MSP Survivalist Podcast
Real talk with Managed Service Provider experts helping you to survive cybersecurity threats, grow new business, and overcome modern challenges.
Real Talk with MSP Experts
Whether you are looking for a small business or enterprise solution, NovaBACKUP's reliable managed backup solution for Windows PCs, servers, and virtual machines is designed to make life easier for system integrators, managed service providers, resellers, and more.
Watch our podcasts below or get started offering MSP backup services today.
MSP Survivalist - Podcast Episodes
Ransomware: Recent attacks, defending against it, and responding
Ransomware Attacks and How to Defend Against Them
Summary: When it comes to Ransomware Attacks, many companies think it will not happen to them until it does. This episode of MSP (Managed Service Providers) Survivalist digs into recent ransomware attacks, how to prevent ransomware attacks, and what to do if you are hit with a ransomware attack.
Transcript:
You are listening to MSP Survivalist, and today we are going to be talking about ransomware. The most recent attacks, defending against it, and responding to infection. And don't forget to hit that subscribe button to catch future episodes.
Let's go ahead and introduce a couple of our security experts. We have Adam Stuflick. Adam, are you there? Yep, you bet. Great. Could you tell us a little bit about yourself?
Sure. I am the cloud business manager here at NovaBACKUP. I handle a lot of the day-to-day training, setup, and implementation for our MSPs (Managed Service Providers) to ensure that things go smoothly and that they understand our product.
While I was a late bloomer in the tech field, starting at about 18 or 19 years old, I jumped into it with both feet and have loved it ever since. I started off in the ISP world, which I think a lot of MSPs do, then I moved into the backup field, working with NovaBACKUP.
And now here I am today, a little over 15 years later, with experience working on both sides of the aisle in the tech field, and I still love it.
Great. Thanks for that, Adam. And we also have Nathan Fouarge on the line with us. Nate, are you there?
Yes. Like Adam, I have been in the tech field for quite a while as well.
I am the VP of strategic solutions here at NovaBACKUP. I have been here since about 2005, approximately 16 or 17 years. Before that I worked at the same location as Adam, so we were colleagues for many years before we came over to NovaBACKUP. I have been in data security since prior to 2005.
Great. Thank you for sharing your background. Today we will be having a conversation around the topic of ransomware. It is a huge subject, so there is no way we could tackle every aspect of it. We see reports of Ransomware attacks in the news every day, and I would love to hear how it is affecting your guys' lives on a regular basis. Just in the news today, I saw that there was another major ransomware attack.
Yeah, Gigabyte.
It was Gigabyte, the maker of motherboards, graphics cards, and laptops. Yeah, it is going to be an interesting one as more gets disclosed here.
Right. And, Adam, have you heard any news about recent ransomware attacks?
Yeah, I am a frequent surfer of the MSP subreddit, so I see lots of stories about Ransomware attacks. Obviously, there have been some big names affected. Big names are big targets, and that is partly what I wanted to discuss. Big names like Gigabyte, Acer, Kaseya, and Accenture.
Accenture today is a 44-billion-dollar company, right?
Yep, that was a big one too. While you hear a lot about the big companies affected by a ransomware attack, it is all the smaller companies that are most damaged by a ransomware attack. The MSPs servicing all these small or medium-sized businesses need to be prepared. A ransomware attack targeting a small business can be the most disruptive of all because these businesses live and breathe based on the efforts of their IT department and in many cases, their IT department is their MSP. And if suddenly that MSP is being targeted, which we are seeing more of, there are a couple dozen, to hundreds, or even thousands of small businesses underneath them affected.
They are a great target for getting a lot of easy, cheap money if you can get in at the MSP level. So, I think that's one of the things we're seeing increasingly more, at least from what I'm seeing out there. Yeah. I see a lot of that stuff too. And unfortunately, a lot of these guys end up being collateral damage.
Hitting big boys and trickling down into these smaller SMBs. Whether they are actual direct customers or the smaller MSPs like Nate was saying. Usually, you have a lot less fight because there is a lot more pressure. I do not want to call it a waste, but honestly, they know that they will not have a lot of fights and pushbacks, so they will likely end up paying.
There are all different types of reasons that could cause ransomware to be targeted to specific niches.
It is a little misleading, right? We see all these big names in the news, but I do not know if people realize that the number of small businesses being hit is on the rise.
Well, and we see it here at NovaBACKUP.
I oversee engineering technical support for our internal IT and support team. My support team sees a lot of new ransomware cases and helps people restore, whether it is an MSP that is using our service or just an end user that might have bought our software online or got our software with a Buffalo TeraStation. We are helping these MSPs all the time, trying to recover, making sure we can do our best to recover their clients' files so long as they have proper backups in place.
Part of the problem is that some of these small businesses might have a good local backup, but they do not understand what a ransomware attack can do to that local backup if they do not have either an air-gapped or off-site backup. A lot of the MSPs working with us now understand that and are using our off-site solution for that. But like you said, it is not an if, but a when you are going to get hit by this.
If these MSPs are taking it to heart and making sure that they are locked down, the best thing that I can do, from a technical point of view, is to help them recover from a ransomware attack when it hits.
Right. Do you see a lot of these guys paying ransoms after a ransomware attack?
A lot of people are now getting insurance, which to me is good and bad. While it could be a quick fix, it is also like saying hey, hit me again because I paid up last time and will likely do so again. If you have a good backup strategy in place, you can get your data back. And with NovaBACKUP, a lot of these MSPs we work with are able to get a lot of their clients' data back.
Maybe not to the point of failure, but maybe a couple of days. Right in front of that which still allows them to get up and running. And I mean, there are distinct levels of data, right? When it comes to recovery, it could be a BDR solution, right? Where they can spin up a machine while trying to recover and continue business.
It could be a smaller guy that may just have a couple of local backups and doing maybe some offsite, hopefully offsite, but it depends. I mean, a lot of times from my experience I see guys getting their data back.
On their own, you're saying?
Yes, they might be getting their data back on their own, but to your point, to your question, you know, are a lot of these people paying the ransom?
Like Adam was saying, a lot of these people are buying insurance, or making sure their insurance has cyber insurance type clauses in it, so it helps them with this ransomware stuff. And one of the issues with cyber insurance for ransomware, in my opinion, is that it just encourages these cyber thieves to continue, you know, this ransomware attack, because the insurance companies are just paying this ransom because it's cheaper for the insurance company to pay the ransom than to even wait for the recovery to happen, even if they have a good backup, because the insurance company is paying for all the downtime that this company is having. I mean, we have had a couple of customers like that, some of them larger customers that use our software. We recovered their data, but they still paid the ransom because it was faster for them to get going with the ransom decryption than to do the recovery.
And that was a suspicion I had. I do not have a whole lot of experience with cybersecurity insurance myself, but the concept of these companies paying off criminals is a little unbelievable to me. I do not know, you know, I cannot verify that that is the case for all cyber insurance companies, but it seems like a major benefit to having cybersecurity insurance if they are going to help pay that ransom.
That concept blows my mind a bit.
