69. Windows 7, Zero Backups, and $24K Down the Drain: A Cybersecurity Horror Story

Justin Shelley (00:00)
Welcome everybody to episode 69 of Unhacked. You know, we're here to help business owners protect their organizations from game-ending cyber crime. Bryan, thank you for being here. And I've got a pop question for you. Have you ever actually seen a company go end of life game over due to a cyber attack? Can we talk about that? I'm just curious anecdotally. Okay. Me. Yeah.

Bryan Lachapelle (00:20)
haven't no yeah no I mean I've not personally not not anybody

I've worked with but I've heard of of stories of people losing their business but I've never actually met a business owner face to face

Justin Shelley (00:32)
Yeah. Heard

stories, seen the stats. I wonder how much of it's made up. I don't know. What I will tell you is I've seen cyber attacks in real life and I've seen absolute devastation. Thank God they've come back from that. So, hopefully there's hope, shall we say. Anyways, I'm Justin Shelley, CEO of Phoenix IT Advisors. And you know what my company, what we do is we help businesses build wealth using technology and then protect that wealth from the Russian hackers, the government fines and penalties and

Of course, the class action lawsuits because the attorneys need their piece. We can't leave them out on the streets hungry and starving. fellows. Bryan, tell everybody what you do and who you do it.

Bryan Lachapelle (01:10)
Yeah, my name is Bryan Lachapelle. I'm CEO of B4 Networks. We're based out of Niagara, Ontario, Canada. And we help business owners remove the frustrations and problems that come with dealing with technology. And we do that by making sure you have a journey to follow in both your cybersecurity and improving how you use technology to improve your actual business and how you operate in your business versus just using it for day-to-day activities.

Justin Shelley (01:37)
Do you still do the one person every day thing? Excellent. I love that. That's, that's my favorite line. And I'll spoiler alert, spoiler alert. Anyways, Brian, it's just you and me today. We don't have an outside guest. Mario had other commitments. And so the two of us are going to see what we can do. We're going to take this and run with it. Brian, this month is, is what there's a theme for this month. And what does that mean to you?

Bryan Lachapelle (01:39)
Yeah. That's how I finish. That's how I finish the talk.

Cybersecurity Awareness Month.

Well, it means that I get to send a lot of messages out to people reminding them about cybersecurity. But I do that every day of the year. So I guess it doesn't really matter or change anything. Yeah.

Justin Shelley (02:13)
Not that different every day is cybersecurity awareness day for us. So

today is also coincidentally and I don't know, is it true in the great ⁓ world of Canada that you have a holiday called Halloween? You don't have Halloween, do you? I don't know it. Listen, I've never been up there. Actually, I've only been up there once. We still need to get together. I don't know much about our Canadian friends and neighbors this month. No, it's this month. So.

Bryan Lachapelle (02:27)
No, that doesn't exist up here. Yeah, we do. Come on.

You think it's today for you, this month, OK. I was going

to say.

Justin Shelley (02:41)
I'm just,

you know, we're, we're in the mood where we're decorating around the house. I've got clients who are decorating their offices and their lobbies and, you know, in the theme of Halloween and spooky stories, I thought I would bring a spooky story of my own. That's how we're going to get started today. So Bryan, no shit. There I was clear blue sky, cool breeze out of the South. You know how every lie starts, but this one's not a lie. It is a scary story. I, I got a call.

Bryan Lachapelle (02:56)
Ooh.

Yeah.

Justin Shelley (03:11)
a while back from a prospective client. They wanted to know if we could help them out. now another pop quiz for you. When you get a call from a prospective client, what is almost always their number one concern? What are they calling about?

Bryan Lachapelle (03:27)
You didn't have an immediate issue. They either have a breach or they're not sure.

Justin Shelley (03:31)
What's their main,

don't fail me here, Bryan. What's their main pain point with their current IT company? The main thing they complain about, the most obvious glaring problem that they always complain about, response times. All right. So that's what it was, right? Response times. So I'm like, yeah, let's let me come in, take a look and see what we got. And I go in, I find out about what, you know, they're paying somewhere in the neighborhood of about $2,000 a month, company of 34 computers, endpoints. So not a lot.

