By Chris Johnson
Our goal is Secure Outcomes and together we can make a difference.
MSP 1337, Dec 05, 2023
My Cell Phone's Been Cloned
We all know the dangers of connecting to airport Wi-Fi... Join Sarah Goffman and me as we discuss the dangers of connecting even your cell phone to public Wi-Fi.
Ideals vs Reality
What does future growth and sustainability look like in the MSP space? Acquisitions abound, SMBs and micro-SMBs bounce from one MSP to another... What is the future yield especially when we start discussing cybersecurity challenges and adopting even good cyber hygiene? I sit down with Eric Hanson of Inland Productivity to get his take on the future of client growth and where those net new clients might be. Whether with existing or new clients, they must recognize the need to improve their cybersecurity posture!
Fireside Chat - Control 07 Continuous Vulnerability Mgmt.
Deep dive into Control 7, with some influence from other controls. We know that OS patch management, change management, third-party app management, and third-party app patching aren't always prioritized the way they should be, considering today's threat landscape. Matt Lee is on a pedestal on this control, so stay tuned through the end as we run a bit long on this one.
ITN Connect Recap 2023
I sat down with Matt Fisch of Fortmesa to discuss observations and highlights from ITN Connect. From new vendors in the pavilion tackling niche cybersecurity challenges to conversations with Solution providers that show our industry is maturing.
Business Email Compromise
Maybe we have talked about this before? At any rate, business email compromise is a constant threat. We do phishing simulations and other security awareness training to help our staff and clients make good choices, but we aren't always perfect. I sit down with Dan Gilligan of Integra MSP to hear his journey in dealing with this issue and the tools and training that have changed over the years to keep up with this evolving threat.
What are insider threats? Tim Schnurr and I discuss the importance of cybersecurity in protecting digital assets and preventing insider threats in organizations. There is an overwhelming need for employee education, the use of data classification tools, and the implementation of monitoring tools to track data flow. This is a great way to have open conversations with your employees and your clients about why it is so important to think before you click on a link, hit send on an email, or download/upload files to file-sharing sites.
Industry Conference Overload
Thinking back ten-plus years on the industry conferences we have attended in person and online. With vendor mergers and acquisitions, it is hard to determine which shows you should still attend, and every day it seems there is a new road show, quarterly show, or another membership conference. How do you decide which ones are relevant enough to attend?
Fireside Chat - CIS Control 10 - Malware Defense
As we go through the CIS Controls we try to stay in sequence, but as a result of some discussions at recent events, we decided to jump to Malware Defenses. Hopefully, Matt Lee's insights and my humor will be enough for you to endure 30 minutes on what you should do in your journey to address Malware Defenses.
Getting an Assessment...
We talk about frameworks, compliance, cybersecurity, and many things in between, but we haven't discussed getting assessed against a framework or even the new CompTIA Cybersecurity Trustmark. I sat down with Omer Kasim Aslim of Lake Ridge to discuss assessments, and how the different frameworks, whether prescriptive or not, are often looking for compliance to protect a specific type of data rather than an organization's overall security. We go through several scenarios and Omer offers many tips and best practices. Enjoy!
Should I Sell Compliance Services?
In recent years we have seen solution providers begin offering services that show a shift in our industry around our client and client-prospect needs. Five years ago, very few solution providers would have been comfortable talking about risk registers, GRC tools, and POA&Ms, or taking a leadership role with our clients. Join me as I sit down with Chad Holstead of BKS Group to talk about the challenges, risks, and opportunities of positioning compliance as a service.
CompTIA Cybersecurity Trustmark Progress
From the trenches... I sit down with Jim Harryman of Kinetic Technology Group to discuss their progress through the new CompTIA Cybersecurity Trustmark. What are the significant challenges, and what are the easy wins? A glimpse into the journey that got Kinetic Technology Group to where they are today and their preparation for assessment at the end of the year.
Fireside Chat - CIS Control 6 Access Management
This fireside chat with Matt Lee brings us Control 6. Access Management goes hand in hand with Account Management, and if you have been following along, we covered Control 5 last month. Join Matt Lee and me as we deep dive into each safeguard, discuss what you should be doing, and map it to the safeguards we cover.
Do I know my assets (IoT, IIoT, and OT)?
Each day we are bombarded by cybersecurity threats, and this episode adds another vector you should be looking at as you address your asset inventory. Are you looking at the asset that controls your thermostat? How about the IP cameras you use to secure your office? These are just some of the many questions I raise as I sit down with Huxley Barbee of Run Zero. It isn't all doom and gloom, but the outlook is definitely scary if we don't start taking action to secure the devices that are often ignored, or whose responsibility and burden are assumed to be already handled.
