Listen to "All Things MSP" on Your IT Podcasts!
Justin:
So I went to Vegas. I came home with a cold, which is the, the best of the viruses you can get in Las Vegas. <Laugh>, while we were in Vegas, we found this, I found two stories. I found one of the Grand Canal shops in the Venetian and called Shinobi. And I walked in and they were like, oh, have you ever been here before? And I was like, no. They're like, our theme is James Bond on his day off. And I was like, you fucking had me. No. So what's up everybody? Welcome to the All Things MSP podcast with your host Justin Esgar and OG host Eric Anthony. This is episode four and we're talking about something really important. Security and compliance. I feel like we need some like w e music playing while we're doing
Eric:
Well, that's, that's what, right?
Justin:
Yeah. What's up buddy? How are you?
Eric:
Good. Just got back from CompTIA CCF, so that was exciting. And actually that falls right into the discussion today cuz there was a lot of discussion about cybersecurity and compliance at CCF this year.
Justin:
I do a l surprisingly as a Mac person, we don't do a, you know, a lot of security compliance, but I do have a lot of clients that we are doing some compliance stuff for. And I'll talk a lot about this. We use Egnyte Secure and Govern for a lot of that work. I've met a couple of security people before. I have a great IT security and compliance lawyer, Ms. Catherine Lewis from Ms. F Law, she's gonna be speaking at ACEs conference. She, I was talking to her the other day about stuff and she was just scaring the pants off of me. Like, what's happening when it comes to compliance coming down, you know, the end of 2023 into 2024. Right now states are doing it themselves, right? We got CCPA, California Consumer, we got consumer we got NY SHIELD. I'm sure there's something in, you know, Idaho potato, whatever, but like, there, there, there's something that'd be hilarious. Their cybersecurity laws are called the Potato Skins. Sorry, <laugh>.
Eric:
<Laugh>.
Justin:
But there's gonna be a, we think there's gonna be a federal law similar to GDPR, right? Coming soon. Yes.
Eric:
Probably, probably very closely based on actually California just redid theirs. And so now it's CPRA. Okay. And there are four additional states that added privacy compliance this year. I don't remember all of them. It's Connecticut, Utah, Virginia, and somebody else. If anybody knows, comment down below,
Justin:
Keep in mind. I'm from New York. Everything between New York and LA is no man's land. So <laugh>, any you
Eric:
Just fly over it from time to time.
Justin:
Just fly o Yeah, we just fly over. What does it mean though? Let's, let's break this down a little further because there's a lot of MSPs who love to talk about compliance, but like, what does that actually mean from the client side of things?
Eric:
So it depends, right? And a lot of this is based on GDPR cause it's kind of the OG in the privacy compliance space, right? And it's, it's some kind of guarantee that you're holding their personal information in such a way that nobody else has access to it. And the only people within the organization that have access to it are the people who should have access to it. Same thing follows with PHI, you know, HIPAA for example, right? Mm-Hmm. <affirmative> need to make sure that health related information is kept private. This is hard though because it's in a lot of different formats and that's where something like Egnyte Secure and Govern, you know, comes in because you can classify that data. Yeah. Now there's a lot of other types of security as well because there's, there's the compliance in, in terms of privacy and the controls that you have to have in place, but there's also the security mindset of it, of the firewall, the multifactor authentication, all of the controls that you need to have in place to protect that privacy.
And so there's, there's lots of different aspects to this. I mean, it even goes all the way to physical controls, right? Is there a lock on the building? Are the file cabinets lockable? You know, those types of things. And where this really comes into play is highly regulated industries like life sciences who have to comply with FDA Part 11. CMMC is huge. There's a, there's a whole like conference going on in Dallas this week around or next week around CMMC. So, and like, and here in the States, if if you have a contract with the Department of Defense, you have to their, that client has to comply with CMMC compliancy or they will not have a contract renewed and they will not get any new contracts. And in, in a lot of cases, that's millions of dollars to those businesses that they're gonna lose because of not being compliant.
The other kind of non-regulated side that we're seeing a lot is from the insurance companies. So the insurance companies have these checklists, I'm sure you've seen them. I talk to to partners about it all the time where there's these checklists that they get from the insurance company that they have to have all of these things in place, or they won't get a cybersecurity policy. Even worse, if one of those things drops off and it's, it doesn't stay compliant, they could actually be refused a claim if something were to happen. Yeah. So, so this is pretty critical stuff when it comes to the, the business life of, of a client.
