35. 6 Signs Your IT Company is Leaving You Exposed
Welcome everybody to episode 35 of Unhacked. Guys, I said every week, Unhacked, it's kind of an intentional misnomer. We we lead people in thinking, hey. If you if you get hit by the Russians, just talk to us. We'll fix it all.
Justin:We'll put you right back to the way it used to be. Have have you guys ever seen that happen actually in reality, somebody truly getting unhacked? No. No. Me neither.
Justin:The damage is bad. It's long lasting, and sometimes it's terminal. We don't like to talk about that, but, we are here really to prevent it. We're here to make sure people do not get hacked in the first place because that's really the only way you can get unhacked is to just, you know, never go there. We we believe in best practices and standards, and we're gonna talk a little bit about that today.
Justin:We talk about it pretty much every week, but, you know, it's a firm belief that 97% of the breaches that we hear about, that we know about, that we investigate or deal with in any way, shape, or form could have been prevented almost always.
Bryan:Right.
Justin:You've got that little bit of a gap, the 3%. There's always the you know, if if you've got a big enough target, if somebody wants in bad enough, they're going to get through, and that's where policies, procedures, and insurance come into play. So, that's what this app or what this podcast is all about week after week. We're just here to empower business owners, because listen, we're all overworked. We're overwhelmed.
Justin:This is one thing that we don't really wanna have to deal with, but I mean, this this can be life or death. So, real quick funny story. So I've got, I got my good friend, Liana, who goes back and and listens to all these episodes, and she pulls clips out. Right? I've told you guys about that.
Bryan:We we
Justin:push that out to social media. And it's hard because as an IT guy, like, I don't know about you guys, but I get kinda bored with this stuff because we do it all day every day. We talk about it. It's like, this isn't new. It's just everybody knows this stuff.
Justin:Well, she starts asking me about, like, hey. Are you guys doing or are are we are we doing this for our clients? Are we doing that for our clients? I'm like, yeah. Why why do you ask?
Bryan:I don't know. I just learned
Justin:it on podcast. I didn't know anything about that. So, listen. Apparently, there is value for the layperson, so that's good. It was a a little reassurance that I got from her this week.
Justin:So, you know, we keep doing it, and and hopefully there's there's benefit in in our listening audience. I don't know about you guys, but there is huge benefit in it for me personally. This is a very selfish endeavor for me. Alright. Let's do some quick introductions.
Justin:I've been talking a lot, so I'm gonna punt to you, Brian. And then, Mario, tell us who you are, what you do, and who did you do it for. Brian.
Bryan:Excellent. I'm Brian Lachek with B4 Networks based out of beautiful Niagara Region, Ontario, Canada. And, we provide, computer support to, businesses throughout Niagara. And the way I like to explain is that, every business tends to struggle with dealing with technology, and there's headaches that come with having technology. We make those headaches go
Justin:away. Alright. Mario.
Mario:Mario Ozaki, CEO of Mastech IT. We are located in New Jersey right outside, New York City. Been in business for 20 years servicing, the tristate area, and, we help, people do pretty much similar things. If you have a computer, we'll protect you and and, give you an outstanding service while we're doing it.
Justin:And recent winner of Better Your Best nationwide competition. Mario came out number 1. Guys, we are sitting here in the presence of royalty, Mario.
Bryan:Royalty.
Justin:Always good to have you here. And Brian as well. Like, I I can say to you guys close friends, so I I love being able to do this. My name, Justin Shelley. I'm CEO of Phoenix IT Advisors, and we do IT consulting.
Justin:We have a a focus on compliance first. That's my model. And I'm gonna talk about why today. So I'm I'm kind of excited about today's episode. But, anyways, we do business in the Northern Texas area, Northern Nevada, Utah, Idaho, with and expanding.
Justin:I don't wanna, like, limit myself, because I do plan to, like, Pinky and the Brain take over the world someday.
Bryan:Except for except for
Justin:our QA area. Except for where Mario and Brian live. You guys can have your little cutouts, but everything else is mine. Goddamn it. Alright.
Justin:Guys, we, we had a hell of a week last or a week, a hell of a month last month, the month of October, cybersecurity awareness month, and we went through a pretty good series of how to do this stuff. And and today, I really love Mario, kudos to you for the topic. I wanna pull it all together into if I'm a business owner, this is not my world. I don't know anything about it. How do I really know I'm protected?
Justin:Because while we'll sit here and tell you guys what needs to be done, do this, this, this, and this. But by the way, don't do it yourself. Hire somebody because this is not DIY. Right? We say that all the time.