Bryan Lachapelle (03:40)
they don't respond fast enough. Yeah. Okay.

Yeah.

Justin Shelley (03:59)
roughly 60 bucks per endpoint, right? Do you charge that much for a full cybersecurity and IT help desk and everything else?

Bryan Lachapelle (04:05)
I mean, you translate that to Canadian dollars, maybe.

Justin Shelley (04:08)
Jesus.

Bryan Lachapelle (04:10)
No,

not for a full service offering. No, it's just, yeah.

Justin Shelley (04:14)
Okay.

So, you know, first thing I said was, well, yeah, you're not, you know, based on what you're paying, it does make sense that they're, they're underserving you. Um, so I expected to find some problems, but I said, here's, here's step one. We're going to go and do a full assessment. I'm going to put my diagnostic tools on your network and your computers, and we're going to take a look, see what's going on under the hood. Um, pop quiz number three, Brian at $2,000 a month or roughly $60 per endpoint. What would you, as a seasoned IT professional,

expect the deliverables to be? What should a client expect to reasonably get for $60 per month per.

Bryan Lachapelle (04:53)
⁓ I mean, it probably at the very least ⁓ cybersecurity on the desktop, meaning like endpoint detection response or an antivirus of some sort ⁓ and patch management, meaning that they're actually updating and maintaining and making sure the computer software is up to date ⁓ and backups. That would be the three major things I would think of that would be the minimum requirement. There's obviously a bunch of other things I would expect, but that would be the minimum.

Justin Shelley (05:21)
Let me tell you this. It's low. So I wouldn't expect the world, but I would expect some basics covered. Now comes the scary part of the story, Bryan. This client has an on-prem server serving up their line of business application SQL server. There was no verifiable backup in place.

Bryan Lachapelle (05:22)
The price is pretty low.

Justin Shelley (05:43)
Now I'm not saying that there isn't something hidden because not everything's obvious, right? Some of these cloud backups can run undetected, but I mean, I like, I dug through all the services that were running on the server. I dug through the list of installed applications. I dug, used AI to help. And I'm like, what are they using for backup? There's no evidence of data backup whatsoever. That's scary. When your whole business is on this server, but you know, luckily they have a brand new server and things looked healthy. Well, I start digging into Active Directory.

Bryan Lachapelle (06:05)
That's very scary.

Yeah.

Justin Shelley (06:13)
errors all over the place. Synchronization is not working. Trust relationships are failing all over the network. Like this is not a healthy Active Directory environment. So that's a problem. I'm finding no evidence of consistent antivirus. I'm not saying that there isn't anything you've got. Windows has a pretty decent baked in antivirus, right? And some people use that and rely on it. Great. It was there kind of, there was some AVG professional, I think paid versions. I think there was like four.

or five of those across the network of 34, the servers had nothing. They had no antivirus, no malware protection whatsoever. No backup, errors all over the place. They, that's where, you know, I started, so I'd head down to the basement and basements usually get scarier, correct? So down in the basement, Bryan, we've got most, almost all the computers are Windows. What version of Windows would you guess? If you had to guess.

Bryan Lachapelle (07:11)
they're at least

Windows 7 or 10. Ugh.

Justin Shelley (07:13)
Seven, Brian,

Windows 7. I wish that's where it ended. Three of these Windows 7 installations were unlicensed.

Bryan Lachapelle (07:25)
For the record, 7 is like two generations ago. They stopped supporting that, I think, in 2012 or something. I can't remember. Yeah.

Justin Shelley (07:25)
Pirate

Years, years ago. Yeah.

Not good. No bueno. This is without a doubt. So in summary, I could find no evidence of any management going on whatsoever on this network. They did have an RMM. For those of you who didn't, what that means, most MSPs have some version of software that sits on your computer and does diagnostics and remote management, general maintenance, right? That did exist.

