May 17th, 2021 – Steps for MSPs to handling IR
In this video, Gary Pica and Wes Spencer discuss the critical importance of having incident response plans and cyber insurance for MSP clients, emphasizing that it's not a matter of if but when a cyber incident will occur. They dive into the roles and communication strategies necessary during an incident, highlighting the need for clearly defined responsibilities and effective communication channels. The conversation also touches on the importance of vendor due diligence and the pitfalls of focusing too heavily on tools rather than processes and people.<ul><li>The webinar emphasizes the importance of having a clear incident response plan and understanding roles and responsibilities before an incident occurs.</li><li>The discussion highlights the need for MSPs to have conversations with their clients about cyber insurance and incident response plans, which are crucial for managing cyber threats effectively.</li><li>The conversation stresses the balance between technology and process, emphasizing that tools alone are not sufficient without the proper processes and people in place.</li></ul>
Guests
Video Transcript
Man, sorry. Alright, everybody, week 50. Uh, welcome everyone. So good to have everybody with us joined, uh, with co-host Gary Pika and Wes Spencer. How you guys doing? Awesome. Hey, We're having some fun in the green room. It's gonna be a good one, right? We're, we're cracking each other. One of these days. We should invite everyone into the green room. How cool would that be if We could, we shouldn't do that. That'd be an after hours kind of thing.
Yeah, I mean, Wes, I'm literally thinking this is a, um, a bourbon Monday, uh, the way it's starting off. Wait, Before you introduce Chris, we, Wes, can I just say, you know, first I got your glasses and now look, Look at you, man. Yes. I should have got a Amazon affiliates code from that, though. I don't have glasses. Wes. Ah, Three snowballs. Lair. We go, Mine's in the other room today. Oh, You failed. I know.
So, Chris Lair, for those of you out there, for those that don't know you, and I'm sure most do, quick intro and then we'll get onto some, uh, some announcements and get right on into it. Yeah. Chris Lair with, uh, solid security, C-T-O-E-V-P, whatever they wanna call me this week.
I, uh, do a bunch of different things, but I spend the majority of my life dealing with incident response situations, primarily focused on ransomware events for mainly small to medium sized organizations and, uh, throughout North America. So we, I see all the, the damage done on, on a daily basis to companies of various sizes, makeups, verticals, industries, whatever you wanna call it on number 50, Broadcasting live from Colonial Pipeline. I'm, I'm outside.
I hear in Houston, Texas, just for you guys, right? Here's live. I'm live, you tell, very quiet. I don't Wanna say anything because it could be coincidence, but I've never seen Chris and Dark Side in the same room at the same time. Might be something there. I'm their, I'm their professional coach. You just didn't know it. All right, we'll get on into it here. A few, few quick announcements, folks.
So, number one, um, uh, in the call to action, um, this isn't up yet on Spotify or Apple, but, um, you have first access and we'd love to hear your comments. You can email them to Andrew at the cyber nation, wes@dictator.com, um, or wherever.gov. It'll be.gov soon. Gov.
But, um, so this is, we are, you know, we talked about doing a cyber, uh, I'm sorry, a podcast, a Hy Short podcast around how security controls map, the frameworks, regulations, policy, what are the attacks, how do you defend and what are the trends? And we have Phyllis Lee, uh, from CIS who's the guru on controls, Wes on regulation, Brian Blakely on policy and Ryan Weeks. Um, really getting into the nitty gritty of the actual tactical, you know, attacks and defenses and the control itself.
All of 'em, you know, not that doesn't mean they're, it's, that's all they're doing. But Wes might play one role one day, one the other. But we wanted to get out the first one to you. It's, it's on multifactor authentication. Love your feedback. Um, just so you know, because it's the first, there's a little bit of intro who the people are. Um, and then the main meat of its 20 minutes. And then, um, we leave the sponsorships to the end. So CIS is always a sponsor.
They're not, there's, you know, no financial sponsorship. They're just awesome. So they're, they're talking about CSAT Pro and what they're doing, and then Cisco is the sponsor for this one because it's multifactor authentication. So, again, love your thoughts and we just wanted to say we committed to doing this, and we're gonna start rolling out the controls and frameworks one after the next. So we're gonna start to get on a cadence of a weekly type thing.
Um, next announcement, we are going to do a threat modeling workshop. Wes, just high level you want to give everybody, this was really, really, yeah, it's gonna be awesome. Yeah, it is gonna be awesome. Uh, so we, we just got off a planning session myself, Andrew, Gary, um, just to pitch a few things on it. Um, so we, we've got a few guests that'll be joining us. We've got Forest Carver from Mitre who'll probably broadcasting from whatever lake of choice in Switzerland.
Uh, like he was last time. I was so jealous. Uh, then we've also got some folks from Red Canary, uh, which probably many of you on today may not even heard Red Canary. They're typically on the enterprise space. Um, and then of course, joined, uh, as well by, uh, my friend and colleague Ryan Weeks. Um, and it's gonna be a lot of fun. We're gonna really dive into what threat modeling is.
We're gonna look at kind of some case scenarios of like looking, going over to Mitre and, and picking some threat actors and kinda using that to model of like, how do we use this intelligently to build like what Mitre calls the threat and form defense. You know, so like, here's an example of this, Andrew, I hear way too often at conferences, um, like IT Nation Secure, which is coming up and you guys should go by the way, 'cause I'm gonna be there in person. It's gonna be awesome.
So I wanna see you guys there. But like, things like, you know, Hey, you know, I'm secure, I'm scared about ransomware. What are you doing? And the, the typical responses are, well, I, I got, you know, vendor X for EDR and vendor Y for sim and vendor C for firewall. And it's like, none of that means anything. Like those are just vendors we're spouting off. Or even we'd throw technologies in general at, at the wall and be like, well, I I think it counters that.
Well, that's not how this works, right? The, the real question is, who's the bad guy? Uh, who's the threat actor? How do they operate? Uh, what tactics do we know that they use? What entry points that's a threat and form defense where we model based upon that we understand who the adversary is so we can build an intelligent defense against it. So that's what we're gonna be talking about. So it's gonna be very, very, very Educational. I think you guys are gonna really, really love it.
Listen, and this idea, like this came up, um, when we had Forest on, right? The original idea, like if you can figure out how to put a process in place on a regular basis to be able to learn from common threats and about certain actors that are happening, one, not only do you build, you know, a better defense, but two, what we're gonna talk about with Chris today, you're also much better prepared, um, uh right. A boom.
And so I, I, I just think it's awesome and, uh, I would rather learn this way than how most people learn. They get much better at security, uh, after they or one of their customers, um, you know, uh, gets hacked. Yeah, very true.
