Skip to content

WEBINAR  Beyond Trends: Actionable Cybersecurity Advice for 2023 with Bugcrowd and Red Canary · December 14, 2022 ·  Save your spot!

VIDEO

MSSP 101: Adding an Extra “S” to Your Managed Service Provider (feat. CyberHoot)

Category: Informational Series

   BACK TO WEBINARS

Play

Please accept marketing cookies to watch this video.

Transcript

How about it? You guys want to get started? Let’s do it. Awesome. Sweet. Thanks, everybody, for attending our webinar today. Like I mentioned, title is MSSP 101, all about how how you can add that extra s to your managed service provider, really upgrade the suite of offering that you have, and stand out among your heavy competition in the industry today. Yeah. Let me introduce our two panelists, who are the star of the show? I am by no means the star here.

We’ve got Craig Taylor from Cyber Hoop. Craig, do you want to say hi? Hi there, guys. Looking forward to talking to you today. Sweet. And we’ve also got Tim Martin here as the rep from PlexTrac. Tim, you want to say hi to everybody? Yes. Welcome, everyone.

Awesome. Sweet. Yeah. These two are going to be your experts for the talk today, and without further ado, I’ll hand it over to them. Craig, if you want to introduce the agenda for today, certainly. So today we’re going to talk about adding this in security to your MSP. Managed service providers today require a lot of support and value for their customers, and we’re going to be showing you some of the tools and techniques and processes that you can bring to bear to help add security services to your MSP.

We’ll talk about how you add those services in the focused areas of people, processes, technologies. We’ll try to paint a picture for what your future MSP might look like, or should we say future M SSP, where you’re embedding some of these security services because they are easy, simple, automated to your MSP to bring more value to your conversations, your relationship with your clients. And then we’ll open it up for Q and A at the end. Tim, did you have anything to add on that that you’d like to focus on in today’s webinar? No, I think you hit on everything, Craig. Excellent. Okay, so we’re all MSPs today, and we have a need to add things to our very competitive marketplace or bevy of services when we operate our MSPs. But we have a lot of challenges as well, right? We have challenges on the competitive side.

We have a lot of MSPs. There’s not a lot of barrier to people hanging up their MSP shingle and saying, hey, I can manage it for you. And so there’s a lot of competition. There’s not a lot of high quality, perhaps, but there is competition as MSPs. Tim and I have gone back many years. We work together at an MSP in the past, and we always were focused on revenue. We need to bring revenue into support, our staff, our technology, all of the things that we need to do to operate an MSP through lean times and good times.

And so revenue is a big focus for MSPs. Customer value is one of the ways you differentiate yourself from that competitive marketplace. So we want to talk today about adding some customer value and security. Obviously in today’s world, security really has to be embedded in your MSP. You may remember the Casa event from last summer that threw a lot of fear in a lot of small businesses, medium sized businesses that were relying on an MSP. That what if we had a cassette event, or what if we have ransomware that’s introduced to us not by our own clicks of employees, but by an MSP. So security is a differentiator that we see today as well in an MSP, in marketing themselves, in providing that peace of mind to your clients.

Those are the four areas where security services to your MSP can play a really big role. Tim yeah, I think that maybe before we dive in, it wouldn’t hurt for you and I just to kind of give a quick overview on our background and kind of where we came from before today. Yeah, let’s do that. Yeah. So, a little background of myself. I started an MSP back in 2006. We were a pure play MSP from day one.

I exited in December of last year via acquisition cross task with Craig Taylor, came on board as our CISO back in 2014 and really helped us from a maturity level to bring us up to an MSP. So by securing ourselves first and then securing our clients. So, yeah, it was a fun journey, and we’ve been through the journey of adding that extra S, and it was a lot of fun. And there’s a lot of benefits to doing that, for sure. Yeah, we’ll get into some of those benefits. My background for those on the call is about 25 years in cybersecurity. I started out before there was a World Wide Web.

So how we live our lives today with the Internet is very different today than it was 25 years ago. I have a bookshelf with a dozen books with animals on them. Those are the O’Reilly books on DNS SMTV all the Internet protocols. So I know more than I care to admit. And I’ve worked for large MSPs and small MSPs before. Back in 1997, I think. I worked for a small MSP out of Minnesota.