Well, I have talked to a couple of people that deal with cyber insurance quite a bit. And what is happening is these insurance people that are covering for ransomware attacks, they are hiring negotiators to negotiate with the ransomware people to negotiate the ransom down and then just paying it.
So they already have in mind that they are going to pay this ransom.
I was wondering, with some of these organizations that may be involved with healthcare, or dental, or other industries dealing with highly sensitive information, perhaps they just do not feel like they have the choice. Even if they have a good backup, maybe they feel like they must pay the ransom, no matter what, just to cover all their bases.
Well, you bring up a good point here. They are paying, you know, these people that have protected data, whether it is HIPAA data or even just a protected IP that they do not want to get out. They are paying these ransoms, but not even ransoms, they are extortion fees because even if they get the ransomware key, there is still no guarantee that they will be able to recover from the ransomware.
Guys are threatening to expose the data, you know, to send out the data if they do not get paid.
It is like blackmail on top of extortion, like you said, on top of everything else.
They are using fear, and fear is a very strong motivator. You do not have to twist it around very hard. And that is just the bad guy side of the aisle.
On the other side of the aisle, these other associations are also using the same fear to strong-arm themselves into the MSP field. They are stepping on their toes a bit. I spoke with a customer recently who had one of his customers for like seven or eight years, and all this firm had to do was come in and drop some fear saying, hey, look, we're big, we got all this, that, right, big names, big money, and we use this specific tool. We use these specific MSPs, which is not him, obviously. But we also have insurance and everything like that for ransomware. Their tactic worked because this guy ended up dropping his relationship with this MSP like nothing.
I mean, just straight up dropped him. Out of nowhere, which to me was shocking. Like this is how much this is affecting it. Not just straight encryption of data and extortion and stuff like that. But on the other side of the coin people are now taking advantage of that fear to steal customers. Like I said, big presence and stuff like that.
They come in and overwhelm the customer with all these acronyms and names and scary terms. And boom, just like that dropped an eight-year relationship. Like nothing. I was shocked.
With the theme of this podcast being surviving various technical challenges, various types of ransomware and cybercriminal activity, I'd like to ask if you think that there's one specific method that is causing ransomware infection more than anything else, or if you think it's pretty evenly spread across a variety of ways that people are becoming infected.
I would say the most common cause is the user. It is the user that is, I would say, most of the time.
There are cases like with Kaseya and SolarWinds and other ones where it's more of a distributed attack, but I would say the majority of the people that we interact with that have been infected are the result of some sort of user error, you know, whether it's a bad download, or email link, or what have you. In most cases, it starts with the end user's actions.
Yeah, I agree. I think another thing I see way too often is just like an MSP or someone that is administering backups to be lazy when implementing things.
You want to make it more difficult for a ransomware attack to happen, and not easily spread. For example, someone has a NAS (Network Attached Storage) device, which is a great way to have a local backup solution because you can lock it down. Well, if on that same machine, I see a mapped network drive to that same share because they are using that share for backup and for normal data file server-type stuff, you are not following standard operating procedures for data security. Do not be lazy when you implement things. Use the NAS or whatever type of data security properly.
Do not cut corners. Otherwise, you are just going to open yourself up to a headache.
Adam and I were talking about a customer today and one issue we see when we get into a machine and are taking a closer look to help them out with a backup or restore problem is we see that no Windows updates have been done for about a year and the machine has not been rebooted for a year. This shows there is something wrong here. I mean, you cannot neglect machines like this anymore.
I know. It is just like with a car. Do you drive your car with the same oil for 30,000 miles or do you pay attention to the check-engine light and change the oil?
Yeah, and this was a server with SQL on it. I mean, it was not like a workstation. This is a server that had not been rebooted for almost a year. That is just not good.
You must be proactive.
Yep. I agree. All of us would love to sit back with things on autopilot and just collect money. That would be awesome, but unfortunately, that's not real life for the 99 percent of us in the field.
It just isn’t doable. So, you must do a bit of due diligence and put standard operating procedures in place, right? It must be documented because you can’t leave everything to just one person without any contingency plan. For example, say Nate and I are in business together, Nate knows everything, let's say, and he gets hit by a bus, then what?
You must be prepared for these things. A lot of these guys are new too, but we also try to help them a lot. We go the extra mile here at NovaBACKUP with that type of stuff.
I'm assuming that most of our listeners are technically savvy, but the most common methods of preventing ransomware to begin with are having antivirus, different types of content filters, having a good backup. Are there other core technologies that you would say are absolutely necessary from a preventative side?
Well, like I said, most of this stuff is happening at the end user level. That's how they're getting in. So, education is probably one of the biggest things to do. Educating your users, you know, if you're an MSP or even just the IT person of a company, educating your users on what happens when you get a suspicious email or what does a suspicious email look like or if something does happen, what's your plan?
How do you tell someone you must have a plan for that? That’s where the education part comes into play. You also need to reduce your security footprint. So, what you have exposed and how things can move around within your network or within your customer's network need to be worked out.
Locking it down as much as you can without impeding business is where you need to look at.
Yeah, and don't be afraid to, you know, be the quote-unquote bad guy as the IT guy, right? Like, there's some of these places we used to walk in years and years ago. You walk into a business, and everybody has their iPods plugged into their machine.
All these things, right, are just holes in the system that can be used for some type of attack, right? Entry points. So yeah, have some good, solid security. Again, everybody might whine a little bit in the beginning. You're the bad guy, but trust me, they'll get over it.
Just implement it and save yourself a headache.
Yes, one of the things that we've seen in the last six to nine months or more is MFA (multi-factor authentication). You know, everything is moving to use it. You must be able to do it. You've got to be able to handle it.
And, you know, if your software has that ability right now, talk about Office 365 or anything like that, if you have MFA as a choice and don't have it enabled, you're doing things wrong.
Agree, 100%. That is such a great way to reduce issues for sure.
What are other recent technologies out there that you see as being really promising regarding stopping ransomware?
Things like AI (Artificial Intelligence) for example.
AI still must learn, right? So, if you're going to get hit, you might be the test dummy that gets knocked and then everybody else will benefit from you, but I don't think anything's a hundred percent.
Yeah, a lot of it is smoke and mirrors from what I've seen.
The biggest thing is, you know, preventing it on the end user level as much as you can and locking down as much as you can. Most of the newest tech that I see coming out is all about alerting after the fact or seeing after the fact, after you've been infected, oh, hey, this is what's going on in your environment.
You know alerting you that you need to act. That, that's all that a lot of these are doing, is making sure that you know something's happening. Which is good, don't get me wrong, but you really must look at that edge security before you think that some piece of software is just the golden bullet.
Sure. And especially with people being so much more distributed these days, having your employees not so centralized, it's got to be a little bit more challenging, I would imagine.
Yeah. Susie's Wi-Fi network at home, that's doing the accounting probably isn't the most secure thing in the world.
Yeah, not good. And a lot of people too, they don't want to use a VPN because they don't know how to set it up or use it. It's extra work, but I tell you what, like I said, be the quote-unquote bad guy for a little bit, enforce it, and it'll be okay. Everybody will get over it. It's something new. A lot of people are opposed to new things, especially technology. You got to learn it, but you got to enforce it. Yes, you just must; otherwise, you're likely going to end up just being another victim. You know, not any one solution is going to protect you. You got to have variety, right? Don't put all your eggs in one basket.