So, Gary, just a quick, uh, the other announcement, talk to us about where we are, uh, with the new portal coming, the security, It's getting finished up, uh, the final pieces of it, it's almost done this week, and we'll be, uh, offering people on this call next week to be able to come in and, and be able to view it for free. Excellent. So I'll put a quick, yeah, awesome. I can't, I can't wait to see it. Gary. Um, your, your portal is awesome as it is. I'm putting a quick poll up. Love it.
If you guys could respond, um, it's always much more useful if we have, you know, quantifiable the more data that we can talk to everybody about. Um, uh, so, um, put up a poll question figure. We could just take a moment, Chris, because of the colonial pipeline, it really spurred Biden to shoot out an executive order. Wes, I know you guys are gonna do something on this. I saw that you guys are gonna do a webinar.
Um, I, I did a little thing with Ryan Weeks on this, but 15 times service providers are called out in this executive order. Just if we could just take a few minutes talking amongst ourselves, I'd like each person's perspective, and then from the audience, give us your thoughts on this.
Because again, the fact that, you know, I thought the, the irony if, uh, if you will, that Phyllis Lee comes on right before the Colonial Pipeline incidents released, comes on and talks about how they've added service providers to the CIS controls. Um, and then boom, this, this comes out. So Chris, your take, uh, live from the Colonial Pipeline headquarters. Yeah, live right here. I gotta be quiet and it could be snipers looking to take me out anytime if I say the wrong thing.
But here's kind of what I say on this is, I mean, the warning, I mean, we've been talking about warning shots forever, and this also goes back to, we'd talked about again about that ransomware task force that was created that Ryan's on, and a number of others are on some colleagues of mine and such. And, uh, I think that, you know, it's finally coming together.
I I, it's somewhat of a shame that it takes something like the colonial pipeline incident that happened before it really starts triggering some, some real momentum, uh, in my opinion. I mean, there's been, um, uh, far more, uh, organizations disrupted. I mean, I know people were waiting in line for gas and all that kind of fuel, and that's not cool. But, uh, we all know that there's been tons of other victims and, and way more money over the last three years than anybody wants to think.
So it's, it's a long time coming, uh, what that executive order does and how much meat it has in it. And if anything happens, you know, it's still to be to, we kinda have to wait and see. It's kind of like this, uh, we've talked about the OFAC sanctions and stuff in the past as well. I mean, the warnings have been done, but have we seen anybody actually, you know, penalized or punished as a result of doing something they shouldn't do yet? No.
So it's kind of the proof is in the pudding, but that's where, that's what I'll say at this point. Sure. Gary, you're, uh, I know you don't have much say, well, I'm laughing because, because, you know, if you're asking whether after all this time an executive order, and we know executive orders are awesome, they get a lot done, right? That, that was drafted in, in a couple days is gonna, you know, have an impact.
The only thing it can do, it's really just to build a, it'll do nothing except build awareness. If it builds some awareness, um, then, you know, then something was accomplished. But this is tricky and I want to wes hear this on one side of it. You know, the government can't solve this, right? You know, but the government has to have some role in it. And finding that balance I, I think is hard. I would love to hear, hear what Wes thinks about that. Well, Here's what I think about this.
So a lot of things, um, so first of all, uh, I'm gonna post a link in chat. Uh, when I was reading this xo, I, I couldn't help but think that it seemed familiar. I don't know if any of you guys remember what I just posted here in chat. This is from the Obama White House, and they did something very similar way back in 2013, a decade ago. So think about this. Um, the language is very similar. In fact, this is what really drove ISAC sharing, um, this, this, uh, original Obama executive order.
Uh, we're gonna do more, we're gonna share more, we're gonna collaborate more, and we're gonna define legislation that allows us to do so. Inter CSA 2015, uh, CSA Act, not the, not the government group, right? So don't you love acronyms? Anyway, my point is I'm reading this modern one from President Biden, and I'm like, I swear I've read this stuff before. Go back and, and I'm like, oh, yeah, there it is. So there's a lot of stuff that's in all of this.
And welcome to the, the motions and Movement of federal government, right? So one of the problems that we have that we have to just discuss is this. Um, I don't worry about a Russian tank driving on my front lawn. Don't worry about it, right? I don't worry about, you know, going, you know, out on the beach and seeing a Chinese, you know, uh, whatever big battle boat submarine come up and, you know, steal me away. I don't worry about that.
The domains of warfare, the typical domains of warfare, a RC space now, thank you President Trump. Uh, and, uh, the others are not freeing land, whatever. Those are protected by our military. Yet cyber, which is a defined, uh, field of war, um, it's every man for himself. And that's a shame.
So we have to start there with that presumption of like, anytime I read something from the federal government, and I can just say this as like a tax paying civilian, federal government can say anything they want, uh, but until they start doing more, and I'll just say that like publicly, until they start doing more than they're currently doing now to protect us on the cyberspace, we we're, it, it, it, it's, um, it's gonna be a challenge for us. I'll just leave it that way.
And there's this balance, right? Like, you know, uh, do we just want them to control the entire internet? Um, no. Uh, this thing has become commercialized for a reason. So what's the balance? How do we handle this? How do we expect them to do more? Um, and it, it's a challenge, right? We could bring on, I know some FBI folks.
In fact, I think it would be a lot of fun to bring onto the cyber call and just have them talk about the challenges they have in threat actor profiling and going after these bad guys and how difficult it really is. So I say all of that to say long windedly.
Um, when you look at this executive order today, a lot of it is, you know, with 180 days, 365 days, this, you know, government group is going to define X, Y, z and process that you're gonna see this, you know, group define the future for legislation. You know, it's, it's setting the framework for the future, but it, we've done this, this is just repeated from 2013. So will it really move the needle? I think largely, no.
Um, but hopefully it does bring out some things, and it certainly does have some new flares. And as we're gonna mention in a minute, like, uh, uh, relationships to like service providers, they're now heavily mentioned inside of it. So there are some modern twists to all of this. But, you know, do I expect this thing to move the needle? And all of a sudden, you know, ransomware go, you know, vastly reduces and threat actors are thrown in jail left and right, of course not.
Uh, Chris, what do you think? Yeah, I think the same thing. I think it's, um, you know, I don't know if this, I was thinking about this while you were talking and other people were putting in the chat. I didn't know if this had, does, does this give a attorneys more ammunition to sue you by meaning that there's not a law necessarily, but they can reference the executive order. They can say, Hey, look, this was sent out, everybody should read it, so now you should really know better Mr.