But there was no evidence there was anything else going on whatsoever. No monitoring of any sort when the network or server would go down over the weekend due to a power spike. The MSP was not there Monday morning saying, Hey, we noticed your servers down. Do you do that? Like if a client server goes down, you know about it, right? I or your, or your techs do correct. ⁓ So that was gripe number two of this prospective client was like, you know, they say they're monitoring. We're paying them to monitor, but

Bryan Lachapelle (08:16)
We know about it before they do most times. Yeah.

Justin Shelley (08:30)
When stuff goes down, they don't know anything about it. I've got to call them and beg them to show up then to come do anything. Gripe number three is like, they're doing their own IT and how, you know, not because they want to, but because out of necessity crawling under desks, plugging things in, unplugging things, you know, trying to fix these trust relationships that are breaking all the time. So anyways, I, after doing my assessment, I just thought, Holy shit.

Bryan Lachapelle (08:36)
Yikes.

Yeah.

Justin Shelley (08:58)
You know, it's, bad enough, the $2,000. may as well take that and light it on fire every month. At least then, at least then, you know, you're getting nothing for your money, right? The worst problem is they're paying it and thinking they're getting something for their money. So that today, Brian is my spooky story for Halloween is how many businesses out there pay money to have their networks maintained and protected and secured. And they're getting.

Bryan Lachapelle (09:02)
Great. What are they getting for that?

Yeah.

Justin Shelley (09:27)
best, less than they expect. And at worst, literally nothing, ⁓ horrible, horrible situation. And I'm genuinely terrified for this organization, like one blip and they're gone. They're off the map. So, ⁓ Brian beat that story. What do you have? What, what have you found when you go, like, don't expect you to beat it. I've been in this business since 1997. I've never seen anything this bad in my life, but what do you find? ⁓ cause you don't find when you go into new client, you're not finding greatness.

Bryan Lachapelle (09:45)
I mean, that.

Justin Shelley (09:57)
Right. So what are you finding?

Bryan Lachapelle (10:00)
Okay, so there have been situations where I've gone and did an audit for a client where ⁓ they were actually getting what they were paying for and I was actually relatively impressed. So that was a spooky story for me because I was like, ⁓ I can't really do anything more for this client. How do I beat them? ⁓ That being said.

Justin Shelley (10:07)
Nice.

Okay. How do I beat them? Yeah. wait, now I want you to pause.

What do you do in that situation? That is a great point.

Bryan Lachapelle (10:20)
Well, what I do in that situation is try to inquire why they're even looking around in the first place. just because they're getting the cybersecurity component down pat, it's possible that the prospect or the person I'm meeting with has gripes about how the service is being delivered on a day-to-day basis, when they place a phone call, how long it takes to get back to them. ⁓ Maybe the relationship has gone sour. There's usually a reason why we're being called in. It's not usually about price. It's usually, right. Yeah.

Justin Shelley (10:24)
Okay.

Processes, maybe personalities. Yeah. Okay. Okay. Fair

enough. Continue.

Bryan Lachapelle (10:50)
⁓ But in most cases, in most cases when we walk into ⁓ a potential client and we do our audit and we do a full audit and it's the same audit we do against ourselves every quarter. So whatever audit we're doing against our client every quarter is more or less the same audit that we're doing for a prospect. And so we're verifying a pile of different things. And ⁓ my scary story, I suppose, is very similar to yours. ⁓ Invoice specifically says they're getting backup.

And yes, they have backup on the server. They have backup on certain workstations. But they've been failing for the last six months. So it's not even that it wasn't installed and it wasn't running. It was running. It's just been failing every single time. And so that's almost as bad as not having it at all, because it's a false sense of security. And this is stuff that you should be able to get a report on and be able to see that, yeah, it is actually happening or not happening. ⁓

Justin Shelley (11:26)
Mm. Just failing.

Bryan Lachapelle (11:46)
Same thing with patch management. Software on workstations require update. And we're not just talking about Windows. We're talking about Windows, Adobe, Firefox, Chrome, all the suite of software that you're using. All of it requires updates, because it's made by people, and people are inherently flawed. And so we introduce bugs into our software when we, not us, but the software developers do. And so they have to constantly be updating and patching and fixing. ⁓

And so, but there is such a thing as automatic updates with Windows. And so those were running on the computers. So they're paying for patch management as a line item on the invoice, but it was all automated, right?

