Crisis Communication that Can’t Be Planned for with a Former FBI Special Cyber Agent
In this video, industry experts discuss the importance of crisis management and incident response planning for MSPs and small businesses. They delve into the challenges of maintaining control during a crisis, emphasizing the need for preparation and community collaboration. With insights from law enforcement and cybersecurity veterans, the conversation highlights real-world scenarios and offers practical advice for mitigating cyber threats and safeguarding data.
<ul>
<li>The importance of planning for the unplanned in the MSP space and building a network of support for worst-case scenarios.</li>
<li>The significance of having an incident response plan and a point of contact (POC) trained to manage crises effectively.</li>
<li>The need for MSPs to educate their clients on cybersecurity basics to prevent crises before they occur.</li>
</ul>
Video Transcript
I'm just doing a podcast. Welcome everybody. And it is episode 115. Great to see everyone here hoping we get a lot of chat going on. We've got, uh, a fantastic, uh, guest today, um, who's kind of becoming a household name very quickly in the MSP space. Um, I've seen Scott, um, on a few webinars already and he's doing some speaking, uh, in the channel as well. So it's gonna be really good to see him. Before I introduce him though, just a few things, Gary.
I only got 12 announcements today, so I'll keep it short. Okay. First though, seriously, Gary, I wanna start off with you. How was you? You just had your peer groups in for a week. You had your virtual Yeah. That came in, right? Your did your virtual. Yeah, they're in, they're in person now. We've converted 'em over. So we had, uh, about 200 people Okay. In Philadelphia in two waves, uh, last week.
Um, the recap I would give in looking at their numbers and, and talking to a lot of people is from a general standpoint, a lot of recurring revenue, uh, being sold at the right price. Um, so many of those companies over the last two years, they're up 50% in the recurring revenue in two years. Not uncommon. Yeah. So that's really good. And it matches up with what we're saying about what's happening right in the marketplace about who's buying and why they're buying from us.
But I want to tell one quick story, Andrew, about security related. So this, excuse me, this past quarter, we did a little, um, compliance project, right? And a, a few of the people didn't get it done. And when they came, the question was asked, well, why didn't you do it? Most common answer was, oh, I wanted to, but I was too busy. And I said, how do you think your customer would feel right now if they were in this room?
That if you are too busy to spend time on your own compliance and security, how could you possibly be spending time, you know, on, on theirs? Hmm. And so I wanted to share that with everybody and ask them that same question, like, can you show me what's on your to-do list, please. And email it to me. Yeah. Because that's more, that's more important. The Reality is they're not too busy. They didn't make time for it. We all have 24 hours in our day. So like, what are we gonna make Time for?
That's, that's the truth, Gary. Um, since we have a pretty big Audio, I'm all fired up, Andrew. I'm all, I'm all shot out of a cannon today. Awesome. After hanging out with MSPs all week and a little hungover. Well, Look, I'll order your bloody Mary, just let me give your location. Well, plus the Eagles won on Sunday night, and then, uh, my son and I went to the Phillies game on Friday night and all peer in between, like, that's the best week ever, like Christmas morning. It is, it is for you.
I mean, um, so Gary, we have a pretty big platform. Um, would you mind just putting the people's name in that didn't do the compliance and chats? Yeah. And you can, Yeah, I'll go ahead and, uh, shame them. No. Okay. I just, I made 'em all get a tattoo. Um, okay, Wes, um, go ahead. Talk about Empath real quick. You put it out there. What's up with Empath? Oh, yeah. Yeah. So super shameless plug.
It's been something I've been working on for a few months now and ready to open the doors and show people where I'm building. So, uh, put a link in there if you guys wanna check it out. We'll be doing an open house so you can see what's going on, and, uh, ask me questions. All that, love to see you pre-register. So definitely join. I think I've got over almost 80 people now signed up. So, uh, it's gonna be a, it's gonna be, let's get it to a thousand. How about that? Alright, good.
Wes, we're excited to see what you're doing. Okay, as always. Um, Right of Boom, just quick update. This is huge, Wes. Um, and you know her, we have a lady by the name of Mackenzie Brown from Microsoft's DART, DART. She runs It. Yeah. What's that? She runs Microsoft DART. Yeah. Yeah. So detection and response team. She is coming to Right of Boom to run the incident response panel with a team of awesome MSPs. It was between her and Gary.
Um, at the end we decided to go with Mackenzie just based on, She's a, she's a little, she's a little less technical, so people can relate to her. Yeah, I think that was it. You know, so that's huge, uh, having her come on, uh, to the show. Yeah. And That's a big win. You gotta make sure this is a great event, Andrew, because it's gonna be competing with my new event called Righter of Boom, The Rightest of Boom, Rightest of Boom, The Rightest. All right. Um, alright, so let's get on into it.
There's one other thing going on. I'm gonna put it in. It happens to do with a webinar tomorrow that webinar NetworkX is hosting for with around cyber insurance, um, with like, I think they're the fifth or sixth largest in the world. Acrisure is gonna give a state of the industry update on their stats. Um, Eric Tills will be there as well, talking about risk around MSPs. So that'll be a good one. I'll get that in this in the chat. But without further ado, let me set the stage.
Let me introduce our guest. Do We have to wear costumes next week? We can. Absolutely. It's Halloween right next Monday. It's very true. Alright. Scott's gonna strangle me if I don't get going here. He's got another I'm, he's got another thing going on. Yeah, I'm, I'm, I'm gonna listen now. I'm deep. Anyway. Well guys, guys, just Talk amongst yourself. So I'm getting Really into, This is great.
See, the reason I love Scott is he's also a former New Yorker who has this New York sarcastic sense of humor that I just absolutely love. Um, all right, so lemme set the stage. We know, um, what the last two weeks have been, right? Miscommunicate, so miscommunication on a potential, let's call it, um, a security change management. Um, we debriefed it. We used it as a case study last week. We brought in a breach counsel to talk about what good communication looks like.