Then I worked for a multinational MSP called Computer Sciences Corporation, providing web hosting services to companies like Dupont, Citizens Bank, Bows, all sorts of different things. So I’ve been through hundreds of audits. I’ve seen the pain that can occur from companies that go through audits or have to answer questionnaires for cybersecurity insurance or have a security event itself, and have led a lot of security incidents for MSPs, for SMBs, and along the way picked up a few tips and tricks that I want to share with you today. So, security services for MSPs, we’ve got some reasons that we started to talk about to help with competition in the industry, to help with revenue. Some of these are revenue generating opportunities, customer value and security. Tim would you focus on any one of those areas as a key factor when you are leading your MSP? Or thoughts on that for our audience? Yeah. Really? All of them security.

We sort of became an MSSP because we had to. We had clients asking us for risk assessments as far back as 2014, which is when you and I crossed paths and we knew we had to make that move. I think we also had the foresight to and know that this is where the industry is heading. We need to be secure. We need to secure our clients. But the revenue part of it was definitely another MSTs are always looking for ways to add additional revenue streams. And that was another component that was important to us.

And standing out from competition 100%, I mean, that’s another big one as well. I remember when you first talked to me, you were in the thick of a security incident with one of your clients, and I came in to help out. And then we started to adopt things like the cyber hoop platform of awareness training and maybe a little bit of policy governance of clients. And we seem to drive down the security incidents for those companies that were doing the awareness training. What would you share about that? Because I do remember, but I want to see if you, as the MSP owner, had a perspective on that. Absolutely. I mean, we were probably experiencing a handful of security incidents every quarter, and that was part of the course with MSPs at that time.

Ransomware was really just starting to hit SMBs. And yes, when you came in, I think we had a school district that had 4000 MP points that had been infected with ransomware. So that was a rough situation, but we got out of it. And then on the other side, by training our clients, it really empowered them to make the right decisions and to be more secure and stickier clients as well. Yeah, I remember back then we also had to run some scans of the network with tools that were a lot less automated than Flex Track. Right. Remember, we had some of our staff trying to determine where all of the instances of the virus or the ransomware were located within the network.

We had to set up a bunch of different mechanisms to do that. So having an automated tool like Flex Track to do forensics and to do some analysis might be helpful as well. Would you agree? 100%. I mean, you and I have said it that we wish we knew about Flex Track back when we were working together because it would have saved a ton of time. Yeah. Good. So any final thoughts on this before we move on? I think we can keep going.

I do have one more. I remember that your most expensive resources, your engineers, became the biggest proponents of cyber hoop because all of those incidents happened when always after hours, weekend hours. Right. Sunday night. Yeah. So the engineers that had to get involved in the data recovery mechanisms, the email recovery, all of the different security incidents that occurred, it just never failed. It was on Thursday night.

Friday night into Sunday, Saturday, Sunday. And so the quality of life of those folks improved for the companies doing the awareness training and Cyberhood, and that actually led to higher retention of employees, happier clients, stickier clients. So there’s a lot of hidden benefits to this that you should think about when you’re adding the S security to your MSP. All right, 100%. And we’re getting into the next slide. So maybe I skipped ahead, but what happens? How do you add the S and security to your MSP? So we talked about Cyber hoot. Cyberhood is a learning management service that provides awareness training on a monthly basis to your clients.

And it’s fully automated. So you would just use individual management, user management. You can tie it into Azure Ad and it delivers an awareness training video, short ones, because we know attention spans are very short. At Cyber hoop, three to five minutes with a few questions, all with a password list environment. So the individual user gets an email in their inbox. They click on it, they say, it’s your monthly awareness training. They click the link because we know they’ve authenticated to their inbox, and they’re instantly doing training.

So there’s a lot of friction. That’s eliminated with not having them to remember the URL, log into a URL, forget their password, do a reset, struggle with complexity rules on the password. All of that’s eliminated with Cyber. So it’s getting to a fully automated solution for us. And that’s the theme today, is in any security services that you pick up as an MSP, you have to be careful that you don’t sign up with vendors that have a lot of heavy lifting on the administration side. And that’s where Flex Track maybe you want to say a little bit about Flex Track in that sense, Tim. So they understand the automation? Absolutely, yeah.

