Doug Houser:
From Rea & Associates studio. This is unsuitable, a management and financial services podcast for entrepreneurs, tenured business leaders, and others who are ready to look beyond the suit and tie culture for meaningful, measurable results. I'm Doug Houser. On this weekly podcast, thought leaders and business professionals break down complicated and mundane topics and give you the tips and insight you actually need to grow as a leader while helping your organization to grow and thrive. If you haven't already, hit the subscribe button so you don't miss future episodes. And if you want access to even more information, show notes, and exclusive content, visit our website at www.reacpa.com/podcast, and sign up for updates.
Do you know the difference between a managed service provider and a managed security service provider? While they may have similarities, today's guests tell me that there are some important differences between the two, starting with the fact that managed security service providers lead with a security and risk first approach. Today, Shawn Richardson and Jorn Backstrom, leaders on Rea's cybersecurity and data protection services team, are here to explain these differences and why your business should be paying attention to who is responsible for your data.
Welcome to unsuitable, Shawn and Jorn.
Shawn Richardson:
Hey Doug, how are you?
Jorn Baxstrom:
Thank you.
Doug:
Great to have you guys on, and boy, this topic is really at the forefront of, I think, one of the most important things happening right now. And perhaps that's just a little, maybe I'm a little biased because we've had some clients going through these situations here, unfortunately. I know, Shawn, you're in the midst of an incident response right now, which maybe we'll get into a little bit, but talk a little bit about these terms here, managed service provider. That's something I hear quite a lot. It seems like as accountants, we hear that when we're out talking to businesses, but I don't hear this MSSP, managed security service provider, as much. So Shawn, maybe you can enlighten us a little bit. What are the differences there?
Shawn:
Sure. Really, Doug, the biggest difference is to think of a managed service provider as folks that keep the lights on, keep the network running, ensure that computers are fixed when broken, make sure that people can communicate. Frankly, it's the A in the CIA model, and what the CIA model is, is just the confidentiality, integrity, and availability of information and networks, data, identities, and so on. That triad really focuses more on the availability of computers and networks and information systems. Their job is to make sure that they're focused solely on that.
Now, frankly, some of them in the last five to 10 years have pivoted a little bit, but then you get in the space of kind of being everything to everybody and focusing less on security and more on just availability of those information systems and data and identities. So Jorn actually leads our managed security and information technology practice. He's our manager within that practice. And so he oftentimes sees the stark difference between those two concepts, between a service provider offering those solutions, just daily solutions, and really a managed security provider looking at the risk. It's a data-first type approach for us.
Doug:
Okay. So, Jorn, talk to me a little bit about that kind of data-first approach and the risk, and what are the things we do to mitigate that?
Jorn:
Yeah. So just for an example, I don't know how many times I've walked into a company, a small or mid-sized business, and they have an MSP, but they don't really know what that MSP is doing. And they don't know anything else beyond that. They just know this person is here, they're supposed to be keeping my lights on with the computers, and beyond that, they have no visibility into the security of their information systems and their data. So a lot of times I walk in and can easily point out huge vulnerabilities with these companies, because that's not what an MSP is there to do. They're just there to keep the computers running and keep everybody happy. If the phones are ringing, then we're good to go.
Doug:
So the security part really doesn't play much, if at all, into what those quote-unquote MSPs do, correct?
Jorn:
Correct.
Doug:
Yeah, because one of the things we hear when we go out to a client, I'm talking to them about this stuff, and I know a few keywords to try to identify situations to then get the experts involved, like you guys, but when you ask them, they say, "Oh, we've got this great MSP and all our stuff's up in the cloud. So we're good." So I'm sure you hear that too. So Shawn, talk a little bit: when people say that, though, what are they missing?
Shawn:
Yeah. So I'll be direct, the biggest mistake there is just making that statement that we're in the cloud, so we're good. You know, data has an identity. So what does that mean? Data, it's tied to someone's identity, it's tied to some action or some project, or frankly, as everyone's very well aware, HIPAA data, healthcare information, private identifiable information, confidential information as it relates to businesses. Maybe it's a manufacturing company that has a special sauce or something of that nature.
But flip it on its head and think of it as simply as daily things in HR that happen, right? When people are sending out tax returns to partners, K1s, whatever the case may be, those all have information. And so where I'm going with this is that to just put it in the cloud and not put a control around it is unacceptable. It's conduct unbecoming of an information technologist. And it's what differentiates an information technologist from a security practitioner, someone that leads with that security-first approach.
Doug:
So Jorn, talk a little bit about some of the controls then that you can put around that data. What are some things as a typical owner-managed business, the mid-market business that we deal with? What are some of the things that we should be doing and thinking?
Jorn:
Well, limiting data to who needs to see it is one of the biggest things. And a lot of people think their systems are set up that way, and a lot of times they aren't. So basing the access on credentials is huge, and reviewing who has access to that data, what systems can touch that data. And then, I mean, the greatest thing today is two-factor authentication and implementing that into that authentication.