And this week, um, in talking to, uh, Ryan Weeks a little bit offline, I said, Ryan, um, talk to me about, you know, crisis communication. And, you know, he's like, look, that that's a tough subject. You really gotta build, you know, a team, a framework. Um, and I said, what do you think if I got, um, Scott Augenbaum, uh, on, and he, and, uh, you know, I told him about Scott's background. He's like, that, that sounds like an awesome show.
So I was excited to bring Scott on because this is about planning for the unplanned. And, and in talking to Scott, I've gotten to know him over the past month. It's like the Mike Tyson analogy, right? We can have these awesome, um, incident response plans and tabletops, and we need to do them. It certainly makes us better. However, they often, you know, there are things that get thrown at us or things that we're not ready for.
And, you know, I see Robert out there, and I'm sure Robert could talk to us about that as well. So, with that, I wanted to bring on somebody that's dealt with a lot of crisis in his life. Um, probably more crisis now that he's talking to me. Um, but with that, uh, Scott, welcome and tell us a little bit about yourself and, uh, what you are doing these days as a retired supervisor. Uh, former FBI. Welcome. Well, thank you. Thank you everyone.
It was so nice to get to know you and develop my own psychological profiles of each one of you. And I'm a little, yikes. I'm a I'm, I'm a little concerned over here for all of you. Well, hey, everyone, if you need a, a big smile on my face, it's because I am retired from the FBI been retired, uh, for the past five years. And Phyllis, that means I have a really nice pension. I don't worry. I can say what I want. I can do what I want. And the first of the month, my pension check rolls in.
Uh, today I'm over in Hunt in Huntington Beach, California. I'm about to speak at a large conference going on. And if you ask pe, if you ask me what I do and what I can tell you in one sentence, I teach individuals and organizations how to reduce my chance of becoming the next cybercrime victim. If you put that in Google, you're gonna find 30 million other people who do the same thing.
But I teach people how to do it without having to go out and purchase additional products or services, or having a PhD in computer science. Because during my career, I dealt with a thousand cybercrime victimizations and I discovered patterns. Now, discovering patterns is one thing, but reacting to patterns and putting them into different places, places is a different thing to help people prevent that.
And uh, when Andrew came over to me and said, Hey, can you be on a podcast and everything or your call? I said, this is great. I would love to be part of the conversation until I read his questions. And I am the conversation over here. So let's go. Let, let's go for it over here. Because you know, when you talk about right of boom, that's me. I'm the guy who brought the bad news to organizations. They dusted off their intrusion response plans.
They had no idea what to do, because most traditional intrusion response plans do not tell you what to do when the government shows up and tells you that you have a problem. And if you do have one, I'd love to know about it. Phil, I'm excited to get to know everyone here, and let's kind of dive into this subject. Awesome. Phyllis, I think you are up. Welcome back. Yep. And, uh, it's good to see you. Yeah, it's great to be here and see everyone. Um, and Scott, it's great to virtually meet you.
Um, you know, when people talk about crisis management, um, you have to, you have to manage many things. It's not just one, you know, one scenario. Um, so you have to think about how you're going to address or solve a big class of problems without, um, being too specific. So when you were at the FBI, um, did you use any kind of frameworks, um, while you were there to help organizations with, um, their crisis management plans?
Well, you know, our crisis, and believe me, we were constantly in crisis because I just remember the day that I got a telephone call at two o'clock in the morning that a synagogue that was located about two miles from my house blew up. So all of a sudden, I get thrown into this crisis. It's two o'clock in the morning, where's the FBI's Crisis Management Handbook? This is in 1999. And so, besides going over you, you know, you gotta be able to deal with being unprepared, because think about this.
And I'm a brand new young agent. I'm walking in over here, we got the fire department and, and everything we're talking about in real physical, uh, you know, uh, resp crisis management applies to the same thing in breaches. You know, all of a sudden the ATF shows up, alcohol, tobacco, and firearms. Hey, what are you doing here? We got everything under control. Local law enforcement is there. Hey, this is happening in this city.
We got the local district attorney there who's p****d off that the United States attorney's there, and everybody wants to be in control. Hmm. And, and you know, we have things with unified crisis management, but it almost always seems to go wrong. Even now, if you look at what are the things that are going on, even in the hostage, even in the active shooter situations, we, we still, even if you have the right frameworks, Phyllis, unless you're practicing them, it doesn't matter what you have.
That's where we really have to discuss what I've learned during these types of crises that we could apply to really dealing with the cyber ones, which I had plenty of experience. Wow. Yeah, that's great. So, you know, planning for the unplanned is a bit counterintuitive, and it's not something we often see in the SMB space. I'm here as you know, we're here with a bunch of MSPs.
How do you recommend MSPs think about building a network of people and organizations to best support them in the worst case scenario? So, for example, um, perhaps PR firms, external breach counsel and IR firms that have been, um, through worst case scenarios to help coach MSPs and SMBs. Well, the first thing that I'm gonna really jump into here is what I'm dealing with my friends who do intrusion response for a living, and they make tons of money doing this.
85% of their work's coming from an account compromise, 85% of their work is coming from an account compromise. So it's not like someone's hacking the cloud, someone's hacking the end user here and disrupting their platform. So when, when we start talking about that, and I'm gonna circle back, we gotta start thinking about the prevention of the crisis or else we're just going through a, by the time your crisis management plan comes into action, it's like, you already failed.
You know, we think we're gonna respond quick enough, but when we're responding and we're, you know, now we're gonna go out, we're gonna get your, uh, PR firm, right? We need a PR firm, right? We need a good attorney, right? We need a good intrusion, respon. It's all becoming commoditized work. And as I sit there and I talk to intrusion response companies and I go, you wanna sell your stuff? Why don't we talk about reducing our chances of this happening?