Committing Fraud Through CMMC.
There is no question that CMMC is here to stay. It is a much-needed maturity model for measuring companies that cater to the Defense space and are doing what is needed to protect Confidential Unclassified Information (CUI). I sit down with Adam Duman of Vanta to discuss frameworks, contracts, cybersecurity challenges, and how all of these things impact a company looking to keep or add contracts within the defense space.
Preparing For A Storm.
In cyber we often focus only on the events that come from the ether, the dark web, and we forget that disasters can come from all sorts of events. With a hurricane less than 24 hours from making landfall, I sit down with Charles Love of ShowTech Solutions to discuss their prep.
Was I a victim?
I am a big fan of Scott Augenbaum's book, "The Secret to Cybersecurity." Specifically, the 4 truths that we talk about with Tye Male, Senior Pastor of Wellspring Church: a suspicious email, inconvenient timing, stress-inducing, and, when it is all said and done, the potential to damage your reputation. Listen in to hear what Tye learned about being vigilant and communicating the cyber dangers to friends and loved ones.
Fireside Chat - CIS Control 5 Hurdles
We are 1/3 of the way through the CIS Top 18 and I think Control 5 might be my favorite. Matt Lee joins me as we dive into all six safeguards and how important they are in the journey toward cyber resilience.
Cybersecurity for Big and Small MSPs
I remember the days when Joshua Smith and I decided we should build our own MSP. It was a simpler time, and cybersecurity was defined largely by firewalls and antivirus. Today, starting an MSP, or even being a small MSP trying to get its arms around cybersecurity, is a daunting task. I sit down with Dor Eisner to talk about why he decided to build Guardz, why he chose to focus on a solution for the smaller MSP, and his overall view of the threat landscape. Together we can make it more difficult for the threat actors.
MSPs Need Compliance
There are lots of frameworks to choose from, and some are more complicated than others. What is important is that you use some set of controls/safeguards or standards that are measurable and that you can align with. I sit down with Alex Spigel to talk about her approach to compliance and how things like responsibility matrices can help. We are at channelcon23 and I hope to see many of you in person.
Over the past few months we have spent time on policies, on how to tackle controls and safeguards in the CIS Top 18, and we have even pointed out cybersecurity areas that might be overlooked. In this episode, as we all look at maturing our cybersecurity practice, we look at how one might show evidence to support all of the effort put into creating policies, processes, and procedures. Thanks to Chase Griffin for highlighting that sometimes you do need some tools.
Fireside Chat - CIS Control 4 Hurdles
It is the 3rd Tuesday of the month, and it is time for Control 4 with Matt Lee. This is a shorter episode, but we get it done and get great insights on how to go about addressing CIS Control 4.
Policy Creation Involves Everyone!
Policies are the one thing no company wants to create but everyone has to have. We see them show up in employee handbooks, Written Information Security Plans (WISP), and System Security Plans (SSP), and there is no shortage coming from HR. In this episode, Charles Love of ShowTech Solutions and I explore why policies should involve all staff. Either everyone gets it and acknowledges the need to follow them, or they tend not to get followed at all.
Do You Know Who Your Users Are?
I don't often have vendors as guests on the show, so when an exception is made, it is because they are bringing something exceptional to the table. Single sign-on, which I discuss with Nick Wolf of Evo Security, is a topic we have touched on before, but never in the context of how it might help you address CIS Controls or other challenges in managing your internal users or client-facing users.
Fireside Chat - CIS Control 3 Hurdles
A little Chutes and Ladders, a little Yellow Brick Road. In this episode, I think you will find that Data Protection is a rather complex beast, but through the guidance of Matt Lee of Pax8 you will have the tools you need to better protect what is important to you and your clients.
Counterintelligence and TikTok
This week we put some thought toward adding counterintelligence as something that should be part of your Business Continuity, Disaster Recovery, and Incident Response. It makes sense when you hear what Darren Mott has to say. As a former FBI agent, his insights, both from his time in the field and even now in his new role, are not to be missed. Why is TikTok bad? What are the personal risks that I am taking on by choosing to use technologies like TikTok? What are the potential ramifications for me and my friends...? Not just today... what about 10 years from now?
