind of a part of culture now yeah where you know I put on clothes I now do MFA you know it's it's that kind of thing and a lot of times people are they don't think right and I think I've told you this before I've had people say Charles would be so proud of me.

[00:16:11] I've turned on you know I'm using a password manager I'm like cool did you turn on MFA to that password manager.

[00:16:18] Oh no it's like yeah remember so always yeah it's just you're there you're worse off now here's the five cyber hygiene things that you need to do all the time and don't do anything else until those five things are done you know if you need to like you know touch your toes three times before you cross a threshold don't suddenly change your routine

[00:16:39] just because no one's there to tell you don't forget to touch your toes.

[00:16:44] Yeah and I think it was Matt or somebody I saw speak once said a lot of times vendor will ship a product with a lot of the I'm going to say terribly but you'll get to just with a lot of the guards down because you don't want to ship a complicated product MFA for example is a complicated feature for many

[00:17:04] and if they can't figure it out they're going to give up on it move on to the next one so a lot of vendors are doing this kind of bare minimum thing.

[00:17:12] And they're saying hey you should probably turn on all these 89 features that are off by default which is kind of where Microsoft was before right security default wasn't by default turned on that would have forced you during setup to enable some of those things in order to move.

[00:17:26] Yeah so so along those lines do you think that we're at a we're at a place in time then where.

[00:17:34] I mean I just think about like all the things we just talked about those aren't necessarily security best practices they are compliance to a security standard right so like thinking about MFA you're saying like hey turn on MFA like any MFA is better than no MFA which is true but.

[00:17:51] Security best practices would say that there's certain types of MFA implementations that aren't great or are no longer considered an appropriate level of security but in many cases still meets the minimum for complying with say yeah.

[00:18:07] And like, some vendors get it, like the new Microsoft Authenticator. COVID was the best thing to have, Microsoft came out with so much innovation, right, and.

[00:18:16] The number matching is like the best, right, because I use Duo and I have it on my watch and if it doesn't match, no you can, Duo doesn't, I don't, you know what, the way the one Duo is set up with the thing is you can just approve it on your watch, right.

[00:18:34] So the way you said that was like every client's dream, is that the IT guy just talked to me in my language: the thing, it does the thing on watch with the doohickey. I think we've covered all of the security elements that any client can fully understand by just saying where is it they use when they ask us questions and open tickets. Yeah, so I really think passwordless is going to be kind of like where we're going, but.

[00:18:56] Because now it's like, even Google, or I go back to them, if I'm trying to log into Gmail on a computer it's like, hey, open up the Google Photos app, right, what, like on this other device to verify this one, because that's a form of, yeah, and then I've run into that, you're like, do I have this up on my phone? I don't remember using.

[00:19:16] Yeah, I've had to reinstall and after two because it picks up random open maps or something like, yeah, and you know, like, and this says are you trying to log in on this other device and you're like, am I? I think so. Like, that screen, oh, it is, these do go together, this is great, like I just didn't have put my password in again.

[00:19:36] Yeah and you know so just the whole deal killer thing it's it's always going to be unique right it's.

[00:19:46] The big question when somebody goes, hey, would you take on this account, right, because I've had people ask me that, I got this one account, they're kind of weirding me out, would you take them on, and my favorite answer to that is, will you be able to sleep at night with them as a customer?

[00:20:00] Right so if that customer has global admin to their 365 on their primary account.

[00:20:08] Are you can you sleep like a baby no well then maybe that's not a good fit I mean we also know there's a lot of MSPs that don't sleep at night now knowing that they have you know employees in their own organization have global

[00:20:19] admin rights to 365 yeah I mean I don't know that's a whole no yeah that's a whole other outcome type so we've talked through all of the I don't want to say challenges but more of the things

[00:20:33] that are considered normal today that we would say these things need to happen and the resistance to them has diminished greatly are there so I guess I guess the next I guess the shift gears is to look at as you work with clients and prospects.

[00:20:48] I liked that first one is you know if I take them on as a client am I going to be able to sleep at night with what they are seemingly going to expect from us as their vendor but what about I would assume there's some other things like are there are there things that come up.

[00:21:04] During an existing client contract where you're just like, if that's where we're going then we are parting ways? Yeah, I'll give you a good example.

[00:21:14] Hey, Mr. Customer, here it looks like you don't have a firewall, using the vendor's firewall, right? We need to get you on a solution. Yeah, yeah, the Actiontec or whatever, right, and whoever gives you

[00:21:26] is like well we if we're ultimately responsible for your environment that can't be here I mean it could be here but I need my stuff and for me.

[00:21:35] I'm not talking about my stuff and for me, something in between it and you. Yeah, yeah, yeah, because I can't monitor, manage, protect you with that box. Why, don't want to pay the $89 a month for an HA unit? Well then, then we can't take you on, because our contract states we have to provide

[00:21:55] a safe, secure environment for you to do your day-to-day business, right? That's a good definition. What's the definition at Showtech of a safe and secure environment?

[00:22:07] That we have all of our tools running and reporting back to our super secret mega system that tells me when things are going good and bad.

[00:22:17] The one that floats in the sky above the class. Yeah, no, but you know, it's like, you know, if you don't have proper network monitoring and you don't have management of the customer's ecosystem, I'm talking like an on-prem one, home users and home offices, that's a whole other.

[00:22:34] That's a whole other question, like, what is the network when you start thinking about environments? Yeah, but if we're talking about a building with walls, remember, right, if we're, you know, if we don't have network monitoring and the Wi-Fi goes down, you're going to call me pissed off.