So as we're gonna go out here today, and we're gonna go, okay, I need my, I need all these firms. Let's talk about the basic elements where we can prevent these things. Because after being and having my life disrupted and disrupting other people's lives, it goes back to one of the principles that I talk about all the time. A majority of the bad things that I worked on easily could have been prevented if the end users were only armed with a couple of key pieces of information.
And Andrew, that's what me and you've been talking about for what weeks, that's every conversation. Yeah. And it's something we talk about here, Scott. Sounds like he sounds like Chris and every other person who's dealt with a ton of this, they all have say the exact same thing, right? Yeah. Well, that message is, is is clear.
And it's not, it, it, it's, listen, it's not a, this message that I developed, it's just when you see it time and time again, and you're gonna go over and, and, you know, one of the things I talk about is what I call the four Truths to cybersecurity. And the first one is, nobody ever expects to be a victim. I'm a small MSP, I'm a small business. Why would anyone want to target us? So when you go back and you start thinking, why are people not preparing for this?
Why would anyone wanna target me? Right. You know, I had a $3 million company tell me they were not concerned because they are a small business, but compared to a $55 billion industry, they are That's a great point you bring up. Yeah. And what what's interesting, Scott, is like, well, I I love what you're saying. We do talk about this, you know, it's always about the essentials. When we talk to the IR firms, as Gary said, it's always things that can be prevented.
But I do think, and we do have some MSPs out there right now that have been, you know, supply chain targets and what I, and, and who have had really good breach counsel because saying the wrong thing could get you in trouble. But it, assuming we can't, we know we can't prevent everything.
Assuming human behavior is gonna continue where there are certain thing, you know, people, for example, whether it is, you know, maybe, um, breach counsel or co you know, some type of coaching that, that has dealt with crisis that you've seen Be helpful At times Coaching, why do they call it coaching? Coaching makes me better. I love that term. We're throwing out, I want to be, I want to be your breach coach. I take credit cards. Okay.
You see, Phyllis, I, I couldn't get away with saying this when I was with the FB. I could. I I Know You see, that's why, What do they say? Those who, those who can't teach, those who can't do teach and, uh, and those who can't teach, teach Jim Council can't do any of it. Become entertainers and they go talk to large companies about what I think isn't rocket science. It's common sense, but common sense is not the same thing as common practice.
So when we're dealing with that, I would get with a, and this is what I tell the IR firms, Hey, look, why don't you teach people? You wanna sell this stuff? I know everybody wants to sell. I wanna sell. You wanna sell. But why don't we tell people what are the basic elements in the ID in getting prepared? I was sitting with one organization today, one third of their budget is going to cybersecurity. No, no, no, cyber insurance. I'm like, what's that gonna stop?
How is that gonna prevent anything from going on? So I would start with somebody who's going to be able to be like your, and, and, and it really doesn't exist out there to have that trusted contact because the IR firms are gonna wanna just get in and everyone wants to do a penetration test or a risk assessment. The attorneys wanna play general contractor, the crisis management firms.
They're there, there are people I would start out with a good reputable intrusion response company and have them walk you through it by the time you're insur, by the time you have a breach, and you go off of that standard list, and I know this isn't popular with the insurance people, and you get to know your IR firm the day of the intrusion. It's a bad day. Yeah. It's too late. Right? Right. It's about getting these relationships ahead of time. Yeah. Rick wanted, hold on one second.
Rick wanted to know what are the other four the truths? So let me just explain to you the four truths of cybersecurity, because when you decide that you don't wanna do any of this, I want you to refer back to the truth. The first truth is, none of my victims ever expected to be a victim. They were all caught off guard. They didn't think anybody would wanna target them.
The second truth is, once the bad guys get in, steal your data, steal your company's data, use you as part of a supply chain attack, or hit you with ransomware, the chances of law enforcement coming in with a magic wand and fixing your problem slim to none and putting the bad guys in jail is even harder. Those three truths are really horrible.
But a maj, the fourth truth is what my big epiphany was with the FBI, a majority of the victimizations that I dealt with could have been prevented if the end users were only armed with certain pieces of information. And this whole planning methodology, which is not part of my truths, is so important to have these discussions and hosting discussions like this guy. So there'll be a fifth truth, Scott, coming out of this cyber call. Yeah, don't take your phone call.
The fifth truth is, We'd like to do all that, but we're very busy. That's the fifth truth. And, and, you know, I thought I was gonna be join Cyber Nation. Well, I don't know. I'm, I'm trying to be sarcastic enough for Andrew. I'm feeding off of Andrew's. Uh, So, you know, Scott, you bring up a good point. Like, you know, and I saw this as well, you all, all the people swarm in, people are fighting for, um, you know, jurisdiction. Who's doing what? I'm here. I'm here.
Everyone's like jacking for a position, right? But you do have to have someone in your organization who's like your main POC. That person should be the one who everyone's talking to. That person should be hopefully managing the situation and understanding how to manage that situation. So, um, as organizations after this call, if you don't have one, create their incident response plans and they have their POCs one or many, you know, what kind of skills do you think that that person needs?
You know, 'cause they're gonna be talking to customers, perhaps, um, you know, counsel, regulators, law enforcement, et cetera. Not everyone can be like, Target and be like, oh, you have a credit card, you get now 10% off, or, you know, whatever these big companies do. And then it's like, you know, it's a blip, right? They got compromised. You know, I give you a discount, you know, call it Phyllis. Was was Target a a Fred and SL good Scott, I'm just, I'm responding to something on Skillset.
Yeah, yeah. Please give skillset. I think it's a big one. Well, well, here, well, here's the deal. And, and this is hard, especially for a small to medium sized business. You're throw because you have to have, one of the things, when people, when I go out and I talk to people about my career with the FBI, I'm going to have to say that communication skills were probably the most important skillset that a good FBI agent should have. Now, people might disagree with me.