Justin:But if I'm an accountant, for example, or if I'm an attorney, how do I actually know that the guy I hire, the company I hired, the check that I'm writing properly protects me? So that's that's what I wanna go in today. Thank you, Mario, for the the the topic, the actual title of the episode, 6 signs your IT company is leaving you exposed. Take this information, audit your IT company. Like, make sure that they're really doing what they tell you they're doing.
Justin:Alright. So we are gonna dive straight into this, and, could be a short episode. We might get long winded, but we're gonna go in and we've all, you know, divided it up and we've taken 2 points each that we're gonna discuss. And this is, again, from the perspective, if you're a business owner, listen closely because this is what you need to look for to know that that check you write every month, which by the way isn't super cheap. This is not not a not a Walmart scenario here.
Justin:Oh, I'm gonna get sued by Walmart now. Take some notes and find out, you know, just just use this as a kind of a scorecard so you know if you're being properly protected or if you maybe need to to make a change. So, Mario, you are at the top of the list. Let's go ahead and, kick this off to you. What should I look for as a business owner to know if you're charging me too much and providing too little?
Mario:Yeah. So the the first my first point was, documentation. You know? So as an example, like backup reports, executive reports, recommendation for implementation, and doesn't necessarily need to say mean, you know, it's gonna cost you a lot more money. You need to buy brand new computers, brand new servers.
Mario:But just that they know that you know that they are looking over your your network. You know? Are they telling you that you're running a server that's has an operating system from 2012 or from, you know, a computer, a PC that is about 10 years old, that is not gonna be able to be upgraded to, like, Windows 11, you know, next year when, you know, Windows 10 is not going to be supported anymore. So it it's stuff like that that it's, you know, are they actively or proactively checking looking out for you? You know, it's, not necessarily something that's gonna have to cost you money.
Mario:You know, most so a lot of computers now, that have Windows 10 can be upgraded to Windows 11, and it's a free update right now. But that's how you know you know, it it's not it you don't wanna be with that IT company that you only call when there's a problem. You know? Yeah. In our world, like, no news is good news, but you have to also let them know that, listen, this is what you're paying us for.
Mario:This is what we're doing. We, are always gonna give you recommendations or at least at minimum say, you know, here's a report letting you know, you know what? Your shit is, you know, is is up to par. You know, you're good. You know, there's if there's anything beyond this you want, we can talk about it.
Mario:But, you know, we we onboarded a a customer, a few weeks ago, and they have 3 servers. They're all running server 2012. You know, their, their firewall had, you know, 3, RDP ports open right through going right to the desktops and
Justin:So server 2012 is pretty good. Right? Yeah. I mean, because when I bought this and and again, I'm I'm playing your business owner that you're talking to. When I bought my server, I paid, like, $20,000 for it.
Justin:It's only been a few years. So it I mean, are you telling me that's a problem?
Mario:Well, actually, in their situation, their server, their actual physical server was only about a year old. But what they kept what they kept doing is taking that virtual servers that were on there and just transfer it over. And they're like, okay. You're done. Give us $20,000 for the server.
Mario:You know, they didn't actually keep up with with that stuff. Meanwhile, they they the reason they came up to us they came to us is guess what? They got they lost a $150,000 in
Bryan:a week.
Mario:Oh. And, you know, the IT guys pretty much told them, oh, no. You're good. I don't it must have been something you guys did. We didn't do anything wrong.
Mario:Yikes. You know?
Justin:Okay. So two points here. Number 1, business owner thought they were covered. They weren't. They're paying money, but they don't know what they're getting for it.
Justin:Point number 2, preventable. Right? We talk about this is a perfect example of something that's completely preventable. And, Mario, I was trying to I was, like, lobbing you a softball here, trying to get you to talk about server 2012. Why is that a problem?
Justin:So I get a report. Right? I'm the business owner. You send me a report, server 2012 on the server that you bought last year, 20 grand. I'm good.
Mario:Yeah. So the reason you're not good is because that server has been end of life for several years now. It's no longer being supported by Microsoft. They're not releasing patches or updates for it. Most security softwares like, you know, EDR and the and, you know, like, antiviruses are not supporting it.
Mario:And, even backups backups are are not working great on on something that is made you know, since 2012, they've came out with server 2016, which is also end of life. They came out with server 2019, which is gonna be end of life next year, and they came out with server 2022. So you're they're they're, like, 4 or 5 versions back, and it just been completely neglected.
Justin:Yeah. You
Mario:know? So they need to at least, at minimum, tell you, like, listen. This is what you're running. Like, when we provide executive reports, it tells them right there if they're running any outdated operating systems. You know?
Mario:So my point is that they need to, you know like, when we met with this company, we actually asked them, like, where's the backup reports that you're getting? Where is any type of information that they're telling you about, you know, you know, what you need to do? Like, we haven't received anything in, you know, x amount of years.
