Skip to content

Are MSPs Ignoring Best Practices for the Sake of Time | EP 44


Connor Swarm
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swam, CEO of Phin Security, and welcome to Gone Phishing. 

Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin, and I am joined once again by a friend of mine, Adam Evans. The, did you say, the discount Jason Slagel? 

Adam Evans
Generic discount generic brand Jason Slagel. No, we have Jason at home. 

Connor Swarm
The generic Jason Slagel. Also the security director of Simplex it, Adam Evans. How are you, Adam? 

Adam Evans
I'm well. Can't complain too much. 

Connor Swarm
So we just wrapped up a podcast on compliance frameworks, how to understand it, security awareness training, and how to connect the two. And today you're also in the MSP industry, simplex it. So today I wanted to ask you about are MSPs ignoring best practices for the sake of time? And I believe this is actually a topic that you selected, so I'll let you run with it for now. 

But what does that mean? Are they, are MSPs ignoring best practices? 

Adam Evans
In short? Yeah. And I've been thinking about this topic a lot lately. 

We look at our industry and the threat landscape as a whole. Security incidents continue to occur. 

I don't know how many posts I've seen on LinkedIn of another data breach happening. 

It seems that they're happening every other hour at this point. 

And you look at the pressure coming in from external entities. Right before we jumped on this call. 

I saw that SISA's joint directive collaborative. 

The JCDC, or whatever they're calling it, I've seen too many acronyms they don't remember, released their report on the risk of remote management software and MSPs in the supply chain. I haven't read it yet.   I saw that it exists. Speaking of Jason Slagel, his firm, CNWR, got a nice little call out from Cisa on that one. 

So stoked for them on that. But CisA really realized that there's some risk out here, and MSPs are part of the problem, and they wanted to understand that problem a bit better. So we've got the consistent attacks that are happening. We've got the fact that third parties are starting to look at us as a potential risk.

And it seems that there's a dozen and a half vendors on the market offering their one click easy to pull, easy button solutions to solve all of our problems. 

But the risks still exist, the attacks are still happening, and the costs of those to both the small to medium businesses we serve but the dollar amounts are increasing. So it really begs the question, have we failed at cybersecurity as an industry? And if so, why? And as much as it hate, I hate to say it's starting to look like we might have. 

We might have dropped the ball a little bit. So why and how did we get to where we are right now? And that gets into me the daily culture and the daily grind of working in the MSP industry. Being realistic. SMBs don't have a lot of funds to hire good quality staff all the time, or good quality firms. They've got to worry about their budgets. So looking at the MSP space, we're a competitive bunch.  We like our business opportunities and whatnot. But are we cutting corners on our end to be able to meet those budgetary requirements? 

And if we're doing that, what's getting cut in the process? Not to mention security, is a complex topic. 

If you go and look to see all the different subdomains of the information security industry, there's a billion subdomains out there. And each one of those could be its own dedicated full time job in a Fortune 500 company. And then you start asking the question, who can actually do these in an MSP? There's not a lot of us out there. The talent shortage is definitely out there for us as MSPs. Getting good people that are willing to put in the hard work to make it happen. That's not easy to find either. 

And just where as an industry do we go? And it's rough. 

Connor Swarm
What do you mean by ignoring best practices for the sake of time? You mentioned a few things that it's really hard to find some capable talent. 

Not only as a small business, but as an MSP. 

So your clients are dealing with it. You're dealing with it. What are some of the best practices that you think have a tendency to get ignored for the sake of saving some time? 

Adam Evans
A simple, easy one that I can think of right off the top of my head. Credential sharing. How many MSPs do we run into where they may be using the same credential across all their client base for their domain admins? 

I hate to say it, but we see it. 

How many MSPs are rotating that credential out after doing their own staff changes? Or if there's been a potential compromise? 

That's another challenge. And it's a simple best practice that's easy to do on paper, but operationally it takes time. 

If you don't have a tool to do it, whether it's some kind of a PIM or Pam solution for privileged identity or access management, it's a manual process. Doing it on five companies. Oh no, I've wasted an hour doing that across 50 clients. Okay, that's now a bigger task doing that across 100 or more. 

You need a full time person to do it manually, or you need to write the automation for it. Not every MSP has that luxury. 

Connor Swarm
What do you see as the way out of this issue of not having enough dedicated, competent resources and not having enough time for the people that do exist?

Adam Evans
What's the way for MSPs and small businesses out of this one option? 

We need to invest back into our communities, whether that be through the MSP communities themselves, through groups like the tech degenerates, MSP geek, and a whole bunch of other great ones out there. 