That's because I wasn't a good shot. You know, I was more of a language arts guy, uh, and I was also a crisis negotiator, uh, for the FBI and handled cybersecurity. And I thought when I went to hostage negotiation school, I go, this is gonna be great. I'm a great talker. But it's all about listening. It's all about really listening to the stakeholders that are involved and being able to have that communication set within your organization. So I'm gonna throw this out to all of you.
Would you, having the most technical person in your organization, that guy who wears his 37 certifications on his sleeves, are you gonna have him talk to the media? Are you gonna have him talk to law enforcement? What do you guys think? Let me ask the MSPs here. What do they think? Who, who is this ideal person? Does this ideal person even exist? Because in the FBI, sometimes we'd go like this, oh my God, we can't put that guy on.
You know, because he's gonna do like, you remember, and Bruce in, in, uh, Bruce Willis movie. Hey, we're the FBI, we're in control. I know you might find this hard to believe that doesn't work. Well, Yeah. I mean, I'm former NSA, like I live for Steel. I dunno who It's, go talk to anybody. So that's easy for you. I don't know who it is, but I know who it's not. It's, it's not the person you just mentioned. Right.
And, you know, I'm curious if you would put in the chat, who here actually has POC is identified just in case that event were to occur. Have you thought about it? Have you thought about what skills? Just like, you know, um, just like Scott said, there's like the go-to guy for when, you know, there's a, you know, a high priority.
You know, when it comes to a technical issue, who's your go-to person when it comes to, um, you know, maybe a set of softer skills And, and a second follow up question, who's been trained? You know, and there's, there's not a lot of like, great training resources that are out there. That's another problem. Sometimes it's battle skills. I mean, I've gone through all the PR training, um, at the last company I was at. Um, it's difficult. Um, that's another piece that's missing.
But, but starting tomorrow you can get it at Empath Cyber, just That's, I also take credit cards. I've learned from Scott, Hey, I'm gonna You coaching course right now for anyone who's interested. You can take me on a cruise and we'll do a cruise on commun effective crisis communication skills. Just one sec, Gary, I'm putting this in there. Talk, talk to why you want people to check that out. I, I put it in the chat. Yeah. So, um, I have that recording in my, uh, peer portal.
All the videos are from my peer members. And just last week, uh, several people, um, when it came up said that they and their team have used this on an ongoing basis. It's been really helpful. Yeah. So that was building your incident response plan. Um, it had, I think, lair Beard and Wes, and, and of course Gary leading the whole thing from a technical aspect. But, but, um, in the cyber nation, we do have Mike Beard. Uh, the CSO of Marco was really kind. He sanitized his entire ir Yep. Plan.
And you can get it there, or you can get it on Empath Cyber for the low cost $99. Scott, back to you. Well, let me just tell you, these things are all really good and everything, but they take into one thing. You know, when we go back down and we're all talking about the preparation, we right. We need to prepare for an incident. But most intrusion response plans don't really work.
And I'm gonna tell you why, because during my career with the FBI, I had to break the bad news to a lot of very large organizations. I had to tell them that there was a problem. And on each occasion, they were all completely blown away and nobody knew what to do. What do you do when law enforcement shows up, tells you that you have a problem? And then, you know, what do you do first? You bring in your, uh, your attorney who goes, well, we need a subpoena.
And I'm like, well, it's a national security case. Well, we need some kind of legal documentation. I'm like, well, yeah, but you're the victim in the case. This is nothing more than cooperation. And as you're sitting here and as you're assembling your team, I just wanna let you know that there is information leaking out of your network, going to a command and control center controlled by a hostile foreign government. And, uh, we're just here to notify you. We'd like to work with you on this.
What do you do now? Has anyone here ever been through an incident like that? Because even to this day, when you go over and you look at all the boiler plate stuff, it's not telling you what to do. That's the real incidents. That's what's happening every single day to organizations. And the FBI and the Secret Service are doing victim notifications. And I hate to say it, everyone's caught off guard. Yeah, yeah, that's True. Really good stuff, Scott.
Um, I, and you know, and I would say, just to back that up, that's why that incident response training is so valuable. It's about walking through that and making sure that you have the steps and the people and the processes in place, um, uh, you know, in case an incident happens. So I'm gonna, um, in the interest of time, um, hand it over to Wes, you're on mute. Wes, you're on mute. Thank you much. I got way too many kids in the background at the moment, so, uh, yeah. Oh yeah.
They'll probably just barge in. Yeah, we'll see what happens. Uh, some neighbor kids are in. Uh, so Scott, here's, here's a question that's been itching in my mind a little bit. Um, MSPs are, most of them are small, right? They themselves are small business, you know, 5, 10, 20 employees. That's typical for them. So what do you do in a situation where you feel like you do have a, um, really well-built, um, incident response plan.
You've actually tested it, but then comes the boom and that boom, maybe for whatever reason, some of those key people are not available, right? Like, you can't get ahold of them. They're not there, or they panic or they're on vacation or whatever. What do you do in a situation like that? Do you, do you think they all need to be like deeply cross-trained? How do you, how do you handle that as an SMB, they're on their honeymoon Happen, happens every single day.
Because let me tell you, if you have this organization with 20 people and you're voluntold that you are the intrusion response person, the other 19 people in your organization just go like this, I'm glad it's not me. I don't wanna have to deal with this stuff. And these are things that we have to start looking at on what are gonna be the potential incidents that will occur that if they happen, we could just be in a better position. So what are the different incidents? What are we gonna have?
We're gonna find out for a second that, okay, we were suffered by a business email compromise. Okay, you can get out on top of that. We're hit with ransomware. Well, are we doing everything we need to, uh, prevent it? How, you know, and, and, and it just really kind of depends. That's a great, that's just a great question. I mean, we've had situations where all of a sudden the supervisor was gone. He was the one who held, who held all the information.