Doug:
Yeah, that's important. I know we're working with a client now to get them ready. They're a government contractor and there are some things they have to do to kind of upgrade their processes and procedures. And that's a big part of it, the multifactor authentication. And although we approached this with them in the past, they've really kind of been resistant to it, because that's a pain in the butt, who wants to do this multi-factor authentication? So talk a little bit about that, Shawn.
Shawn:
Yeah. So, ironically, that's a great segue to talk about clearly defining what controls you should have in place, especially in a regulatory environment like your client that you're referencing, because now we have what's called the Cybersecurity Maturity Model Certification that's required by the government. And in fact, our team is a registered practitioner for both assessment and certification. And the firm here in the near future will actually be a registered firm, so a certified firm as well. So that being said, we can actually step in in that case and walk through those levels of controls with them so that they meet those standards so they can actually do business. Because there's a point in time in the next few weeks and months where they'll be held accountable to ensure that they have those controls before they even do any business. So that could affect their bottom line.
Doug:
Yeah. Well, and they're looking at it too, it can be a competitive advantage for them-
Shawn:
Absolutely, absolutely.
Doug:
... Because they're getting ahead of the game of most of their similar-sized competitors. But, Jorn, maybe talk to us a little bit about what you see in terms of making this all a part of your culture and a living, breathing document versus, say, a check-the-box, we did this, and it gets thrown on a shelf and kind of forgotten about. How do you instill that culture with a client?
Jorn:
Yeah, I think the first thing is to understand the risk appetite of a company and what they're willing to spend in order to protect their data. Because you can put as many controls in as you can with as much money as you want, but where's that stop limit of the appetite, where "I feel safe enough now; I've spent enough money and I have the right controls and the right people in place to keep my data safe"? And so that just begins with a meeting, talking it through with the client, discussing the vulnerabilities and the controls that they are willing to move forward with. And then we set a plan with them and work through it with them.
Doug:
So Shawn, if I'm looking at, again, it's the old adage, "An ounce of prevention is worth a pound of cure." I know you're involved in some kind of a crisis incident response now. And we've had a few of those, unfortunately in recent months, but talk a little bit about that kind of lead-in. So if I do all the right things ahead of time to prepare and have the right things in place, you know what you're looking at, maybe in terms of time and energy versus then, "Oh my gosh, it's a crisis. And we've either had ransomware or something like that hit us and we've got a real problem on our hands."
Shawn:
So that's a great segue from Jorn's touchpoints and I'll build upon that. Frankly, we have conversations all the time about risk appetite tied to what's connected to their budget. In most cases, they don't even have a budget. And so we'll help them build that. One thing that we'll never do, though, is we'll never lead them in a direction where we accept the answer of, "Well, let's just do it for cheap. Let's do it for the cheapest cost possible." If we have that conversation, I typically, in most cases, will stop them and explain to them the importance of risk appetite. But more importantly, one thing that we'll never do is segregate our... Bring ourselves down to a level where we're going to potentially bring risks to the business by just saying, "Oh yeah, we can do that," just to get the business.
That's the difference between a vendor that wants to sell something and a partner that wants to build a relationship. Right? And so in the case of this particular client, this was a referral from a cyber insurance representative that we know and we trust, and they also trust him, and long story short, they reached out to me and our team and we engaged right away on site. We had conversations around what budget they had. They didn't have one. And in [ingest 00:12:42], up until this point, they've run their business very well, but in a simple form. So what does that mean from a technology perspective? They're just operating, they come in and log into their computers. There's no real, single source of truth, and by that I mean an Active Directory server or some sort of a system that controls identities and actually covers the areas that Jorn was talking about around setting clearly defined separation of duties, controls, who has access to what, and so on.
And so now our goal, for the next 25 years of them being in business (they've been in business 25 years), is that we now want to get them there. So we'll get all the regulatory guidelines met, where we've captured forensics information and we're going to run that through some tools to get that back to the parties that need that information. But now we're at a pivot point. And so, again, the difference between a vendor and a partner and a relationship builder is we're at a pivot point where we want to get them so they're safe for the next 25 years.
And the business owners have all talked about that all week, like, "We probably need to do something different." So that's what's kind of led to the point of where we're at in our conversation: do you have the conversation ahead of that happening? Because they could have potentially been down for weeks, where they'd been down for about 10 days; seven to 10 days was the disruption, if you will. But, as you've alluded to, Doug, we have clients who have been down for weeks, in some cases months, and they're losing money day by day.
Doug:
Yeah. And that's the thing, dealing in the construction world and commercial real estate. A lot of times I hear, "Well, hey, they're not after me. I'm a twenty-five million dollar a year HVAC contractor, what do they care?" And we keep trying to beat on them: they do care. First of all, you're an easier target right now, and think about the clients that they deal with and the information that they can be a gateway to, large public projects maybe, where they're just a sub, or other things that can happen there. So Jorn, talk a little bit about your experience with some of these clients and trying to get them sort of prepped and over the hump. Do you sell them on, like, "Okay, here's the ROI on this"? Do you get that kind of granular? Or is it more like, "Hey, here's the real risk you have"? How do you really approach that and convince somebody that, "Hey, this is an investment that you need to make for your business"?