That's probably the oldest phrase ever. It still stands.
True. You can also talk about the security onion, you know, having, having layers of security around you.
Yes. I mean, those types of things are what these people must learn, hopefully before they learn the hard way. But I mean, maybe it'll come back stronger if they do get hit.
Okay, we've talked about some great things today in regard to ransomware, prevention, things that you can do to reduce your odds of getting infected. Today was kind of a general discussion, you know; we hope to get feedback from our audience as to things they'd like to see us dive deeper into. I'd like to open it up to you about any closing remarks you'd like to make about ransomware, prevention, recovery, your closing remarks, if you will.
Yeah, I'll start. So, this has been great. The biggest thing is due diligence, guys. In the MSP world, there is no way for just an 8 to 5 schedule. You know, there's no eight hours with a one-hour lunch break. The grind is real. You’ve got to do a lot of things. You’ve got to stay active, and aware.
And maybe in the next podcast, I'd even like to discuss a little bit about that. How to keep your texts up to date. Whose turn is it to stay up until midnight? How is that person aware, right? All these different things I think are important, but to me, it's about just staying diligent. Dot all I's, cross all T's, because you might miss that one thing that could have saved you a huge headache later.
Yeah, one of the things I want to kind of enforce is something I do see a lot of people kind of failing at: they think this whole thing is something they have to do all at once. It's not something that you have to do all at once, and it's not something that is ever quote-unquote finished. It constantly needs to evolve.
Your security presence and data protection must evolve as everything else evolves. So, you don't have to take everything at once and try to do everything all at once. You know, do it slowly. Make sure everything's documented. You know what you're doing. And you know that it's evolving as threats are happening and as the world is changing and as your customers are changing. Just because you have it locked down and you have this perfect template for this one customer, doesn't necessarily mean that that's going to fit perfectly for this next step. The next customer might have something else to deal with as part of their business.
So, it really needs to be a fluid thing that, that needs to constantly evolve.
Well, gentlemen, I really appreciate you joining us here today. I'd like to remind our listeners to subscribe so they don't miss any future podcasts. And please, if you've got suggestions about topics you'd like to see covered in, in greater depth about data security and protection, please let us know.
Triage: Data Breach Preparation and Response
Triage - Data Breach Preparation and Response
Summary: In this episode we discuss an MSP's response to data breach and other disaster/data-loss scenarios. There are many things that can be done today that help ensure a fast, efficient response if a customer, or the MSP themselves, becomes a victim of cybercrime.
Transcript:
You're listening to MSP survivalist and today we're going to be talking about triage, your preparation and response to data breach.
Yes, let me go ahead and introduce our guests for today. We've got Adam Stuflick. Adam, do we have you?
You bet. I am here.
Great. Thanks for joining us today. And Nate Fouarge. Nate, do we have you on the line?
Yep, I am here bright and early.
Today's topic, we're going to be talking about triage and responding to data loss emergencies. It's a compelling topic, especially for MSPs, if they have a breach and how to respond to that. Or maybe one of their clients has a breach and needs to respond to that. Adam, can you walk me through a scenario where somebody discovers that they've had a data breach?
We're talking about two different scenarios. We're talking MSP breach and customer breach. The MSP breach, they're probably going to see it because people start getting locked out of things. Guys can't do their work. Then panic ensues. On the other side of the pole, customers can't do anything.
They're locked out. Their stuff starts coming back with weird extensions and pop ups on their screens saying, "Give us money". The reaction to both of those scenarios is probably going to be vastly different.
Adam, what's your experience in responding to MSPs and data breaches?
I would say it comes down to the standard operating procedure.
And what I mean by that is whether it's a big team or a small team, it's important to have everything documented and that it is clear who's going to be on call, which to me is probably the most important. I think even Nate can reflect on that today when there's outages or breaches or whatever, that's causing alarms to go off.
Who needs to be notified? And is there a cycle on that, right? Are there backups to that cycle? Like if I don't answer, does Nate answer or vice versa? Emails, texts, calls. First, it's acknowledging that it exists in my opinion. And then what you're going to do after that.
Right.
So, you think there's a, obviously a huge amount of importance on internal communications and kind of building a plan behind that.
Oh yes, a hundred percent. And then the order of who's going to do what and when?
Yeah, I just want to add, this is not really on the MSP side of things, but it goes right along with this type of triage and how to identify problems and how to deal with them. We'll take something that happened yesterday: the quote-unquote great Facebook outage of 2021 just happened yesterday, October 4th.
So, I've been reading more about what happened with Facebook, and it was some sort of automation thing on their end that caused the entire Facebook infrastructure to go down. They're going to be in meetings for weeks because of what happened. One thing I'm reading is that when their infrastructure went down, all their security procedures went down too. So all their badges to get into the data centers and all of the things that they've done to lock down their infrastructure via routers, switches, all the things that they needed to get into in order to fix the thing that was down, or even to get into the data center itself, was not accessible because all the infrastructure behind it was down.
So, they couldn't get in there and fix it as quickly as needed. Wow. I've heard reports of them taking angle grinders to doors to try to get in and then all this other stuff. So, this is similar to how these MSPs need to plan for disasters like this and triage it once it's hit; you can't assume your single sign-on is going to be up and running.
You can't assume that your password recorder or IT infrastructure will be up and running. What happens when that's down and everything else is on fire around you? You must have that backup there, whether it's pen and paper in a safe or what you have. You must be able to consider what happens when the world is on fire around you.
Yeah, that's a great point, Nate. I haven't even investigated all the drama behind the Facebook situation that took place. So, that's interesting to hear. So, you think that a lot of that communication prep, the kind of the chain of command, that's all part of what we consider a data breach response plan.
Well, it certainly could. In this case it wasn't a breach or anything like that. It was a different type of issue, but the response plan and knowing what to deal with and how to deal with it is just the same. If it's data breach, yeah, I need to do X, Y, and Z, you have to contact A, B, and C companies to do this.
Oh, but I need to recover, but I can't recover because my, my DHCP server or whatever to get my backup server up and running to do the restore is down so I can't even get to the internet to get to the cloud to download my stuff. You must plan for worst-case scenarios and have things ready to triage and recover.
Are most MSPs that you work with doing this on a physical paper? Are they doing it using software tools to carry out their preparation or a combination?
Yeah, they're kind of doing a combination. They do have some type of centralized documentation, right? That everybody can get into remotely or onsite or whatever it may be.
But like Nate was saying, that stuff can become unreachable. And I don't know if a lot of these guys have a backup plan to that. I mean, some of these guys are just one-man shops too, right? So, their approach to chaos will be a bit different than the guys that have a team. It could be two people or 10 people, but most of them have a good grasp, but I don't feel it ever gets tested enough. Just like, honestly, testing restores. I don't think that gets done enough, but I also don't think people test their actual disaster plan and not just data recovery.
I mean, I guess to do that, it'd be kind of a simulation, right?
It'd be a simulation of a data breach or a disaster scenario. Sure.