Justin Shelley (12:26)
They're just getting what

comes built in with Windows for free.

Bryan Lachapelle (12:29)
Right, Windows is already doing that for free, but they weren't getting the third party stuff. So Chrome wasn't updating on its own. Firefox wasn't updating on its own. Adobe Acrobat Reader and all the different third party software that we would normally update on behalf of our clients. Because who wants to get messages every 10 seconds saying there's an update required and having to determine, yeah, OK, this is an update I want to install or this was actually a virus or attempted infiltration that people are trying to accept. Because our employees of our customers

Justin Shelley (12:31)
Yeah.

Bryan Lachapelle (12:58)
don't have always the discernment to be able to say, yeah, that's a real update. And no, this is just a website that's saying I need an update. So we don't want the employees of our customers to ever install updates. In this case here, they would have had to because although they were paying for updates, they weren't actually receiving anything for that money. And so it was kind of the same thing, just lighting money on fire every month for services they thought they were getting. In fact, they were saying they were being backed up. They were paying for backups and they were failing left, right and center.

So yeah, that's my little Halloween horror story.

Justin Shelley (13:32)
I

mean, I could, I forgot to add the, the updates security, basic free Windows updates that happen automatically. Don't, by the way, always happen automatically. And that was another thing I found in this particular case where the servers with no antivirus with failing processes and services, and Active Directory errors housing their entire life, were not updating. We're right. Right.

Bryan Lachapelle (13:56)
Servers very rarely update on their own. I mean, it'd be very

frustrating to have your business come to a complete halt in the middle of the day because an update is applying. So by default, that's typically on manual.

Justin Shelley (14:00)
server, just go offline. Right.

Right. And, and

again, there, there was at least the, the belief that this was happening on their behalf and was not so, so today, what I really wanted to dig into, because what I don't like is coming on here and scaring the shit out of people and then just saying, Hey, deuces, see you happy Halloween. You know, ⁓ I want people to walk away with tangible action items. So let's work through tangible action items. I'm a business owner.

Bryan Lachapelle (14:16)
Right.

Hahaha

Justin Shelley (14:36)
I know nothing or I know very little or I know just enough to talk technology with my MSP. What are the things I need to be looking for? What are the questions I need to be asking? How do I know without a doubt that when I write that check, the deliverable is actually taking place? What are your thoughts?

Bryan Lachapelle (14:56)
Well, I have two thoughts on this, two different sort of areas that I would look at. If I were a customer who required managed services and I was hiring someone like me, I would want an independent third party audit happening at least annually to verify that the MSP that I've hired is doing the work that they claim. Because as somebody who is non-technical, if I'm running a business and I'm non-technical,

I have no idea if what they're saying is true or not true. And the only way for me to get justification or the root is to hire a third party independently and have them audit. And I would welcome any of my clients to do that and they would find nothing. And if they did, it would be minor and we would remediate because every ⁓ security company will be looking for something different. So it's not a terrible idea to have an independent third party analysis done anyway.

Justin Shelley (15:53)
Well, and also to be fair, if we're following frameworks, let's just talk about like the CIS framework, is one of my favorites ⁓ has, I being a favorite, I should know the number precisely, but it is in the neighborhood of 140 different controls and protections that it requires. There's three different levels of implementation and whatever. So you can always find something to improve, right? But the basics.

Bryan Lachapelle (16:05)
Ha ha.

Right. That being

said, though, CIS controls is a combination of technical security implementations and administrative and procedural implementations. And so to properly set up and properly have all of CIS controls in place, you have to have buy-in from the customer or the prospect or whoever you're dealing with on a leadership level to put in place the administrative controls and

Justin Shelley (16:29)
policies, procedures, all kinds of stuff.

Bryan Lachapelle (16:48)
the technical controls that we would put in place. So it's a joint responsibility between the client and us as the MSP, not solely on us. Yeah.

Justin Shelley (16:56)
which is the perfect picture, right?

