[00:00:00.840] – Introduction
Welcome to the Smarter MSP podcast, helping MSPs Build Better Businesses one discussion at a time.
[00:00:10.110] – Ken Bartlett
Welcome to the fourth episode of the Smarter MSP podcast, once again, we’re your hosts, Ken Bartlett and Sophie Robinson. We mentioned in our first episode the importance of security and how that will play out in 2021. In today’s episode, I’m excited to cover what are some of the multilayered security services that MSPs should be including in their service offerings and how they can achieve this with their security solutions stack. I’m excited to bring today two guests, so we’re excited for that.
[00:00:41.010] – Ken Bartlett
Our first guest is Bob Andrews at Computer Logistics Corporation. Bob is the CEO of Computer Logistics, an MSP located in California. Computer Logistics has provided mission-critical enterprise and government I.T. support throughout California since 1986. In his role, Bob leads Computer Logistics’ client services and executive team with extensive experience in the managed IT services industry. Our second guest is Brian Babineau, senior vice president and general manager for Barracuda MSP. Brian is responsible for the company’s managed services business and a dedicated team focused on enabling partners to easily deliver affordable IT solutions to customers. Bob and Brian, thank you for joining us today. Can you tell us a little bit about yourselves?
[00:01:33.920] – Bob Andrews
Hi, Bob Andrews, Computer Logistics. I’ve been in the industry since 2000, I started my career with Computer Logistics, thought that the grass was greener, went to a few other companies. It wasn’t, by the way. And I came back after doing some consulting. Ran into the Computer Logistics, current CEO, and started a small consulting gig with them and knew as soon as I walked in the door that I needed to come back and finish what I had started. So, I did that about six years ago and here I am back at it and really love it.
[00:02:17.750] – Brian Babineau
That’s awesome. So, I really appreciate Bob joining. And thank you, Ken and Sophie, for hosting both of us. Just a little bit about myself personally, based on the East Coast, a flight away from the Bay Area or where I spent 10 years living and then returned back to Boston. I’m on my sixth year leading Barracuda’s MSP division where we have built up quite a growth engine within Barracuda to help service, support and innovate in the service provider marketplace. What I’m really excited about is introducing products that kind of start to bring together our data protection, our email security and our remote monitoring and management solutions into a security-centric perspective, helping our partners actually deal with what we think is going to be probably their most persistent challenge for a while going forward, which is cybersecurity risks and the business threats and the business disruption that they can cause.
[00:03:13.100] – Ken Bartlett
Excellent. Well, thank you, Brian and Bob, for a little background there and joining us today. We’re excited to have you.
[00:03:18.710] – Sophie Robinson
Yeah, absolutely. It’s lovely to speak to you guys. I’m going to start today just talking about some trends that we’ve seen over the past couple of months, years, however long we’ve been doing this for, the ones that are kind of predominant now, you know, remote work. And we all know that remote work is here to stay. Businesses are expediting their digital transformation to survive. We are seeing double-digit growth in cloud adoption. And at the same time, we’re also seeing some of the largest, most sophisticated cyber-attacks to date. Guys, Bob, to start with, how has all of this impacted MSPs and the services that you’re offering?
[00:04:04.220] – Bob Andrews
I can tell you that it really sped things up on all fronts. We as MSPs needed to secure our own environments and employees first. And we made a huge investment in kind of overhauling our stack and our standards five, six years ago. And it really paid off for us inside of that stack. We’re a firm believer in “eat your own dog food.” So, a lot of what we were doing already kind of came in handy. And then from a client perspective, it really sped up, upgrading broadband projects, upgraded workloads to the cloud because they realized: wait a minute, everything that Computer Logistics has been telling me–yeah, that’s right. From home, it’s really going to be hard. So … and then you couple that with all of the security events, and you start looking at even recent ones, you know, the Exchange attack–we had only one on Exchange, recent water district breaches, that’s huge for us in our region. The email attacks are constant, obviously. It really opened up a lot of doors because they’re realizing their employees are at home. And that’s a huge gaping hole for them. We’ve got teenagers at home. You got everyone at home type of thing.