I mean, Flex Track is really a database for a single pane of glass for vulnerability management and reporting.

Yeah, it really simplifies the process and reduces time to creating these reports, which we know takes a lot of time and nobody likes to write them. So we’ve really helped out in that area. I remember running an Nmap scan years ago and writing scripts by hand to eliminate all of the what are they called? Plugins in what’s called nessus today, or I think it’s nests. And you had to eliminate all the false positives or the findings that you didn’t care about. And it was such a pain. I dreaded the monthly vulnerability scan. I had to run over a computer sciences corporation, and if I could go back in time and pull something like Flex Track in, what a difference that would have made.

To my life as a security engineer back then. Game changer for sure. And then writing up this for management is one of the benefits of Flex Track, is really pulling this together and identifying the critical things from the non critical and bubbling up the most important activities you want to focus on and need to focus on before a hacker takes advantage of it. So that’s a very valuable component, the automation, the report writing, and Flex Track that I’m familiar with. So when you look at what adding the security services like awareness training, cyber who does a bunch of other things too, which is policy management, if you have to put a password policy or a handbook or a Whisk written information security plan in front of your employees, cyber, who can do that? It does dark web monitoring and reporting, and more importantly, it does fish testing. We have an interesting study that we did with a single company that had been doing training for three years in cyber hoop, and we added fish testing to that company about two years ago. And the first test, out of 350 people, I would say 35, clicked on the fishing link to the fake website and we had seven people give us their credentials.

And their management team was livid with cyber hoop. They were like, why does this happen if you’ve been doing training for two and a half years? And what we discovered at the time, I didn’t know this. So in retrospect, I’m just sharing this with the MSPs out there. At the time I said, I’m not sure, let’s wait for the next quarterly scan and see what happens. Because it could be that the training isn’t working, but it could also be that the employees aren’t applying their knowledge because they’ve never been tested before. So we ran another test, a phishing test. This is the traditional attack email that goes to the inbox, and we actually tested 100 people more, so it’s about 450.

The second time, not one person provided credentials. We did get, I think, 15 people click on the fake website. And that continued to drop over time, but it really proved that testing your employees or testing your clients employees with a phishing test is incredibly valuable. Now, that’s not easy to do. It’s certainly not automated in the traditional sense of things. Tim, you remember we had to write Allow List to do that kind of testing. We had to run X headers because of the way emails architected, you have to tell not only your Barracuda or Minecast or proof point spam filter about the email.

That’s a fake attack email, so it allows it through. You also have to tell Google Workspace and Microsoft 365 to let it into the inbox. And sometimes you have to even write PowerShell scripts to move those messages that somehow end up in clutter junk and spam into the inboxes. So at that point, a young user can look at it and say, oh, that’s an attack, and delete it. Or they click on it and they get some additional training. Cyber Hoods reinvented that recently by eliminating all of the friction points of friction because that process is cumbersome and difficult for MSPs, but it allows the MSP now to send an assignment that is guaranteed email delivery to the inbox with none of that work. No allow list, no X headers, no PowerShell scripts.

It’s just a link to an assignment on Cyber Hoops website, which is actually your MSP branded website. Yeah, that’s something we should touch on a little bit more too. Just the fact that really talking here about how do you create happier people, easier processes and the robust technology. And we both do the Flex Track and Cyber Hoop by offering the ability to white label the product, which I think is we always look for as an MSP, we were always looking for partners that we wanted our logo on there to keep these clients sticky, right? We don’t want to take any credit at either of our companies. We want to give the credit and the value to the MSPs performing those security services. And that leads to stickier clients, doesn’t it? It’s not on this page, but it’s happier clients, but stickier clients too, right, when they see that value coming from their MSP. Let’s talk about processes for a moment, Tim.

Talk about the process of running a vulnerability scan or I can talk about it. I was talking a little bit about the process of fish testing.

I mean, you’ve surely done a lot more of it than me. But I can tell you when I talk to our service provider partners that currently they are using Excel spreadsheets, Word documents, they’re importing from four or five different applications and then have to aggregate all that data manually. And in the process of copying and pasting, they’re bringing in client information from another client that shouldn’t have been on the report. And so it’s a real headache and you can attest to that as well. Creating these reports and Flex Traffic has really eliminated all of the headaches around it and brought reporting to the point where it’s enjoyable because it’s not a time consuming process. And you can pull in data from pantera, from nests, from all these different pen test applications and then deliver it in a report that is concise and as we like to say, pixel perfect as you would deliver to your own client. There’s nothing I hate more than having to do report writing.