There's an opportunity to share the knowledge and the love and whatnot and help lift people up. There's the opportunity for internally with their own staff, to find those people who are security curious, to empower them through their programs. And there's also the overall bigger picture out there, and funding certifications and training along those lines to take people up and build them up into those professions and give them some agency and ownership to make it happen. But there's still challenges that come with that. 

I wish there was an easy button for this issue, but there's not. We've got to invest the time and resources to make it happen. But when we look at that cost benefit of spending the time to skill someone up now versus the cost of a ransomware incident, it could be a lot cheaper to invest in your employees than to deal with the remediation, especially if the client's firm or their insurance deems that the MSP is at fault. It's a risk that needs to be addressed appropriately. 

And while we might save time up front, are we really spending a lot more time down the road? 

Connor Swarm
Yeah, I think that's such a hard decision for a lot of businesses to make, because speaking from experience, I've never met a small business owner who thought, yes, I'm going to be the breach. 

My company is going to get targeted, or my company is going to get swept up in it. So it's like when you approach them as a security director, as somebody who's there to help them understand their actual security posture and the risks that they're exposed to. They come to that conversation with, this. 

Isn't going to be me anyway. So, yeah, say whatever you'd like. And then when you're like, hey, this is how much money it's actually going to cost to keep you secure, then they're like, doubly they double down on. That's absolutely not us. 

Adam Evans
Yeah, it'll never happen to me. But you're not too small to be hacked. You're just too small to make the news. 

Connor Swarm
Yeah, that's one of my favorite quotes.  Do you know who said that? I've stolen that quote, and I have no idea who to stealing it, too. 

Adam Evans
But I look at our industry, and. I look at what happened a couple of July fourths ago, and great guy. I'm sure that Robert Coffey, when he was impacted by his incident, was thinking it'll never happen to me. And then he woke up that day and said, oh, crap, it's happening to me right now. 

Connor Swarm
Yeah. I've watched him give his presentation several times on what happened today, what happened to the next week, what happened to the next 30 days. And I watched him on the year anniversary of that, watched him give a talk. 

That was scary. Eye opening. 

Adam Evans
Scary. Absolutely. And you never want to see it happen to anyone. 

But I'm so thrilled that Robert's taken the time to share his story and his experience with the industry, because it's that sobering reminder to us at the MSP level that it can happen to you. And when it does happen at that scale, you need to be ready for it, and you need people to be there to help lift you up. Not point fingers, but help you through. 

Connor Swarm
Whatever you need to get through at that time? Yeah, absolutely. Where would you personally draw the line between efficient security and effective security? 

What's the thought process you'd go through when trying to decide that? 

Adam Evans
So if I'm looking at things from the get go, my first thing that I look at, if I'm onboarding a new client or just deploying something new CISA has a published catalog of their bad practices. 

It's three things. MFA, end of life systems, and default credentials. They've straight up said, stop doing this. 

Connor Swarm
Stop doing MFA. 

Adam Evans
Sorry, it's not. Stop doing. Stop allowing things to exist without MFA. 

Connor Swarm
Got it? Got it. Okay. Yeah, I was really confused there. That makes way more sense. 

Adam Evans
No, it's MFA. All the things. Patch all the things. And make sure you're not using admin. Admin for your credentials. 

Connor Swarm
Yeah, role based access is pretty important. 

Adam Evans
Yep. So then building off of that, though, I'm a big fan of my frameworks. I would initially say, pick a framework. And go with it. Easiest two ones to look at, CIS Controls and the NIST CSF. They've got their maturity levels. Start at the basics. You might look at the basics and say, of course I have an asset inventory, and of course I have my software assets, and of course I patch. 

Are you really doing it? Can you definitively say right now, do you have a Cisco small business switch in your environment and what firmware versions it on? We know that you've got them, but. 

Are you maintaining that because when those vulnerabilities pop off, the security incidents happening we can't secure, we don't know we know exists. So even those simple little things make a difference, then continue that cycle moving forward.

Do we have the resources of a Fortune 500 that can do the big fancy frameworks? I'd love to say that we do, but we don't. But you've got to start somewhere. And realistically, if you're being chased by a bear with a friend, you don't have to outrun the bear, you just have to outrun the friend. 

Connor Swarm
As much as I hate to say. That's a good analogy, that is a great analogy for security. You made the statement earlier. You're not small enough to get hacked, you're just too small to make the news. And that basically applies to a lot of the reasons small businesses get caught up in security instances is because of larger scale breaches that occur either at a third party solution that they use. 

Like a well known password manager, or. 

In the case of Rob, MSP focused tool. 