[00:05:22.250] – Brian Babineau
So I think, Bob, you make a phenomenal point of the situation that we’re currently, hopefully towards the end of, given by the pandemic. You mentioned the word acceleration. I think everybody was running their business at their own pace and from the chair that I sit in, we were running our business and we have a lot of offices and a lot of camaraderie and a lot of productivity working and helping each other, whether it be real-time education, even better access. You know, we don’t have employees going around with VPN connections when they’re inside of one of our locations. And then, all of a sudden, things changed and we had to accelerate what the new norm was going to be, from our own standpoint. And that quickly took a back seat to accelerating our own portfolio and some of our services and what we needed to do on the security side for clients like you. Because while we were all making that transition, I think you appropriately highlighted the risk profile to small businesses and MSPs alike. It was astronomical. The attacks early on in the March and April timeframe last year around what the pandemic was about, I think employees were more susceptible than they’ve ever been because they were working from chaos and getting their family set up, getting their own businesses running, trying to apply for government help in certain situations, they would click on anything or circumvent good security practices, if you want and if you wish there was an acceleration from our standpoint to try to keep our workforce safe. But, at the same time, we had to make sure that our MSP business, specifically our MSP partners, were ready to deal with the onslaught of the attacks that were starting to happen and a most vulnerable state.
[00:07:07.860] – Sophie Robinson
Yeah, absolutely. And I mean, that was great because it leads on to my next question, which is: what are the kind of security solutions that an MSP must have to protect their SMB customers.
[00:07:25.650] – Brian Babineau
Sophie, I appreciate you bringing it up. And I think Bob’s perspective on this would be great. What we hear from our clients and Bob’s peer group is, you know, the Web is not the same that it was 15, 16 months ago. Applications are running in the cloud. They’re not in a data center in a central office, mostly because those are harder to access. So, technologies like virtual private networks have given way to mobile security. Not to say that they have to go away, but they have to be augmented. Something’s changed. In an earlier part of Bob’s response, you mentioned an Exchange server attack that was recently proliferated through the marketplace. We saw a lot of clients go into Office 365 because exchanges again and on premise or centralized applications didn’t necessarily take advantage of the cloud. So, I think what we realized is that security couldn’t be a separate set of offerings but that it had to be part of your remote monitoring and management strategy. It had to be part of your email protection solution categories and your service offering. More than likely, you had to establish some sort of helpdesk and security operation where you’re either doing some remediation or response. And then I would just say the last part that we suggest to MSPs is the education component, which I don’t think any of us are always going to stand up and say, boy, we feel staff and our employees are the most educated and we can stop, we don’t need to teach them anything anymore. And there is an ongoing component that the security, education, the staffing and the education requirement for staffing has to be a fairly real time and committed to, otherwise, you just, you know, you feel like you’re falling behind as not only as a solution provider, but I would assume as a service provider.
[00:09:21.210] – Bob Andrews
I would tag on to that that email training and awareness is huge and it is probably the blaring, gaping hole in most of our clients. They don’t take it necessarily seriously. Let’s back up. Some of them do, but then others don’t. And it’s amazing, we will run those phishing emails [tests]. Some organizations, it doesn’t matter how much training we do, it’s: “you can’t click on that, it’s undoing all the security that we have there.” That, I completely, hands down agree on that.
[00:10:00.150] – Brian Babineau
Bob, I would love to hear your take on the lens of security, how has it changed quickly? You mentioned you didn’t have too many clients in Exchange. Did you move a lot of applications to the cloud or use more mobile-friendly applications or do some shifts for your clients in the last 15, 16 months?
[00:10:19.980] – Bob Andrews
Yeah, we did, actually quite a bit of that. So even though we’re in Northern California, you might think dotcom or the Bay Area. We are not. We’re just north of Sac [Sacramento]. So, it’s definitely a rural feel up here. And broadband, broadband’s an issue. It sounds cliche, but it’s a hybrid approach for most of this, because we do have certain applications on prem [premises] that just one would be too costly to run to the cloud and the other just if we were to lose power and or Internet, you know, they would be dead in the water. So, there’s been all that broadband increase that we did with most of our clients on the other cloud perspective, there was a lot of hybrid situations which we had to find solutions for, for the most part. So, it was really interesting, interesting to be on our side with that.