I’ll be honest, I haven’t heard anyone say they enjoy it, I can tell you that, ever. It’s so nasty, it just takes so much time. And you’re right, you can reuse a template, but you have to make sure that every reference to a previous client is out of it. And sometimes you miss those and can be a little embarrassing on the side of process. I think it’s really important to just underline one of the innovations that Cyber Hood has made on that fish testing that I was talking about a moment ago. With our current Fish testing, we have a zero administration Fish test that doesn’t allow any of those allow lists. So it’s an easier process to build fish testing into all of your client environments as an MSP, if you choose the cyber product, and that’s because we send it as an assignment and the user clicks on the link, takes that assignment, no different if they’re reading a policy or watching a video, they’re taking a phishing test.

We outline the seven hallmarks of a phishing attack and we walk them through is this safe or not safe? And the user can hover over help me buttons to learn about typosquatting on a sending domain or to learn why a generic greeting when they know your name is a bad thing. So we educate them along the way. It’s an easier process, but it’s a robust technology for accomplishing what most MSPs don’t have the time or the patience to learn or to even just troubleshoot when Microsoft breaks it all over again after you get the allowance working. So you have to be careful what partners you pick for awareness training and these things like fishtesting and look for some innovation because the former attack emails leave a bad taste in the mouth of the employee, and they sometimes blame the MSP for that quarterly bonus. That wasn’t a bonus. That led to more punishing training that they had to take versus an awareness campaign that says, here’s the seven things you look for. Pass this phishing test and you don’t have to have anything else done.

You’ve got your fishing test satisfied. So there’s a lot of potential value in synergy and easier process, robust technology that can really help out that Craig. Before we go to the next slide, one other thing I wanted to say is just at a big picture level, how to add the S Insecurities here MSP, I mean, how did we do it? We first secured ourselves using a stack of services as well as just kind of self reflection and running a risk assessment on ourselves as an MSP. But choosing that stack of services, adding these types of services, and do you want to talk a little bit about that? Just how we built that out? Yeah, that gets to some of the people. Right is a virtual Chief Information Security Officer, and today there are 3 million open jobs in cybersecurity. So it’s very hard to find any resources to be a full time employee either at the MSP or at SMB. So no one can get these resources.

So if you bring them as a fraction, you’re doing a valuable service to your customers or to yourself. So Tim, had you brought me in as your full time Visaiso because I was available, and then we built out visaiso services for our clients. And parts of those processes were running vulnerability scans and pen tests for those clients and then reacting to it and doing the manual grunt work of report writing, which I think you remember me complaining about. That was never fun. No, it wasn’t. But the people, when we talk about happier people, too, you have to educate them on the attacks that they face, because so much of cybersecurity today is what people don’t know. They don’t know.

If you remember, the emperor has no clothes on. He’s running around town with no clothes on, and everybody’s laughing, but he doesn’t recognize it. That’s what cybersecurity represents to all of us, to many people today. You can graduate MIT and have no training in cybersecurity yet. You have to run a computer. You have to read email. You need to run passwords.

You may not have learned a password manager. Happier employees and people are trained employees that understand the risks that they face, that recognize the value of learning a password manager, of closing and addressing vulnerabilities in their exterior or internal networks with scanning and pen testing. So it really actually helps out with the overall satisfaction and confidence and security of your people if in your MSP, you do these things within yourselves, as Tim was alluding to earlier, and build out your cybersecurity practices for yourself. Some people have said, Eat your own dog food. I prefer drink your own wine. That is part and parcel of what you’re providing to your clients so that when one of your engineers or technicians is on a help desk call or notice a problem, they’re aware of what you’re doing in your own business and can talk about it with the client. Oh, you do training, too? Yeah, we use the same product for pen testing.

We use the same product for awareness training or fish testing. And it’s actually not too bad. I don’t mind it. So those are really important things that help with creating confident, secure, happier employees within your MSP with some of these security processes we’re talking about today. But choosing the right technology provider vendor with a white label offering, with the ability to customize it for your MSP and deliver it in a way that makes sense to you, to your clients, is also really important with that robust technology. Anything else to add before we move on? I think you hit on everything, Craig. I mean.