MSP, and now they have more of a case against you. I mean, I'm thinking that angle might be a a, a pretty good one, but in the end, you're right. I mean, the more, 'cause I deal with this all the time, and I really do see this as war in, in, in a way. I mean, the colonial pipeline deal, I, I saw it as nothing else. Now I think that the fact that, you know, everybody was directly going to the Russian government that was behind this, I think that was, um, a bit aggressive.
Uh, the fact that we do know that they probably have a blind eye or they're protected or whatever. Yeah, that's probably true over there. But, but my point is, is this, the damage that's inflicted by these attacks, and especially the amount of money that is being pumped out of this country into, into Russia directly or indirectly, is ridiculous.
And, and when we, we talk about trade wars with China and all this kind of good stuff, and that's all valid, but why, I mean, Russia's probably sitting back going, well, we don't need to necessarily have a trade war because we're gaining the effects of all this money being pumped out of the US and other western countries into Russia. So, um, yeah, the executive award's a step, but it's still not drastic enough in my opinion.
I don't know what is, and, uh, you're right, Gary, the government cannot solve this. Yeah, I mean, we've been talking to MSPs for a long time. I mean, we've been saying that, you know, on the bank side of things, I relate right on the bank side, there was a number of us in the banking world that were doing the things from a regulatory perspective. And then there were the smaller community banks that were complaining that the F-F-I-E-C was not being descriptive enough in the controls.
And those of us that were doing things look, said, we don't want you to be that prescriptive. We wanna be able to manage our own risk and make our own decisions. So we wanna do the right things, but we don't want you to be prescriptive. And the community banks were just beaten the hell, uh, and just screaming in pain over that stuff. And guess what happens then? It gets super prescriptive.
And all of us that have been doing, managing our arrest the right way, now have to follow these very specific, you know, descriptions and have a bunch of examiners and auditors telling you what to do that don't live the life that we do. And I feel the same way about this. If, if we just continue to let the government and think that the government can solve that problem, they're not gonna solve it in a way that's, that's, that's good for anybody.
And so the MSPs need to stand up and figure this, figure this stuff out and actually solve this problem. Quick, quick, just real quick, Gary, close us off, but this is a thought I had just because Phyllis has mentioned, you know, the state of Nevada or this state or that state. I'm not saying that this executive order in any way, shape or form is gonna solve anything.
What I am saying is, could you see this Gary, where it's like, okay, the federal government says this, the states are starting to adopt C-I-S-C-I-S has service provider management, and therefore things like Louisiana, we're already seeing if you do, if you're an MSP working with a state agency, you have to do this, this, and this. Could you see it that way?
Or around the CMMC type things that affecting the MSPs, looking at it from, I don't know how it can, it's just only a matter of time, right? Because the current, you know, approach, uh, completely non-regulated right now isn't really, you know, getting the results. The problem with it is, Andrew, it misses so much like every time regulation comes in, there are so many unintended consequences. Um, and we've seen it right in every other industry that's become regulated.
And it might ultimately say, well, that's the price to pay, uh, for it. We could say that, but, um, we're, we're gonna, and we don't know what those unintended consequences are, but I, I don't know how it doesn't end up somewhere like that, um, with eventually some type of a national Framework. Yeah. Very cool. Alright, so, um, oh, one last thing and we'll get on into it. The, I saw some people talking about the Verizon data breach report is out.
Um, good news, uh, don't hold me to the date, but one of the main authors has agreed to come on the cyber call. So we'll be working on that. Ideally, I found out that, um, the 52 weeks of the cyber call actually falls on Memorial Day. So, but I'm hoping to do it at our quote unquote one year. So that would be really cool if we could pull that one off.
Alright, so I wanted to have Chris back because, um, again, Gary West, we've talked, you know, and, and we've done tabletops incident response, right? We've pulled the audiences about how much MSPs know or don't know about cyber, their clients having cyber insurance. But we really haven't gotten tactical and prescriptive in the sense of, number one, our MSPs in essence going back and having the conversation with their customers about, and we've talked about this.
Number one, it's not if, but when, who's responsible for what, right? So I'm just setting the stage here for everybody. You're talking About having a shared risk relationship, uh, with with every one of your customers. Yeah. And, and, and the thing that Eric brought up on, on the show, by the way, he's got a complex 'cause every time he's on, you're, you're not on the show, Gary, uh, but Eric, um, tills, the, the attorney is saying, look, you guys gotta look at your MSAs.
When's the last time you looked at one? Because in the event that happens, and Chris, you probably see this, you know, when the attorneys get involved, who's responsible for what, right? And, and, and you don't want to be going back after the fact.
And so what I really wanted to do today, Chris, in, and, and kind of the first thing to you as I set the stage and kind of hand it over to, to Gary shortly, but if you could give us a high level on, you know, what things that MSPs have to be thinking, you know, in the event of an incident. 'cause it it starts way before the incident happens if we're gonna come out the other side with a good relationship with a, or at least they holding onto that client. So it's pre during post.
Is that, can you maybe just give a high level for that, Chris? Yeah, I think preparation is so important. I mean, you gotta know, you know, obviously the technical steps, but with your, with your clients and they need to be aware of like who is playing what they really need to understand that they are part of the process, that not all the decisions are gonna fall in your lap as an MSP, because I don't think that's the right way to go at all.
Um, but I also think, you know, kind of the mental and emotional side of things they're doing. I mean, when Wes and I have done our tabletop exercises in person in the past, uh, is is easier to kind of convey that emotional aspect of things. And, and I think that really is where it comes out.
I mean, I talk about it when we do instant response tabletop exercises about, you know, you may have somebody that's in charge of the organization, uh, and you know, during all other times they're perfectly fit for that role, but in an instant situation, they may not be the best fit for that. Meaning they're too emotional. They, they're maybe, uh, what we call, sometimes they get on calls in their diarrhea of the mouth and they may say too much to a customer or something of that nature.
And we see that a lot. So I think having those conversations and they need to be con, and Andrea and I were talking about this earlier before the call, I think those conversations need to be outside of cross-selling or upselling. I think those conversations don't need to be, I guess, what would you call it, blemished by that or filtered by that. I think you just need to sit down, you know, org to org and say, Hey look, here's these situations.
We need to really, really put our both of ourselves in this situation and figure out who's gonna play what role. Everybody understands their responsibilities and understanding if somebody gets out of check emotionally, we have a, we have a plan to deal with that at that time. You know, C Chris, and this is gonna lead, oh, I'm sorry, Andrew, I was gonna ask a question, but I was gonna make a statement.
I, no, I think Gary, in interest of time, we took a little longer, let me let you take it over because the thing that, if I could just say this, Gary is on the calls, you've often talked about, you know, when we talk about a new tool or technology or process, you're like, okay, great, what's the role? What's the process? Et cetera. Yeah.