Well, you could do it like a tabletop exercise. Say you have like 10, 15 customers or something like that, and then you write down maybe 20 different types of quote-unquote disasters, data breaches that you could see possibly happening, and then try to go through a random one, maybe once a quarter or something like that, with that customer.
I do think the customer should be involved in that too, right? I think it shows your worth, because they want everything, they possibly can for the money that they're giving you, right? I think most people want value for stuff and to me that shows an immense amount of value. If I was investing in an MSP and they had something like that, because then I have real world numbers, right?
I know expectations roughly how long I am going to be out or what do I expect the damage to be or how far behind I will be with the data recovery or whatever. So, I think that it's huge to do what Nate was just saying, like tabletop it out, get real world numbers, get them in front of your team and the customer.
I think that'd be, that's perfect.
Yeah. Another thing that kind of helps out is to put the onus on the customer too, because you might have every tool in the world, you know, looking for data breaches and stuff, but you don't know about Susie in accounting picking up a phone and giving someone their password to get in because it's the Microsoft team that needs to get into a machine and do something... That education on the customer side: if something weird happens like that, or someone gets in, or something looks weird, what do I need to do as a customer to contact you to take care of it?
Right, going through the plan execution together.
And I think we could take it back to what we all probably experienced in school. Look at the fire drills they had. Or if you're in the Midwest like I was, hey, there were tornado drills.
So during these drills, they're not just seeing how we as young, probably crazy kids were acting, but how are the staff controlling us? How are they leading us? Who went first? Who went last? How are we going to ensure that every student's there, right? Like they could break it down as simple as that to have a drill and just do like Nate said, internal tabletop it, this is what happens next guys.
And it doesn't have to be elaborate and crazy. I mean, yes, there is software out there that does all that stuff with you. But I think if you just take it back to the basics, like the fire drill days, I think you could shore up, you know, any ends that were loose and things like that really easily.
Sure. Well, I imagine these smaller MSPs may not have the resources to put tens of thousands of dollars into something that they could recreate internally as well.
Oh yeah, exactly. Like again, the one, two, three man shops they're not going to do stuff like that.
Honestly, I can't see it happening.
As an MSP, that sounds a little tenuous to me about what your responsibilities would be if you're a small shop. I imagine being careful about making recommendations to the customer... Am I way off on that?
That's valid because all that stuff needs to be put out front as you approach the customer and continue the life cycle.
The customer agreements, expectations. All these things are important. I don't think it happens enough, right? I think a lot of people kind of fly by the seat of their pants just because they really don't maybe have the time in their mind, because maybe they are a one-man or two-man shop and stuff like that.
And they don't feel like they're big enough. Because you are worth something. And if you just get these base agreements and get them in front of customers and expectations and things that go so far, and it does cover your butt, right? In case you do have an instance, you know what to expect or your customer knows what to expect.
I do think you should have all this stuff lined out all on an agreement, something they sign both digitally and physically have records of this type of stuff for sure. Sure.
And it's going to kind of outline a general scenario. If a breach were to take place, this is what the MSP's responsibility would be.
And these are that type of actions we would do. We would help you to identify and contain it. Correct?
Yeah. Yeah. I mean, I think it's like a 5,000-foot view of it, right? The stuff that is entailed in this is probably notebooks full of stuff. Again, showing worth is so big in MSP land right now because there are so many MSPs. Like, what's going to separate you from the others?
And it's stuff like that. Documentation, testing, proving that you can meet that emergency if it ever happens.
Another thing that I think more MSPs are interested in and kind of seeing and investigating a little bit is what type of insurance they need to take into consideration with this.
Because you brought up kind of a good point of how liable is that MSP? And are there specific things that your insurance provider as an MSP requires of you in order to not be liable or to be covered, or anything like that? That needs to be looked at and probably taken care of. Same type of quarterly review: hey, has anything changed since I got this policy? Anything else that needs to be covered customer-wise also.
So, I think that there's a little bit of thinking that needs to be done there too, because that could impact how you triage some of these data breaches and other things for your liability purposes.
Sure. Nobody wants to act later to find out they've somehow invalidated their cyber insurance, right? Right.
Yeah. I mean, even carrying insurance itself is just another huge tool in the toolbox when trying to acquire customers. Like, that'll get your foot in the door probably faster than some guy that doesn't, right? That could be an immediate rebuttal. If someone's like, well, I already have a guy, right, that's covering all my stuff, well, does he have insurance?
That's just like, is it an insured and bonded contractor, or is it Joe Blow off the street saying, "I can fix that. It'll be 20 grand." Yeah. Yeah.
And can you fix it? Sure. But then three months down the road, when it breaks, there's no warranty, there's nothing to fall back on.
So, right. Yeah.
Yeah. Especially in these cases of more highly regulated industries, healthcare, legal.
Oh yeah, I think with HIPAA and stuff like that, right? Cause that's an ever-growing contract or document pretty soon. I could totally see an insurance mandate of a sort on companies without a doubt.
Well, if I remember right, it's going to be a little fuzzy here, but there was one state, maybe it was Louisiana, that was specifically putting rules in place for MSPs and how they are liable in some cases for breaches and that type of thing. There was a lot of talk about that. It was probably about a year ago or something like that.
Yeah, that was Louisiana. You're right.
Interesting. Definitely growing regulations in that regard.
I'm kind of in my mind trying to think of a list of the top five things you need to be creating internally.
Clearly one would be your emergency response group, right? And then number two, would be the chain of command, like you said, who's on call, who's being contacted first.
And documentation. Documentation above all, because you're going to probably hire new guys, right? Sometimes it's a high turnaround, sometimes it's stressful.
Maybe if you're growing and bringing on more people. All these people need to be able to come on board, look at your documentation, and have a clear understanding of what's expected to be done. So, documentation, virtually, right? Some type of sharing software, password, obviously, locked like crazy, and then a physical document, like Nate was saying, throw it in a safety deposit box, right?
If all hell breaks loose and no one has access to stuff, then you can get in the bank and get the physical copy.
Well, and I think when you are onboarding new employees as an MSP, that's the perfect test. Hey, here's our documentation. That new employee should be able to go through that, and they should be able to give you an idea of what they need to do.
If something happens and if it's not clear to them, it might not be clear to anyone.
Yeah. It could be like you're three guys, right? You know each other, you know that this procedure's in your head, and you've been working with each other enough, and that stuff just kind of makes sense to you, you think?
But yeah, getting that outside viewpoint would be, well, I guess he's inside because he got hired, but he or she has no clue. And to look at that documentation and have a clear understanding; if it's clear to them, then you probably did a pretty good job. But yeah, that's an excellent point.
We've covered a lot of ground today on things that MSPs should be thinking about for data breach preparation, including internal communications with clients, documentation, and building your emergency response plan. Any final thoughts for our MSPs that might be listening today?
I would say just don't fall behind. Stay diligent on new procedures, new processes, hardware, things like insurance, right?
We just talked about that. That's relatively new to a lot of MSPs. Some of these big guys that are out there probably already have a grasp on it.