Justin:You know? Yeah. I I'm gonna guess that if they're not getting any reports, they're not getting the documentation, they're probably also not having regular conversations. Is that a fair fair assumption? Yeah.
Justin:Those usually go hand in hand. So okay.
Mario:Yeah.
Justin:Because and and I'm I'm pressing because trying to put myself in in the seat of a business owner who isn't focused in technology. I can get documentation, but I don't always know what it means. And and you're saying it, but I just wanna emphasize the point that you you need to understand this stuff because I'll be honest, I get paperwork, and this is a completely, you know, just unrelated example, from my insurance company, like health insurance. I'll get something in the mail that says, this is not a bill. Fucking throw it away.
Bryan:I you know, like, I
Justin:don't know what it says. It's 30 pages of stuff that I don't understand. So I just throw it away. I'm I'm they're gonna duke it out. I don't know.
Justin:Right? So
Mario:You know what? The thing is and I've had conversations for years and and and, every almost not every time, but a lot of proposals that we do. And they look at, like, what we're providing and, you know, price cycle. Oh my god. This is significantly more than what I'm paying now.
Mario:You know, people sometimes have that mentality is I'm paying for help desk. If I can't print, I I want to be able to call you. Okay? Yes. We do do that.
Mario:But if it's only we do that because we do all the other stuff so well that we could include that because we're confident with what we do. We're we know we're gonna do it right. So you shouldn't have those problems of you can't print, you can't open this, you you've been hacked, you know, and stuff like that. You know, if we do our job well, then the help desk part is very easy. Right.
Mario:And they always think that the help you know, they're purchasing a help desk, and help desk is trying to sell me a backup and an antivirus and that stuff.
Bryan:Right. Which
Mario:is not what we're selling. We're selling the other stuff and including the help desk.
Bryan:Yeah. I always like to say that, if you're calling me for something that's broken, then it's likely your team is now taking up their time and effort, in calling us and having us resolve the problem. Meanwhile, had we done our jobs in most cases correctly, we'd be proactively repairing those things so you don't have to call in the 1st place. And so my sign of success in in my company anyway, and I would imagine it's the same for you guys, is that the client hardly ever has to call anymore. If they hardly have to call anymore, then I know I'm doing my job right.
Justin:Yeah. I could honestly, I could go off on this. So there's a lot of information here. We could probably do a whole up a whole episode on this. Okay.
Justin:So, Mario, documentation, communication, understanding, just basically knowing what's going on. Right? So, and I think you had a couple points. What else do I need to look for as a business owner to know if you are doing your job?
Mario:So for my second point is what we say does the back the back end match the front end. Right? So there's a lot of times where we are sitting with somebody for a first time appointment, and they're telling us, like, their IT person's unresponsive. They can't, you know, they can't reach them or they can't reach the company, or they'll open up a ticket and not hear from anybody at the company for a few days. And I wanna say 98% of the time when we hear that, we realize that the back end security matches what they are seeing in the front because they can't see what's happening on the back end.
Mario:Are they actually doing proactive maintenance? Are they actually watching the antivirus and, you know, the, stuff like that? You know? So a lot of times, the neglect is also on the back end. It's not just on the front end.
Mario:You know? They can't keep up with tickets. If they can't keep up with tickets, most likely they can't keep up with the maintenance and the monitoring and checking the backups and checking, you know, the updates and patching this and, you know, making sure the firewall has the latest firmware and stuff like that. You know? And there's times where sometimes when we get busy, we have to kind of, like, shuffle some things around with some technicians, but, you know, that usually will happen for one day.
Mario:You know? But, a lot of times we see the front end and the back end both matching, and what's being neglected on the front end is also being neglected on the back end.
Justin:So what I'm hearing you say is if, if I don't get fast response times, which by the way is the number one reason somebody will come to me looking for new IT service. Right? That's that's a metric that everybody knows and understands and is super obvious. But you're making a really solid point because if that's a problem, there are way that's the tip of the iceberg. There are way bigger problems that nobody knows about, which like you said, firewall is being updated.
Justin:That's like how many times do you go, evaluate a new prospective client and their firewall's out of date? Like, almost always. Always. Yeah. Almost always.
Justin:Their the firmware's out of date or it's the subscription's expired or, you know, like, almost always. Yeah. So, and it's not just in with outsourced IT. You look at great big companies, enterprise, with seemingly endless resources, but nobody has endless resources. Right?
Justin:And so if it's the same thing. If you're working at a large organization and you don't get good response times, you don't get resolution to your problems, There's there's probably, there's probably other skeletons hiding.