The only other thing I’d add is just to really point out the single pane of glass and the importance of that for an MSP to be able to allow their clients to view data. Whether it’s a vulnerability assessment. Pen test. Whether it’s training and the compliance of that organization. We always look for partners that would give us that single pane of glass to the data that we needed. So I think that’s an important part of building out your stack, for sure. It’s a great point.

Maybe we’ll have questions about that in the Q and A part, but I remember distinctly talking and this was in particular at CSE and the large multinational, we had probably 30 different consoles that we had to log into and look at things from AV was here and Spam was there, and Firewalls was over here. You could just go on and on and on help desk and ticketing and like, so many consoles. And I think MSPs are tired of having so many consoles. They really want to have smaller, fewer vendors, partners so that they can get one view on things, maybe through API integration and such, those sorts of things. Right, good point. I see some chat comments here. Should we? Okay, there you go.

I’m just looking if we had any questions in the chat at the moment. All right, moving on then. So what would your future MSP look like if you added the security or the S to your MSP? So this is a rhetorical question for you to ask yourself, listening in on this today, and some of the things we were talking about pen testing, vulnerability, scanning of your clients yourself, awareness, training, governance, fish testing of yourselves and your clients. What does that look like? What are the net effects and results? We’ve alluded to some of them along the way. Tim, do you want to take it away and talk about some of those from your experience at your previous roles? Absolutely. Yeah. So, I mean, there was certainly less burnout at our MSP once we rolled out training and had a stack of cybersecurity solutions for our client, our client base.

There just wasn’t as many incidents. People could get sleep at night. So it made surely for happier employees, and our clients were psyched about it as well. They would send us emails to say, hey, look, I identified this phishing email, and they’d be proud of themselves. It was really cool to see.

So that was great. A really huge differentiator in the marketplace, for sure. I would say it was really the tip of the spear to our go to market strategy as an MSP, to be an MSP and enterprise security focused. MSP is how we marketed ourselves. We were essentially an MSP, and that one is a lot of business over our competitors. And like we were saying previously on The Last slide, the revenue increase. MSPs are always looking for those additional revenue streams.

It’s there. The clients need it. And we saw 30% to 40% increase in our MRR by rolling out a stack of security offerings to our clients. So happier clients, more revenue, doing the right things, it’s the way to go. I’ll talk about processes too, Tim. I remember you were always telling us, if it’s not written down in this tool and documented, it doesn’t exist. Right? Right.

If it’s not documented, it doesn’t exist. You got it. So your future MSP is going to take these tools and with the simplicity they have, the document could be a one pager that just says, here’s how you do this. And the steps are load users, training is automatically signed, phishing is automatically assigned, or the next document is scan the external network, deal with the seven.

And you have a systemic effective processes with these tools that enable you to be effective, efficient, and not spend a lot of time spinning your wheels. That’s a really key part of adopting some of these security services, is to systematize them quickly. And so it’s like a McDonald’s hamburger. No matter which client gets a report, it’s always going to be the same taste and shape and it’s warm and all the good things that come with that. So that’s also valuable. It brings value to your clients. I remember, Tim, that many of your clients within the awareness training platform remain clients throughout the time that we were there together, the ones that refused it because we couldn’t force them to be in that tool.

Right. That’s where we had some attrition and we had some incidents, didn’t we? Yeah, I think we eliminated almost all attrition among the clients that were using our cyber security training platform. And I would imagine that if we were also offering ongoing pen testing for our clients, they have a quarterly service, it would do the same thing. It would be in that same position where we’re giving them quality data. We’re demonstrating that we’re addressing these vulnerabilities over time, and that makes for real sticky, sticky clients and great relationships. Yet it avoids those critical middle of the night phone calls like our firewalls down, or our website is down, or this is down because we didn’t catch something, we didn’t take care of something. So scanning really helps you identify those problems when they occur and before the hackers can.