I would say one of the biggest things is when new hardware is added, or something significant changes, it's a problem if that plan is not updated. It's one of those things where you get X, Y, Z piece of hardware in, or we opened X, Y, Z thing, it's another intrusion point. Yet we don't immediately think to update our plans for that. After we get everything configured and documented, it needs to be an automatic part of the deployment of a new piece of hardware, software, or employee.
Understood. Those documents can't be static. They've got to continue to evolve. Well, guys, I think we're going to go ahead and close it out today. Sounds good. Thanks, Sean. I'm glad we were all able to get together and talk about some things that MSPs should consider as they prepare for the possibility of a data breach and other disaster scenarios.
Please make sure to subscribe so you don't miss future episodes. And let us know if there's a topic that you'd like to see us cover in the future. Thanks for listening. See you next time.
Dental MSPs: Challenges, customer vetting, and more (Part 1 of 2)
Summary: Managed Service Providers that serve the dental field face a unique set of challenges, dealing with highly sensitive data and regulatory compliance.
Transcript:
You're listening to MSP Survivalist, real talk from the data security experts. Today, we're going to be discussing an MSP niche, specifically dental MSPs.
We have a special guest with us today, Bill Dungy from CTS, an MSP based out of Ontario, Canada. Bill is the owner and operations manager at CTS. Bill, are you there?
Yes, sir. Thank you for inviting me and thank you for taking time out of your day to talk about this. I really appreciate it.
Absolutely. And we have with us today the usual suspects, Adam. Adam, are you there?
Yes, sir. Yep, you bet. Loud and clear.
Great. Adam Stuflick is the Cloud Business Manager over at NovaBACKUP. And Nate Fouarge. Nate, do we have you online as well?
Yep. I am here.
Great. Nate is the VP of Strategic Solutions over at NovaBACKUP.
So Bill, maybe you could tell us a little bit about CTS, the customers you work with, and a little background about you. Is that possible?
Yeah, sure.
We started over a decade ago out of my dad's basement. He was an electrician way back in the day, and a very early adopter of all things higher tech, if you will. I remember when he made a big deal out of a 10 megabyte hard drive and having very early access to the internet, and a consequence of my own exposure to the internet and technology that early was that I became very proficient with tech.
He went on to start programming things like PLC machines in factories and stuff to Visual Basic. And after that, he started to look more toward the hardware and networking side of tech. And because he was doing that, as a result, I was doing that. And all the way through my school, I was the kid who fixed the classroom computers.
And, if somebody had a problem, I would go fix the computer. I'm still that guy. If I go to a conference or anything where there's multiple people watching something off a laptop, I'm automatically looking at it, what kind of projector do we have here? What's on the table that I'm inevitably going to have to fix?
When we started, it was Cliff, my dad, who started with just a couple little companies, and his first foray into backups... When I say that he was an early adopter, he was also wise enough to recognize that backups were like capital C crucial. And so, for the first couple of clients he had, even though he was going in and maybe fixing minor technical problems, providing systems here and there, it was backups that he focused on, so much so that our company started under the name Backup Server. So, we were called Backup Server.
And he had a little server running in his garage where people would back up all their stuff to him remotely. And that was basically like his key point that he was trying to drive home. Later, we would go to the Ontario Dental Association's yearly conference or trade show and had a booth set up under this name Backup Server.
And people kept on walking past and basically saying "Oh, I'm good. I have backups" and we're like, no, that's 10 percent of what we do.
Was there a reason that market drew you guys into attending those shows initially back in the day?
Initially it was happenstance.
We had a nonprofit organization that Cliff was working for doing some IT. And this is pretty much on the side of like his regular nine to five. And one of the people that works there, his wife worked at a dental office. And I guess they got to talking and they asked if Cliff would come in and that was basically his introduction into dental.
This is right around the time when I came on too, because I remember that office, and the world of dental, very generally speaking, is really tight knit. So as soon as we had built a name for ourselves as somebody that could be trusted, business grew. Cliff was adamant to build a business that was paying very strict attention to detail and craftsmanship, if you can call it that, like that IT was a craft that you could work on. So that spread like wildfire throughout the local dental scene, and we got picked up by a whole bunch of different people very rapidly.
It seems like dentists being a tight knit group that the word of mouth on a good IT service provider seems to travel pretty well.
Yeah, so much so that many of our clients graduated from a dental school together in the same class. So, especially when you're talking about the same age cohort in the same location, they all know each other.
Does dental make up most of the clients you are working with today? Or do you have a few different industries that you are working with?
We have two main verticals that we work with. We work with dental, but that also spans to things like, Ortho and Perio.
Don't ask me what they mean. I'm an IT guy. I don't fix teeth. And I guess the other side of the split would be nonprofit organizations. We've grabbed on and linked into those just as much as dental these days. But dental certainly is what built us to be what we are today.
Understood. And our other attendees on the podcast today, Nate and Adam, through working with NovaBACKUP and their backup services as well.
Know would be an understatement. Those two gentlemen have saved our rear ends on two occasions. Yeah, it's been a long and happy business relationship with those two.
Good to hear. And so, what, in your opinion, do you think makes dental practices, small dental practices different than the average small to medium sized business?
I have many different variations of the way I want to say this. So this is what I've got together. I think there's a very specific personality type that lends well to dentistry that I don't really see, or maybe that I'm not exposed to as often, in other facets of business. That's where dentists have a lot of concerns that I don't think many other providers or business people really get faced with. For example, if you're a dentist and you have, let's say, one practice or even a handful of practices, everything top to bottom becomes their responsibility.
And besides that, they also have a staff that for the most part are required, let's say, to back up those decisions, because a dentist would have, let's say, an old x-ray system that is no longer compatible, let's say, with Windows 11. It's coming, right? This is the conversation that's going to be filling my inbox in the next couple months.
You've got a dentist that wants to upgrade their systems, but they don't have access to old operating systems. And to update to the new operating system, they must spend $40,000 on this new x-ray system that's unproven, and none of their friends can talk about. And all of that comes back to the dentist. Whereas other markets might have people that they can bounce off of internally to help make those decisions, a lot of that stuff comes back to me, and then we'd have to go call the vendor and say... One challenge we've encountered over and over again is vendors will sometimes send out software packages for practice management or imaging that are not in a full candidate release, but they'll just send it out as an update, and next thing you know, we're installing some beta test.
And so, then we must try to translate all of this to the dentist so that they can make the decision because I can't make the decision for you. It's your systems, dentists, they have a hard crack about it. And so, it's not exactly like leniency to make more decisions.
It's a responsibility. I suppose it's a gift and a curse at the end of the day.
And I imagine the changes we've seen industry-wide in the last two to three years, I think it's thrown a little bit of turmoil, certainly for some, but I'm not sure how that's affected the dental market. Have you seen, due to the pandemic or other reasons, any changes in the way that these customers are operating, or has your business been affected?
The two big things that I can think of is that dental vendors, again, people who are producing hardware and software for dental offices, in my humble opinion are not keeping up with recent changes. Or those changes are out of reach. I guess it's all just money, right? It depends on how much you want to invest in your business to get that new tech.