Jorn:
Yeah. And just to reiterate real quick on what Shawn said, we're never there just to sell you guys service and to collect a monthly fee for monitoring or anything like that. We want to build a team. We want to be trusted advisors, such as a CPA. We want to build and help your company grow. So to go on with that, the first thing we like to do is a quick risk assessment and kind of just scan the network, scan the devices, scan from outside of the network and just see where the high-security risks are.
And then from there, basically just take those to upper management, so their team can work with our team, and we just lay them out there and say, "Here are the issues. Here are the huge glaring open holes that are causing severe risks to your company." And then we can work with you and develop a plan to work through those holes and those threat factors and just kind of move forward with the company.
Doug:
And it doesn't have to be necessarily a major investment immediately upfront. It's over time; you build the culture and the processes and the procedures, but when you look at it versus... Shawn, we've had some recent ones here. I mean, talk about ransomware, you think of a typical company. What do we see right now in terms of ransomware activity and how much they're asking for those kinds of-
Shawn:
So I'll give you some small examples and I'll give you some much larger examples. Start with the smaller, more intricate ones. Building off of your point, in these HVAC companies or construction companies that are doing 20, $30 million a year, "We're not at risk." Well, they're absolutely the first target, because their controls don't exist. Right? And so they're attacking their financial systems. They're attacking their backups. That's what the threat actors are going for, frankly. And as soon as they get control and they blow through the basic controls that they have, in most cases a firewall or a router that they've bought from Best Buy just to pass the network traffic, once they blow through that and get access to their system, they'll lock them down and then they can't operate.
Perfect use case example in a smaller organization, we've talked about this, I think, on one other podcast. And it was a small stove and retail store in the Amish community. Yes, they have information systems, and I've been given clearance by the owner to speak about his experience, because he wants everybody to kind of feel and understand what he went through for 10 days. I mean, I'll never forget, it was my birthday last year. I got the call, and two hours later I was on his doorstep, and during COVID. And so what happened was all of his QuickBooks and all of his backups were locked down. And there comes a point where you talked about how much that costs. So there are costs of being down, there are costs of degradation to the business, potential future business.
And more importantly, how do you restore that data? In our case, we were lucky. My IRT and forensics team reached out to the extortionists and actually negotiated a reduced cost. The business owner made that decision. And when we got the data back, we, of course, forensically captured the data, tested it to make sure it was good, and they were back in operation in about six days. So a positive outcome there.
Another use case, there are several, but as of late, I was actually having dinner with the COO of this company last night. Her husband chimed in and said, "I have a friend that's in a $3 billion steel company. And they had been down for six months. And in the first 30 days they lost almost a million dollars a day." Think about that. I mean... And you don't believe that you're a target. Probably just... It goes back to what Jorn said. I mean, our approach is very... the difference between a vendor and a partner in a relationship organization like ours is we want to build that relationship, but more importantly, I want to understand your business. I want to reduce your risk first. Let's get you there. Let's get you safe. We talk about that all the time. Find anything that's hot, sharp, and dangerous, mitigate it right away, and then get you safe.
Doug:
Yeah. I love that. That's a great synopsis there. So, Jorn, any final words of wisdom that you might have as we move on? I love Shawn's tagline there. I'm going to have to remember that.
Jorn:
Yeah. I don't think I can beat that one. That was pretty good. But, everybody's a target.
Doug:
What's the old saying, "If you haven't yet been hacked, you probably just don't know it" or something like that.
Shawn:
Yeah, "So if you don't think you've been hacked, you probably just don't realize it, that you have."
Doug:
Yeah, yeah. So we're all at risk, and it's best, like anything today, I mean, you've got to get real professionals involved like yourselves, because I know enough to be dangerous, and a few of the keywords, like I said. But you've just got to make people aware. It's such a great risk that they have to their businesses and frankly also personal lives and wellbeing because of that. So again, it truly is preventative medicine. It's not unlike the fact that we go to the doctor, the dentist, for checkups and do the things to maintain the right health. And it's no different in your cyber health. So, Shawn and Jorn, really enjoyed having you on today. And I know we'll have you on again soon. Thanks.
We could talk about this, I know, all day, and look forward to getting into some future examples as well.
Shawn:
Absolutely, absolutely.
Jorn:
Thanks.
Doug:
So thanks again for coming on. And certainly if you want more business tips and insight, or to hear previous episodes of unsuitable, please visit our podcast page at www.reacpa.com/podcast. And, while you're there, sign up for exclusive content and show notes. Thanks for listening to this week's show. Be sure to subscribe to unsuitable on Apple Podcasts, Google Podcasts, or wherever you're listening to us right now, including YouTube. I'm Doug Houser. Join us next week for another unsuitable interview with an industry professional.
Disclaimer:
The views expressed on unsuitable on Rea Radio are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation, so they can expertly guide you to the best solution for your specific circumstance.