Bryan:So Yeah. One one of my favorite, things I've seen in the past was somebody who was showing, you know, the rack in the server room, and most people don't like looking at that. But it was just like a spaghetti dinner. Right? It was just like cables everywhere.
Bryan:And, the caption said, if this is how they treat the things you can see, what are they doing to things you can't see?
Mario:Exactly.
Bryan:Like, this is something that you literally can see walking in your server room. Is it clean? Is it tidy? Is it documented? Is it neat and organized?
Bryan:And if the answer is no, well, that's what they're doing in your network as well. That's how they're treating your servers. That's how they're treating security. That's how they're treating security. That's how they're treating everything because if that's what they do with the things you can see, what are they doing with the things you can't?
Bryan:And, I think there's a bunch of IT providers who are gonna listen to this now going, oh, no. I gotta go clean up a whole lot of server rooms. Exactly.
Justin:I'll I'll tell you what I am doing, Brian, and and I will admit this over and over that I I primary benefit for me in doing these podcasts is my own self improvement. And Right. While I don't have a bunch of closets that I feel I need to go clean up right now, I am gonna add this to my internal standards because we have both, public standards or framework standards, but then we have internal stuff that I do want this to be inspected on a on a regular basis. So I'm actually gonna, improve myself 1% as we speak. So Excellent.
Justin:Mario, was that pretty much it for that one, or did you have more to, talk? Because I'm distracted because I'm I'm like I said, I'm I'm doing my own shit right now.
Mario:No. That's I mean, that's that's about it. Like, you know, chances are you you it's very rare. I have never seen, us go to somebody for the first time, and they say, yeah. Their their support is excellent.
Mario:Every time we talk to them, they are, picking up right away, resolving it all within 2 minutes, and then their back end there's no antivirus. There's no backup, and, you know, stuff is 10 years outdated. They usually very you know, they go hand in hand. It's very rare where they're very good with support, very good with answering everything, very good with resolving everything, and then everything shits the bed in the background. They do that's I've never seen that.
Mario:Usually, it's either they're both really good or both really bad.
Justin:It's, it reminds me of our our mutual mentor, Robin Robins. Mhmm. She frequently says, how you do anything is how you do everything. Exactly. And that that's what I'm hearing you say right now.
Justin:Exactly. Yeah. So alright. Good points. These are these are solid points, Mario.
Justin:So Brian, let's go ahead and, pass the ball to you, and let's see if you can beat Mario's, points in his hand.
Bryan:Yeah. I can't say I'm gonna beat them, but I wanna say, the 2 that I have and
Justin:it's competition, but if it were, I'd be winning.
Bryan:No. Oh my god.
Justin:Well, I
Bryan:was gonna say they play off of the ones that Mario Mario had mentioned. Okay. So while he's talked about documentation and having executive reports and and and backup reports and things like that, My first one of what you should do to know you're absolutely getting what you pay for is, take a look at whether or not you have regular standing meetings with your IT provider, either quarterly or or biannually. The intent is to have some sort of strategic planning. Right?
Bryan:And those type of reports typically come out during your strategic planning sessions. But essentially, if you're doing if if the MSP is doing it right, then in those sessions, we're looking at how we can improve 1% better every single day, which, if you look at it from that way, when I meet with, our clients, we create a 3 year plan. Here's what you've got. This is what your organization is planning in the next 3 years. Here's what we need to do in the next 3 years.
Bryan:We map it all out, and then we create a 1 year, highly detailed plan and then a 90 day like, what's happening in the next 90 days. And every 90 days, we get back together. We sit down, and we take a look at what is coming up next. What else do we have to do to improve? And during those sessions, that's where you're starting to talk about things like maybe you've gotta put 2 factor authentication in if you don't already have it.
Bryan:Maybe we need to upgrade or install a new workstation or a new server. Like, we're always trying to improve and get 1% better, from the previous month, and that only happens if you have strategic planning sessions. If you're not having any kind of strategic planning sessions, how do they know what your strategic goals are and and how do they relay their goals as to what they're going to accomplish from the IT side with you if they don't have those meetings, those regular meetings. So, if your MSP offers those, take them up on it because that is one of the in my opinion, one of the most important ways that you can ensure that they're doing what they say they're doing. You can know you're getting what you pay for.
Justin:And if they don't offer those, you're going to get sued. Remember Joe Brensman? Mhmm. With the insurance agent. Right?
Justin:He talked about this is the smoking gun. If Yeah. If you get breached, if, business gets breached and they don't have a plan that they're working on, there's likely a class action lawsuit following on the heels of that breach. So what you just described is a get out of jail free card in the event of an attack. We don't know.
Justin:We're not the terminology, you know, it gets me. I'm not a lawyer. Yeah. But if you get attacked and sued, you want to have that plan in place.