Yeah. The way it should be in my opinion. um, okay. So continue. think I kind of derailed us a little bit, but what, what are you looking for as, as this owner non-MSP, what are you looking for?

Bryan Lachapelle (17:06)
Yeah, no worries. Yeah.

So if I didn't have an independent third party coming in and doing their own separate analysis and giving me a report, at the very least what I would want to have is, depending on the size of the company, if I'm just like a five, six person shop, maybe a once a year would be enough. But if I'm a larger operation, I would want to meet with my MSP at least quarterly. And during that quarterly review, we'd be looking at things like at least having access to reports.

reports saying here are the devices I have and are they up to date? ⁓ Is there any ⁓ security patches that are not installed? And if so, what is the status of them? ⁓ We, in that same ⁓ report or an additional report could be here's all the backups we did showing success or fail, right? Throughout the entire, because there'll be failures. There'll always be failures, but then there should be followed failures with successes. And so that you should at least have a report on a quarterly basis minimum showing like here's all the backups and they're successful. ⁓

And if you really wanted to test people on a monthly basis, you can just say, hey, I've deleted this file. I need you to recover it for me. And that would be an individual verification that you don't need the MSP to give you a report or anything. It's like, hey, I had a file there. I deleted it. And I accidentally deleted it. Accidentally. Can you restore it for me? And if they can't, then that's a red flag. And if they can, great. At least the backups are running. Whether they're complete or not, that's a different story.

Justin Shelley (18:13)
I love that one. Yep.

Bryan Lachapelle (18:36)
but at least you know that there is some form of backup in place. ⁓ In addition to that, during that technology business review or during that meeting once a quarter, it would be also establishing, are they bringing forward to me new things that I need to be concerned about? New policies, new procedures, new ⁓ policies that I should be putting in place in my business. Are they working in conjunction with us?

on a quarterly basis to improve every single quarter, right? We talked about the journey and 1%. You know, on a quarterly basis, they should be at least trying to do something every quarter to improve my baseline operations, whether it's like, you know, helping me ⁓ implement more CIS controls, because you can't implement everything at once, it's just not possible, right? ⁓ And then lastly, is just what are they going to be?

Justin Shelley (19:21)
No.

Bryan Lachapelle (19:28)
implementing to improve my business moving forward that's outside of security, outside of CIS, right? Are they working with me to establish a 90 day action plan? Here are the computers that would need to be replaced. Here's a budget for your business. Here's all the devices that you have in your network and here's roughly when they're going to be replaced or they should be replaced. Of course, it's a joint decision making process on when those things happen. But like, are they actively involved in your business to help you improve it from all angles? Cybersecurity, technical?

⁓ efficiency, making sure the technology is up to date, and are they actually helping me improve my business on a day-to-day basis ⁓ using technology? And that's how I would know I'm getting what I'm paying for is if I'm at least getting that meeting once a quarter to go over all of it.

Justin Shelley (20:15)
Right. And I love that because you're aligning not just with the technology standards, but also with their individual standards. Not only do you have, you know, because every, every company has its own goals and vision, obviously they also have a risk tolerance. Not everybody is prepared to, or willing to, or interested in being completely secure or locked down a hundred percent. Like, you know, there's, there's because with every security control comes a trade off in both.

cost and convenience, right? And that is a decision that is a business decision that needs to be made. There are baseline controls that I believe everybody should have. And then there are decisions that need to be made along the way of what's the trade off. And, you know, let's look at the whole picture and decide what fits for your environment and your culture. So perfect. Absolutely love that.

Bryan Lachapelle (20:55)
Right.

100%, a good analogy

to that would be, I can secure your business 100% and guarantee that not a single intruder will ever get in. And that involves turning off every computer in your office and turning off the internet. That would be secure. It would be unusable, but it would be secure. And so somewhere between that and doing nothing is where we want to be. So definitely a trade-off.

Justin Shelley (21:11)
Right. Yep.

Yeah. Right. Right.

Always, always. So okay, so you've got yours. These are mine. This is if I'm a business owner. I don't know a whole lot about technology. Again, you have to know enough. You got to know how to talk to business. ⁓ But if I just had a few numbers that I was looking at, or a few items that I was looking at to know that my technology was being taken care of.