So each one of these things, just like every moment in time, you're just gonna have to be prepared. If you were involved in keeping your information safe, if you were part of this team, if you were part of the collective, then you have to have some kind of responsibility in it. Uh, to, and all I want people to do here is after alcohol, is to sit down and go, oh crap. What should we do? Who should we call? How do we think about these things? Hey, Wes, can I just mention something? Mm-Hmm.
Since we're doing lots of shameless plugs, um, one of the things we're gonna do at Right of Boom Wednesday evening, um, John Strand, John Hammond is, you know, they're doing their pre-date, but they're going to run Backdoors & Breaches. So, um, if you guys are trying to understand how to better do, uh, you know, literally incident response and dealing with crisis, um, those guys are gonna have a probably a 150 or so people where they're gonna walk through. And it's an amazing card game.
It's free. You can get it online, you can play it now. Um, it's, it's, it's just, you know, you've you've been involved with it before to us, so Oh, they're super fun. Yep. I run into people all the time at conferences. I've got a deck of it in my, in my, in my, uh, backpack and I pull it. I'm like, this deck right here was given to me by none other than John Strand himself. And people are like, what? Are you crazy? I'm like, yeah, yeah, yeah. It's super fun. It's a great game, Wes. Is it true?
I heard a rumor you turned it into a drinking game. It was not me. Uh, that'd probably be, gotta be Jason Slagle. Yeah. It's got Bas he's out there. But, but Gary, you know, as we as Scott said, what he just said, like, which is so, so I, I think critical, um, would you be, if you're an MSP, you know, you got, you, you, you started another MSP, Gary, would you be kind of doing these kind of projects with your customers, maybe with your, you know, starting with your larger customers?
And I could see it as a literally something that they would engage and pay for, uh, walking them Through. Oh, I mean, we're watching MSPs do it. Yeah. Um, I mean, we know the tabletop stuff, but I'm just wondering, do we get into, you know, this deeper crisis piece? I think it would be really fascinating. Yeah. If you're really mature and you have it down like for yourself, then I think it's like anything, most of what MSPs do, they figure it out for themselves first Mm-Hmm.
Certainly with every other aspect of security. And then when once they see what's involved with it and they understand it, then they can figure out how to package and price it. And would it be valuable to their customer? Well, what about the small businesses for a second? Because when I go back to the first truth of cybersecurity, let me tell you what a lot of my victims said who were still victimized. I thought my MSP had it handled. They're covering all that stuff for me.
And did you say, well, why would you think that? Well, because, you know, I I, I mean our MSPs in the business, is their core competency to provide security for an organization? Or is their core competency to make things work? Because I want to ask a question here. You know, if you are an MSP and you have clients that are logging in directly and have access to Microsoft 365, and they are not using two factor authentication, they're gonna have an issue.
And so let me ask you, did you, are you still providing them services? Because that is the greatest pre indicator, and they would go like this. Well, I talked to my MSP and they said, well listen, we can't tell you what to do. Because I was like, that's not a data breach. It's the fact that you didn't have two factor authentication turned on. And you know what they do? They roll it onto you guys as the MSPs. And I hate to say this, you guys will take 'em on as clients.
If you have a big client, then they don't want two factor authentication. And they say No. Are you gonna cut 'em off? Anyone? Bueller? I think a lot of 'em are. Now, finally, finally, I, Yeah, yeah. At least the ones on this call outside of this call. That's awesome. That's why I love this community over here, because, you know, people are, people are pushing back and people are going, no, that's much risk. I love this conversation.
I love this 'cause I was just on a prep call for a webinar I'm gonna be on tomorrow. You know, the ransomware task force that we, um, talked about a few weeks ago, and I wanted to cover exactly this. I said, can someone cover what you should expect or not expect out of your MSP or MSSP? Like, what does that shared service model look like? And how is it that an organization can say, Hey, are you really doing my backups? Can you really help me recover from backups and all those things?
Because you're right, organizations go into this expecting one thing, but you know, when you look at the service agreement, it's not in there. And they just, you know, people go, Hey, make these assumptions. So last week I heard a story from an MSP came up to me and told me that they closed a $9,000 a month agreement. And the way they closed it is exactly what Scott just said. They were talking through it, they were like $2,000 a month more than what they were already paying.
And they, and the subject of multifactor came up and they explained that they, you know, what the issue was with their executives or whatever it was. And this MSP just said, absolute non-starter. And, and if it means we don't do business, we don't do business. But I can tell you anyone who doesn't give you the same answer, they care more about your money than your security. And the guy's like, sign me up. Boom. It closed the deal.
Well, I had once a large, I had a discussion with, uh, someone, I mean, I don't wanna name names Microsoft and, uh, with one of the state entities here. And I said, Hey man, I just wanna thank you because if you did a good job with security, I'd be outta business. And they looked at me like, how dare you? And I go, lots of clients that are out there, you are a new salesperson. You wanna sign someone up for, for, you know, 20 200,000 seats. They don't want to pay for two factor authentication.
Your salesperson says, that's not cool. You will be a victim if you don't do it. What do you do? 200,000 seats, baby, come on. You know, we can practice this all day. But unfortunately, that is why today the cybercrime problem continues to go up year after year, and we continue to spend more money when people aren't doing the basics. And if you're gonna do it at home, you are gonna take that and you're gonna know why you need to do it at work. It doesn't work the other way around, guys.
Well, it's also, Scott, what you're saying too, just in a different way, is why right of boom is so much more expensive too. It's like the way that that MSP pushed back Gary, right? 'cause on the other side of boom, it's like, oh Yeah, no, wait, listen, we can sit here all day and talk about intrusion response planning and all of those other things, but why don't we sit here and if I'm telling you that a majority of things could have been prevented.