Justin:
And it's a, I mean, it's a rabbit hole, right? Because there's, first off, as IT providers, as MSPs, there's gonna be a wealth of knowledge here that you are just not gonna get, right? There are people who specialize in this stuff. There's a reason for that, right? And they specialize so niche, the people who do n assessments and, and what's the other one? CMMC, right? Yeah. Like they, they do that. And then you have other people who do things like, SOC 2 compliance, right? Which is a whole nother thing. And you have another group of people who specialize in HIPAA compliance and there's another group who specialize in PCI compliance. There's a lot here to unpack more so that we're gonna get through in a 20-minute podcast. What you, as the MSP need to understand though, is recognizing when your clients need to be in compliance, having those conversations about compliance and then finding the right vendors to work with you to help them become compliant.
Because your role as the fractional CTO, as the person, as the go-to IT technical person is to know just enough, more than they do. Right? I always joke around that my job is because I can Google a hair better than all than everyone else. If you have in your back pocket a, a, a suite of vendors that you can call, whether that's one of these technology brokers that we all know or things like that, and say, look, I'm looking for someone who knows NIST, I'm looking for someone who knows SOC 2, I'm looking for someone who knows HIPAA and then talk to those niche providers, then you're in a good position. Don't try to take this on yourself, especially if you're off trying to like sell, you know, Office 365 and Windows Defender and, and and, and jam and whatever, right? So that's number, that's my number one thing.
My number two thing is, I mentioned it earlier, which is just know how, whether or not they need to be compliant. Here's what I do. As an owner of an MSP, I literally ask every client, now, do you need to be compliant for anything? It doesn't sound like it based on the fact of what I'm talking to you and what your job is, but do you need to be compliant? Right? I'm talking to a lot of marketing firms, but the marketing firms are marketing firms for companies and big fi more Fortune 100s or whatever it is. They need to be compliant for something they just don't know what. So we have to go down that path. Always just ask that question. I think that's really important. We need to remember to ask the right questions and figure out what kind of compliance you need, then worry about all the details, right?
Yep. Because if you're in California, you're gonna do the, the, the new California one. If you're in New York, you're gonna follow the New Yorker one. If you're in Idaho, you're gonna, you're gonna have potato skins. We're not gonna let go of that joke. But find the right provider to do it for you. We work with like three or four different cybersecurity firms depending on what our clients need. I got clients that have HIPAA compliance, I have clients that are doctors, right? We, one of the big things was getting them encrypted email. Like we were like, okay, let's get them encrypted email. We waited, the security company told us they need encrypted email. So you, as an MSP, can figure this out and work through this with them. Don't try to, I I, I honestly believe don't try to do it on your own. Don't try to become a compliance officer because that's not what you went to school for.
Eric:
<Laugh>, right? And, and it kind of goes to something that, that an old boss of mine said, don't lose alone. Like also don't be afraid to walk into a situation where compliance is required because there are those people who can handle it for you. And you're absolutely right. You need to identify the need, but you don't need to fulfill the need.
Justin:
Yeah. Yeah. If you could, if you can broker with the right people, I think you're in a, in a good spot. Compliance is gonna be a tricky thing. And, and it's something that should be on the, on the edge of your brain, the tip of your tongue. But it doesn't always have to be everything you talk about. Like a lot of the times for me, you know, my graphic design firms wanna just drop pictures. Cool. So like, we're not talking about, you know, they don't, they're not drawing pictures of things that are HIPAA compliant. I don't have to worry about it, right? But it, that conversation and when you do your QBR or your annual reports or whatever it is, always bring that up. Hey, you know, who are your clients and what do they require of you? And how can I help you get that requirement?
I get from my clients all the time, Hey, a client sent us this thing, we need to fill in this thing. And it's usually like some sort of like IT form that was written years ago. It doesn't make sense for them, especially cuz a lot of my clients are Mac and they're like, what's your Active Directory change policy? And I'm always like, we don't have Active Directory and they always freak out. But you know, on there, even the most basic things that are on there for security compliance, does everyone have multifactor authentication? If the answer is no, ever fix that for them, right? What is, I get one, oh this is a good one. There's an insurance company for one of our clients who does vulnerability scans and to keep their insurance premiums down, we need to answer to all the voter, all of the, the, the risks that pop up. One of them that pops up all the time is Autodiscover for Microsoft and we have to just send back on like, we can't control this. And so we mitigate it that way. We keep our policy for, for them. But like, these are the things you have to do. You are smarter than the client. You're probably smart, smarter than the auditor when it comes to technology. Bridge all of that together. Help your clients become compliant because when this federal law comes down, it's gonna be a game changer.
Eric:
Yeah. And it is something you have to address, right? Because you are their technology service provider in whatever form that takes on, right? Managed or not managed. They are depending on you for their technology mm-hmm. <Affirmative>. And so who are they gonna call first when they have a problem or when the insurance company says they're not gonna pay the claim, you are going to be on the other end of that phone. Yes. And they are going to try and get it out of you one way or the other, right or wrong, whether you offered that service or not, because you handled that realm, that scope, they're going to come talk to you about it. And by the way, this is virtually this, it falls right in line with the topic we were talking about on the last podcast, right? You have to set expectations with that scope and, and you need to make sure they understand what your responsibilities are when it comes to those types of compliances.