Check Vendor's Security Posture
After we did "A Doozy of a Story," I was presented with this gem. It almost feels like a perfect storm, but in fact it is a legitimate business, and as I discuss the details with Eric Hanson, I want you to think about the CIS Controls for Service Provider Management and Software Management. It is easy to forget that our vendors don't always take a security-first approach.
Cyber Insurance Industry Maturation
When cybersecurity insurance first came on the scene, it was a new frontier. Everyone seemed to be selling it, and everyone seemed to qualify for it. That was then... Sitting down with Reid Wellock of FifthWall was an enlightening discussion of where the industry is at and hope for the future. There are several pointers in this episode and even a book recommendation.
Do I need a PenTest?
What is a pentest? What if I can't afford a pentest? How is a pentest different from a vulnerability assessment? Matt Lang and I attempt to give some direction on these questions and many more. Perhaps redefining what a pentest is will be our next endeavor.
Fireside Chat - CIS Control 2 Hurdles
Our first fireside chat was about physical assets and the hurdles or obstacles faced when trying to get a complete inventory. In this month's special edition, a fireside chat with Matt Lee, we are addressing Control 2. This is a focus on really understanding, and getting a good handle on, the software and operating systems in your environment. As always, Matt has great insights, and our conversation does drift a bit to other controls. Our hope is that this episode will help you build your foundation as you continue on your journey of cybersecurity maturity!
One Man Shop to CISSP...
I love a good origin story. Sitting down with Matt Lang of SVAM International showed me just how alike many of our stories are: how we got started in IT, why we started an MSP, and in some cases why we became super passionate about educating our friends, peers, and colleagues about cybersecurity risks. Stick around to the end as Matt shares some great tips on getting more out of the CompTIA ISAO.
FTC Safeguard Rule and Opportunity
We are all too familiar with regulatory requirements and the penalties for failing to comply. As of June 9, 2023, the FTC has put into effect requirements that will directly impact financial institutions. In this episode, we talk specifically about the impact this will have on the automotive industry, and very specifically on car dealerships. I am joined this week by Jay Lamb of Core Plus to discuss the impact of not properly protecting PII. The areas of focus include, but are not limited to, the following: designate a qualified individual to oversee the information security program, implement 2FA, develop an IR plan, and several other specifics that sound all too familiar.
A Doozie of a Story
Domain registrations and an extra invoice that has a bit of sticker shock... This and more with Charles Love of ShowTech Solutions. We have talked about doom and gloom in the past, but this story is one that I am already losing sleep over. I'd love to hear your thoughts on this one.
Fireside Chat - CIS Control 1 Hurdles
If you haven't met me, you should know that my passion is helping others improve their cybersecurity posture. In an effort to make a bigger impact, I have brought Matt Lee of Pax8 onto the show as a special guest to talk about the noise our MSP audience is dealing with. In this episode we talk about some of the challenges we have heard MSPs struggle with, and we think this will help our friends and colleagues get past asset inventory in a meaningful way.
We are all too familiar with our own mortality. In this episode we talk about the scenarios that can arise when a key person in a company holds all of the keys and is suddenly taken from us. While there is some morbidity to this episode, it helps us tell the story, and it should make you pause and consider: what if a key person in the organization is simply unreachable? Have you done a tabletop exercise? You don't want to miss out as Sarah Goffman paints a pretty painful picture that I am sure all of us would like to avoid.
Security Without Cybersecurity?
As a podcast, we pride ourselves on our focus on cybersecurity topics. This is an episode focused on cybersecurity without talking about cybersecurity. Crazy, I know: Ian Richardson of Richardson and Richardson makes it almost twenty minutes in before we really talk about anything tech related. Risk, anyone?
State of Cybersecurity
CompTIA's research team, Seth Robinson and Carolyn April, join me in discussing some interesting research trends that cover 4 pillars or steps that I like to refer to as the 4 Ps: Policy, Process, People, and Product. Be forewarned that much of the research comes from the end-user perspective, but I think you will find the insights very much important and relevant to the changes happening in our industry and the new opportunities presented as we go into the second quarter of 2023.
Protecting Friends and Family
Cybersecurity challenges exist in every aspect of our daily lives. Join me as I discuss with Dom Kirby of Pax8 an approach to cybersecurity with friends and family. Technology helps, but it doesn't solve it all.
Explaining Cybersecurity to a 5th Grader
Ever wonder why your prospect or client gets a confused look on their face? You try to describe the new service offering or the features that have been added to improve the security or efficiency of their workforce, but they just don't seem to understand what you are trying to tell them. Join Charles Love of ShowTech Solutions and me as we talk about some ways to change the approach so that solutions are met with much less resistance and are much easier to understand.