[00:22:47] We pay you all this money, what do you mean you didn't know the Wi-Fi, well, you didn't buy the.

[00:22:53] $49 a month monitoring package, I don't know how to tell you. This is why I see through the different lens of, like, when we're talking about compliance and safeguards, whether it's the Trustmark, fill in the blank.

[00:23:03] There are safeguards in the talk about like how you secure wireless and I had someone asked me like well we don't have wireless in our office and I'm like that's great what happens tomorrow you do.

[00:23:12] So like, what do you mean, they go, what happens if tomorrow, whatever box it is, whatever end user you have in your office, employee that comes in and plugs something in, what now?

[00:23:24] Like if you don't have something for it then you are truly going to be non-compliant and the remediation could be catastrophic for you because it just happened under your nose and none of the tools are in place to let you know like oh by the way there's now wireless in your environment.

[00:23:43] Yeah I was at a conference and somebody brought a travel router.

[00:23:49] And they somehow uplinked it I guess to the wrong port in their hotel room and their goofy travel router took over all DHCP for the entire conference right there's a lot of questions about the setup for that hotel.

[00:24:06] Yeah they figured it out but still there was a good day like I saw them there was a five IT guys from the hotels thing like running around all the rooms and stuff to be clear that was all of the IT guys.

[00:24:19] Yeah yeah but like for me I would have gotten like hey there's a new router detected on the network ticket that we could have addressed these poor guys are running around like crazy trying to figure out what they figured out what building it is

[00:24:34] and then they had to like play the old school unplug and plug and plug and plug and plug.

[00:24:39] Yeah yeah to try and find that.

[00:24:42] And we know that this is interesting you say that it's 2024 that having something like that happened shouldn't be a normal thing right but 10-15 years ago.

[00:24:50] I mean, I remember you probably had the little device, the LinkSprinter, where you can plug it into any data port in any building and if it was connected on the other end to a switch it would tell you what switch, what port.

[00:25:02] Can I get DHCP, is it PoE, and can I get to the internet, and even tell you what voltage to PoE is, the distance.

[00:25:12] It was crazy is how much those were, like three, five, six years ago, they're like, I think I got my, I have a yellow one before they sold to NetAlly, but it was like, I think maybe it was all of 150, 175 dollars, and now they're going for, the same little unit, 400 bucks.

[00:25:29] Because it really solves problems right click this is what's going on right and now you look at what we're dealing with today and it's like wait what do you mean you had to run around you figured out what building and it's a hotel there's how many rooms that would tell good luck.

[00:25:46] Yeah exactly and you know think about that kind of it's just for a customer right it's it's the you got to like kind of figure out where their mind is at is is is IT a thing like a paper clip or is it a part of their business.

[00:26:05] And the ones who view it as a paper clip that means they don't value it that means they don't invest in it that means it's just you don't care what brand like do you know what paper clip brand.

[00:26:15] I don't have paper clips, no, I, for sure, right. It's the same customer says downtime is fine, like we don't need an HA firewall, if we're down for a day it's not the end of the world, and the moment the internet data we care about.

[00:26:30] The moment it blips I get 32 calls why is the internet down wait a minute I thought it didn't matter.

[00:26:38] Yeah, and I'm sure as you're drawing the line in the sand that's how you answer the phone too.

[00:26:43] Yeah, yeah, all this day, yeah, exactly, let it be known, hold on, we go open the window, tell the world, yep. Wow, I think we've covered all of the sort of key pieces you've highlighted, if you know

[00:26:59] that our security if our keep you safe isn't followed then really they're just not going to be a client or they're going to stop being a client if you can no longer keep them safe.

[00:27:10] Yeah and let me just add one thing we're asking different questions now sure right to try and fish out if they treat us like a paper clip or if they're going to treat us like a business partner.

[00:27:21] We're also starting to ask as a part of our, so basically nobody's a customer until they prove that they're worthy of being a customer kind of mentality, which is kind of the new shift for MSPs. Yeah, one question we asked to somebody last week, I think.

[00:27:36] And they're like, you're the fifth IT company we've had in, which, red flag right there, but whatever, you're the only one who's asked for a copy of the last, I'm going to put you the word.

[00:27:48] You say it. It's the insurance, for the questionnaire? No, the attestation, I struggle with "attestation," that one. Okay, I asked them for the last time they have done the yes/no questionnaire. Yeah, and I want to see it, and people like, nobody's ever asked me for this. I'm like, yeah, I want to see how bad you lied, right, to just kind of review. Or they're going to say, what is that, what is cyber insurance we have?

[00:28:17] Those are wins, right? If you can get both those, and either one of those answers is still a win, right, because it at least gives you a place to go. If they said, if they're like, no, I'm not showing with that, that's a whole different conversation, like, as in, I'm out of here.

[00:28:30] Chances are they're going to say we've never had to fill one out which tells me you know IT is a paper clip or or you need to check on there who they have insurance from if they haven't at all yeah because there are still some carriers out there particularly some smaller carriers that they're going to be.

[00:28:46] Some smaller carriers that, if they've been a good client, they've never had an incident, b-word, they still issue them the policy every year, and then to them they are low risk, a low risk profile, right? For sure, for sure.

[00:29:01] Well, I think that's our time limit. I hope you're looking forward to the awards dinner tonight, since tonight is the CCF awards banquet. I trust you'll be in your special attire, your, what they call cocktail attire. Yeah, I'm bringing my top hat, you just, just you wait.

[00:29:24] I will just be carrying a cocktail.

[00:29:28] For everybody listening this has been an episode of 1337 thanks and have a great week.