I have a friend dealing with an issue right now, not gonna name names on this one, but all of a sudden, cyber criminal logged in to the remote storage of the organization, got access to the control panel, and just took the storage that was supposed to go up to the provider and just moved it to another provider in a foreign country. And it's like they, it was an account compromise on the security product. And everyone's going Sophisticated hack Uhuh. Okay? Yep. Yep. Best back to you guys.
I'm, I'm gonna, I'm gonna keep myself from going into a sales role play right now. I won't like to, but keep talking. I'm gonna, I'm, I'm gonna save it for another call. We don't have time today. All right, Ross. So, okay, here's, here's another big question I have. Uh, and I'd love if Robert Affy, I see him on Eric Woodard. I'd love to hear from both of them in chat as well on this is intensity simulation. So we can do like tabletops, right?
And we, and we've done these and they're extremely eye-opening. They're helping, they're helpful. But one of the things that is difficult to simulate if maybe even impossible, I don't know, is having 60 inbound clients calling in, or 60 inbound calls every minute, coming in from really angry clients that are cussing mad at you because nothing works and they've been hit by something. How do you plan for and simulate and replicate intensity?
Because that's one of those things, things where you get the nerves and it's just difficult. Like, I don't know how you do that. Is, is there a, can you think of any way, Scott, that that could be done? No. That I haven't even thought about that. That's just a great, uh, that, that, that's just such a, such a gr such a great point. Because who is it? What if the, your tech, you know, what if you're the best communicator in the world, but you gotta fix the problem?
What if you don't know where the problem is? So it's just collectively between you guys, what are these, what are these things? What are the, what are the, what are the situations if we can kind of build out as a community, what are the most common situations impacting MSPs? And then sharing that with the community and getting best practices and being able to handle this because it's all part of that preparation. So we're not on the right side of boom. Yeah.
That's, and maybe we need Chris Laer around. He just volunteered to be his, uh, he can be angry as a service for you if you want someone to call you up and yell. And Wes, it, it, when, what, what I came away with when we spoke to, uh, Eric and Robert was it's a resource, a scale and, and, and a math problem at every, at the client level. 'cause they had a backup plan where they know they can get any one user or any one server, uh, in time, but not all of them. That was a math problem, right?
And then as the MSP, I may have some, let's just say I'm a good MSP and I have an IR plan for every, uh, one of my customers, but not at the same time. And then, you know, if something larger happens, then all of this someday when it happens, then there's gonna not be enough Chrises there. Like there's resource problems up and down the supply chain. Yeah. Well, and this is one of the things I was talking to Ryan about, Gary.
He was saying, like, you planning ahead, again, as Scott said, you can't plan for everything. But in the sense where Eric's putting in some incredible information here on what he went through, a thousand calls an hour, having an overflow call center, right? Those types of things that you would think through ahead of time, um, are, are, are important, you know, so really, really good stuff, Wes. And by the way, we can do cyber call as a service.
We have thousands here that we could have, you know, do inbound calls. So yeah, Let's make it happen. I, I will tell you though, Andrew, one of the coolest things that happened to me, um, last month I was at a security conference in Boise. And, um, one of the speakers was an, was an attorney, um, very similar to a lot of our friends. And he did the coolest thing. He put, he was like, Hey, any volunteers, I'm gonna put you on, on the stand. And so some guy stood up, he's like, I'll do it.
So he goes up there, he sits down, he is like, okay, here's the scenario. And it was actually, Scott, what you mentioned earlier, you didn't roll out MFA, now you have a lawsuit on your hands. Now we're actually, we're we're working. So, so he would say some things, the guy would reply back, he's like, yeah, but here's why we didn't do whatever. And he would just do what a lawyer does. So you're saying that this and this and this.
The guy said, no, I didn't say, I mean, I didn't mean, oh, so you're saying this and this and this and this, and it was just the coolest conversation because you got to feel like what it would be like to be on stand is like the CISO for an organization who maybe made some questionable decisions or maybe you made the right decisions. They were very poorly communicated and that lawyer eat you alive. It's the closest I've ever seen to simulating a lot of that.
Oh crap, I hope this never happens to me, because it, it puts us in a situation we've never been in before. Um, so I don't know, one day we could replicate that somehow and get one of our, uh, our friendly lawyers on that wants to take the, the stand against us would be great. And we've had to do that all the time in law enforcement.
Because remember, when, when you're in law enforcement, you have the ability, you know, you have a gun, you have to be able to articulate why you did something, why you didn't do something. And it was like, I guess that's why they got paid the big bucks. But it was like anything where you went like this, well, I thought, mm-Hmm.
So you have to really start thinking about this, and especially for large organizations too, that I would sit down because I've dealt with some pretty, pretty big breaches and I would always say, Hey, look, you know, you have your stuff together.
If you're gonna get called to testify in front of Congress why you didn't turn on two factor authentication, you know why you're in healthcare and you have an electronic records management system where anybody can take a username and password from any foreign country because they didn't pay the extra $2 and 75 cents a month, the geo block from, uh, west Africa, and people are logging on. So make sure, you know, saying, I didn't know about it. That excuse will no longer work for any of us today.
Well said. Well said. Okay. My last question so we can get over to Gary, is talk to us Scott, from the law enforcement side of the house, right? They come maybe two sides, maybe they initiate by coming, knocking on the door, we see a beacon, you know, or we, as the, as the company have, we've realized we, we have a breach of some kind. At what point do we start working with law enforcement from your side of the fence? Do we immediately call a lawyer?
If you guys knock on the door, do we say time out unless you have a subpoena or a warrant? I, I gotta go talk to my, to my, my, my legal counsel. Like how does that whole thing work from your perspective? Uh, always having relationships with law enforcement beforehand is a good thing, such as with the FBI or the Secret Service to either InfraGard or the Electronic Crimes Task force. When, you know, know who these people are, but also know what your expectations are.