The number one thing I would look at Brian is response times because that is always what people call in about. And in that case, response times, my experience, tell me if I'm wrong, never really the problem. The problem is not response times. The problem is that's a symptom, but what's always going on behind the scenes is a lack of procedure. ⁓ lack of really anything. The basics aren't being handled. The company's on fire. The MSPs on fire in one way or another.

And they're just not delivering response times is what the client notices first, but a lot of things are probably happening in the background that they don't know about whatsoever. So I would look at that. If your company is on, on top of it, they're responding quickly. That's a good kind of gut check that they're doing something right. Of course we got to dig deeper and I love your, ⁓ you know, your, quarterly review. ⁓ for me, I look at, I do kind of the same thing, but I frame it differently. I am a stickler for frameworks.

published standards, you know, I've already mentioned CIS, along with that comes some version of a POA&M, a plan of action and milestones. And so one thing I would tell business owners to ask their MSP is what framework are you following? And it doesn't have to be published. I will say that because not everybody subscribes to this theory, but if it isn't a published agreed upon industry wide standard,

They at least should have their own internal standards that they're measuring against. And I should be able to come to you, Brian, as my MSP and say, Brian, show me the controls and protections that you're putting in place in my business. Show me the gaps and show me the path forward. And you should be able to deliver that. Correct? Any MSP should be able to do that. ⁓ And then maybe, and I'm stealing this from you, honestly, because you've said this a few times, ⁓ ask about their processes. Show them to give me your printed processes and procedures, Mr. MSP.

Bryan Lachapelle (23:39)
Yeah,

for the record, won't give anybody my printed processes and procedures, but I will bring a book and I'll say like, here are my printed processes and procedures. That is the secret sauce to our business, right? You don't go to McDonald's and say, give me how to make every single thing in your company, but they have that because you buy a cheeseburger ⁓ here in Canada, you buy a cheeseburger down in your neck of the woods and it tastes the same, right? They have a process that they follow on how to cook it, how to prepare it, how to make it, all of it.

Justin Shelley (23:42)
But what can you do then? If you won't give it to him, what would you do?

Right. Correct.

Bryan Lachapelle (24:07)
It's the same thing in our business. We have all of our processes in the minutes are electronic, but I printed them out, put them in a book. And sometimes when I go to a sales call, they like, here's our processes. I challenge you to ask your competitor, my competitor for their processes. And in most cases, they won't be able to produce them because they don't have any. Right. So if a breach occurs in their business, they're going to handle it differently every time. If a password is requiring to be changed on somebody's it'll be just winging it and just changing it. However, there will be no process.

or procedure like, hey, maybe we need permission. And who do we need permission from when that happens? Okay, we got to go to the point of contact at the business. Who's the point of contact? Well, you can find the point of contact in this very spot in the documentation for each client, right? So, or approvers list example, right? Every single thing that we do at B4 Networks has a process and a procedure that is documented and our team is trained on it.

Justin Shelley (24:59)
Yep. I love it. And you know, really it's, you can tell by asking the question, I would submit that you don't even have to see the procedures printed or otherwise. I can just say, Brian, show me your procedures and you can give me that speech right there. At least I know you have them, but a lot of times what you're going to get is this look, you know, it like, ⁓ well, I'll go, I'll get back to you or like, those are top secret. ⁓ but,

Bryan Lachapelle (25:09)
Right.

Heh.

Justin Shelley (25:29)
And the same thing with frameworks. So the reason I love that question is like, what framework do you follow? If you get a deer in the headlights look, or you can't, you know, say, well, we, follow internal frameworks, you know, internal standards. If there's not an answer to the question, you know, there's a problem. So these are just some simple things that you can do. I'm going to throw these together in a PDF that's downloadable. So we'll, we'll, come back to that, but ⁓ I just wanted business owners to have just a really quick cheat sheet to cut through the, the noise, the garbage, the lies.

I would argue fraud, you know, in the case I'm talking about, like, I believe this to be criminal. I it's, it's just, it's a terrible thing about our industry that people can get away with this. So ⁓ anyways.