[00:11:13.290] – Brian Babineau
We saw the same thing happen in the marketplace, which you just couldn’t stand still.
[00:11:16.920] – Ken Bartlett
Speaking of … Brian, you mentioned obviously a strong emphasis on security and sounds like an emphasis on proactive security as far as not just setting it and forgetting it. This is an ongoing moving target; end-users are costs and liability here. So, as we shift that focus, Brian, you mentioned, you hinted on, bringing technology to the table that’s sort of new and cutting edge earlier on in the presentation. So how do you see Zero Trust fitting into an MSP security stack?
[00:11:47.100] – Brian Babineau
You know, Zero Trust 10 is an industry buzzword. I think when you kind of peel it back a little bit and understand what that acronym is trying to accomplish is: change in mindset. So, I would first say, you know, what Bob highlighted was, look, some applications moved, some stayed on Prem [premises], some move, some went to a hybrid approach. Accessibility was key. And then you layer on the security aspect of it. So, there was some change. And what I believe that the main service provider community has to understand when they see something that kind of could be intimidating because it’s a new technology or might only apply to enterprises where you need to have a different approach than a conventional VPN access. And so, they think it must be expensive, it must be complicated because I just moved all my things to the apps and now, I need to do something different. The reality is you probably need to do something that is different. And the reason being is, again, there’s a market catalyst for change, which is MSPs have operated where they get to issue a device, whether to be you or Sophie. We give you a laptop computer. We have control over that. We know what goes on it then the last 13 months, not to pick on you Ken, but I don’t know if you … how you accessed our network. Was it a home computer that you use? Were you at your family’s residence where you had to do some work and it was theirs? Did you use an iPad that was issued from the company? I couldn’t necessarily trust the device that you were on accessing our network unless it had our technology on it. I hope you got a good deal on it. I couldn’t trust that your device, that home computer, didn’t have viruses on it, and as soon as it connected into one of our key applications it didn’t download a payload. And so I think what it boils down to is there was something, something that happened in the market. It was real. It required a change. And one of those changes was that we can clearly identify an individual. 
We give credentials to them, and we give them permissions and access systems. What Zero Trust was … we don’t know the device and we don’t know if the device is not protected, should it have restricted access? If it is protected, should we give it full access? Can I link through a Starbucks wireless connection? Should it be limited to not have personal information, rather than assume trust for everything that Ken is doing? We say we trust Ken, but let’s just verify his devices and make sure that we control what’s on there. And that’s how–it feels long winded on the podcast–I explain what Zero Trust is to our partner community, which is we have a lot of technology out there to verify who the individual is, but we don’t have a lot of technology out there to verify that the device is fully secure and can be properly managed and controlled, especially when that device was issued by the company.
[00:14:49.320] – Ken Bartlett
It’s almost unconventional to flip that and not trust the user explicitly with a persistent access into the corporate network data, but to, you know, constantly reassess that and now consider that not just the credentials are important, but the device that could have a key logger on it that could circumvent other checks and balances in the system. Bob, I’m curious, do you have any thoughts, on your experience with this sort of zero trust shift?
[00:15:16.320] – Bob Andrews
Well, the main thought is that vendors–I’m not picking on anyone–the ones on this call are absolutely fine. We’ve seen nothing on our side, but we tried another vendor early, 2020, right before sheltering in place. It was supposed to be two weeks, right, and I think we were supposed to flatten the curve. And this was, “why don’t we just go ahead and roll this out? Because this seems good, this Zero Trust.” I’ve never rolled back one so quick than something that you roll out and not a whole lot of it is … a wrong time to do something like that. We had staff disruption, to your point. It was difficult for them. I mean, here they are at home trying to get stuff done and we’re not trusting them. So, I think I look back on that, probably should have paused a little bit and rolled out a little bit later as things settled down. But we did have one non-typical client for us that rolled out. It was an IT person that we did kind of a co-managed agreement with and it was flawless, and it helped them. But they, from a budget perspective, too, that was also tough. You look back on it and go, it was two weeks, right? We were supposed to get back to normal and we were going to talk to them about the slight increase in the monthly, but it’s tough to roll something out, have some difficulties and then talk about price that was nominal. But it was still, you know, budgets were in flux and the future was rocky. So that was, you know, feet on the street for us. And I look at it now as a lot of vendors that we have right now are kind of bolting on or are coming up with zero trust angles inside of their software. So, I think as a managed service provider, just keep in contact with your vendors and keep up to date with this crazy vendor world that’s constantly merging and acquiring and keep up to date on that. And I’ll bet you, it’s going to be right around the corner for us.