Technology wise, what would a future MSP for those on this call, tim, in your experience, what would it look like from a technology perspective with security in their MSP? Yeah, I mean, you said it earlier about drinking your own wine, eating your own dog food. I like to drink your own wine because it is like a fine wine when you build the right stack of cybersecurity services. So, for us, we didn’t just focus in on one vendor. So we weren’t just all So folks or all Microsoft. We used a few different products from different vendors to sort of create a stack that we felt was rock solid. If Sophos was breached, we weren’t dealing with all of our clients being breached. So the stack was multilayered.

And I liked the way that we did that. I think that that’s generated revenue for us too. Right, you mentioned it earlier, but 30% to 40% revenue gains from your existing customers that trust you, that trust your opinion, they’re with you for a reason. If you continue to add value by bringing these value. Added services to them. That creates a long standing relationship, some stickiness, would you agree? Certainly does, yeah. And I’ll also add that when you’re finding partners for your cyber security stack, you want to find channel focus partners, which Plex Jack and cyber hood are.

And there’s many others out there that folks should be looking at to add to their MSSP stack, that you want to make sure that you do have the ability to white label things, that you have good customer success teams to back you up, that you’re going to get the training you need and enablement to implement these solutions quickly. Because as a former MSP and MSSP owner, we never had enough time to do anything. We were always too busy. All of the folks on this call are too busy, really. They know, lucky they’re here, we’re lucky they’re here 100%, and I hope that we can provide some value and it’s worth taking that time. We used to do it quarterly, where we would evaluate our current staff and see if there were things that we wanted to add to it. I really leaned on you, Craig, as our CISO and our engineers, to bring me a one pager of recommendations on any new products and we would evaluate those and look at our current stack, the things in there that aren’t working now that we could swap out.

Yes, I remember that we finally agreed to offer a password manager service to our clients and what that was like. And I remember there’s a particular gentleman, you’ll know who I’m talking about, who was in his mid fifty s at running a print shop. And the first week he was using the password manager, I had to see him at Rotary and he was like, this is the worst thing ever. He really didn’t like me. And then next week he was like, it’s not too bad. And the third week I saw him at Rotary, he was like, oh my God, Craig, how did I live without this tool for 30 years of computing? It’s such a godsend. I don’t struggle with passwords anymore.

This is amazing. Those are the kinds of stories that really resonate with MSPs because you’re teaching someone sometimes against their will, to become more effective, efficient, secure with your technologies, with the thing as simple as a password manager. Right. We’ve heard of a recent breach at LastPass, and it was a breach of their internal network, not any client data. I would still stand by, and you can see a blog article on this on cyberrout.com. We still stand by our recommendation to adopt password managers. Every company you support should be on a password manager.

It helps for productivity, security, confidence, and it eliminates some of those password related breaches that can occur. So those are the kinds of things you have to be thinking about from a cybersecurity perspective. I’ll end this slide before we go to Q and A with this question. Tim, pre 2014, you ran your MSP for five or seven years before that, right. How was your stress levels then versus, say, after you built out the MSSP, the security. And what was your peace of mind like before and after? I mean, it was reduced significantly because we were firefighters the first five years we’re an MSP, but we were really running around fighting a lot of fires. And that was before we started seeing the ransomware, the uptick and ransomware incident, stuff like that.

Yeah. And so once that kicked in, people were twice as stressed out. And once we secured ourselves and we built out, let’s say, matured into an MSSP, I would say the stress was nonexistent. It really affected the culture in a positive way. The team was happy. I had more time to focus on sales, and, yeah, the clients were stressed out, the employees are stressed out. I was less stressed out.

It’s a game changer. Yeah. You slept better at night, right? Absolutely. I actually slept after 2014. Well, it took a while. It took us three to six months to get things really rolling. And it does take time for you MSPs out there listening to this.

So why don’t we turn it over? We’ve been 35 minutes talking now. Unless him you had any closing thought besides that, I didn’t mean to cut you off there. No, that’s all good. Okay, good. So we want to open it up to the MSCs on the call here to ask questions of Tim and I on our backgrounds, our experiences, our products or companies best practices. Give us tips if you have them, whatever the case may be. It’s an open Q and A now, and I think, Dallas, you’re back to administer or adjudicate questions.

I don’t know what the right term is. Yeah. Either way, I’m here.