Cybersecurity Maturity Without Technology?
If my organization has no technology, can I still be secure? Matt Topper of ConnectWise and I explore cybersecurity with an approach that says you can prove a mature cybersecurity posture without technology. Technology is shiny and can often be a distraction from a focus on business functions and what we should be trying to protect. Stick around until the end, as we may in fact find that technology is still a very important component of a mature, cybersecurity-focused business.
MSPs, Controls & Safeguard Capabilities
With Communities, Councils, and Forums just a few weeks away, I thought we should tee up the unfiltered fireside chat between Matt Lee of Pax8 and myself. In this precursor, you will hear our two different approaches to achieving the same outcome. There might be some references to "The Yellow Brick Road," and maybe a reference to the children's game "Chutes and Ladders." This is fun banter between two friends that you don't want to miss. Enjoy!
Social Media and Threat Landscape
We talk a lot about social engineering and its potential impact on our employees, our businesses, and even our family and friends. What we often fail to talk about is our responsibility to ensure that our employees, clients, family, and friends are educated about the dangers. What can we do to reduce risk without strict and aggressive tools that block or prevent staff from using social media? We all know they will likely still need to use email, and despite our efforts, bad emails still get through to our end users. Join me and Jim Harryman as we discuss ideas and an approach that gets everyone on board with staying safe when it comes to social media.
Frameworks and Privacy Updates
We are beginning to see a pattern of frameworks updating or adding privacy controls. Whether they are long overdue or not is neither here nor there, as they are now being stood up: CCPA becoming CPRA, ISO 27001 adding new safeguards, and others all looking to improve privacy. I sit down with Sarah O'Kelley of Choice Cyber to discuss data protection and the emphasis on privacy. Great discussion... Thank you, Choice Cyber, for the wonderful insights.
Emergency Response Team (eRT) is What?
Have you ever dealt with a client, prospect, or perhaps an internal event that caused harm to your business or others? If so, I am sure you can relate to feelings of shame and embarrassment, and I am sure many sleepless nights as you work to recover as quickly as possible. I sit down with Miles Jobgen of CompTIA and Robert Cioffi of Progressive Computing to talk through a real-world experience and how the CompTIA Emergency Response Team came to be. The genesis of ensuring that a business doesn't have to navigate an emergency alone: a team that comes alongside you at no cost to your business, volunteers who want to help you!
There is some buzz circulating about the upcoming CompTIA Cybersecurity Trustmark, compliance with frameworks, and how to get started as a solution provider. I sit down with Matt Lee of Pax8 to discuss the opportunities presented to solution providers who submit their organization to comply with a framework. Similarly, the new Trustmark from CompTIA, while not a framework on its own, has taken on safeguards from multiple frameworks to give direction and a path toward cybersecurity maturity.
I'm Too Small For a Firewall
There is still a mindset in our industry that says, "You are too small to need X." With the experiences shared by Sarah Goffman of TCE Communications, we cover the necessity of firewalls, endpoint protection, and other security components that are necessary for today's threat landscape. Great conversation, and I think a big opportunity to educate prospective and existing clients on the threat landscape.
Pig Butchering & Other Scams
I sit down with Kevin McDonald of Alvaka to talk about the three main scam types out there and what they look like. While we might not be able to prevent all threat actors from prevailing, we can make it more difficult, and in many cases our quick actions can reduce the likelihood of someone else falling victim to the same attack. If it is too good to be true, then it probably is!
Password Manager or nothing?
So this episode is not about Lastpass specifically, but about password hygiene and best practices around securing your credentials. We talk about the better-than-nothing model and even some unconventional ideas around password management. Hopefully this conversation with Eric Hanson of Inland Productivity Solutions will give you some ideas on how to talk about better passwords and the necessity of password management with your clients.
2023 What can we expect?
Not to follow in everyone's footsteps on predictions... I waited to publish until January 3rd, 2023. I had an opportunity to sit with Steve Alexander, facilitator and founder of MSP-Ignite, to talk about his hopes and predictions for MSP-Ignite members. I threw in a few of my own just to push some buttons, but I think you will find some surprises in this episode. Please contact me if we missed something or if you have an idea for the next show topic!
Looking Back on 2022
Joshua Smith of Reliaquest and Charles Love of ShowTech Solutions join me to look back on the highs and lows of 2022 and what we hope for in 2023.
Policies and Controls, Compliance vs Security?
I brought Jim Harryman back to finish the conversation on policies and controls. We left out a few key pieces.