And so it's like, yeah, at that victim, the person who ends up being the victim is the victim because of opportunity, not because they were, probably not because they were targeted. 

Targeting still occurs, but it's usually opportunity. 

You mentioned a few things. For those of you that are listening. We talked a lot more in the previous episode with Adam about security frameworks, not only if they're prescriptive or if they're just recommendations, but there's a ton of acronyms. 

So we go through some of the acronyms in the previous podcast if you'd like to learn more as well. When MSPs are looking for new solutions, either that's a service they're subscribing to. 

Like a company that they're going to work with or a tool they want to purchase, how should they focus on making that decision? 

Adam Evans
To me, all around risk based, what data is that vendor having access or getting access to, and what are the risks around that? And then lastly, is the vendor taking their own security seriously? I think at Channelcon recently there were some conversations from their staff team regarding just how to help manage that vendor risk a little bit better. 

We look at all the different compliance frameworks as well. We see a lot of those different frameworks talk about that risk management process and third party risk management process as well. 

So it's something that we need to start doing and we need to start doing better, but we need to be holding as MSPs our vendors more accountable as well. If a vendor pops out and says, hey, we've got the most secure solution out there, that works great in marketing material, but that doesn't help me mitigate my risk very well, I need to validate and verify that.

So MSPs, we've got a lot of opportunity to push back on our vendors and say, what exactly are you doing to keep my data safe, to keep my client data safe, to secure my credentials and access? 

And are you doing it in a way that makes sense? So doing things like allowing us to do SSO and allowing MFA without an additional license skew behind it. Are the vendors themselves pushing through their own compliance, whether it's stock two, type two, or whatever they need to for their own needs.

As MSPs, we need to be asking those questions, reading the results, and deciding if those results add extra risk to us or to our clients, or whether we are accepting of that risk. So that way, if something like that happens and any vendor, Microsoft, whomever gets compromised, we can look at that and go, cool. We didn't think it would happen. We hoped it wouldn't happen, but it did happen. 

So what are we doing about it? 

Connor Swarm
We actually had Jason Seigel on a podcast earlier in the year where we talked about vendor transparency and third party risk, kind of like the focus of Channelcon. And if you want to go figure out, folks, if you're listening, you want to figure out his answer on what you should do. If a vendor is not transparent with their own security posture, go listen to that episode you mentioned. 

Saying we make you 100% secure is great marketing. And speaking of a ton of BS. 

Marketing that I've seen, would you want to come back on the podcast and do an episode on AI on not only tools but in the MSP space? 

If it's all marketing buzzwords, or if it's actually useful, do you want to come back on and talk about that too? 

Adam Evans
Oh yeah, we can absolutely have some fun with that one. I spoke at it nation secure around the risks around AI, and our AI is trying to hack us all. 

Just a bit of fun conversation to explore and go through. 

So I'd love to. Awesome. 

Connor Swarm
Well, we'll have you back on the podcast again to talk about AI in the MSP space and tools and if it's useful. Do you have one last piece of advice to anyone who's currently toeing the line between best practice or saving time? 

Adam Evans
I say if it all becomes down to if you don't have the time to do it right the first time, you don't have the time to do it, do it a second time, invest that extra time, do things properly, follow those best practices, and build that idea of reasonable defensibility. The end of the day, our time and resources are still limited. 

It's still tight, but the risk and liabilities of not doing it are too great. And at the end of the day, our clients expected of us, we expected of our vendors. 

Let's just get the job done. 

We've got a lot of work ahead and we can change things for the better. 

So let's start. 

Connor Swarm

That reminds me of a quote that I used to say all the time and it's if you don't make time to maintain your equipment, it'll make time for you. 

Kind of like this. If you don't have time to do it right, you don't have time to do it a second time either. 

Adam Evans
Yes, and the second best thing that goes along with that is the best time to plant a tree was 20 years ago. 

The second best time is today. 

Connor Swarm
Yes, second best time is today. Well, awesome. 

We'll definitely have you back on to talk about AI and how it's going to impact the MSP space or if it's here to begin with at this point. But this has been a wonderful episode. Thank you so much for joining me. 

Adam Evans
Thank you so much for having me. 

Connor Swarm
Sweet. Once again, everyone, I'm Connor, CEO at Finn. We were joined by Adam Evans, security director of Simplex it, and thank you for listening to another episode of Gone Fishing. We'll catch you next time. 

Thanks so much for tuning in to gone fishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out Phin Security at That's p h i n s e c i o or click all of the wonderful links in our show notes. Thanks for fishing with me today and we'll see you next time.