I’ve got a few in here, and like Craig mentioned, if you’ve got any last minute ones, please make sure to throw those in the Q and A. We will try to get through all of them if we have the time. I’ve got one, well, a couple of general questions, and then there’s some hard hitting ones for Flex Track and Cyber hoop. The first one that I will throw to both of you is if you can only do one thing to improve your security program, what would you suggest that I do? I think that’s all in the eye of the answer. I’ll let Tim start. I don’t craig, that’s your universe. I mean, you’re the GRC guy.

Well, I’m biased, so my answer just take my answer with a grain of salt because I run an awareness training company. But I do believe this. If you could only do one thing, it would be to start training your employees. 90% of breaches this is a commonly thrown about and supported if you look at the Verizon Data Breach Report and many other sources, anywhere from 88% to 92% of breaches are human error. And the only way to address that human error is to educate them because no one else ever has. We don’t teach this in school. You learn about cyberbullying in school.

You learn about maybe sexting and why that’s bad. You don’t learn about phishing attacks or passwords. My son had his Xbox hacked and he goes, dad, I had a 13 character password or whatever it is. I said, oh, really? Well, his name was something Taylor, right? My last name is Taylor. And I counted out the letters in his name. I said, was it this? He goes, how did you know? He doesn’t have a clue about passwords. Right.

So we need to teach your employees before it’s too late. And so that if you could only do one thing, I would say do some education and training of your employees. That makes a big difference quickly. I agree with you on that, Craig. I think it’s one of the easiest things you can do right away to really reduce the amount of incidents occurring.

Sweet. I will ask one more general one, and then we’ll get into a couple we’ve got a couple of fourPlexTracs and the cyber hoop side. Sure. So as two people who have run a successful MSP MSSP, how do you find the time to adopt, learn and administer these solutions and the other ones that you are alluding to throughout this talk? Yeah, you really have to force yourself to make the time. Like I said, we would book out time at the end of each quarter, the last week or so, that we would be focused in on the evaluation of products to add to our suite or products that we needed to change within our line card or offering. And the administration, these tools cut down on administration because a lot of this stuff is happening manually.

We had folks going out and training our clients in person for cybersecurity training. Craig and I can attest to the amount of time that we used to spend writing reports. And these tools reduce time and make your organization more efficient. So that’s the benefit of implementing these types of tools into your stack. Yes. And not all tools are created equal. When you’re doing your evaluation of any tool, whether it’s vulnerability scanning, pen testing, or awareness training, fish testing, you have to ask yourself about the level of automation and the customization for your white labeling, that sort of thing, because there are certain tools that take more energy.

If you’re doing the traditional attack email fish testing, many MSPs can’t give the time it takes to set up the allow list and test and fix it when it breaks so it doesn’t get done with a cyber hood like tool. You can do it with zero administration and still get those phishing tests that are positive experiences for the employees. Give the SMB CEO and Board of directors a compliance score that shows 80 9100 percent compliance to employees passing a fish test instead of the traditional 3710 percent failure rate. And we don’t know what the other 90% of employees did. So automation and simplification is really also key in answering that question.

Great. Yeah. Thanks to you both. And I know we’re running a little low on time here, but I will ask just a couple of questions specifically for PlexTrac in cyber hoop and I’ll bounce back and forth. So this one is for Tim. For PlexTrac. Are the reports that you create in Plex TRAC limited to specific pen testing platforms, applications, tools? What does that look like inside the platform? Yeah, so we have about a dozen that we natively support at this point.

In addition to that, we have an open API to allow for other tools to be able to communicate with the platform. Great. And bouncing back to Craig. So this one is for cyber hoop. So the assignments for the training that you’ve mentioned about cyber hoop are sent out via hyperlink to a branded website. Does this mean that there’s no direct message injection required? And these emails, talking about white labeling those emails as well? Yeah, we have a cyberhood.com, we have DMark, Dkmspf records set up, we have high reputation, we’re very careful about how we operate our fish testing environment. So that you do not need to allow, list or whitelist anything.

There’s no direct message injection required. We can guarantee the delivery of these assignments, whether it’s a policy of video or a phishing assignment. None of the Allow listening, it just goes to the inbox the end user clicks and they’re instantly doing their training. That’s one of the key reasons we can get in the high 90s for compliance for companies. I can show evidence there’s a white paper on our homepage for a company called Single Digits that experience 95, 99% compliance across all three parameters. And it’s talked about in their white paper on our home page under Resources, cyber.com resources. But yes, there’s no need for that now.