Bryan Lachapelle (26:10)
I find

most people mean well, they just don't often know because here's the reality of the situation. You don't require a license to be a managed service provider. If I go to a hairdresser, a plumber, an electrician, an accountant, a doctor, a lawyer, they are all governed by law and require a license to do what they do in one way, or form. And ⁓ with what we do, you require nothing. You can have somebody who's fresh out of high school,

Justin Shelley (26:20)
Exactly.

Bryan Lachapelle (26:39)
set up a shop and claim they're a managed service provider, doing cybersecurity. And unless you know what you're looking for and what kind of credentials to ask for, and even then most people don't even have those credentials because there are no requirements for them. And so you won't know what you're getting unless you know what to look for.

Justin Shelley (26:56)
It's a weird world. And, you know, I'm glad you brought that up because next week, here's a little teaser for next week. We're bringing the great, the one and only Robert Choffee back on. And we are going to talk about that very thing, the, the lack of regulation and the government's role in all of this, because quite frankly, it's absent and it is, it's scary. You talk about a scary story. ⁓ you're writing a check to somebody who is keeping you in business or potentially putting you out of business and there's no oversight.

Bryan Lachapelle (27:07)
Yeah. Right.

Justin Shelley (27:26)
So crazy, scary, spooky world that we live in. Brian there, we're going to keep this one short and actionable today. We're going to go ahead and wrap this up, but tell me, ⁓ you know, just final thoughts, key takeaways, anything you want the listeners to know before we sign off here.

Bryan Lachapelle (27:34)
Awesome.

It would just be that very thing. Expect your provider to work with you as if you were going through a journey. I love the whole journey concept and whole journey idea because the reality is if I were taking over a client today, there's no way I can put everything in day one. It's going to take time and some things could take three months, six months, a year to get in place because some of the things are administrative and they take a lot longer. As long as you're expecting and you're ⁓ instructing,

your MSP to work with you on a regular basis to improve every single day. That's what I would recommend for you. ⁓ Just have that in place. What is my next thing that we're going to be doing to improve today or this week or this month?

Justin Shelley (28:28)
Well, and honestly, Bryan, even you're absolutely right. I'll add to it that even if you could implement everything all at once today, the, well, the fact is it, change, the world of technology changes, the world of cybersecurity changes. It has to be a journey. It has to be something that we're looking at on an ongoing basis. So, great points. I'm going to wrap up with saying again, that this is an unregulated industry. And if that doesn't scare you, it should. Happy Halloween. Trust, but verify, right? So.

Bryan Lachapelle (28:35)
You wouldn't want to, it'd be disruptive.

100%.

Justin Shelley (28:57)
Trust your MSP, have a great relationship with them. Have these quarterly meetings that you're talking about, Bryan, and also download this checklist that I'm going to put together. It'll be in the show notes. And use it, ask questions, find out from your MSP if you really are getting what you pay for. The thing that I hate more than anything else, the thing that terrifies me more than anything else in this world, in this, in the world of technology is when I go to somebody and say, Hey, how do you know your MSP is taking care of you? And they say, no, they've got it covered.

Bryan Lachapelle (28:57)
Trust but verify.

Justin Shelley (29:25)
And they, but they can't answer why they can't answer how they just have this, this trust, this unverified trust that is dangerous. That is scary. Um, so guys, if you want more, go to unhack my business.com, you'll have the show notes, you'll have the downloadables. Uh, you can just tap the link in the show notes. If you're on Spotify or Apple podcasts or whatever, go to the details for this episode, hit the links in there. You'll have this one. You'll have Brian's, uh, company website, his contact information and everything you need to know.

Bryan Lachapelle (29:28)
Right.

Justin Shelley (29:54)
to keep your business unhacked. That's what we've got guys. Join us next week to visit again with a great Robert Trophy as we break down government regulations and what that means for our industry. So Brian, thank you for being here as always. And with that, we're going to sign off. Take care guys. We'll see you next week.

Bryan Lachapelle (30:08)
My pleasure.

Creators and Guests

Bryan Lachapelle
Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.