[00:17:17.650] – Brian Babineau
Bob, let me ask a follow up, if I might. You had a motivation right at the beginning of the pandemic to try something with Zero Trust. What was the motivation? Was it because these devices are coming on and your ARM solution wasn’t on those devices?
[00:17:36.120] – Bob Andrews
Yeah, so … We’re scared as hell, right? This was … We had people coming to us going, “hey, pretty much all the staff is going to go home.” And we were just in talks to do this. I’m a firm believer in going to our clientele on those quarterly business reviews and saying, hey, we’re thinking about this. What do you think? And we had a couple. Two were nonprofits, but the one that really took it on is a nonprofit that has no problem with adding, they have very adequate budgets. So, money wasn’t the problem there. The other one was a nonprofit with a lot of budget issues. They were going to get the budget. It just wasn’t going to work right then. But the second phase of that was the worry that here we are at home and we’ve got to do something different for the security of those going home because their infrastructure for that one nonprofit without the budget was scary. Like we had long-in-the-tooth servers. We had just taken them over six months before that. A lot of security holes were there with the CEO that came from a bank background. But what we didn’t realize was the end-user pushback. You know, we got ourselves into some dynamics that I think we didn’t expect. So, I think that’s my two cents for other MSPs, is in those QBRs make sure that, you know, you’ve tested it internally, you’ve maybe tested with someone else. But be careful on who you roll this out to. And when you roll out, obviously for us, I look back and I said I didn’t think we were pandemic level. Obviously two weeks we’re supposed to flatten the curve, and everything would be fine. I look back and probably there were a couple of days there with my head in my hands going, “What? What are we doing here?” You know, it was tough.
[00:19:38.280] – Brian Babineau
We’re seeing a lot more OK, unmanaged, it has a very tough policy to manage, has a, I would say, full trust policy. And I think your ability, service-related ability to monetize both of those situations is an opportunity, but it’s also a responsibility because you’re going to have situations where you have control and where you don’t have control and you want to make sure security kind of overlays both of them, right?
[00:20:04.330] – Bob Andrews
It’s interesting, you’re the managed service provider and you’re cleaning things up to your standards and everything’s running smooth and then to roll out something that’s a wireless application or ring-fencing and they’re not used to it, right? And, then you layer on top of that the pandemic. And it was a perfect storm of some really bad feedback. So, we promptly undid that and waited. We’re going through a transition on most security items. We’re constantly talking internally about what’s working, not working. That one showed us maybe going to our vendors before rolling out something new, going to our vendors and saying–because we found some of the same things that we rolled out are in some of the other applications that we had. They charge you a full 100 percent for that software. But if you’re only using 10 percent of it, you’re not keeping up to date on what they’ve changed, it doesn’t bode well. Go back to your vendors that you have right now and make sure that you’re not missing anything is my two cents.
[00:21:14.970] – Brian Babineau
Thanks for the color there.
[00:21:16.230] – Sophie Robinson
Yeah, that’s great, guys. And thank you so much for taking your time out, Bob and Brian, and to be with us today and give us your insight into what’s new and what’s coming up in the world of cybersecurity. So, yeah, really, really great. And thank you to all of our listeners that have been listening to us over the past couple of episodes, and especially this one. Have you guys have gained something from that? In our next episode, we will be discussing the latest developments around remote monitoring and management tools. So, stay tuned for that. And we will speak to you again soon.
[00:21:53.790] – Outro
For daily insights delivered directly to your inbox, subscribe to Smarter MSP Dotcom.