And, and I, and I think more than ever in this like role and pro, like who's responsible for what, man, this, this could not be more critical right now in, in having these conversations. So why don't you take it over from here, go Yeah. And think about all these things that we're saying, you know, besides the technology. Um, we, I'm gonna ask Chris some questions about roles. Um, they're, they're roles.
We, we talk about, uh, threat modeling is something you should be doing and tabletops is something, all of this takes time from your team. And I saw someone put a comment in here, Hey, maybe all of this can't just be a cost per seat. Like there's a cost per customer and I'm with you on that. To me, it means there has to be your, um, your minimum has, is gonna have to be set higher to making sure you can deliver it to every customer.
And so, um, one thing I'll say, Chris, before I get to my question is that I think you can combine it in some ways with certain type of cross, cross-sell or upsell. You can have these conversations about shared risk. You can have these conversations about, Hey, let me just tell you from a high level what we're doing differently compared to a year ago and why and, and what you need to do differently from a year ago and why.
And part of that is it's been a big investment on our part and here's what that's gonna look like. Here's what it looks like, you know, for you. So I think you can actually leverage it. I, I wouldn't be making product recommendations. I wouldn't be making, uh, you know, specific technical.
I think you're right on that, but using it as an opportunity of, of why, you know, you know, and, and I look in our, listen, the first thing I do when I see the numbers come in for our peer groups for the quarter, I look in, we have a line of how much MRR is growing to the current base. And if I see companies where it has not gone up over the past six months, I'm calling 'em out because I know they're not having those conversations. You have to be having those conversations. So, Gary, Go ahead.
Can you at some point, but could you also maybe, 'cause you're a big believer in looking at the metric of NRR non-recurring. Yeah. MRR if, if you have time, could you possibly talk about should this potentially be something that is looked at potentially more like an NRR if we can't Yes. If the end customers sitting there going, but wait a minute, we were 1 65 last year, now we're at 1 95 or two 20 or so. Go ahead. Yeah, yeah. If we get to the end and we have time, I'll address that.
But I wanna get to this, um, I, I wanna get Chris's opinion about roles. Okay. So when you're dealing with MSPs, how do they deal with this? Like you said, what they're trying to avoid the wrong people with the wrong background and training doing the wrong thing. Um, but like how, like how do you see this actually, you know, playing out in terms of, um, you know, how they get coverage on these roles and how they deal with it in real life? Right. I mean, it's a good question.
I mean, so I think the, I'll start from, like, the mistakes we see is we usually see a senior technical lead take the lead role in an incident response. And that person's very technically gifted, but they just, their mind is completely focused on one thing is recovery. I mean, I was, I was involved in a call last week and it was me having to convince the guy to stop what he was doing to preserve data.
And uh, you know, and if it was one of those things where I was in person, I would probably have to have my hands around the guy's neck just to get the message across. It was a very frustrating conversation. And the guy was a very smart individual, very technically gifted, but he was just all about, we gotta get this system up.
And, and that could be part of the motivation could be technically driven and part of the motivation could be, Hey, I as an MSP, uh, look better if I can get this recovered more quickly, right? The, the less the downtime, the less egg on my face. Uh, but, but, so you have to think about the best roles and the best decision makers in these particular situations.
You know, I, I've talked about, um, when I was at, well, I, I used to work, you know, at a bank one time we had a, we, uh, where, uh, we had an incident where somebody found some checks that were supposed to be shredded in a dump. So there was a guy actually looking for a pair of shoes for himself in the dump, came across a garbage bag that had a hole in it and found some checks. Well, the, the, the issue was, was those checks were supposed to be destroyed by a third party.
Those checks were not destroyed by a third party because what they had done is they had put some, uh, they put some incentives in place so that their employees, the more checks they destroyed, the more bonus money they got. Well, instead of destroying the checks, they just piled 'em all in the bags and then weighed 'em and said, look, I destroyed X amount of pounds of checks today, didn't fill 'em out in the dump. So there was no process involved. And so they were motivated to do it that way.
And then on the bank side of things, uh, behind the scenes, I knew the media and I had handled this situation with the media. It was gonna hit the news, but it was gonna be the last story of the day. Then someone else got involved and tried to play where we're the, we're the big bad bank and, and this is what we say. Well, guess what? It went from the last story to the lead story in about five minutes. And so that's that.
My point about this is, there's two kind of morals that story number one is when you're dealing with an instant response situation, you need somebody that can take a deep breath and that can make decisions on both sides on the MSP side and the client side. So you need people that can kind of reason with these situations and not do knee jerk. And then the second thing is, is you gotta really understand around the motivators around an incident response situation.
And indeed, we do need to get the company back up and running or the organization back up and running.
But there's so many other issues in today's world with exfiltration that is, is maybe even more vitally important that if you do go and you, you feel like you can raise the victory flag of getting a company up, but then the next thing you know, all their data's been stolen and leaked on the dark web, you, it, it just is, it's a terrible situation, especially with the threat of class action lawsuits and everything else that's going on.
So that, that's kind of my point on this, is really to think about the personalities that are involved. First and foremost, assign those roles, make sure they're un those people are understanding those roles. The second thing is, is to make sure there are backups for those roles. So if somebody's out of pocket on vacation, whatever, we find that happen a lot these days.
And then, and then going from there, then you can kind of step through the steps and sometimes those steps can be, um, basically modified or created in a way that fits those people in their roles. Yeah, it's not a help desk incident where whoever happened to take the call is the one who's communicating with the client. This is not that Exactly. Right. I, I see Wes, you were chomping on the bit over there. You're, uh, you, you're muted. There we go. I, I thought of something muted. Yes.
I thought of something Chris, and I want to get your, your input on this. When you initially were saying that we tend to jump, especially technical people, right into like recovery, because we're IT people, I almost wonder if we security people and we who build, not we me, but those who build frameworks are somewhat to blame for this. And here's what I mean by this. So I'm looking at NIST guidance right now, and I'm looking at their, um, NIST 800, is it 61? I think I'd go back up. Yeah.
61 in incident response. And when you look at the guidance itself and you kind of look at the phases that they put forth, it's interesting to me because they sort of go into these phases of like, obviously detect you, you can't begin something unless you've detected something. Um, but then the next phase is this group of containment, eradication and recovery. And I can't help but thinking if I'm an IT guy or even a security guy, and I say, okay, we've confidently contained this thing.
