Right of Boom
May 5, 2025

2025 Verizon DBIR with Principal Author Philippe Langlois

The 2025 Verizon Data Breach Investigations Report (DBIR) has landed, and it’s delivering a clear and urgent message for Managed Service Providers: your clients are vulnerable, and attackers are evolving fast. On this week’s Cyber Call, Phil—the lead data scientist behind the DBIR—joined us to discuss the findings. The report reveals a surge in breaches caused by exploited vulnerabilities, meaning patching delays are now a major liability. MSPs must prioritize exposure, particularly on edge devices, and adopt a risk-based patching strategy aligned with their clients’ operational needs. SMBs are especially at risk, with 88% of their breaches involving ransomware. Attackers are opportunists, and smaller businesses often lack enterprise-level defenses—making MSPs the frontline of protection.

Third-party risk is also increasing. Supply chain attacks and vendor breaches are spreading quickly, and MSPs need to conduct better due diligence on partners while also securing their own environments. The DBIR reminds us that MSPs themselves are third-party vendors, and must operate with the same rigor they demand of others. While the human element remains a common breach vector, automation is becoming the attacker’s preferred tool. This means user training alone isn’t enough—controls like least-privilege access and smart automation must minimize the impact of human error.

Perhaps most concerning is the state of the edge. Perimeter devices are often where compromises begin, yet are frequently neglected. MSPs must know the vulnerability landscape of their clients’ edge infrastructure and maintain patching discipline. The bottom line: the DBIR underscores the need to return to the basics—vulnerability management, patching, user education—while elevating strategic focus through automation, risk-based prioritization, and proactive security frameworks. To stay relevant and protect client operations, MSPs must evolve into true cybersecurity advisors. The DBIR is more than a report; it’s a roadmap for survival in today’s threat landscape.
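As an added illustration of the risk-based patching strategy the summary calls for (example code written for this page, not part of the DBIR or any Verizon tooling), the script below ranks open findings by exposure, exploitation status, vendor severity and the client's operational criticality, and flags anything past its patch window. The asset names, placeholder CVE ids, weights and patch windows are all constructed assumptions, not figures from the report.

```python
"""Risk-based patch prioritization for an MSP-managed fleet (added example).

A severity-only queue patches the highest CVSS first. A risk-based queue,
which is what the DBIR summary argues for, weights an internet-facing edge
device and a vulnerability known to be exploited in the wild above raw
severity, and scales by how critical the asset is to the client's revenue.
All data, weights and patch windows below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                # placeholder identifiers, not real CVE numbers
    edge_device: bool       # internet-facing perimeter device (VPN, firewall, ...)
    known_exploited: bool   # e.g. listed in a known-exploited-vulnerabilities catalog
    cvss: float             # vendor / NVD base score, 0-10
    business_impact: int    # client-defined: 1 (low) .. 5 (revenue-critical, e.g. EMR)
    days_open: int          # days since a fix became available


def risk_score(f: Finding) -> float:
    """Higher score = patch sooner.

    Exposure and active exploitation each double the score, so a medium-CVSS
    bug on an exploited edge device outranks a critical-CVSS bug on an
    internal host that nothing is attacking.
    """
    score = f.cvss * f.business_impact      # 0..50 before multipliers
    if f.edge_device:
        score *= 2.0                        # perimeter compromise is a common breach start
    if f.known_exploited:
        score *= 2.0                        # in-the-wild exploitation beats theoretical severity
    return round(score, 1)


def sla_days(f: Finding) -> int:
    """Patch window in days by exposure; constructed policy, tune per client."""
    if f.edge_device and f.known_exploited:
        return 3
    if f.edge_device or f.known_exploited:
        return 7
    return 30


def prioritize(findings):
    """Return (asset, cve, score, overdue) tuples, most urgent first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.cve, risk_score(f), f.days_open > sla_days(f)) for f in ranked]


# Constructed sample inventory for one client; CVE ids are placeholders.
SAMPLE = [
    Finding("vpn-gw-01",    "CVE-PLACEHOLDER-1", True,  True,  7.5, 3, 5),
    Finding("emr-db-01",    "CVE-PLACEHOLDER-2", False, False, 9.8, 5, 2),
    Finding("fw-branch-02", "CVE-PLACEHOLDER-3", True,  False, 6.1, 2, 10),
    Finding("ws-byod-17",   "CVE-PLACEHOLDER-4", False, True,  8.8, 1, 40),
    Finding("print-srv",    "CVE-PLACEHOLDER-5", False, False, 5.3, 1, 12),
]


if __name__ == "__main__":
    for asset, cve, score, overdue in prioritize(SAMPLE):
        flag = "OVERDUE" if overdue else "in window"
        print(f"{asset:14} {cve:18} score={score:5.1f}  {flag}")
```

Note that the EMR database carries the highest CVSS in the sample yet ranks second: the edge VPN gateway with a lower base score but confirmed exploitation comes first, and it is already past its three-day window. The BYOD workstation ranks low on score but is flagged overdue because its exploited CVE has sat unpatched for 40 days, which is the kind of forgotten device the transcript later discusses.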

Guests

Andrew Morgan
Gary Pica

Video Transcript

All right. Welcome everybody, and happy Monday. Hard to believe we are in May already, Phyllis, May of 2025. I was just thinking that we had just turned the year. Didn't it seem like just the other week we were in 2022? No, it's crazy. You know what they say: as you get older, time passes more quickly. Not that we're old, but it's so true. Yeah. I mean, it's crazy.

What's the saying about, and I think I said this on the Cyber Call, so if I've said it 62 times, that's showing my age because I forgot, but something about the years are short but the days are long, or something. Yeah, the days are long, the weeks are short. Something like that. I forget exactly how it goes, but welcome, and good to see you all. I hope you can hear us and that we're coming through.

I see some chat, so just give me a thumbs up if we are good to go and we'll get right on into this today. I'm going to wait to do some announcements once we get some more people, because there are people still coming in here, but I'm going to set the stage. Hard to believe. Thanks, I appreciate that, Blue Helm. Hard to believe, as we were talking offline, that our guest has been on with us for four consecutive years.

And as we're going to talk about today, it's 18 years in the making for the Verizon Data Breach Investigations Report. I'm just going to read a few things here, and then we're going to get right on into it before we introduce our esteemed guest. First of all, if you're an MSP or MSSP and you've got friends that you know should be on this call, I would highly recommend reaching out to them.

I think this is unequivocally the gold standard in threat research. We're talking to the tune of tens of thousands; Philippe will give us the exact figures, but we're talking tens of thousands of incidents in this dataset. This is not looking myopically at one vendor-specific view of a data set. This is global in nature. So it's arguably the most holistic data set out there.

So as I said, 18 years in the making, and some of the highlights, air-quoting highlights, Philippe, some of the things I noticed about this year's report: the surge in ransomware, 44% of all incidents involving ransomware. The other thing that we're going to talk about was the fact that initial exploitation of vulnerabilities went above phishing. That was eye-opening for me as I sat this weekend reading through this report.

The other thing that you guys highlighted was third-party attacks. The impact the supply chain is beginning to have on us all is becoming something we really didn't talk about on the DBIR before, and it doubled year over year. We'll talk about that stat; it's pretty profound. Good news: ransomware payments went down just a smidge. There's a little bit of sarcasm for everybody.

No doubt we're going to look at SMBs. Any SMB, any customer, any prospect telling you "we're not a target": oh boy, do we have some data for them, because it's in, what is it, Philippe, the high 80%? Yep. SMBs, as far as being attacked, are just not even in the same playing field as the enterprise right now as far as being able to defend effectively. So good news for upmarket.

They're seemingly doing a better job relative to their peers. So those are some of the things that really stood out for me. So with that, a huge thank you for coming on, Philippe. If you could tell everybody a little about yourself and what you do there at Verizon, and we'll get right on into it with Phyllis leading. Yeah, sure thing.

So I'm the lead data scientist for the DBIR, which basically means I handcraft each one of these incidents in a loving, artisanal way. But really I manage all the data pipelines in the backend, all our tooling infrastructure, and then a lot of the non-incident data. So anything that's not a breach, like the vulnerability data and some of the infostealer data, I do a lot of that analysis. So I've been at Verizon six years, I think coming up on six years.

Prior to that I used to work with Phyllis, over to my right or left depending on your orientation on the screen, on the CIS Critical Security Controls. So that might be one of the secret reasons why the CIS Controls show up in the report at such a high level. And also, I think it's just a very easy story to tie to. Historically we had to come up with each of the controls.

Because at the end of each section, it feels very defeating to be like, oh, here's system intrusion, ransomware is impacting everyone. And then we have to go, as researchers, find out what should organizations be doing, and we would fall into the same pitfalls. I think we all kind of started looking at, well, what's the market talking about? What's the next big thing? So being able to collaborate with CIS helped us tie these things together.

You know, Philippe, I love that, because I've been breaking down modern breaches by the presumed CIS failures that play out. And it's a wonderful thought exercise of, how could I have been better if this person didn't report the phishing for four days? Those kinds of things. So I didn't know that you did that alignment, but I find it quite valuable to use CIS as the index for understanding these things. Yeah, absolutely. Yeah.

Phyllis, before you get into your questions, I wanted to say two things. Everybody, I'm going to put two URLs in. Actually three. I'll put the Verizon DBIR URL first and foremost, so you can go get it and read it. There's also an infographic this year, which is phenomenal. I would highly recommend incorporating it. And I will introduce, before we're done, our esteemed co-host for the first time on here, Marissa. We'll make sure we do that.

I want to put in the URL for, like I said, the Verizon DBIR, because it's critical that you guys read this, or at least skim it. The other thing I'd like to put in is, believe it or not, and I probably said this, we are in the fifth year of the Cyber Call. Over 10,000 MSPs have watched the Cyber Call. And we are going to bring back the original cast on May 19th. That'll be Kyle Hanslovan coming back from Huntress, Wes Spencer from Empath, Gary Pica.

And Phyllis, if you'd like to join us, that'd be great. If not, there's no pressure. But we're going to bring back the original cast on here to talk about the past five years, the present and the future. So that URL with the add-event link is how to get to that. Please share it far and wide. And the last thing I'd like to share is, in terms of Right of Boom, we've added an advisory council and we now have a content survey out there. These are the top sessions that have been voted on.

We're making some really critical changes this year. So we'd love to hear from you what you'd like to see and hear. You can rate the sessions or write in at the bottom. So last but certainly not least important: Marissa, welcome for the first time as a co-host here on the Cyber Call. Everybody loves and knows you in the channel, but I was thrilled to have you on. Please tell us a little about yourself. Thank you. Thank you.

It is so awesome to be on here with some of my favorite people. I am the CEO and co-founder of an MSP in Atlanta. It's always been cybersecurity first from the get-go. And about three years ago, I finally came out from underneath and started learning more about the industry as a whole, and just jumping on it. Everything that you guys do, I so greatly, deeply appreciate.

And really, the mission of everything is that cybersecurity first is a strategic advantage for SMBs. And yeah, this is such an important conversation. Thanks for joining us, Marissa. Okay, cool. Setting the stage.

Before you hit the first question for Philippe, can you maybe just share a little bit about the intersection of Verizon and CIS, so people out there who are using the controls can understand the intersection when they go back into the appendix and things like that? Maybe just a quick Reader's Digest version, 30 or 60 seconds, of what they're looking at. Is that for Phil or Phyllis? I was going to say Phyllis, but Phyllis, please.

Yeah, I was like, I don't know, both our names are, you know. No, I said Phil. Sorry, Phil. People call me Phil as well. So, yeah, sure. First I just want to say hi to Phil. It's always great to see you. I missed him at RSA since I didn't go. And thank you for the partnership. I do want to say that my number one criticism has always been of these threat intel reports, or these threat reports, is: okay, that's great.

We're looking at this problem and breaking it apart. But then at the end of the day, organizations want to know, what do I need to do and what do I need to fix first? And Phil was on the cutting edge of really providing that in a major threat report. Not selling his tool to say, hey, if you had my tool, you would've detected this, or we can detect it, but preventative and some detective controls you can put into place.

So that dovetails into what Phil really brought to the Verizon DBIR, which is that mitigation. And so what they do is, here are the top controls and safeguards that you can implement to mitigate against this attack type. So I think that's great, because again, it's great to read a report on what are the major threats that everyone is facing, depending on perhaps small, large, medium, vertical, whatever.

But at the end of the day, what you really want to know is, what are the steps I need to take to defend my enterprise? Phil, was any of that inspired by the community, with your work at CIS on the Community Defense Model, where you looked at it kind of backward-looking and said, well, why aren't we doing this? Oh, yeah, a hundred percent. So, God, eight or ten years ago, less white hair, I think it was a shorter haircut.

When I was kind of starting out, that was one of the first things I did, right, is I went through every vendor report, every threat report out there, and tried to come up with some understanding as to what the landscape is. Because we all have these different views. We all have different telemetry, we all have different perspectives on the problem, right? Some organizations specialize in Fortune 500 companies for their IR cases. Some are just looking at the malware part.

So I created this giant spreadsheet, which is probably still somewhere hidden in CIS, that had all the findings, right? That would talk about, okay, such-and-such vendor saw an increase in blah, blah, blah. And from there, I tried to make some tie into, well, what are the controls? This even predates the CIS Critical Security Controls; they weren't even at CIS at that point. But what are the things that we can do to help mitigate against all these?

And it was a manual process. Not everyone has some nerdy kid like me on staff that's willing to sit through all these jargony reports to do that. And it just quickly became overwhelming, right? There's no way. And especially, I'm a big risk guy. I love risk assessments. I come from a critical infrastructure protection background, which is really all-hazards based. And cybersecurity risk is just one of these things you have to calculate.

And I just never found those numbers. I never found this connection between, if I put a server on the internet, what are the things I absolutely need to have? What are the things I should have? You ask anyone that question, you're going to get 30 different answers easily. If I build a bridge across a river, I can tell you what the risk of flooding is. I can tell you what specs the bridge needs to be built to, right?

There's an understanding as to what the risk is from different geological impacts and so on. That just didn't exist in cybersecurity. So I really want to make those translations easy. So we have it in the report. We also have mappings that say, these are the actions, or these are the patterns, and these are the controls. I think it resides largely in CDM now. And then we also have part of our dataset that is public, right?

So we have VCDB, which is the VERIS Community Database. So if you are very risk focused and you want to do more tailored risk assessments, we have part of the data that's also available for you to draw these connections. But I know realistically, we're all doing operations, we're all firefighting. Conducting risk assessments is not always the most glamorous part of cybersecurity.

So we try to handle these things and say, look, at the end of the day, there's a lot of similarities, right? There's a lot of commonalities that exist in terms of our exposures. The Critical Controls really provide that baseline, I think, of things that every organization should be doing, especially IG1. Phil, I'm glad you said that, by the way. When Phil said CDM, it has to do with the Community Defense Model. Yes. Yeah.

I put that URL in chat for everybody. It's phenomenal. You should look at it. I'm glad you said that, because, well, risk assessments kind of get downplayed as everybody's favorite thing.

But, folks, I'm going to just say, Marissa, I think MSPs that truly understand how to look at a risk assessment through the lens of their client, like risk to revenue, not just let's look at technical controls of risk, but what does it mean through the lens, almost like a BIA, right? What are the most critical systems and processes? You're very focused on medical, right?

Like, if the EMR, let's talk about the criticality of your EMR system, right? To your business and your revenue, right. Yeah. I think there are guidelines for it, for MSPs that understand how to have the business-led conversation. It's the difference maker. Yeah. Right? That's how you start that conversation. I mean, that's how we started.

And for our MSP, being that consultant, really coming in and looking at it from a consultative lens and starting with the SRA, and then next thing you know, poof, we had a big MSP. It just kind of happened because of just leading with the SRA and leading with that conversation. So yeah, I'm all about it. I spread the word. My MSP peer group, I went to them and I was like, we must all be doing this.

I accept no other answer than everyone is doing it in 90 days. Okay, go. Yeah, yeah. And you're going to see a monumental difference, I think, in the MSPs that are becoming much more business focused first, because that's the language your client speaks. That's the language your prospect speaks. They do not speak cyber. Yep. They do not speak technology. They speak revenue. They speak contractual obligation. Right. Those things they speak.

So, Phyllis, with that, let's get on into it. Yeah, sure. I just want to give a shout-out to Phil again. I mean, that's really how we started implementation groups. And Phil was one of the ones who spearheaded, hey, this is what should be in IG1, 2, and 3, which is kind of what we would say is that mass risk assessment, mm-hmm, threats that everyone is facing, and this is how you should defend against those.

Anyway, so Phil, now we're going to finally get to the meat and potatoes of the Verizon DBIR. So what was the single most surprising trend that you saw looking at the data in 2024? So really the increase in vulnerabilities leading to breaches, right? It's always been in our dataset, but it's kind of exploded. Yeah. As Matt's head indicates. And it's one of these things where you're like, okay.

Because when you hear about it, you hear it in the news, right? And it kind of exists in this moment where you're like, oh, okay, CISA has released this new vulnerability. Hypothetically some VPN provider has another zero-day, they're being exposed, perhaps the third in the year. And it's being targeted. And then it kind of goes like, okay, people are either patching or they're not. And the story kind of dies down.

Versus some of the big ransomware events; we hear about these forever, right? We hear about these breaches because it slowly trickles in with the breach notifications. So I was hearing about Clop impacting, I don't know what percentage of Americans it was. It was intense for six months, because we were just collecting all these. So it ends up seeming like it has a big impact.

But these vulnerabilities also have a big impact. And we're not always super privy as to the entire scope of it, because some of it is people don't want to disclose it happened, right? Some of it happened in the classified world, where we don't want to disclose that certain contractors or certain agencies were impacted. Mm-hmm. We don't always get the full scope of it. But I think we have to draw attention to it that this is impactful, right?

That these vulnerabilities, especially being some repeat offenders, mm-hmm, make it that we have to draw attention to it. We have to talk about it, I think, very publicly. No, I think that's huge. And hopefully that helps make the argument that we also need a place to house CVE somewhere eventually. Right. Because it is so important.

So, as Andrew mentioned earlier, ransomware was involved in 88% of breaches at small businesses, which is just amazing. That's huge. So from your analysis, is this primarily due to attackers picking on SMBs because they don't have strong defenses in place? So a lot of attackers are opportunistic, right? It's a numbers game. They want to go and they want to make money.

And sometimes the easiest way to make money is you just go and attack everything that you can. You have a hammer, everything starts looking like a nail, right. And some of them, it's as simple as they find credentials, or there's an exploit for, name whatever platform you want, like GitLab or something like that, and they're just spraying it across, right? They're just trying to find opportunities.

They're very opportunistic and they're going to go for the organizations that are going to provide the least amount of resistance. So something we have to keep in mind is that it's a target-rich field; there are a lot of possible victims. So you have to be the one that's going to give enough resistance that they're going to be like, okay, is it even worth my time? Because they have a limited amount of time too. They have deadlines.

They'd rather be out at the barbecue having a beer. Right. No one wants to work more than they have to. Some people do. But we're just being realistic. There are always these trade-offs that have to be done. So we just have to be aware of what the easy means of access are that attackers are leveraging, right? It's credentials, unpatched systems. Yeah. And as much as we can, close those up and make the attackers work more.

Can I ask a maybe dumb question here, potentially? Sure. So is it possible that the 88% of ransomware in SMB, by delineation from enterprise, which presumably has a lower percentage of ransomware, is that 88% for SMB because they don't detect it faster, and so they get to full ransomware and aggression? And that's why, with the enterprise, at least you would hope there's some degree of detective controls that work out earlier in the kill chain. In my mind. I wish I had that answer.

Right. So that's basically, was the breach prevented beforehand, right? That's right. Yeah. We don't have that visibility. Okay. And it's certainly possible, right? It's kind of like survivorship bias, right? Our data set is, we're looking at the planes that came back with bullet holes exactly where they were hit, and that's where we need to fix the bullet holes. While, obviously, the planes that didn't come back were the ones that were shot down.

Those are two slides in my Wild West Hackin' Fest talk, where I did talk about these dead planes and survivorship bias. That's hilarious. I mean, we talk about it all the time, because we always have to be a little cognizant. It's like, okay, is what we're reporting on intrinsically biased? I love it. Some biases we just try to be explicit about. But I think it's an awesome hypothesis, Matt.

Like, you would think that you could put out there what percent, if you looked at the two, right? Enterprise versus SMB. Well, what is the difference? Well, you're certainly going to look at security maturity as a leading indicator. And you certainly would see governance. Again, this is all hypothetical, right? Yep.

But you could certainly have a conversation if you had an intellectual prospect or customer, right? Marissa, you could certainly have, hopefully, an intelligent conversation to go, what's the difference? What's so drastically different if threat actors are clearly opportunistic? Well, enterprises do look at risk differently, do put in governance, do put in controls, spend a considerable bit more, as Matt was saying, in detection. On and on and on.

Third-party risk. On and on and on. And I think you also see this. I know Eric Sun is on, and I think you do see this also, and he's screaming, as you see in the chat. But I think you do see this, Marissa. You might even see this as a difference in spend, right? With your more mature, larger co-managed customers that have a significant amount more of budget versus the others.

Is that... Well, it's an interesting strategy on my side, because part of the conversation, for instance, I'm here at a conference talking to SMBs right now, and a lot of the conversation is people asking, how do you go and get on stage and talk to these people? And I'm like, I'm not even talking about the IT stuff and the cybersecurity stuff yet.

I'm talking about driving their operational maturity level so that they can really start reframing their own mindset and perspective. I love how you said you need to look at risk the same way that the enterprise organizations do. It doesn't have to be that expensive. There are really good tools. There are really good MSPs that can support you in getting you to look at risk strategically. But it starts with their operational maturity level as a whole.

So a lot of the time I'm talking about how you are running your business. Yes. Like, how do you move that forward so that this becomes part of that conversation to get you to the next phase? That's phenomenal. I love the way you said that, Marissa. All right. And Phyllis, back to you as we keep stealing your question. No, it's good conversation. Excuse me.

So, Phil, your team found that almost half of compromised systems with corporate logins were non-managed BYOD, or of course, our favorite, shadow IT. So for MSPs trying to manage or fight for their clients at the edge of their clients' environments, how can they practically reduce this massive blind spot before access brokers turn any kind of forgotten device into a ransomware detonation point? Yeah, that's a great question.

So maybe it's helpful to provide a little context. Last year we did touch on where some of these credential-type abuse attacks are coming in from, right? We talked about brute force and credential stuffing, right? Using known good credentials against the environment. And then we touched a little bit on infostealers, right?

Where there's a specialized type of malware that focuses on just stealing the credentials and other system-level information from compromised devices. Like I said, we touched a little bit on it and said, yeah, maybe about 30% of these systems might be corporate devices. But this year I went all in. I got a lot of really good partners and leadership buy-in to do a deep dive.

Because I really wanted to figure out how much these infostealers are affecting corporate organizations, or at least organizations of any type. And it's a very complex data set. I originally came in with the bias that, oh no, this is teenagers downloading some ROBLOX hack, right? That this isn't really impacting organizations. But then when I started looking, I kind of adopted Matt's view there: it's totally not the case, right?

It's impacting organizations at large. And one of the reasons why is it's an easy way of monetizing an infection, right? Because back in the day, when you have malware on a computer, what are you doing with it? You're doing some clickjacking, maybe you're mining some crypto if it's the early two thousands, right? You're finding some way of leveraging the compute power of the system to create some money.

But right now it's less about the compute power and more about the accounts that might reside on that system. So they're stealing those credentials, they're shipping them off to a bunch of different marketplaces and Telegrams and whatnot. So I really wanted to get a feel for the exposure. So, quick look across the dataset.

We had about 30% of these devices on non-enterprise-licensed OSes, which I think, right here, this is maybe the audience to help me understand: in terms of small businesses, are they largely using these enterprise versions, or are they using a lot of home versions of the OS? Not home, but they are definitely using Windows 11 Pro. Pro, yeah. As opposed to enterprise, predominantly. So Pro, not home, but Pro wouldn't be included, potentially, in your enterprise data set.

In which case you'd be encompassing the other 43% of the GDP that probably uses Pro. Yeah. For the most part. So, yeah. So we did look at, I think it was Pro and then some of the more traditional enterprise licenses. Good. It was around 30%. Yeah. Which I thought was really cool. I was super happy and I brought it to my boss and he's like, this is great and all, but what about BYOD? Yeah. Yeah.

And I'm like, well, that's not like a marker on an infected device that says this was a BYOD device. So the cut that we did is we went and eliminated, we had some data sets that were, these are possibly corporate logins. We went in and tried to remove everything that was a free email. Domain backslash login, right? Yeah, yeah. Email address, the emails, blah, blah, blah. Picked all those to the side.

And then that was our quote-unquote corporate login. And 46% of those were on the home version of Windows. So you're seeing this co-mingling of personal-use credentials, right? A lot of these systems, I think on average 60% of these systems had streaming or social media, or 10% were also having... Go ahead, Andrew. Yes. But Phil, can you also fill in? It's a very important piece here. Yes.

That's my shadow LLM entry too, isn't it? So can you touch on that? Because that's what I forget: there was a threat report for this. Just real quickly, let me get this out. Yeah. And I want to hear it from you. There was this threat report from this company that does detection.

It's a system that sees what's happening with LLMs in the enterprise, and it highlighted this very thing: that even though there's governance in place, I'll get around that. And the staggering thing about using Gmails and everything in these LLMs was the vast increase in two areas that I was like, this can't be true. But the biggest rise in data sets came from legal and HR. So can you get your head on this?

I'd love your brain power on this. What you think, you're, yeah. Give, give. Yeah. So we looked in terms of, we had a specific data set. And this is obviously a corporate data set. Very, I don't wanna say regulated, but they were doing monitoring at a very high level, right? They were a very mature organization, and just looking in terms of the gen AI use within, you know, this customer base, what have you, right?

72% of the folks that were using these gen AI platforms were using their personal email account. So basically they're shipping off whatever corporate data they may or may not have, and sending it off to, you know, some third party platform, which you may or may not have a relationship or oversight with, or you probably don't if they're using a personal email account. And then who knows what's really happening to that data once it's gone.

And if you add the other 18% to that 72% of corporate credentials that weren't SSO, yeah, that weren't tied into it, you get into even more potential shadow IT realm as well in this conjecture. Right? So that's like almost 90%, right. I'm not a math guy, but pulling this all full circle to CIS, Verizon DBIR, one of the, I told Marissa this.

One thing I'm really excited about in Right of Boom 2026 as a session that was approved is Sounil, who, now you know Sounil, you, Phil, yes. So his business, Knostic, which won $5 million, by the way, I say this year. Mm-hmm. They do data governance around LLMs.

And, you know, we said to the advisory board, if we can get Sounil to bring this down a bit to our level, how he's written this paper with SANS on, it's gonna be good, on access control and least privilege around LLMs. So I'm thrilled that he's gonna come and talk about that in February at Right of Boom.

I think it's gonna be just such a most needed, especially, you know, putting another eight months under our belts about how people are getting around it. But the corporate governance even in, you know, a company like yours, Marissa, that you might be supporting that's got PHI and PII, how they're getting around it and uploading that data, I think is gonna be really, really critical.

You know, Andrew, I don't wanna target something that just happened Friday, but I don't know if anybody saw the JP Morgan CISO's open letter about this conversation on Friday about SaaS and third party vendors and things. And that's gonna lead to this question I have for Philippe.

But it's this understanding of, if we talk about even this figure on page 13, about gen AI and account credentials, practitioners in the enterprise space all the way down to the small business haven't done the fundamentals in CIS. They haven't done 1.1 well, and they haven't done 2.1 well, and they haven't done 3.2 well, and as those things play out, that's why, oh, SaaS, we have to track SaaS. That could be a problem. Oh my, like, oh my goodness. Shadow IT using their Gmail account.

I mean, I've seen breach after breach after breach, including even the Cisco breach of 2022 that had some personal account storing things in a browser on their machine. And so, you know, that brings me to this point of, you know, Philippe, you found that third party involvement, right? So third party involvement went from 15 to 30% of breaches, doubling year over year.

So when you think of an MSP, especially an SMB MSP, and I did this talk at RSA, I had two talks this year at RSA about this problem. They are both a consumer, a consuming entity of vendors, and a vendor themselves that has more than privilege, like literally god mode to those customers underneath them. Mm-hmm. And so, you know, one of the questions I have is with this doubling of this third party, what do you think the biggest blind spot is for third party risk?

And I'm quite biased on it, so I'll let you answer this one. So the blind spot, as I think we're still somewhat stuck in the, for the folks that can do it, I think a lot of it still ends up being a little bit of a paper exercise. You know, tell me about what you're doing. Tell me about, you know, your security posture, and maybe there's some third party that's auditing it, or maybe there's some way in which, you know, we can kind of tie it into.

So I think there's still that issue. And also the other part of this, the lack of teeth, right? A lack of ability to force compliance. You can, if you are the Googles and the Microsofts of the world, right? You can say, these are our requirements. You have to follow X, Y, and Z, otherwise we're not gonna do business with you. I don't see that as being as feasible in the consumer space, in the smaller SMB space.

So yeah, that's at least my, you know, sitting back as an academic that looks at data, part of the issue. But, you know, I'm of course interested in, you know, you guys' view too. Yeah. I, you know, in my talk I posited to the enterprise world. I had two talks. One was called If It's Somebody's Responsibility, It's Nobody's Responsibility. I did it with Lawrence Cruciana about shared responsibility matrices.

But in the other talk, I had a talk with Tarah Wheeler that says SMB cannot survive on your corp sec enterprise rules. And I was just explaining the nature of this MSP that has arisen that's literally doing everything for an end customer without any of the capabilities, well below the cybersecurity poverty line, as Wendy Nather coined it. And really just said, as the enterprise, try to find the minimum viable crappiness in your supply chain.

Just literally go ask Marissa, Hey Marissa, how does your practice manage asset inventories for yourself and for your clients? Rather than, do you have an asset inventory? Yeah. Right. And that open-ended answer will tell you either a very mature answer that I know would come from Marissa or a very immature answer that would come from a trunk slammer.

And the argument of that is to try to use the enterprise to kind of drive these constraints upon those SMBs and help them choose the right Marissas of the world. And so that was my take on it, is that it's an economics challenge. SMB spends six to 7% of top line revenue on all tech. Anyways, yeah. One of the most interesting publications that I've seen was, I'm very much in the healthcare world of kind of dumbing it down for different size organizations.

'cause there's a lot of philosophy even with MSPs of, well, that's not my customer profile. They're too small for that. They're not gonna have the appetite, the distraction for it. And really kind of looking at like, here are the major milestones that have to happen, and this is how it applies to enterprise, and this is how it applies to medium size, and this is how it applies to small, and this is how it applies to startups.

And really kind of, if you start from that perspective of the beginning, I call it the stepping stones. I am like, it's all about those fundamentals and the stepping stones. And we can't skip a stone. And if we do, you can try, but you might fall in the water and then you're gonna have to go back to the beginning and start all over again. And that's far more expensive than just incremental stepping stones. So, A hundred percent.

Philippe, before you go, you, You brought up, I love the question you just brought up and I'd love for you to say it one more time because, you know, Brent Adamson talks about client confidence, and he talks about this very thing. Your customers don't know what questions to ask. Sure. And if your customers don't know what questions to ask, they're not confident. And if they're not confident, guess what?

The decision in a B2B, the number one decision, Marissa knows the, what is it, Marissa? Price, right? Well, no, price. No, no, no. The number one outcome. Oh, the outcome, right? Mm-hmm. Right. Is no decision. Right? Because they're paralyzed because they don't know what to ask or not ask. So I love the question, how you framed it. Hey, we work with hundreds of customers just like yours. There's five questions that you really want to ask. Yeah. Yep.

Before even considering moving forward with a new IT or security provider. Yep. Not, as Eric said, Eric Sun said, not the yes or no question, but how did you frame it, Matt? I love that. Yeah. All I did was take CIS safeguards and then turn them into an open-ended question, right? And saying something like, okay, if 5.4 says to take away local admin rights from your user daily driver, explain to me how you do that.

And what you would look for isn't really that you know the answers, right? Because the SMB isn't going to know. What you wanna know is, do they have a thoughtful answer? Is it articulate? Can they speak towards the piece of it? And so for me, it'd be things like, tell me about how you manage vulnerabilities in your own environment as well as vulnerabilities in your clients'. And that speaks towards, are you gonna talk about your own world?

I would love for them to say something like, we have a risk-based methodology that starts with the highest risk and biggest impact to our environment. And we're able to track those with an SLA that we set, basically, like something like that versus, I don't know, man, the thing just patches. Those two would be different to me. Or we get it to service provider management, right? Yeah.

If you definitely, you know, hey, look, before you start working with an MSP, here's a how-to, how do you, Eric's got it. Exactly. Work with third parties, right? And Eric, yeah, Eric just did it because we're doubling like, Phil, we could take an assumption. We could see a 45 in front of third party risk next year, possible. It's gonna be huge. I bet it's under-reported ultimately. Oh, oh, yeah. Yeah.

And there's, you know, the issue is also it ties into, you know, the new platforms, the new SaaS providers, the new, right. These startups that, once again, they're, Oh my gosh, dealing, just getting the business going, right? We're vibe coding. Yeah. Vibe, brand new, no money. Put it together. No plan. Here's my SaaS software, please buy it and then I die. Yeah. Right? I mean that is, and then it's fuel it away, right? And user license agreement limits any risk.

And anyways, don't get me started on this one. Alright, well you got another one coming. Alright, I got another question for you. You know, one of the things that we talked about before, this is this like interruption to operations, right? One of the concepts that you spoke towards, it's not even the ransom that's so bad. It's not even the aggression of the data, it's this interruption to operations. Can you elaborate on that a little bit, Philippe, for the audience?

Yeah, sure thing. So there's some analysis that we didn't do in the report that we kind of did, 'cause someone raised the question. If the data's just stolen, right, are individuals, organizations more likely to pay, or less likely? Sure. We did really quick napkin math and there's a reason why we haven't published it. We'll publish it next year. But what we see is they're less likely if the data's just stolen, right?

And part of it, and we kind of hypothesize, is that the business impact ends up being the biggest reason why people are paying. Yep. Is to get the money, is to get the business operational again. 'cause keep in mind, you know, when you think about ransomware actors, the way I've kind of conceptualized it is, previously a lot of these really capable hands-on-keyboard type of attackers were going after organizations that they knew had valuable data for the criminal. Sure. Right?

They were going after Target 'cause Target's got payment cards, right? It's got boatloads of it so they can go and collect it. Now it's not so much in terms of the data value to the underground and other criminals. It's how much is that data valued to you? How much is it getting your operations back? How much money is that costing you a day for being down? So that's all part of their calculations.

And look, you know, they know how much it costs to get a forensic firm or get in someone to help with disaster recovery. Yep. And they're gonna try to price it so it's gonna be cheaper. So that, you know, you're kind of tickling your mind and saying, well, maybe it's gonna be better if I pay them than that. You know, pay 10k, whatever it is, for someone to come in and remediate. I would posit it is less the company and more the insurer.

And at the end of the day, I've been involved in many of these where the insurer literally just says, it's cheaper for me to pay the ransom than for you to not. And you really do, I think you've made the exact mechanism of that modality, is that it's more expensive: many days they're down, first party payments and loss under the primary contract of the insurance. And therefore the answer is pay the threat actor. Right? Yeah. And get back to operations.

'cause the business impact loss has so much more value than the data loss itself. Pivoting gears just a little bit. One of the things that we talked about before as well is like, identity is not the only thing anymore. It's just not creds anymore. Yeah. It's the identities. It's non-human identities. It's the tokenization of my identity in a platform. It's the machine identities that have my rights and capabilities.

Like, speak towards some of the things you're seeing in trends around this non-human identity definition space coming in. Sure. So, you know, the way I always kind of envision the non-human identity, for me it's always kinda like API keys as being the easiest way for me to wrap my mind around it. And, you know, really the idea is that, you know, this is just gonna be used in an application. Your application and your source code are safe, right?

You don't have to worry about those. You don't have to re-authenticate them. But what we really find is that that's not necessarily the case. There's a lot of, you know, oopsies in terms of, I accidentally committed, you know, my .env file to GitHub where I thought all the secrets were hidden. Right. And that only, so that's obviously kind of an exposure point, but even our ability to respond to that is concerning.

I apologize if you guys hear my son, he is very upset that, Bring him on. Time is over. Bring him on, bring him on. But he, Family, this is a family show, Phil. He is better off after his nap. But yeah, so when we see these secrets being even identified, right? So you have organizations, even, I think a lot of the platforms like GitLab and GitHub now have these capabilities where they'll flag and be like, yo guys, like this kind of looks like a secret to me.

You might not wanna push this. But even when these things are detected, it takes about 94 days for the organization to clean it up. So, and that's the organizations that know that there was an exposure in their code base, right, of a potential secret. So, you know, when it comes down, you know, what can an attacker do in 94 days?

I can tell you there's a lot of folks that are running scripts, looking through all these public repos, just trying to find, yeah, I mean I think there was one on, On, I do it regularly. Yeah. Looking for keys. Yeah. Oh, it's just because it's low hanging fruit, right? Phil, there's this other fraction.

I'm just gonna go take this from a completely other, I, there was this one phishing scheme that was, or I dunno if phishing is really the right term for it. I'm trying to remember the exact article. But yeah, so what they were doing with GitHub is like, they were targeting gamers and they were saying, Hey, have you heard about this? Where like, Hey, if you want the best cheat codes, come to our repository. Yeah.

And they were embedding malware in the cheat codes on GitHub, so the gamers were like, oh, cool, I'm gonna go get the best slam dunk red line play. Right? Like that one's right up the, RedLine malware. Yeah. So it's being used in both, as both a means of scanning, as Matt was saying, you're just saying, but it's also being used as clickbait, as it were, as well. No. To host malware. Right.

A trusted site that you certainly have allowed through your web filters in your CIS. Exactly. Right. And then that goes, how much control on the endpoint do you have in terms of trusting content from different sources and executing? Right. So I mean, I'd be shocked if there's not a C2 out there that leverages GitHub. 'cause there's this C2 for pretty much any service.

So, you know, even that, you look at it, you know, this is the place where code resides. Yeah. And you can run it in GitHub functions, GitHub cages. Right. So you can do all kinds of stuff there and make it, yeah. Anyway, cycle GitHub. Yep. Yep. GitHub Actions too. Yeah. Right. You're getting free compute for an hour or whatever the timeframe is. So yes, there's a lot. These third party platforms are robust. I mean, they're critical for development.

But within them, right, there also comes a certain level of risk as they can be used, you know, from accidental disclosures to, you know, malware or phishing schemes or what have you. So they're, you know, there's something that organizations have to contend with. Yeah. Very good. All right, Mr. Matt, we got one more with you, I think, or so, or I think I've pretty well exhausted my questions, but let's go to Marissa. Go to Marissa. Sure.

Well first off, Phil, so cool to meet you in person. I cite the DBIR often in presentations, 'cause there's a huge passion around educating the SMBs, right? And giving them a fighting chance to make good. So, and this year's DBIR reinforces a longstanding truth. Humans, we are still the problem, ah, what is it, around 60% is our fault, pretty much. But what really stood out to me was how much more automation we're seeing with zero day exploitation and edge device attacks.

So much fun for MSPs. Does this mark a fundamental pivot in how we're prioritizing controls, maybe moving from end user training and phishing defenses towards patching velocity, asset exposure management? I mean, just spitballing a couple of ideas. Like, what does this mean for our industry? So I would not shift over from giving up on our users quite yet. Right. I think they still have a very pivotal role in terms of our security defense. So I would keep the security training, right.

And when it comes down to looking in terms of the exposures, and this is kinda, we're kind of at an interesting time in history 'cause we haven't quite fully moved off on-prem, right? We're still, you know, in between this, you know, are we full SaaS cloud enabled? Are we somewhat, you know, is there still some office with a VPN that we log into? Right. And the shared, you know, as Matt mentioned, the shared security model is, you know, a stumbling point too, right?

So it's not like I can say, well, you don't really, maybe you shouldn't be managing VPNs unless you really have to. Right? Maybe there are alternative options, you know, that can provide similar types of benefits without you having to manage the actual system itself. 'cause when we were looking in terms of the patch cadence, right? So we looked at specifically CISA KEVs on perimeter devices. So we had this hypothesis coming in.

It's like these are the critical of the criticals, right? These are being actively exploited. These are by their nature exposed to the internet. So we would anticipate them being patched quicker, right? That wasn't the case. We still found it was about 30 days for the median amount. What we found was that there was this split, this population kind of has a very long tail.

So you have certain organizations, so 50% of the organizations were within that 30 day and you had a bunch that were within one day. They're able to fix all those. Some were within six, but really kind of, you know, that 50% was within the 30. You look at the other side of that, it goes out further. It goes out to 155 days. It goes 200, you know, days plus. So these vulnerabilities have a long shelf life, right? They're gonna be valuable.

So of course when you're targeting a zero day, you get the pick of the litter, right? What you want to target, the most valuable targets that you've been looking at, you've been eyeing from an intelligence agency function. You can go after those. 'cause there's really nothing you, the defenders, there's not nothing. There's limited things you can do. So we have to kind of look in terms of, you know, what the second half of this population are.

These, the small businesses, are these the organizations that do not have the maturity or the capability, or they're not aware, they're not within the pipeline of receiving CISA KEV notifications, that they know that they need to go and remediate this? And so just, oh, just ask a quick question, Mar. Yeah. Is, and again, is it because the breadth and depth of the ecosystem with creds that they can, you know, go do a Shodan scan, correlate what creds are available very quickly.

Is that, you know, what automation is that helping, the speed and the velocity of this? Oh, for sure. Yeah, absolutely. You know, attackers are, I don't wanna say lazy, they're efficient, right? Right. Like, you never trust a, you know, a non-lazy developer. You want a lazy developer, you want a lazy system admin. 'cause they're gonna automate. 'cause that's, you know, the only way you can really scale these.

You know, so there's so many free resources even, or low cost resources, to get an idea as to what are the exposures out there. So it's not like a surprise to know, you know, which Ivanti devices or which VPNs are exposed to the internet. But it seems like the message isn't getting to the people that can fix the problem. Well, this goes right back. You literally have answered my next two questions, which is great 'cause we're coming up to the hour.

But just like really getting, continuing to focus on the basics, right? Making sure we're doing timely vulnerability patching and all of that. And what's our fighting chance for all the MSPs that are all constantly behind the curve? So I'm hearing from you really driving automation and kind of really diving into that. Are there any other insights that you would say for the proverbial MSP that's wearing 50 hats and just trying to keep up with everything?

The comment you actually made at the beginning with understanding the business is really key. Especially as you look at in terms of the different types of exposures. And, you know, maybe you realize that that one server happens to be holding, you know, whatever PHI or information you didn't know. So as much as you can, tying it back to understanding what are the operational needs. I've always viewed security as kind of a subset of like operations, right?

It's how do we maintain confidence in our systems that they're going to work. Security is one element of that. So I think that the comments you made at the beginning were very insightful and that's why I'm stealing them to respond to your question. You're fine. Well, that's why I always tell people when I'm talking to potential clients, I'm like, I'm a business advisor. Yeah.

And I provide you IT and risk solutions from the cybersecurity perspective, but I'm here to advise you on your business and always trying to keep that lens, and then hiring really great engineers to do the other stuff behind the scenes to make it happen. Well, I could talk to you all day, but I definitely wanna hand it off. Back off to Andrew over here. No, no, no. I want you to hit a few more. We got a few more minutes, if you don't mind. Okay. Okay. So, okay. I've got one more.

Take it to the end. It's fine. Awesome. You're the star today. Thank you. The report, so the report, it highlights that only 54% of edge vulnerabilities were fully remediated. This report makes my palms sweaty, Phil. Yeah. Even though they're the most exposed. So for MSPs managing dozens and dozens of clients where prioritization is everything, if you prioritize everything, nothing is prioritized. What lessons can they take from this data?

Like, is partial remediation just an optimistic term for, Yeah, it's still at risk, like risk is a risk. It's either zero, one and yes or no. Yeah. Yeah. So we had a lot of debate about that partial remediated, we went through. I mean, so much in terms of like, is that really the best way to describe it?

You know, we work with, you know, 'cause at the end of the day we're collecting data from our partners and they're the ones that, you know, have some of these classifications, and they're like, well, you know, it's probably remediated in the sense that it's not showing the signs or the flags that it may be, you know, vulnerable. So, or they may have put compensating, compensating control, you know? Yes. I don't know if this term lands, but monkey patching, right.

Is a term that I've used before where I'm just literally pushing truck bumpers together to solve the problem. Yeah. Yeah. Yeah. I just turned off the flag that discloses what version this software is. Which is something that kind of showed up a little bit in our data, is that a lot of these platforms aren't forthcoming with telling you what version it is from, like, externally.

So they're like, well yeah, you know, it's harder to know if it is a vulnerable version 'cause it's just not disclosing it from, like, an external. Like, I can go and touch it and ping it and it's gonna give me back some version, or somewhere I can go and get that information. So, which makes it harder to attest whether or not it is remediated if you have purely kind of like an outside look, or, you know, the system doesn't support agents to scan it, which there are some systems that don't.

So there's, yeah. So it's a combination of that monkey patching and what have you. But, you know, from an attacker perspective, they don't care if it presents as vulnerable. That's right. It's, is it vulnerable? Right. They're gonna send the exploit. That's right. But as a good guy you can't do that. Right. People frown when you start throwing exploits around to really verify if a system is vulnerable. Yes.

I wanna go back to Marissa's point real quick about this kind of maturity being the factor. I think Philippe, you just stole that as an answer too, but I tracked when the SlashAndGrab vulnerability for ConnectWise happened last year. Yep. I found a cohort of 1000 machines on Shodan. Of that cohort, 440-ish, give or take, 400 of them or so were online at any given moment. Yep. I patched, I've tracked those to see how many patched over time. ConnectWise gave away a free license.

How many patched? ConnectWise took away the ability for it to function. How many patched? What do you think the standing percentage is right now, Andrew Morgan, the last time I ran that scan, of how many unpatched systems still were running ScreenConnect and responding to the world? I, you know, if I had to guess, Matt, it's north of 20%, and if I had to guess, it's unfortunately the companies that are perpetual licensed that keep using it and, Yep.

Well, they're not using it 'cause it's not working. I don't know if y'all know that, but ConnectWise did some really cool stuff. Yeah. They're just literally ScreenConnect instances someone has paid for and is running in a closet somewhere and hasn't been patched. Right. Yeah. That's not being used, 'cause the systems won't even work if you try to launch a session. It doesn't work. So it's just that, and I'm bringing this up and I'm gonna go off on a small rant and then I'll shut up.

Y'all can give me the hook. Everybody likes to say patch with priority because it's hard, but sometimes it's not hard. ScreenConnect takes seconds to patch, and once you do it, it's pretty much ubiquitous. There are no failures, I've not had problems with it. I believe that we have a problem culturally. Hmm. A lot of times we just say we can't get to that stage.

'cause there's process in between, or in the large organizations there's a lot of dependencies that they like to test, and they set up these processes to keep operations up. Back to your point, Philippe, of the most expensive point being the operations, and therefore it's easier to say it's hard to do, but 7.1, 7.1 for a reason. It's early in the controls and it's a .1 and it's an IG1. And my point is like, we talk about, oh, I need to know the KEV so I can know what to patch.

Are you kidding me? Like, you should be patching when the patch comes out, not when the KEV comes out, man. There's a lot of dead bodies. Maybe we ought to put on this body armor. No, body armor before dead bodies. Right. Anyways, I digress. I mean, I would like to know, sorry, go ahead. I would like to know, why is it so hard to patch? I would like a whole hour on the Cyber Call of, is patching hard? Oh, that'd be a great debate. Because back in the olden days, yes. Yeah, sure.

Old, old and olden days stuff would break. Exchange would be, that would be the time for Exchange upgrades. Yeah. I mean, my rant from the MSP perspective, something that they are better than, there are other shiny objects that they're chasing, and it would be really, really lovely to have firm non-negotiables in our industry of the things that we do and we don't do and the things that we prioritize. It's a lack of prioritization.

I think if I push the button, the patching works, but that system, there's a module on there that I know patching's gonna break it, so I'm not gonna touch it. And then no one's responsible for it and it is then forgotten. And they're not doing any reporting analysis to find those missing gaps when they don't run automation for patching.

And I'll close with this, Marissa, before we thank Phil and you, but I think there's also still a massive gap, at least in the conversations I've had, in companies that are MSPs even still, that are doing a good job with external devices, edge devices. It's like they'll say in their MSA, we patch all systems, yet they're focused really more internally on the Microsoft stack and things of that nature.

And the edge is, I mean, we see it, I mean right through the eyes of Chris Loehr at Solis who, you know, whether it's a SonicWall, a Fortinet, you know, it could be four months after there's a valid patch out. He's like, yep, they got popped, blah, blah, blah. Is there an MSP involved? Yep.

MSP's involved, and I just think there's still this, well, if we can't sell vulnerability management then, you know, they put that before, that it's, this is part of delivering good security. I think that's part of the problem still. I don't know. What are your thoughts on that, Marissa, while we close out here? I mean, it's everything. I mean, I talk about operating businesses and my trump is culture is everything when I'm talking about it.

And actually being a guardian of indivi SMBs in ecosystems, vulnerability management is everything. It's everything. Every single decision, every single. It, it just, it has to be the forefront, forefront of our lens of how we're doing things. What are we prioritizing? How are we empowering our teams to run with these things, to get these things done? Um, uh, don't go chasing after the shiny objects. Stay focused on the fundamentals. I mean the, the DBIR says as much on there. Yeah.

And I think, and the, the just one exclamation point on this also, in ev in conversations I've had with countless MSPs, is there's no real SLA on vulnerability management. In other words, what are the critical devices? When can we shut, when can we stop business? What is a P1? What, you know what I mean?

There isn't that conversation of what's mission critical, to stop business, to patch, you know, and, and this comes back to where we started, the operational fic, you know, maturity conversation. So well, and that doesn't stop, Andrew, I'll shut up after this. That doesn't stop with SMB.

I mean, I, and when MOVEit was happening, I called I think 30 or so companies that I found very sensitive data on very vulnerable MOVEit servers, including Louisiana, Indianapolis, I mean, tons of major players all have the same problem. So I don't wanna paint this as just an MSP problem. This is a global problem. Yeah, that's that, as shown by the DBIR. Right? Exactly. Yeah. Very fair. Very fair.

It, it just, again, we highlight though, with e with SMBs dis such a disproportionate. Now, I mean, in Phil we went, we went for a period of time there, remember last year, where there was no difference. Remember that being stated? Yeah. Well, there is a big difference now, back again between the two. Poverty line. Yeah. I line. Um, so Phil, uh, first off, man, awesome. Senior. I wish we could do a round two because there's so much more to unpack, if you're open to it, if you're ever interested.

Yeah, absolutely. I'd be happy to. There's, there's a bunch of questions you guys sent me, so I'm happy to hop on again, talk some more. Alright, let's do it. Um, Marissa, thanks so much for jumping in while you are actually at a conference. Uh, Matt as well. Thanks for, for coming in as always. And Phyllis, uh, wonderful to see you, everybody. Have a fantastic week and we'll look forward to seeing y'all soon.