But I think the bigger thing at hand is, and you'll probably hear me reiterate this several times during this conversation, it's security, and security is my wheelhouse. Where I got my stripes as an IT guy was I got the opportunity to speak at DEF CON about an actual breach that we lived through. One of our clients was exposed to an in-house malicious agent, and we managed to track them down and the whole works. But it seems like no matter which way I put it, and this probably has more to do with me than it does the actual industry, but I do read about this on the MSP subreddit and the sysadmin subreddit; it seems like no matter which way I try to even just describe security as something that can make or break a business, we still have clients who just... I was going to say that they don't care, but if they did care, they would do something about it. Unfortunately, I think most of the time it requires a catastrophic incident for changes to take place.
But even then, take this for example. We just had a dental office that opted not to use a server. Okay, like a server in the proper form of the word, like with RAID and redundancy and backups and these kinds of things. Oh boy, they just had the whole office running off a desktop, and the desktop had a Western Digital Blue hard drive in it.
And what do you know, it failed. And it failed to the tune of I couldn't even mount it in Linux. It was dead, like dead. So, I said, you have backups, certainly. Yep, I have backups. I set them up myself. You'll find this described on the MSP subreddit with people who work with dental.
Either there's clients who trust you the same way you trust your mechanic, right? I don't fix cars. Or there's clients that opt to do 75 percent of the work themselves and then they defer the unknown unknowns to you. So, he set up his own backups using Backblaze, and "set up" means he went Next, I Agree on the installer, and it did not back up anything that his business depended on.
So, we had to send that hard drive to a lab and then the great frustration was I can't believe it was taking this long. It was like eight weeks. The guy got back probably 80 percent of what he had. And even then, the response was put together a stack for me the way that you would put together a stack for yourself.
And so, I'm starting to build all of these comprehensive tools, one on top of the other to take care of things front to back. And then the quote comes out and it goes whoa. But you'll be happy to know he's backing up with us now, so he's at least backing up.
Oh good, I was hoping so. I was like, man, I really hoped at the end of this story he definitely jumped fully on board with you.
Yeah, he's backing up now.
I don't know all the laws and that type of thing about, in Canada, but even what he was doing, if he was backing up the data correctly to Backblaze, which I believe, I could be wrong here, don't they just have a U.S. data center in North America? I don't know if they have a Canadian one yet.
Isn't that against your laws up there anyway?
Here's the answer to that question. If you take credit card payments, you're supposed to have PCI compliance. And every four months I get a ticket in our ticket system, because PCI audited the business and said, hey, you guys are wide open.
You have to make all these changes. And then I go, cool, this is hourly because this is a massively gigantic job. And everybody goes, okay, cool. Don't worry about it. We'll just say we did. I feel like that approach is taken for everything from data security to offsite backups. For the most part, people are just in this don't ask, don't tell loop.
And as long as there's no massive data emergency, everybody just keeps going with what they've got.
Yeah. Which is scary.
It's petrifying. I have to make the call.
Yeah, it's a fine line of law versus morals too. Do I tell on my customer?
The only thing I can say is that it points to a lack of security. Wow. We're seeing more targeted attacks in the news towards MSPs, and dental MSPs, trying to get to the end users to spread ransomware and so forth.
Seeing a little bit more of that kind of stuff in the news lately.
Oh, sure, and I won't name the RMM that was responsible, but there was a massive breach. I want to say six or seven months ago. And we're a customer of Huntress as well. And man, like security side, I can't say enough about Huntress.
They were the spearhead in the forensic analysis of that breach and helping that RMM's customer base get back on their feet. You think about it from, if I was the bad guy, why would I care about Dr. Dungy's office? When I can go hit an MSP and get 60 offices.
And speaking of your offices too, I know everybody has a different budget. But when it comes to physical versus virtual, what's your opinion on how a dental office should be set up in that realm?
What would you prefer and stuff like that.
I will say that if you ask five guys, you've got five different answers. So, I'm card-carrying EFF, right? So, I believe in owning my own data. And for that reason, I like the idea of an on-prem server. You could throw this out on any forum or any group or whatever, and I just get chewed to pieces.
But I also believe in an on-prem server. It goes well toward data availability as well, because we don't care if the internet cuts out, we've got everything we need in house. That said, I have no problem farming out services to cloud providers because it gets to the point where some of that data would be too cumbersome to have. Let's say this make-believe dental office has five computers in it.
Now we're going to run Exchange in the backroom. So, some of it can be farmed out to the internet, but certainly for the meat and potatoes of the operations of the business, patient charts and patient images, I like to have that on prem. Further than that, no dentist ever pays for good internet, so they're all going to go to the cloud and then be like, oh, this sucks, but they didn't pay for the bandwidth.
Sure. So, I heard you mention these guys going through college together, right?
Marketing strategies and how to get new customers, retain customers, all this stuff is always asked on these subreddits and even the one that we spun up as well. Do you guys ever have a strategy like besides just emailers or landing pages or anything like that? Do you guys go out to these colleges and try to snag them when they're young or anything like that?
I'm just curious.
I'm sure other MSPs have done that, and I've worked with other tech companies that are exceptionally hungry. And often the companies I've worked with that have rapid or exponential growth, the support suffers. It always suffers. And so, the vast majority of the business we've had has been handed to us from word of mouth. Take, for example, we had a new installation this week, it was like a server and two desktops, this tiny little office. And I went into the inventory, did the quote. I basically had a little bit of hands on with the systems, but enough to basically get an idea or a picture of what we're looking at here.
And it turned out that, way under the surface, there's years of stuff going on here with different email providers. And we use this program for that. That wasn't ever explained to me during the quoting process, and the way I look at it is as long as all the problems get solved and everybody eats, like what I mean by that is, all our guys get paid.
I'm happy with that. And I realized that's maybe counter to the Gary V mentality of growing, and like action. But so far, it's served us well. I think we must be around 15 years anyway. Got to be around that. That's my metric or my measure of how things are going is the long game.
That's a long time. Honestly, I think many strive to get to that point, which is, I think a lot of people would take a lot of stuff from this podcast. So, yeah, no, I think we're in the backup realm, but there's so many other aspects that obviously you guys are doing right.
Hey Bill, how do you feel about managed service agreements or contracts when you start up with a new customer?
Generally, our contracts come from continued hourly support. So, generally, when we go into places now, there's certain things I need to see that we can agree on before we go any further. A big red flag or trigger for me is inside the first five or 10 minutes, if I'm hearing from somebody in a leadership or ownership position that I used to work in IT, it's probably not going to work out because the shop talk side of it is you called me.
There's a reason I'm here, right? The reason I'm here is because your stuff is broken, and if I walk in and your network room looks like a spaghetti factory and I hear different stories from different people about what's working and when it's working and sometimes this does this and sometimes that does that.
And then I come to you and say, here, this is what we're going to do. These are the devices that we trust. I know you've never heard of Ubiquiti, but it's a better router than you can buy at Best Buy. I know that you're used to having an all-in-one networking appliance that does everything top to bottom.
And it costs more to put an access point at the front of the office and an access point at the back of the office and to manage it on the server. And you can't change the password whenever you want to change it. But we're really good at what we do.