I would get called all the time from people and they'd be like, Hey, I just got hit with ransomware. Can you come down with an encrypter decrypter key? And and under my breath, I'd be, man, it sucks to be them. I mean, it's too late. We will come down, we will collect evidence in situations to see if we can get those key indicators of compromise for intelligence purposes.
But I can't tell you, I go like this, you know, my joke has been, look, if you don't wanna do what I tell you, just here's five different companies. Call them and mention my name and I'll make sure that they take 10% off your five, six or seven figure engagement. And then they'll kick me back. And I can't say kickback because in the information security world, it's called referral fee. You know, or it'll be an account compromise.
So know what causes these things and realize that law enforcement is not gonna fix your problem. That is the, that the second truth of cybersecurity. Once the bad things happen. And if you are not in a place where you have a cyber squad, local law enforcement doesn't know what to do, and it kind of gets a little, uh, it kind of gets a little depressing. I I see Mendy. What are, what are ways we can, uh, I'm gonna give you my LinkedIn information.
If anyone has any questions to this afterwards, please contact me. I'll tell you who your law enforcement person is within your, uh, community. There is a cyber squad in almost all, in all of our large field offices that you should have a relationship with. Yeah. And they're awesome. I know many of my customers have relationships and they invite 'em to come present at like a lunch and learn, and they love to do it, and they get prospects from it and they make a relationship.
It's a win all over the place. Yeah. That's what I did for decades with the FBI And Scott, I'm gonna put in, um, your book, um, in chat. I'll get your LinkedIn. One of the things I think was so cool, I had, you know, I I mod for years, I moderated a CISO group. And, uh, a question came up about, you know, um, you know, in elementary school wanted some best practices to, to teach your kids. 'cause you were talking about Scott, how it starts really at the individual level.
And you have this piece of, you know, um, help me with the title Scott Cyber for Kids and, uh, is it grandparents and stuff like that. Well, one of the things that I talk about all the time, and I, I put my, uh, landing page in there. Uh, I wrote a book called The Secret to Cybersecurity, A Simple Plan to Protect Your Family and Business from Cyber Crime. If you're looking to read a good book by an FBI agent who saved the day and put a lot of bad guys in jail, don't read it. That's not it. No.
But it's what I've learned, what I've learned on a thousand victimizations. And if you just go to my landing page, I'm gonna give you the two best chapters of my book on keeping your kids safe and keeping your elderly parents safe. Because that is something that I use to change behavior. Because if I can get peop nobody's talking about that stuff. And at the end of the day, if your MSP has a breach, you're gonna live.
But if something happens to your kids and elderly parents, uh, it's game over. I'm just dealing with a woman now who fell for the Microsoft scam, not Microsoft, uh, McAfee, that her antivirus was out and she clicked on the link, she took the telephone call, she's out $90,000 and I'm gonna have to sit here and get to the third truth with her that she's not getting her stuff back. And people come to me, Hey Scott, we need you to save the day. I can't save the day.
The only way I can save the day is through education and awareness. And that's what I'm trying to do now with my Cyber Secure Mindset movement. And Gary, as we go over to you, it's, it's really the, I, I've, I've read Scott's book and those chapters like, what a great kind of thing to send to prospects or do a lunch and learn on, and it's free, absolutely free. Um, so thank you for that, Scott. Um, it's great. It's really great stuff. Okay. Gary, over to you.
Yeah, Gary, I've been waiting to talk to you over here. Where you been. Come on. Yeah, yeah, Yeah. Following up on, uh, this issue that a plan may work, but it might not work at scale. And I know that one thing, um, both some of my peer members have told me as well as when I talked to, um, uh, to Eric and Robert, they're me, you know, members of peer groups, they got a lot of help when they had their incidents.
Like they had all these friends, peer members, right, who flew in, got online, like they had a SWAT team to help 'em. If you, if you're, if you don't have that, do you recommend that maybe people get like reciprocal agreements with other IT companies? So when one person needs it, they can get access to, to more brains, hands, fingers.
I think the only way we're gonna deal with this, uh, problem is through communities, through communities like this, through starting out small and being able to see how do you formalize this on somebody, figure this out. 'cause we can't do it on our own. We can't, I I can tell you right now, and I hate to say it, there's probably a bunch of people on this call right now going, should I, should I sell my business today? This sounds hopeless, and I don't think it's hopeless.
I think there's a lot of things that we can be doing. There's a lot of CISA from the federal government side has so much great information, but they do a terrible job of marketing it. You have to find, you have to find that information, but develop your peers belong to organizations like this. Stay with other like-minded individuals because as a community is the only way we're gonna stay safe. Yeah, a absolutely. And uh, like Robert says, when you attack one of us, you attack all of us.
And that's the truth, man. It it, it affects everybody. And everyone thinks that, well, like you said, uh, you know, we're small, we're not gonna be targeted. You might not be targeted, you might just be caught in the spray right. Of, of what's happening. So it, it can happen to anyone. Um, how do you define, uh, a crisis versus an incident?
Well, every day we're dealing with hundreds and hundreds of incidents that we're able to stay in control over, you know, so when, when you have an incident and you can control the narrative, that's an incident to me. You know, okay, you lose money, you want to tell someone about it is there's no obligation to it. A crisis is something that's beyond your control and it's something that you're gonna have to react with and you're gonna have to deal with.
And you can't really sweep it under the table when you get ransomware and your network is gone. That's a crisis when your data, when the FBI shows up at your door because all of a sudden your Salesforce has been dumped on, uh, on the dark web. And I'd love to ask that question. I mean, I see this all the time. You know, this is what is causing a lot of crises today.