We can do at cyber the traditional attack emails that leave a bad taste in the employee’s mouth, but you do have to do the Allow listing, the X headers and the PowerShell scripts. In that case, we can do both. But we find a lot of companies that are either doing both or they’re shifting to the assignment based fish testing because it’s such a better experience for the end users. It doesn’t make the MSP or the It administrator look bad because that’s who they blame. They don’t blame their own failure to identify a phishing attack. They’re like, you are a mean, nasty person for sending me that really tricky phishing attack.

Great. Thanks, Craig. This one is kind of a softball team, but it was asked in the Q and A, so I will take it. I’ll take a softball. How do I see a demo of flex track, give me a shout.

I believe we have a link right on the website that you can go in and fill out and that’ll go make sure you get to the right person. You have it right on your screen now, too. Flex driver, here we go. Right, allen. Comciverhoot. You can book time with either of us, or in this case, the person was asking about plex traffic. But I should have advanced the slide.

Sorry about that. No worries. And the last question we’ll have time for today is back to you, Craig. And then I’ll let you guys both wrap it up for cyber hoop. What does customization look like for each client for those fish tests? So, if you’re talking about the traditional phish testing with the attack emails, you can only select from the database that we’ve created of, I think, 75 different fishing tests. We continue to add to that, but we have over 150 of the assignment based phishing assignments. The beauty of the new method of fishing testing with the assignment base, where you don’t have to do the allow list and everything else, and it’s a positive experience for the employee, is this, we can impersonate anyone we want as perfectly as we want.

I have received two ceased desist letters in my Cyberhood days from the IRS and from Facebook. Who someone reported the traditional attack phishing scam to them and they sent me a legal cease and desist. You can’t impersonate us anymore. Which means we can’t help them learn how a Facebook attack would come into that client environment. But hackers can still do it. With our phishing assignments, we don’t have any such restrictions. We can impersonate exactly what we need.

And it’s less important because it’s more of an educational experience for the end user. It’s not important that you pick a technology or a product that they’re using today in the business. It only matters that they understand and they take the randomized test of is the subject safe? Is the sender safe? Is the links and attachments safe? And then if they fail that test, they retake it. We randomize it again so they can’t write their answers down and they actually have to learn how to spot these things and pass the test. And then your board sees that everyone has passed that test. So customization becomes a little bit less of a critical feature and more of, are you educating your end users appropriately? Great. Yeah.

Thank you for that. I believe all that we’ve got time for, so I will pass it back to each of you for any closing thoughts. And to wrap us up here, tim, I’d love for you to start. Yeah, I just wanted to say that I’ve been in the MSP industry even before I started my MSP. Back to 2001 was when I got in the industry. So it’s been over 20 years now, and it’s an awesome community. I think it’s a great space.

I sort of have an obsession with it. So I just wanted to let folks know that are on this call. If you have any questions that you want to reach out, you want to talk, anything MSP or that journey and going from an MSP to MSP, please reach out to me. I’d like to make myself available and happy to chat with anyone and offer any assistance that I can. And I would ditto the same comments. I’ve been doing it as Tim has for 20 plus years. I love the MSP community.

I had a choice when I started Cyber Hoot to focus on a direct sales model or a channel model, and I always chose the channel because I see the value that MSPs bring to the table in terms of technology and process and tools and the ability for you to educate and help protect the companies you support. It’s what makes the world work. The 130,000 MSPs in the world are helping the millions of businesses, and it’s what makes the economy run. So I’m really happy to be able to bring a product that is easy, simple, quick for you to use and adopt and really help empower you. And I owe him a debt of gratitude because none of this would happen if Tim didn’t work with me at his MSP to refine the tool before we turned it loose to the MSP community. So a lot of the trial and error in this product came from an MSP doing what worked and didn’t work and figuring it out, and then we brought it to market. So a lot of thought, and thanks to Tim for that in his past MSP world days and MSP.

So thank you. Reach out to me. You see all the contact information here. Sign up@cyber.com partners or get a demo with the calendar link that you see there. Thanks a lot, everyone, for joining the call today. I appreciate it. Thanks, everybody, and have a great rest of your day.