You make a good point there about having to have, I don't know if like minds is the word, but it's a partnership. And partnership, a screening process for both of you, I would imagine.
It has to be.
Make sure to catch part two of this episode next week, where we talk more about the client screening process, red flags, cyber insurance, and more. See you then.
Dental MSPs: Challenges, customer vetting, and more (Part 2 of 2)
Summary: PART 2 of our special Dental MSPs episode! We continue to examine the types of customers and environments that Dental MSPs face daily.
Transcript:
Welcome back to MSP Survivalist episode three, part two. We continue speaking to Bill Dungy, a dental MSP, about his client screening process, red flags, cyber insurance, and more.
You make a good point there about having to have, I don't know if like minds is the word?
It's a partnership.
A partnership, a screening process for both of you, I would imagine.
This is how it works with the dental industry. Other industries, it's not like this, right?
Let's say we have one client, one that's a mechanic, right? And they have computers in their mechanic shop because they must. But if they didn't have to, they wouldn't. Now in a dental office, if your server's down, if your reception computers get stolen, and you don't have other computers, if your network is offline, you are not making money.
Period. The network infrastructure and the systems that dental offices employ is the backbone of the whole operation. Sure, if you don't have clients in need of dental work, you can't charge for anything. But second to that is your computer systems.
I had a turnkey operation set up with a local computer shop. We used to build our systems. I used to buy all the components myself, build them all in-house, image them and ship them out. And then once we got on board with a bigger distributor and started using Dell systems, it got so much easier.
Now, when I am pricing out a system, I can now say with complete confidence that this 10th Gen i5 with an SSD will destroy your 2018 i3. That conversation with a potential client can turn into a ping pong match where I quote a whole bunch of stuff, the quote comes back, and we go back and forth a couple of times, often that’s what happens.
However, when a would-be client then goes to eBay to see if they could find some systems that were either off lease or the same system I was quoting, but cheaper, that's pretty much where I cut the cord and I'm like, all right, it's just not going to work. Because there must be mutual respect. So that's one of the red flags for me anyway. I mean, it's a give and take as always.
I think most MSPs would say that they're going to run into some walls if they accept any customer off the street that happens to ask for their services without having any kind of a screening process, without being able to check off some of those boxes, as you say.
That's where I'm not so quick to throw Gary V out with the Gary V bathwater, right?
Because when we first started, if you had computers, we wanted to work with you. So, we were taking contracts for offices that were a six-hour drive away. And so, when we first started, it was me and Cliff in a busted-up old RAV4. And when we were driving between service calls, I had a laptop with one of those like ISP fire sticks in it, solving problems remotely.
So right now, we have the luxury and the opportunity to dismiss clients that don't pay. We've had a couple instances where we've had clients that, brand new to us, we've never worked with them before, and they've called us, and they got hit with crypto or something and everything's locked down. They need to do a full restore, and we've got to work through a long weekend or something, and then they just don't pay.
Wow.
And so, you get those two. But then we've had a couple of dentists... I just got a call from this guy the very beginning of last week. Every single year, he buys us cookies for Christmas. And so last week, he was like, wow, it's that time again, Bill, I'll have to meet you out here. So, it's not like it's a one-way street when it comes to dental. You just got to, I guess there's an intuition that needs to be developed about it.
Do you have a stance on insurance? Do you recommend to your dental clients that they have any kind of cyber security insurance?
I have a stance on insurance.
Everybody has a stance on insurance. Cybersecurity insurance. You know what? During the initial end of the world lockdown in March 2020, I used that time to go do the Security+ course, because I've always just been like a basement hacker guy.
I don't have any certs. So, I was like, well, I might as well start with this one. And they were all about cybersecurity insurance. You must get insured. We have a couple of clients that are adamant about cyber security insurance and a couple of them that just laugh in the face of who on earth would pay for that.
I don't personally know anybody that's ever made a claim for cyber security insurance.
Oh, we do. Oh, we do. So many people.
So, how does that work?
Yeah, Nate, you want to jump in on that?
Yeah, I know of at least a couple of very large companies that had multi-million dollar claims against insurance that paid out. Nothing to do with our backup software or anything like that, but it was how they were doing and storing their backups, and crypto and the hackers that got in just went in and wiped it all out, and they didn't have any offsite.
I've seen some big messes. But I've also seen cyber insurance companies, as soon as something hits, they're willing to get, quote-unquote, their guy to talk to the ransomware people to negotiate down a ransom, pay it, and get the company up and running as quickly as possible, because it costs them less money to pay the ransom than to even have the downtime of recovering from backups in some cases. Which kind of bothers me, the fact that they're going to get paid. And it almost feels like the people that are on the negotiating side of the cyber insurance people are conspiring with the ransomware people.
It's just a little off.
That's what I was thinking.
Yeah.
Even if it's not that way, it must feel that way.
You get the vibe like it is. Why doesn't that insurance company flake some money off to these MSPs, enhance their quote-unquote capabilities and whatnot.
And the insurance company might save money by boosting up the MSPs.
You said a couple of big companies, Nate. You think there's like a barrier, whether like a cost barrier or education barrier that kind of puts small offices off, or it's just a gut reaction?
The only reason I know some of these larger companies is because I was dealing directly with them, but I know a lot of smaller companies that have had cyber insurance of some sort that have paid out too. I've read a couple posts on the MSP subreddit that some cyber insurance premiums are like quadrupling or even more and in some cases not even allowing them to renew because it's getting so bad.
So, I think we're going to go through a couple of years of growing pains here as this progresses.
Yes. It's almost too good to be true just to have insurance. And then suddenly, they pay you, no problem at all. I can't imagine the monthly premiums are even going to be remotely affordable for everybody.
I've always wondered that too. If there's hack jobs out there that are insurance companies, that's just making a quick buck too. I'm sure that's happening, but that'd be interesting in the next five years.
Especially when you're talking about something like cybersecurity.
Because even if you work in tech, and security isn't your thing, it's just wizardry. So, some of those like hack insurance providers that you're saying must exist, I agree with you. They must, because they could just throw together some word salad about security and you'd sign the piece of paper thinking you're protected.
I would have to assume that would be the case.
Fear is a powerful tool. That's all they're using. One of our customers, an MSP, was losing a couple of his customers because another MSP, or service provider rather, came into the area and had the backing of an actual insurance provider.
So, they're throwing around a lot of money, throwing around a lot of fear tactics and things like that, and that guy lost a customer that was, I don't know what it was, like eight years. And then of course, a couple of weeks later, they totally screwed up everything and they couldn't get in their systems.
And then of course, who they fall back on. Yeah, good old reliable.
Bill, I imagine you've probably gone through different technologies and solutions over the years. Are there any tools in your kit that you find indispensable or important throughout the day?