We have organizations that have cloud-based platforms such as Constant Contact, Salesforce, your payroll, uh, your HR accounts that are compromised, taken over by threat actors dumped on the dark web, it shows up and somebody finds it. Now that's a crisis. They call you and you're like, and I've seen this happen all the time. And it's like the, it's out outside of the scope of traditional IT for my for, and that's what's attacking small businesses right now.
So for my MSPs out there, are we educating our clients on what's causing crises in small businesses? Or are we solely focused on keeping ourself safe? Because, and before we can go out and we can inspire others, we gotta find our own voice. Is everyone here and they don't need to answer in the chat? The chat will be completely dead.
Now, are you 100% sure in your MSP that there are no cloud-based platforms that hold client information that are being run by different departments that you have no idea about? It's, it's, it's such a great, Gary, can I just say something? Yeah, Go ahead man. It's interesting. It's really interesting.
Um, in talking to, this is a great one, Jim Lippy, you know, at SaaS Alert, they're, they have this product, Scott, I know you're not, you know, about, about pitching products, but it's really interesting because it basically can look at cloud shadow IT, and they'll like run the, this platform, this like assessment. They'll go, Hey, by the way, do you know so and so's running this and has an account over here? And they're like, you had no idea.
Or even using something as simple as what Evernote or just something, or even using Trello and having one of these things, or even storing things like on Dropbox. This is, this is a problem that when I went out and I did a conference with a hundred, um, CISOs of large organizations, I brought that up and man, you could have heard a pin drop. Mm-Hmm. Because everyone's trying to keep track of their own stuff in their own domain.
And I'm like, look, at the end of the day when your Constant Contact is popped and now they send an email out to all your people to get them to click on something that causes the distribution of ransomware, nobody's coming after the marketing person for that. Okay, Well, it's funny, um, and I'll just say this and get back to you, Gary Slagel's on here.
I, um, he had, you know, I know he got a, a customer as a result, like a small business that came to him prior because just that reason, Scott, they got compromised. And of course, you know, Jason runs a great shop and they, they taught him the right way, but it's just really interesting. Anyway, Derek, back to you. Well, I mean, I just on that topic, here's something interesting. We keep a tools matrix now for our, um, uh, for our peer members. So on average, the MSPs have 30 tools.
This is just the MSP and I don't know, we could probably go through 'em and determine how many of those have an agent. Um, how many agents do you have on all, all your customers, Andrew? Like this, Right? Right. In fact, we're gonna do a special project, uh, around, around tools, what, why we have 'em, what we're using them for, and then, you know, what the attack surface is, uh, on them because we tend to just buy 'em. You know, these are MSPs that have 15 employees and 30 tools.
They're, they're, it's, it's like when you have your third kid, right? You can't play one-on-one, uh, defense anymore. You have to go to a zone. So they're playing, they're playing zone defense. Yeah. Well, it's interesting. I know Jason knows this well, he's, he's, I think he's at IG two, so like all he is commenting now about tool matrix. So I know he did this, and I remember Phyllis, you and I were on with Jason about the complexity.
You know, even a well run MSP has when they have this many tools of, of, in, of inventory. Um, so it's, it's a real thing. Um, yeah, it's, it's definitely a real thing. So listen, we're getting up top of the hour. Um, first off, Scott, this was awesome, man. Really, really good. Yeah, it really was. So, uh, thank you so much. But maybe to close out this story, we've been weaving in and out talking about like how there's a small MSP and we kind of started with this, and I want to finish with it.
How do they deal with control issues? This happens now and there's insurance breach counsel, IR, law enforcement, regulator, like, and, and I'm a 10 man MSP, I've never been through this before, and there's all of these different parties. How do you maintain control? Or do you, or do you cease it or do you Yeah. Or do you, Unfortunately, every single one of these things takes a life of its own. You know, luckily I was retired, uh, two years ago in Nashville.
We had a bombing on Christmas morning. Okay, yeah. When usually 65% of the office is out when only 35% is in. And here you have eight o'clock in the morning on Christmas, uh, morning. You have people all over the state and they're trying to get in. And I, it, it's really coming back to what is the plan? But, you know, you never take into account that all these things, what, what is gonna go wrong could potentially go wrong.
And the more you understand that going into it, so when you get hit with the crisis and you're overwhelmed, that's normal. How much can you roll through it? How flexible are you? If you are a complete control freak, you are going to fail because yeah, you'll learn right away. There is no control on these situations. You can try to maneuver it, you can, but at least doing things like this, and this is why this was such a great thing because, you know, we're all talking about it.
We're kind of sharing these things. So I don't want anyone here going, wow, I'm not prepared. The fact that you're here, the fact that you're communicating with this great group over here from my point of view, is just awesome. Yeah. You're more prepared than you were an hour ago. Absolutely. So that's, that's what you should come away with. And I, I know what's funny is I actually give pause like before Thanksgiving or before Christmas.
Now I always give pause and think about both from a cyber and as you said, from a, you know, kind of a terror standpoint. I, I, I, I, I always think for a minute because it is a time where adversaries know that people are not prepared. Yeah. Yeah. So, hey, this was, I'll, I'll, I'll hand it back to you, Andrew, but, um, really, really good hour. Psyched. Oh, Well, thanks Gary. I, I, I, I, I think it was all of you. Right.
Especially, and Scott, thank you for making it so, uh, not only entertaining, but really informative. It was really, really well Done. And now I gotta go on stage and do a whole presentation. I'm exhausted. Andrew, you're gonna get a bill for this. Okay. That is absolutely fair, Scott. Um, thank you for coming on, Scott. It's awesome to see you. So great working with everyone. Yeah, absolutely. Um, Wes, Phyllis, Gary, and, and let's go people.
Um, we look forward to seeing you all, um, next week and we'll do it again. This is gonna be a tough one to follow up, Scott. Really appreciate it. Thanks everybody. Take care. Thanks everyone. Alright, thanks guys. Take care, Phyllis. You too. All the best, Scott.