Bryan:Right. All the things you have accomplished over the last, you know, 2, 3 years, and you have a record of it every 90 days. Here's what our plan was. Here's what we accomplished. Here's our next 90 day plan.
Bryan:Here's where we're going for the next year. You get sued. You can gather up all that information and say, we have a plan. We have a strategic plan. It just takes time to implement all of these things, and we can't possibly do it all at once.
Justin:Yeah. For time and money reasons. Right? We we all have limited resources. So
Bryan:okay. And to touch I guess it kind of relays with with, a little bit about the same thing. Like, we talked about how, if the front end doesn't match the back end. And I wanted to add one small thing and that is oftentimes and I've I've I've met with a lot of IT providers. I coach a lot of IT providers.
Bryan:And in a lot of cases, their their entire team is just gathered into one big jumbled mess. Right? It's everybody does everything at all times.
Mario:Right.
Bryan:So everybody's on the help desk, everybody's doing on-site support, everybody's doing proactive support, which means that
Justin:Nobody is.
Bryan:Fires that happen take priority. Yeah. And that means the proactive falls in the wayside, which leads right up to what Mario Mario is talking about if the front end matches the back end. If it's done correctly, there's segregation of roles and responsibilities, and maybe somebody's responsible for the proactive side at the organization at the MSP, and maybe somebody's responsible for the help desk, and and one other person's responsible for projects, and so on and so forth. And so if there's segregation of duties and responsibilities, you're pretty comfortable knowing that the MSP has, they're a little more mature in the sense that not everybody is a jack of all trades.
Bryan:You've got specialization happening, and you've got prioritization happening in each one of those different roles and responsibilities. So I just wanted to add that in there.
Justin:Yeah. Well, let me play on that as well because there are cases where, you know, we do have to wear multiple hats in Mhmm. That's just life. Right? So if if there can't be segregation in people like a full an FTE, full time equivalent employee, and you have to divide your attention, then and I and you may have already mentioned this, but, like, that's where metrics come into play.
Justin:I am a huge EOS fan, and you've gotta have that weekly scorecard where you're looking at, you know, as a business owner, you better know what are the signs that you're, not safe, not secure, and have that number in front of you all the time.
Bryan:Yeah. I I and when I talk about segregation of roles and responsibilities, it doesn't necessarily mean that that person only does that. I'll give you an example. When I first started growing my team, I had people working the help desk. They were doing on-site support, and they were doing deployments, and it was just like all the same people doing all 3.
Bryan:And of course, fires would happen and the deployments never happened. The on sites would happen because those were priority. There were fires. Help desk people would but, like, people calling in would get their calls answered because nobody likes a ring phone ringing. But the deployments of new workstations is, like, we were weeks behind.
Bryan:Mhmm. And all I changed was to say we had, like, 3 or 4 staff at the time. It says your primary responsibility is help desk. If there's a help desk call coming in, that's you. Your primary responsibility is is desktops and getting the desktops deployed.
Bryan:And if there's a deployment to be done, that's you. And then I went to the 3rd person, if there's an on-site to be had, that's you. Otherwise, if there isn't, you can go and help everybody else. But now you have a priority, and all of a sudden, boom, deploys were going out, help desk was being answered, on sites were were taking place, and everybody everything was running smooth. And it all the only change was is that I I let everybody know what their primary responsibility was even if they were they were multitasking, and that seemed to have worked really, really well.
Mario:I like that.
Justin:I mean, in a higher level, what you did is you put a system in place and you put some accountability in place, right?
Bryan:Correct. Yep. Yeah. If everybody's responsible, nobody's responsible.
Justin:Yeah. And you know, where in the IT world, this is I've heard it referred to as the reactive spiral of death. If if all you're doing is fighting fires, then that is literally all you will ever do or all you ever can have the capacity. You just keep throwing more people at it as you grow. But until you stop and put some systems in place, some accountability around it, you're just gonna keep fighting the same fires, and the fires get bigger, unfortunately.
Justin:So Yep.
Bryan:Okay. So beyond that, the the other one I was struggling between 2 2 of them for my second one, and I think I'm gonna go with, having a third party vulnerability scan. And and I say that because as much as you wanna trust the person who's handling your IT, second opinion is always a good thing to have. Now good managed service providers will have a third party that they work with that they will get them to run a vulnerability scan separate and then bring that report unchanged to you. If you don't have that, then you could contract a second MSP or second IT provider to give you, like, a biannual or a quarterly, vulnerability scan.