Huntress is the big one. They have this technology called a ransomware canary. As soon as I instituted it across all our servers, I was like, man, I wish I had thought of this. Basically, it monitors files that it creates, basically hidden documents on the systems that it's installed on, and if those documents are changed in any way by ransomware, like encrypted by ransomware, it'll flag them and then send you this message and say, hey, by the way, it looks like ransomware is here. It's like an early warning type thing. We go in and out of tool sets. One thing that changed a lot for us was learning about virtualization, adopting VMware, and we have a couple of clients that have been able to make great use of virtualization. Even if the people on site don't really understand that there are three servers running in the server, it has saved some of our dental clients from needing a practice management server and an imaging server, and simply different servers for different applications. The one tool we're just starting to use now, which I'm hoping is recognized much more widely than it is currently, we're just starting to do email phishing campaigns, leveraging a piece of software called Gophish. It's basically like a self-hosted little email server that can send out emails to targets and track everything about them.
So, they can track the click rate, the open rate, they can track attachments, and you can cordon off different messages into different campaigns. So, for example, I can send out one email to everybody in the organization that says you logged out of Facebook, click here to log back into Facebook. And then I can send a more directed and targeted email to, let's say, managers within that organization, pretending to be somebody else from the organization.
As a marketing guy myself, who's not interacting with these kinds of customers, I always imagine that kind of stuff as touchy or sensitive. Obviously, they're going to know at some point, or at least the management is going to know that you might be conducting these test campaigns. How does that work?
I guess there's multiple ways you can go about it, right?
If everybody's aware, it defeats the purpose, because then we're not testing the actual posture. We're not testing to see how defensively ready or capable your organization is. It's ideal to test against real world considerations, right? I'm staging this offensive email plus, I'd like to get into some onsite social engineering, some phone and text social engineering to see specifically how much information I can get from some of these targets and using some techniques and tactics and procedures that are found in the real world. Say, for example, I have several sock puppet accounts on the internet. So, these are for all intents and purposes, if you look these people up on the internet, they look like real people. Two of them specifically, I'm quite active with on social media and they have friends and these people that I'm interacting with are convinced that I was in their class at Seneca, right? A local college. But the thing is, it creates this identity online that I can use instead of sending the, hey, click here for your reward type phishing email, I can send an email from somebody who is completely believable.
And I can say, hey, my name is Bob and I'm from an agency just like yours and we're not open yet. We're going to be opening in three weeks at this address. And we're having a heck of a time finding a reliable cleaner. Is there any way you can tell me who's doing your cleaning services on site?
The idea being, if I can find out who does the cleaning, I could maybe get a shirt screen printed with that company, show up as the cleaner and say, you know what? This new temp that we just hired left the mop bucket downstairs. Do you mind if I just run down there and grab it? And let's be honest, I'm in Canada, right? Everybody's going to be like, oh, sure. Good to have you here, boys, as they hold the door for me.
The thing is, if I start discussing cyber security, most of our clients envision the guy with the black hoodie in a dark basement, like the mechanical keyboard, capital H hacking, right?
But most of the loss comes from poorly worded emails from people who look like they have authority asking people to do things they wouldn't normally do. So, what that looks like in real time is, we just finished a phishing campaign with a local dental office, but when I say dental office, it's a production, right?
They have a whole whack of stuff going on in there. During that engagement, like I was posing as management from within that building, asking them to send me employee schedules, or for example, we're just about to start one in January, right after the holidays, that has a much longer timeframe, which is ideal because it lets me build and build and build.
I can build trust and real relationships with the people that I'm communicating with. And during that conversation where we're trying to set out the rules of engagement, what am I allowed to touch? What am I not allowed to touch? This is where I can get maybe a little bit more toward the extreme end of things where it doesn't really fit the scope and scale of a dental office.
But if we're talking about a major, multimillion dollar corporation, I'd be interested to see what the employees do if some of these things happen. So not only if I get a weird email and, oh, this looks like it's from Trevor, but it doesn't look like it's from Trevor. So, I'm going to report it, and that's the safest thing to do. Well, what happens if the CEO gets kidnapped? What happens? You can go all the way from somebody's trying to get this little dental office to buy Apple gift cards, posing as the owner, all the way up to when the big boss man comes back from his lunch break, the red team's sitting there waiting at his car saying, actually you're not going back to the office.
We want to see what happens if we pose a kidnapping here. I don't know. Social engineering, I think that's where things are right now for spreading awareness about cybersecurity, because a lot of people think that, well, I'll just install AVG and that'll be good enough. And then they're responding to every email they get, you know.
If people stop clicking on things, I'll be out of a job for real.
True, true.
Yeah, no doubt about it. This whole phishing thing with the emails, I'm going to go down probably the darkest rabbit hole ever and learn more about this, because that has intrigued the heck out of me. There's always intrusion detection and testing, weaknesses in firewalls and things like that.
But this is a whole other level of making sure your clients are educated. Without being able to study for the test first.
IDS and IPS are useless. If I show up with an orange vest, a clipboard and command presence, they'll open the door for me.
I'll send you a bunch of links in any case. 'Cause if you like that, you should start looking up open-source intelligence so you can realize exactly how terrifying the internet is. I'll send you a whole bunch of stuff you can get lost in tonight.
Good. I can change my nightmares a little bit.
Well, great Bill. Coming to the close of our conversation today. I had a couple of closing questions, maybe the greatest lesson you've learned in the last few years, any lesson that you could impart upon us from working with dental clients for those that are looking to enter the dental field.
Sure, that's easy.
There's a significant difference between preparedness and paranoia. And especially when it comes to things like planning for emergencies and failover and redundancy, you must walk that line carefully. But you should think about what would be the absolute worst thing that could happen and plan for that.
Because I can just tell you from experience, it's not fun getting caught with your pants down. And especially from an ownership perspective, especially if you have a team working with you and like they look over at you and go, okay, now what? You should at least be active about if this happens, I'll do that.
If that happens, I'll do that. Now there's always the unknown, but as somewhere to start, too many times I read about guys that are either working for crews or have experience from crews that just flatly assume nothing's going to happen. Second to that, I would say everybody from every single position in every single organization should be reading Extreme Ownership by Jocko Willink.
The technical fields are plagued with finger pointing. It's an absolute disease that runs through. So, I can't go on site to a client's office without the x-ray provider saying, well, no, this is a practice management question. And the practice management people say, well, it looks like a printer problem to me.
And even when we're on the same team, helping the same client, nobody wants to take ownership of the problem. So that's one place where I try to get our guys all on the same path where we go, it doesn't matter what the problem is, I'm here and I'm going to fix it. Another one to check out is Start with Why from Simon Sinek. You can't fundamentally put forward excellent work without a correct aim, and you can aim incorrectly.
I think organizations generally are underserved by people who aren't willing to invest in what's required to be in that position. Even if you're like a base level one help desk, you're not even like a sys admin yet. It will be known and appreciated if you take those problems, put them on the bar and squat them and be like, I have this, you can trust me with this, you know?
So that'd be my two big things is plan for the worst and educate yourself on Jocko Willink.
I think those are great recommendations. Can't thank you enough for joining us today. I think you've just given us a wealth of things to think about.
Thank you very much for the opportunity.
Adam, Nate, thanks for joining us today.
Yep. No problem at all. This is awesome. Lots of knowledge.
Yeah. Thanks for putting this all together. It was very helpful.
NovaBACKUP Corporation | 29209 Canwood St. Agoura Hills, CA 91301 USA
© 2024 NovaBACKUP Corporation. All Rights Reserved.