We've confidently eradicated this thing, ta-da, now we get to go to recovery. But we, we, my my point is this, it doesn't seem like the frameworks themselves do a good job of covering that. There's a piece in between that it's almost like we should shift recovery to another new phase and make it containment eradication, and then some kind of like regulatory compliance, like forensics type of terminology there to make sure that we've done the right things before we move to recovery.
And it seems like that's a gap that's missing. Do you, do you see the same thing? Yeah, I, I see the same thing. I never really thought of it that way, Wes. I mean, even take eradication as an example. I don't know how many times we've gotten involved with saying, Hey, did you grab the, the actual executable for ransomware? No, that we deleted it or we, you know, the antivirus that quarantined it, but we deleted and it was gone.
Well, that ransomware executable can be so important, especially if we could take it in a sandbox environment, execute, I mean, I know, I know Wes, we've been involved in situations with you and your team has asked for that just to be able to use it for research purposes and stuff. Yeah. And I will tell you, and I, and, and this Colonial pipeline thing and, and all this other stuff with the OFAC sanctions comes up is I am starting to see a trend and it's very early.
So, uh, take it as it is, is I think we're gonna start to see ransomware groups, and you heard it here first, we're gonna start to see ransomware groups become more anonymous and not as boastful about labeling themselves or identifying themselves. I'm already seeing it now we're seeing some variants come out where they're, we can't tell what they are. There's no labeling.
The ransom note doesn't have that fancy signature line LA West, like we've seen the reval or, or anybody or Doppel payment or anything else on that. And when we go to the actual sites themselves, we're actually seeing that there's really no fancy colors, no icons, none of that stuff either. And so, um, more and more around this, this, this investigation aspect, this forensic aspect really needs to be well thought out.
Because if we don't, if we can't grab those things, we are really in the dark and it puts us, puts us behind the eight ball when we're dealing with these types of situations. Chris, Do you, do you think if dark side could go back, they regret Colonial Pipeline, right? Well, I think Dark Side ends up doing like these other guys have done. And I think, uh, Doppel Pam has done the same. It's just rebrand themselves. Yeah, I think what we saw gang crab and re do. So yes, I think they do.
I think there's a lot of, we saw, I don't know if everybody saw that Revo had come out as soon as Darkside made their public statement. Revo had come out and said they were redoing their guidelines for which types of organizations could be hacked and which ones could not. So I think it did serve some ripple effect and maybe changed a little bit of the lines of engagement.
So yeah, from that aspect, I think they're sorry, but I'll tell you what I'm disappointed in is I'm disappointed that that payment was made at all. I mean, if it is $5 million, what they said this was, I really thought dark side was just gonna say, Hey look, you know, this wasn't the idea. $0, here you go and, and go off into the sunset. But the fact that they still got money out of it kind of p****s me off more than anything. Yeah. Hey, and, and I did want to be fair.
This, this is kind of what I'm, I'm I was talking about earlier. I wanted to show this on screen is, so this is actually from, uh, 61. And you see, this is what I'm talking about. It's not that it, it's omitted like if I were talking to those who write this thing, you see step four right here. And by the way, I wanna know yes or no from chat. You guys listening today. Y give me a yes or no. Does your organization incorporate exactly what you see here? It may be more than this.
It may be in a different like structure set. But do you have defined incident response that includes a checklist in your playbooks of any kind that include these things specifically? Gimme a yes or a no. I, I'm just very curious. No. Now, while I'm saying that this is my point right here. If I had feedback to those that write 62, I would say, you know, look, containment eradication, discovery is really good. But notice step four has nothing to do with that. And yet it's in containment.
In fact, containment picks up at step five. So personally, I would love to have like this middle phase add a new one that's called acquire preserve, secure document. Find a way to to say that in one line, um, did the yes or yessing a lot of nos coming back. And, and that's okay. And even some ID ks right? Chris, does that surprise you? No, it doesn't, it doesn't surprise me at all.
Um, 'cause I still, it's, it's very rare that we, uh, see people that, um, aren't in some kind of situation where they weren't prepared for from an Ms P perspective. You know, that kind of leads to the next que I want to ask you, Chris, interesting.
Like when you're involved with an MSP and they have to, let's say, communicate with the client, how many times, like what percentage of the time do you know that this is the first time they're having that conversation about what to expect and what's gonna happen and what they need to do so the client understands it? In other words, you can tell, right, if this is the first time they're having a conversation or have they already had that conversation prior to this and so it's a little easier.
Does that make sense? Yeah. And, and well off the bat you can, you can tell that they don't, they haven't had that conversation and they're, they're kind of spinning their wheels to, to a certain extent. Uh, so, and, and in many cases we know that that's the case. And, and a lot of times MSPs they'll admit that. They'll say, Hey, this is the first time we've dealt with it.
But I will tell you, most of the time what we see them though is the MSPs will come out and they have dealt with this situation, but maybe not formally or like with insurance or an IR firm involved. And so they've just kind of done their own thing and they've, they've been successful at that, whether those steps were the, the right thing or whatever.
And so they'll say, Hey, look, you know, we've had other clients with ransomware events and we've restored from them and, and, and been fine, but we've never encountered something to this degree or with exfiltration or had to deal with insurance or something of that nature. So I I, that's what I think. I think a lot of times the planning has been somewhat in a vacuum that the MSP and their client is the only parties involved.
They haven't expanded that planning or that thought around having the other, you know, legal IR and, and PR and whomever else involved. You know, I have a dream that on that, on a future cyber call, we're gonna again ask the question, how many of you have talked to every one of your customers, uh, about their cyber insurance? And a hundred percent of people are gonna say, yes, Gary. We'll, and That's it. Wes, at that point, Wes, we're done.
You and I just right off into the sunset, our work is done. Gary, to, to that point, I'd love it if people could, again, I, I said, oh, the poll was up early on and I forgot I, it was hidden, but I put it up. Um, I'd love it if you guys could, could res could respond, because I think it's really critical data. Gary, we're getting, you know, right now we're at 87 regarding, you know, percent of client, uh, of MSPs who know if their clients have an incident response plan.
Um, and we're at, you know, 88%, zero to 25%. Yeah. So, So I see this as again, not as a yes, it's not great, but the point is you can use it really as if you can get some command over this piece. And Chris and I are, and, and we're gonna be doing some more things on tabletops and, and IR plans. But I, I see this as a great opportunity for, for the MSPs out there to number one, to differentiate yourself. Like who's having a conversation on, yeah. Hey, let me tell you the worst thing.
You know, that, and again, Gary, you always say, it's my fault if I'm not having this right. This is my issue. Mm-Hmm. As the go. Yeah. And, and listen, the one I working with people that are, that are pretty far down the line with this, and they're able to create such a wedge, they're, they're having these conversations not just with customers. And you see their average, you know, price, cost, price per customer going up, but they're having the same conversation with prospects.