Bryan:But the idea is have a a third party vulnerability scan in one way, shape, or form, and that will give an unbiased, report as to where they're at from a security point of view. And I I went with this one because the other one was metrics. But being that with this security podcast, I felt like the 3rd party vulnerability scan made more sense to know you're getting what you're paying for. Have that second vulnerability scan done or that third party vulnerability scan done, at least quarterly, I'd say. And, it doesn't like I said, you could use your current IT provider as long as they're dealing with a 3rd party, or you can contract your own third party to just look over the shoulder.
Bryan:I like to use the what is the phrase? The not having the fox watch the hen house. Right? Yeah. So Yeah.
Justin:Alright. I guess that, does that put me on deck here?
Bryan:Puts you on deck, sir.
Justin:Not on deck or at the okay. So again, Mario, I I love that when you first I've I've got to admit, when you first threw this topic out, I'm like, ah, this just sounds like a shameless self promotion. But then the more I got into this, the more passionate I became about it because here's here's the reality. Yes, of course, I want everybody to do business with me. In fact, here's here's what I was gonna say was, top 6 ways to know your IT company is leaving you, exposed.
Justin:Number 1, look at the invoice. Does it say Phoenix IT Advisors? If not, you're being exposed. But then I like that wouldn't be very fair to you guys. So, then I'm like, okay.
Justin:Well, I'll just put off some fine print. We can also include B4 Networks. We can include Mastech. But, okay. So so jokes aside, in, I mean, and and this is just straight up me being who I am.
Justin:My my number one company core value is we take care of our own. I have a genuine interest in the people I I associate with. If if I've got a client who gets hit, that's personal to me. I lose sleep over this. I, like, I have bad dreams about it.
Justin:I wake up in cold sweats. I'm like, oh, shit. Did this happen? Did that happen? So it's it's not just that I want to grow my business, which I do, but I genuinely want businesses to be protected.
Justin:I really want this to be something that you can take, to your IT company and and stay with them. I don't care. Stay with them. But make sure that you are getting what you pay for. Make sure that you are are properly protected.
Justin:And for me, a key part of that is that we are all on the same page. We have agreed upon standards because we talk week after week about these industry standards, best practices, whatever. Okay. So with that background, I'm scrolling Reddit as I love to do in my spare time, and and I came upon this post. So I'm gonna I'm gonna read this word for word.
Justin:And this is from an IT provider, an IT company, the owner of a business. A prospect asked for a list of the, quote, best practices I would be applying. This got me laughing. Like, the fuck you're okay. Then thinking.
Justin:So this got me laughing, then thinking, where do I get my best practices from? What are they? This has been bothering me as I start with my coffee. 30 plus years of experience in the industry, and I doubt my list and your list are the same. Though they should have overlap if they're truly best practices.
Justin:Right? Time to dissect this one and look at the policies in my RMM for my own comfort. It's been a while since I compared these. So many things I wanna say about this, guys. Number 1, RMM.
Justin:Are you shitting me right now? That's where you're getting your best practices from, your RMM. Are we even talking the same language here? Bryan, what's an RMM?
Bryan:Remote monitoring and management system. It's essentially the tool we use to connect to your computers, manage your computers, push out updates, scripts, but there's no policies. There's no best practice.
Justin:Oh, dear.
Bryan:No. It's it's whatever we program in.
Justin:And maybe that's what he's talking about to check what he's programming. I don't know. But I'll tell you what, 30 years in this industry, and he's scratching his head and he's like, I don't know what are my standards. Jesus Christ.
Bryan:I'm not entirely surprised, though, Justin, honestly. Right? Like, you have to remember, our industry is unregulated. We don't have, you know, a fairy, you know, like a an association ferry that says, here's what you should do, and here's how you should do it. Right?
Bryan:Like, accountants are regulated. Plumbers are regulated. Hair dressing companies are regulated. They like, here's what you have to do and how you have to do it. IT, not a chance.
Justin:I mean, we're not really that important. We don't impact national security. We don't keep businesses alive. We don't, you know, we really why would we be regulated? It doesn't Yeah.
Justin:It doesn't make sense.
Bryan:No. We have we have organizations that put out standard practices, but there's no agreed upon standard. And that's For me that's
Justin:the core. To market myself as an IT provider, as a cybersecurity expert, I don't have to do anything.
Mario:That's true.
Justin:I can't do that as a
Bryan:as a law. As a business in your local area. Yeah. That's pretty much it.
Mario:The closest to some regulations that I see is stuff that cybersecurity insurance companies are requiring. And even them, you know, you check 3 different ones, they have 3 different things that they're requiring. You know? Yeah. But that's the closest to and the and and the
Justin:whole thing regulation.
Mario:And it's not regulation. I'm saying this is, like, the closest Yeah. And that's not even you know, cybersecurity insurance is opt technically optional. You know? Like, it's you don't even need to do any of that stuff, but that's the closest to what I see.