Now, another thing that you brought up, which I think is important to kind of double click on, is these things are changing constantly. Constantly. And so you have to be bringing these things up during their QBR and, and yes, you have to be having QBRs with your clients. It is not an option because you have to know how their environment, how their clients, how their industry is changing in order to be able to stay ahead of the problems that they may face. They may not have a DoD customer at this point next month. They might. And that may change because there's a lot of waterfall effect to CMMC. So they may have to be compliant if they are fulfilling a subcontract for that DoD contractor, for example. Another thing that you need to be aware of is, a lot of times just because there's a privacy law say in Connecticut doesn't mean that it's limited to the boundaries of Connecticut. Because just like GDPR, GDPR applies to the citizens of the EU. So even an American company who has clients in the EU or customers in the EU. That data is subject to GDPR regulation. And so
Justin:
I I wanna touch on that for a second. This is a true story. So back, back in the day, I used to run an app. I had an app called Email Phoenix, right? It was a Caro mail server backup tool because Caro never had its own backup. Mm-Hmm. <affirmative>. And what we did, we built an app so you can clone your Caro and we had it hosted and we were getting a lot of, apparently Caro is massively popular in Europe, more so than it was here. Yes. Yes. And all of these European companies were finding out about us cuz Caro wrote about us and they were like, do you have your GDPR rules in place? And you know, I'm a sole, I'm, you know, when did I come up with like, I was like 30. I was like in my apartment being like, well, I don't know what that is.
Whatever. And so we came up with this concept of making, instead of hosting their email for them, we provided them the tools so they can just use their own server. We called it BYOS, bring their own server. And, and so I, one, one of our clients, I kind of just harped back and I was like, what's this about? Like, I don't understand. Why am I being held to this? And they explained just that like, if you are an American company and you are holding any sort of European data, you are now subjected to GDPR no matter what. Right? Even even for like something tiny as you host a conference, we host a conference, we have 50, 60, 70 people come, but the second we have anyone from Europe come, we are now GDPR under GDPR regulations, which means we can't sell their email address or do certain things without like, I think it's like double opt-in or whatever it is.
Mm-Hmm. <affirmative>. You're gonna have the same problem now, which is keep in mind these rules and compliances are, are from the government, are there to help people like your mom who gets those scammy phone calls or gets those phishing emails or whatever. It's to help prevent a lot of that stuff. I mean, it won't do a lot of it, but it's supposed to help a lot of that. So like the, the rules and regulations are coming with good intentions. The bad side is we have to deal with it. We have to pick up, we're, we're shoveling the shit to get it done with, to make sure that the good intentions are being held up. And so knowledge is power here, right? Understand what these things will do and affect your, you, your clients and your clients' clients,
Eric:
Right. Because all they need is one lawsuit to put 'em out of business.
Justin:
Yeah.
Eric:
You know? Yeah. Yeah. And, and that's, that's worst case scenario for you and for them, right? And, and you do have to become educated enough and, and you know, Justin and I are not the people to educate you on this because we are certainly not experts in privacy or compliance. But we think it's important enough to, to make sure that you guys have conversations with the people who do know these things. And actually had a conversation with SEL at CCF. And I think that he, he's probably gonna be one of those people we wanna bring on sometime soon so that we can talk with somebody who's educated about these things and, and talk about some of the very specific things that you guys need to know to talk about when you're having these conversations with clients so that you can A, identify and then B, take some kind of action, not necessarily yourself, because it's so much work to become an expert in these things. You just don't have time as a business owner. Maybe it's a smaller MSP can't afford to send people to all this training, but you can learn to recognize and then find a subcontractor, a consultant, whatever. It takes a vendor to satisfy that requirement.
Justin:
Yeah. Work with the right people as the, I think what we're getting to, and that's true for anything, you know, not just compliance, but specifically and more in-depth the, the tougher things like dealing with this. We'll bring Mike on in a future episode for sure. Hey, you, are you guys having problems with compliance and security? Let us know in the comments below, post on Facebook. We want to hear your stories, we wanna help you. That's the whole point of this podcast. We're only on episode four. We're still figuring it out, but we'll get there. Let us know what you are working on. Let us two experts except for in compliance help out with those problems for you, right? Like it is like a little dig. So even to to ourselves. Everyone likes a self-deprecating IT consultant <laugh>. So leave those comments below. Tell us what you're working on. Let us help you. Hey, maybe you'll be a guest on our show. You never know. We have a lot incoming coming up in the next couple of episodes. We have some great plans. Plans are are amazing. We just need to act on them and we'll get there. But leave your comments below, like, and subscribe on the YouTube channel. We want those numbers and we will see you all next time on the All Things MSP podcast.