And that's why we see churn going up. 'cause there's people that are coming in and having these kind of conversations. And it's almost like, it's not one of those things like, do I want to go back? Do I have to go back and ask my current MSP If they haven't had the conversation with you, they haven't had it, there's nothing to go back and and discuss. It's already an issue right there when you're in front of a prospect, right? So you're creating this wedge.
But the other point I, I wrote down, and I wanna make sure is that a lot of what Chris is talking about today, what we talk about with tabletops, uh, with, with incident response planning, um, with alignment against standards, it's all process. And people we're not even talking about technology. And when I talk to MSPs, ev like you alluded to it, Wes, every response is another is talking about another tool.
And I'm concerned that the tool stack is getting so big and so complex that it's creating a security issue. 'cause there's like an overload of things. And it's almost like you feel like that is solving it when every week on this call, all of these experts we have come on the best people right, in their fields.
And it always comes back to those feeling you're not building that in and understanding those roles and that process so you can build it in to your, uh, pricing to your customers and use that as a reason they do business with you. Um, you're not staying even, you're going backwards right now, Gary, and you're gonna get backwards. Hey, Gary, Quicker, you're making me, you're making me think. Now, do you think, so you work with more MSPs, uh, than anybody I know.
Uh, do you think, is there a, is there a value? Do you see top performing MSPs, disambiguate, the vendors that they have in place, the stack from the value provided? In other words, when you work, when you work with like top performing MSPs, do you notice there's a correlation or do you not of like how much they list all the vendors they work with? Um, a Hundred percent. They don't. Okay.
They don't, they don't think the customer should be concerned, um, whether they work with perch or, or wanna purchase, you know, uh, competitors or whether they're using this tool. In fact, they should be able to make changes and swap out tools without really even letting the customer know, uh, about it. And I'll take it a step further. When they get in front of a prospect and the prospect ask them What X, Y, Z do you use? They use it as an inflection point. C can, can I ask a unusual question?
Why do you ask about what, you know, virus protection we use? Yeah, my doctor got mad at me when I told 'em I wanted to have a GE Dynamics versus a Keira cat scanning machine. You know the Why? Yeah, exactly. Right. Exactly. It's a, it's a way of almost saying like, Hey, if you're asking that question, you're missing the point. You're not buying virus protection software. You're buying the fact that we're gonna greatly reduce your risk.
Some of it's software, but some of it is our process or approach and what we do. Can I explain it to you, Gary? I'm, you understand why my customers are willing to invest a little bit more? You, you pick two or three of those things and have a conversation. Trust me, price is not an issue. It's not an issue. And that is not my opinion. That is my observation in my experience. Gary, I was just gonna say, I'm really glad you brought up the, the tool piece.
Meaning when we were doing West, I dunno if you recall when we were doing the, um, the first cyber cast, and, and Ryan, Ryan brought this up to, actually, I don't know if you were on it or not, but Ryan brought this up to me offline, Gary, which is, and he's a vendor fair. So he's like, look, you know, we have these tools and it's like blindly like, do you grant tool X to have administrative access to your PSA as an example? And he's like, people just go, yep.
And he's like, and there's like, there's no kind of like, like let's walk through again the attack chain. Like if I'm giving full administrative access to my RMM from this third party tool, what are the ramifications potentially of this? So Chris, I see you shaking your head on this. Well, I mean, it's, it's the way, I mean we've, I've been in a situation lately where we just found, you know, they outsourced all their accounting until let their, the, the, the accounting people came in.
It was through RDP and, and everybody else can fill the blanks in, right? But it's the same concept. I mean, you know, we look at that for as an MSP, we look at that situation. We mean those people didn't even think about, you know, the questions they should asked and how they should have secured that. But you're right on the MSP side and the RMMs and all the integrations and stuff that we allow, we're not doing the same thing. We're not doing the level of vendor due diligence we did.
And I'll echo what Gary, I, I mean I've been a, I I think I heard Gary talk about that years ago about you don't need to tell your tools because I always saw it too as a contractual issue, right? If I'd say I'm using x, Y, Z as your AV and the, and I sign, let's just say for easy a a two year commitment with the client, I, if I change that tool in the middle, is that an issue with them? Right? And, and so there's, even from a contractual side, there's some limitations be behind that.
So, and I always want the flexibility. I mean, we've seen it, we've been in situations where an antivirus tool has just failed and we've had to make a change overnight just because it was unacceptable. And so by, by kind of putting yourselves in that corner on the tool, but that, but again, on the tool side of things, the vendor due diligence is, is, is increasingly important.
And when you start to manage risk of those vendors that way, that helps with that tool sprawl because that process is, is painful. You can automate it to a certain degree, but it is painful. But then it makes you really think a lot harder as an organization. You're just not going online and putting a credit card down and signing up for tools. Willy-nilly every, Listen, I I don't wanna, uh, let the cat outta the bag. Everybody has the same tools as you people, okay?
The one man show and the biggest, they, they all have access to the same tools, uh, that you do. And that's not changing anytime fast. Okay. Not impressed. Gary, you wanna have Wes uh, take over a little bit here? Yeah, yeah, absolutely. Uh, Wes, I, uh, One thought came into my mind, not only are you right Gary, but we vendors, uh, because we know that there's a lot of ubiquity and commodity in between us, which is true. It's a hidden secret. What do we do?
We throw marketing teams at language, um, and generate buzzwords and ambiguities that lead people into out. It seems like this one's really powerful and really interesting, right? Uh, as, And but every vendor also is trying to teach you how to resell their product, right? They're gonna give you sales training. So think about that.
And I don't want, and I don't want to get wrapped on this 'cause I want to hear your questions, but just the, the Reader's Digest version is if I had eight vendors and all of 'em are teaching me how to resell it, they're just training me to be a reseller. Again, I'm saying bridge out, turn back. Yep. Yep. I agree. Uh, go ahead, Let it fly. 'cause we could go off on this. I've always, we got Chris here, so I wanna make sure we're using this time. Yeah, No, I'm with you. Yeah.
And as long as I'm in the vendor space, it's important to me. Like I think we should be honest about those things, right? Yeah. Uh, 'cause I'm a practitioner that got stuck in the vendor space and so I think it's valuable. Okay, so lair, here's a question, uh, for you that I'd love to get your, I'd love to get your input on is let's just talk about like approved IR channels and unapproved IR channels, and obviously using signal for everything, right? I'm joking about that.