Bryan:Mhmm.
Justin:So this is horrifying to me if I'm putting myself in the the shoes of a business owner. If a 30 year veteran IT company doesn't know what his best practices and his security standards are, how in the hell do I as a as a business owner vet this guy? Right. So that that was terrifying. And then okay.
Justin:So the the very first comment and you guys know how Reddit works. Right? The top comment is the one that's been upvoted the most, and this is in a forum of IT company owners. And the most updated or upvoted comment was, are you guys ready for it? Uh-oh.
Justin:You don't tell them in specifics. That was his advice because a prospect saying, what are your standards? And the most updated upvoted comment from IT companies is, don't tell them. Oh my god. Are you shitting me?
Mario:Oh, man.
Justin:Guys, this is our industry. This is our industry. Okay. So number one point for me in how do you know if your IT company is leaving you exposed is they post on Reddit that they don't know what the fuck they're doing. And you'll never know who it is because it's all anonymous.
Justin:But we can at least here, let's let's do this. Let's make it easy. We have an agreed upon set of standards. Okay? So this kind of wraps up what you guys have already been talking about.
Justin:But if I've got proper communications, if we're having meetings and we have a plan, that should be based on a meeting where we start off with, hey, business owner. These are the standards that we use, and by the way, very transparent. Here they are. You wanna read through them all? We can sit here for 5 hours.
Justin:We'll go through every single one, and I will tell you what they all mean and why they're important. I will do that. But if we don't wanna do that, let's at least agree on what you want as a business, you know, what what's your risk aversion, what what are you regulated? Because I'm not as an IT company, but you might be. So we're gonna we're gonna set these standards.
Justin:We're gonna agree on them in the in the beginning. And then just like you said, Bryan, we're gonna go, quarter by quarter, and we're gonna start knocking these out. We can't start. We're not gonna hit everything all at once, but we're gonna take the most important things. Let's let's make sure that firewall is updated.
Justin:Let's make sure your, server 2012 is decommissioned and upgraded to something that's currently being supported.
Mario:2FA.
Justin:You know? And then yeah, 2FA. Let's let's just take these basics, and we'll start with that in quarter 1. And then quarter 2, we're gonna sit down and have that conversation too. This is, by the way, mister business owner, what I recommend we do for quarter 2.
Justin:Does that match with what you want as a company? And if you're regulated, we're gonna bring in frameworks into it, which I like to do anyways. CIS is a great one. Mhmm. There's a bunch, NIST, PCI, HIPAA, CMMC.
Justin:I mean, there's a lot of overlap here, but what I really want is the the biggest bang for the buck. Right? How do we just get, know that we have the basics? We can report on it. We can run metrics on it.
Justin:We can, hold ourselves accountable. And then and then we just I I mean, Bryan, I'm gonna steal from you. Right? We just get 1% better, and I don't know that it's I'd like to think it's a little bit more than 1% every quarter, but we do what I call maturity levels. And so we're gonna start with the basics, and then each quarter, we're gonna plan, okay, next step, next step, next step.
Justin:So my that was and I've I've kinda jumbled these up because I had number 1 was agreed upon standards, and number 2 was company goals. So I'm gonna I'm gonna come back to that. And I'm just gonna say, dear mister business owner or missus business owner or whatever pronouns you choose to use, if you and your IT provider do not have clear communication and consensus regarding cybersecurity, run, get out immediately, and and don't wait. So so those are my 2. Have and, like, guys, I think we could we could merge a lot of these together.
Justin:We've talked about similar things with a different spin on it. But, you know, if I just had to sum it all up, we've gotta have good communication. We've gotta have good meetings. We've gotta have a plan in place. And then do not, do business with this guy on Reddit who after 30 years has no idea what his standards are, and he's gonna go look at his RMM and see if he can figure it out.
Justin:Jesus Christ. Okay. Okay. I'm gonna I'm gonna try to get my blood pressure back down over here. I think I think we've kinda hit what we need to hit today.
Justin:So we're gonna we're gonna move to wrap up. Do you guys have any thoughts on on, my little rant there?
Mario:No. I love
Bryan:Yeah. The only thing yeah. The only thing I would wanna add, Justin, is, when we talk about 1%, it's not always about just improving things that, you know, like, I'm not I'm looking to improve all the time, of course. But when you you know you're getting what you're paying for, if the MSP or you're the person you're dealing with has made an error and they admit that they made an error and they work towards correcting that error, having the the the the faith in your own ability to say, you know what? Yeah.