Um, talk to us, when you're going through an incident, you know, and you're pulling out the IR plan, you are, you know, you're thinking about the communications, you know, unpack all of that for us about what approved IR channels are and how important that is. So the, you know, the really important rule to kind of learn is verbal is the best in a situation, right? Because, um, you know, the more things people write down, the more things that can be misinterpreted in, in context.
And so channels are, are ridiculously important. And so even though we're living in this kind of remote worker age, uh, and we all can't necessarily get into war room right now and talk, but try to put yourselves in that war room situation and try to say that's really what we wanna deal with, with the majority of, of what we're talking about in an incident situation. I mean, there are times where things need to be updated and things need to be recorded and that type of thing.
But as an example, last week, you know, that we were, I was on a call and, and it was, uh, the, the actual victim had set up the call, I think it was a teams call, and they're like, Hey, can we record this? And the attorney's like, no, don't do that. You know, we just don't, there's no, there's no real need to do that. And so I've had other people just get up, get upset, says, well, I thought you would write up minutes about the call we were just on and send 'em out.
I'm like, no, we don't do that. And so the channels are increasingly important. And so what we've talked about this and we've talked about is the PSA kind of the right place. And I, and my response is no. And I, and again, I like to simplify things and kind of keep 'em compartmentalized when we're dealing in a PSA, people are programmed to document the living hell out of things, right?
And so that's great when you're dealing with it and you're dealing with tickets and that type of stuff makes perfect sense. But if you're gonna try in your instant response plan to say, Hey, look, okay, we're still gonna use the PSA, but we want you to change how you communicate and what you say and what you do. It's very easy to say, but it's not easy to execute on perhaps the participants.
So I always think it's easier from an instant response situation to shift and have more and have defined channels just for that, and then have the rules around those channels. And again, I think there's, and that comes back to the roles which we started out. I think there are roles in, in the incident response, uh, that should be in charge of what gets recorded and what gets put.
So, hey, if, if the group needs to see updates, there's a role assigned to who, who puts the updates out there, and then that's the person that you know, is gonna make sure that the updates are correctly worded and people are, they're vetted and all that kind of good stuff, right? And so that's, that's where it comes out.
And I think, uh, you know, it's interesting you say about Signal and WhatsApp and those types of things, you know, we have in, in certain situations, especially when we're dealing with global events, those tools have become very, very essential. But you just gotta know again, how to use them and use them correctly. And not to overstate, I mean, I I, I even get onto my own team sometimes I'll see just, you know, even it's a one the sentence thing in email and there may be just one word in there.
I'm like, you gotta think about it from the worst case situation. And somebody, when I first got involved in incidents, the, an attorney attorney actually gave me the example of how, uh, something got misrepresented. And the Attorney General basically took what was gonna be a two year plan of security improvements and basically forced this company to get it done in 30 days. Uh, because they took that out of context. So you gotta be just super careful of it.
I know some people might find it ridiculous, but I'm telling you it's better to, to, and, and it's better to err on the side of caution. And in the end, there is absolutely no con to doing it. Meaning like if you, if you over communicate and over document that stuff, that's gonna bite you in the butt more than it's gonna serve a purpose. That's good. That's really good. Um, so be cognizant of this is, is, uh, the, the lessons learned here.
Uh, I'm gonna go off script and I see that question from Felicia is a really, really good one in chat. So I'll just go ahead and read this. But, uh, she's saying, you know, I've heard, uh, several MSPs went bankrupt this month alone because in arbitration they were not using an E-D-R-E-P-P that was top rated by Gartner Pay to Play. Oops, Freudian slipped there. Uh, or Mitre Attack framework. Can you comment on this, Chris? Do you see the same thing? And is that an issue? I haven't seen that.
Um, and that's one thing I've always, it gets kind of brought up on these MSPs and bankruptcy and stuff, and I just don't hear those stories. I'm sure they happen, they just don't come by way, um, at all. Yeah, I I almost feel like, um, as someone who's been through n not that situation, but, but similar ones, we have opportunities to direct, um, the messaging and the council, uh, and to understand, you know, my response back would be go ask anyone from Mitre.
Um, and they would, the, the last thing they would say is they certify anybody, um, as A NGO, right? Uh, or look at Gartner, I guarantee you having not looked, but guarantee you they have disclaimers galore that say things like, you know, you're responsible for your own decision making. You know, we we're not certifying any of these as like, you know, uh, fit for, for, uh, fitness and all that stuff that's in there. So I, I just find that to be really interesting.
And I'm not saying that that hasn't happened, but I'm like you, Chris, I've not heard of that either. Um, but boy, that's an opportunity missed, uh, by whoever is sitting in deposition or arbitration to not correctly steer and answer that. Don't you think, Chris? Yeah, I mean, just hearing that it's kind of interesting. I don't, I don't, it's, um, you know, that whole concept of that's just a weird Yeah. Uh, situation at all.
I mean, that whole Gartner thing and being in the, that's, that's weird, man. I don't know. I mean that's a, that's a great use case. I'd like to peel into and find out who was representing whom. Me too in that arbitration. Yeah.
Well, so I would think from what we heard over the years, you know, or you know, from, uh, you know, Justin who's been in the courtroom a lot, Justin Mout, Chris, it's, you know, I, Chris, tell, tell me if, if you're, if you're, and I'd love your thoughts was gotta be a lot more about, you know, what your internal security posture looks like. Policy, what do care you have third, fourth party vendor risk management, et cetera. What's in the MSA, what's not in the MSA is gonna hold up.
Uh, so versus what's the tool efficacy? 'cause that's certainly debatable, but what are your thoughts, Chris? Well, it always comes down to, uh, yeah, it always comes down to you having evidence that those things are in place. So let's just take this EDR one as an example and definitely hypothesizing here. I mean, if you, let's just say you were using a DR tool that wasn't in there, you would probably need to provide some evidence of a decisioning, the decisioning around that, right?
So if it was, the decision was based on, well, it was because my M-R-R-M-M vendor gave a great discount on it, or because the pricing was good, that's not gonna hold much water. But if you as an MSP did through and did some type of, you know, due diligence and some bake off or something like that, you don't have to make it fancy and documented it, then that would come in. But that's just like, and I think, you know, some of these, just the way we run as MSPs, were somewhat at fault.
Let's just take more of a more mature organization. Like, again, come back on banking, Wes, and I know you just couldn't go out there and sign a contract on a, on a, on a vendor that you wanted to do. You had to go through a governance process and, and ultimately sometimes, and often the board would have to approve it. And so, and you need to have somewhat of a similar structure around that.
You don't need to have a bunch of crazy committees and stuff in MSP, but you should have a process and something to define why you chose that EDR tool and why you, you stayed with that EDR tool. So then when you get in those situations, and that's the, the argument that opposing counsel is making because there are lawyers involved in that arbitration and usually they're litigators, then you have a, a leg to stand on if you don't have any defense on that.