Bryan:I messed up here. I I I you know, we could have done better in this capacity or in that like, here's what we're going to do to improve it and an acknowledgment that things went awry, but that we can we can course correct. That takes a lot of maturity in an MSP to be able to admit when you've made a mistake and just move forward and and and figure out how you're gonna make it better for next time. That in of its own shows that that MSP has that growth mentality and that improvement mentality versus somebody who's like, yeah. No.
Bryan:We didn't do anything wrong. It was on your end. You you did this and you did that. Right? It's a collaborative.
Bryan:It's a shared experience. It's a shared model. We both have to figure out how we can get better at things. So
Justin:No. I absolutely love that. That, that's actually our one of our company core values. I I'm really big on core values right now because, for for reasons, just stuff I'm working through, but, only outcome is one of ours. You know, I don't I don't care.
Justin:I don't expect to be perfect, but goddamn it. If if something goes sideways, let's talk about it and work through it so that it doesn't keep happening. Right. So that that's huge. I love that.
Justin:Mario, I think you were gonna try to say something. I cut you off.
Mario:No. No. It's fine. What I was saying is to add on to to that what you guys are saying too. It's like, you know, you're improving and even if it's 1% better, You still have a you have to have a decent foundation.
Mario:You know? You you can't be starting from 0 and then go to 1% and 2%. You you have to have, you know, some of those foundations in place that will automatically bring you, you know, at a higher level. You need to automatically start with 2FA. You need to start with a real backup.
Mario:You know? Certain things like that, you need that has to be the foundation of of everything. You know? If you if the if you're not currently getting any of that, then you really have no foundation and you know, or a very weak foundation. And a weak foundation, anything is gonna collapse.
Mario:It's a matter of time where it just collapses. So, you know, you need to have a solid base and build upon that. Get 1, 2% better, you know, you know, in in, you know, improving on this, adding this, you know, stuff like that. That's that's what what I think, you know, a a real partner, you know, not necessarily a customer or a vendor. A a partner needs to have back and forth and discussions about
Justin:Alright. Guys, listen. I, I think I've said more than I needed to already. So, again, dear mister business owner, missus business owner, this is hugely important, and and it's a little bit risky because as we've said and we've, today and we've said before, the IT world's unregulated and that's just a terrible position that it puts a lot of people in. So if if your gut's telling you honestly, if you're listening to this episode with questions or concerns, that's probably all you really need to know.
Justin:If, if you even have to ask, if you even have to question, probably it's time to make a move. So, guys, let's let's wrap up. If you have any final thoughts, key takeaways, or just a quick sign off, we'll go ahead and do those quick, and then we're gonna pull the plug and start prepping feverishly for next week's episode. Mario, go ahead and take it away.
Mario:I mean, I I know you're gonna say this anyway, and, you know, just like every week, we offer our our assessment, you know, but I think this week, it fits best, you know, you know, just like what you said. If you have any doubts, you know, reach out to us. You know? We will be able to tell you. Like, you know, we have our own checklists, and we say, this is what you should be getting.
Mario:This is what you have, or this is what you don't have. You know? So if you're not sure, reach out to us and, you know, any of us 3, and we will sit there and tell you if if this is what you're, you know, you have the foundation. Is your foundation, you know, steady or not? You know?
Mario:Or could it collapse at any time? You know? Again, no obligation.
Justin:Yep. Bryan?
Bryan:Well, for me, it is the encouragement of or my my what I'm trying to accomplish is encourage business owners to start the journey. If you're don't currently have anything in place for cybersecurity and or IT, start the journey, make the phone call, meet with 1 of us, have us do an assessment, and we'll give you basically a recipe book on the things that you can do even if you decide not to partner with us. Here's the 4 or 5 things you can do right now to include your or to improve your posture where you're at now. And if you do wanna work with us, great. We'll start the journey together.
Bryan:I will be your guide. You will be the hero in the story, and I will make sure that we get you from point a to point b as quickly and safely as possible.
Justin:Nice little story brand plug there. Love it. Alright. Thank you, guys. Always a pleasure.
Justin:I'm I'm gonna sign off with just one thought, which is, hire slow, fire fast. Right? This is common, conventional wisdom in the HR world. If you even think, if your check engine light's on, if your spidey senses are tingling, you know something's off a little bit, start that process now so that you can slowly work through and vet a good IT company. And then if things are bad and you know they're bad, you've gotta pull the ripcord and you've gotta get out of there, because if you get hit, like we've said before, you cannot get unhacked.
Justin:So with that, we are gonna sign off, guys. Visit us at unhacked.live for all of our social media links, all of our episode recordings. You can subscribe on Spotify, Apple Podcasts, and wherever the hell else you listen to podcasts. With that, guys, I'm gonna say goodbye. We'll see you next week.
Justin:Bryan, Mario, thanks for being here.
Mario:Take care, guys. Take care.