So again, it comes back to you made decisions. An EDR tool is a very critical decision. You need to have some documentation around doing that. And the same thing with anything else you need to do. When I talked to people that were involved in that target situation years ago when they were on the ground with Target, they said Target was doing lots of great things, but they got roasted because they had no evidence, they were doing the right things.
And so it was actually, it actually came out in the public worse than it actually was behind the scenes. So as an MSP, you need to understand that as well. It's all about proving that you, that you did the things, you can't just say it in front of a, a court or an attorney 'cause that's not gonna hold much water. Yep. Yep. I agree.
And just shortly is another analogy to all of this is, you know, breaches don't result from the failure of one tool breaches result from the systemic failure of multiple points in the design of your system. So for example, take, you know, where where does an EDR pick up an EDR picks up, uh, when some kind of threat has occurred on the endpoint system? Well, how did that get there in the first place? Doesn't happen by magic.
Um, so probably a user clicked on something or opened a phishing email, which is a whole slew of things in there that also failed. And as an example, an analogy to this, I was thinking about like the challenger explosion. You know, I remember watching that documentary a few months ago and it was amazing. Yes, the o-ring, the, uh, seal was what caused the problem. But when you go back in the aftermath and you looked, there were systemic problems that led to all that.
It was actually documented, known they failed to have a process in place and prioritization in place to fix and correct and communicate that there were, there were up upline problems, but it was one problem specifically that caused the event to blow up. And sometimes we focus on that piece missing everything else. That leads up too. It Gary. Yeah. Uh, everyone should watch that. I watched that too.
Uh, and not even, because it's interesting 'cause it's super interesting thing in our history, but it does make you think about business and about process and uh, I, I always, well, I'll let it go there, but everybody should watch that and I'll put everything else in my face. Yeah, I think this colonial pipeline's gonna be, I'm, I mean, I'm so interested in hearing as much about as possible because there's so many underlying things here.
Um, you know, I had always heard that the Edward Snowden thing was a process issue. It was not a, it was not a person issue, it was a process issue on that side, and they solved it through process. Yep, indeed. Um, we got maybe time for one last quick question, Chris, and this is one that I've had burning that I wanted to ask you. We, we've touched on pieces of this a little bit, but, you know, let's say some kind of major incident occurs and happens with the client.
At what point do you, as the MSP tell the client, Hey, it's time for you to reach out to your insurance carrier and contact your breach counsel versus us doing the detection, containment eradication. At what point do we bring them in and tell 'em, Hey, you gotta do your stuff now? Yeah, so I would say in most cases, you're gonna give 'em that option and you're gonna have 'em make that decision. So there's, there's, there's a lot of factors.
I mean, um, I would say that the mi the, the minority of cases we get today really wouldn't, don't require that. So we've gotten into some, some particular situations and you just ask the questions, what kind of data did you have on the network? Well, blah, blah, blah, blah, blah. And you're like, wow, that has really no value, or who cares about it? Or whatever, it's boring stuff or whatever the case may be. Big freaking deal, right? Well, you know, you have backups, you, you restore.
So really you go through some questions like that and you put that and you're like, Hey, look, there's there, there's no need to do that, right? In other cases it may be just put your cyber insurance carrier on notice. 'cause that's really important. That doesn't mean you file a claim, but at least you notified. I mean, that, that happens quite a bit. Hey, look, we have a situation here, especially with third parties.
So somebody gets affected, their business is down as a result of a cloud provider or somebody getting popped and they really can't do nothing or they can't do anything, sorry. And then, uh, but they have to turn around and put us on notification just in case, right? So that may be it.
And then there's the case where, look, you've got some, you've got some stuff in here, you're in, you're in healthcare, you're in legal, whatever the case may be is you, you need to call the insurance carrier regardless of what the situation is. Uh, let them get involved. They might, you know, a lot of times the insurance carrier might give the advice to say, no, just go ahead and proceed what you're doing. We don't see anything here.
Uh, but I think it's, it's best to do that, especially with legal sides of things. I mean, I don't think there, I mean, you definitely wanna have somebody that specializes in breach counsel and somebody that knows those situations in your industry. I mean, we have situations where, you know, we have a number of law firms that we work with and there's a certain situation, I'm like, I know that law firm's fantastic for this particular case, especially with MSP cases.
We have one law firm that's just superb at dealing with those situations very well. They know the right people and players to bring in and all that kind of good stuff. So that's where I think it, it really helps. I mean, sometimes when you, you're dealing with a general counsel or internal counsel or just somebody's uncle's, you know, cousin, sister's, brother, whatever, down the road, uh, that doesn't really work well and just causes more interference.
So short and sweet, you gotta really find a reason not to get them involved. But most of the time you're gonna have them involved. Go ahead. I know we're short on time. Yeah. So, um, just wanted to kind of wrap up here real quick, Chris. Thanks a million as always.
Um, Gary, um, wondering if we could do a cyber call next week on this whole, you know, BS really is, you know, bringing, bringing the future to the present maybe we call it, which is again, we know the majority of MSPs don't know if their clients have cyber insurance. And now we know the majority of MSPs, their clients don't have incident response plans. And we know it's only a matter of when there's gonna be an incident. So the most, Yeah, let's think about it, Andrew. Yeah. What week we do.
'cause I might wanna bring on an msp Okay. That I think is pretty good. And maybe you having these conversations, I think that'll make it meaningful. Okay. Very Cool. And the last thing I wanna close up with today is, uh, a friend of mine wrote a book, the book's, the guy's name is Steven Little and the book's called The Milkshake Moment. And the punchline to it is, uh, I think fits, uh, today's conversation. Don't let your systems make you stupid. Hmm. Wow. Really good stuff.
Um, you've had him at your event, Gary? I have. He spoke at N Fest some years ago. Yeah. That's fantastic. Okay, so I know we're at the top of the hour again, Chris, thanks so much for coming on. What we're gonna do is consolidate maybe the, the pre, during and post and we'll get like kind of a, a little guide guideline out to everybody. Would that be helpful? Just give us a quick yay, a yes or no on that. Would you like that?
Uh, again, if you could give me some feedback on the cyber cast, I would greatly appreciate it. Um, I'm putting my email in chat for everybody that, um, would be kind enough to, to look at that. And, um, with that, um, Gary West. Thanks as always. Ryan will be back next week from vacation and, uh, we look forward to, uh, to talking to you all very soon. Have a wonderful week. Thank, take care. Thanks. Thanks everyone. Thanks.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois