SMB & Security: Finally, They Believe! (Part Two)

How One MSP Uses Network Assessments to Win the Trust of Once-Skeptical Small Business Owners

Part II

We recently spoke with Jeff Sumner, president of Tech Guides. Tech Guides is a 19-year-old MSP and IT consulting company located in Media, PA, and a proponent of the RapidFire Tools network assessment tools. The company offers managed services, security consulting, and digital media services such as digital signage and web sites. Sumner and his team swear by network assessment reporting and the Network Detective solutions—especially the Security and HIPAA Compliance modules, and the Detector insider threat detection appliance.

Here’s Part II of his comments on how he leverages network assessments to help increase business in the area of security offerings, and how such documentation helps him justify implementing the type of security solutions he knows his clients need and deserve.

How have network assessments changed your clients’ attitudes toward security?

Let’s face it, as MSPs, we’ve been beating the drum for years on the crucial nature of security. In the past, many businesses didn’t take that to heart and were willing to gamble a bit on the side of danger. We’re finally coming to a place where companies are more mindful of the threats they’re facing, due in part to highly publicized breaches. Having an assessment done of their own network hammers home that point. Finally, small businesses are starting to believe us.

This strategy is most effective if assessments are delivered on a quarterly basis, detecting patterns that manifest over time. At that point, the customers say, “Okay, I see the proof. I should have believed you before, but I believe you now.”

What kind of financial impact does this have on your MSP practice?

A security consulting project can bring in anywhere from $10,000, $15,000, even $20,000 in revenues, depending on the scope. Typically, we’ll start off with a CEO or CIO who’s looking to discuss best practices. We’ll provide a security assessment, which almost always reveals significant shortfalls in the customer’s security, and that leads to work.

For example, we went into a company in the insurance industry. They had two locations and about 100 seats. An assessment showed that the client had rogue wireless activity on their network. They had no idea what was going on in the back corners of their offices. That generated a conversation on how to secure their access points and firewalls. We recommended remote tools that could be managed via the desktop to keep a better handle on network activities. This evolved into a comprehensive upgrade, which they sorely needed, in addition to a HIPAA assessment.

That was a $15,000 project, which we finished in about a month. We’re now set to conduct quarterly reviews for a smaller fee, building on what we’ve established. The ultimate goal with this and every client is to implement regular quarterly assessments. We advise clients from the outset that assessments, and long-term initiatives such as HIPAA compliance, are not a “once-and-done” activity. They’re an ongoing procedure.

What advice do you have for MSPs?

Don’t be afraid to introduce new services to your clients, and to ask for compensation. A valuable MSP must always bring new tools to the table. No client should expect their network, and your services, to remain static. The cost to maintain a network has been rising as security gets more complicated and external threats become more nefarious. So it’s reasonable to ask clients to pay for those costs.

SMB & Security: Finally, They Believe! (Part One)

How One MSP Uses Network Assessments to Win the Trust of Once-Skeptical Small Business Owners

Part I

We recently spoke with Jeff Sumner, president of Tech Guides. Tech Guides is a 19-year-old MSP and IT consulting company located in Media, PA, and a proponent of the RapidFire Tools network assessment tools. The company offers managed services, security consulting, and digital media services such as digital signage and web sites.

Security comprises a considerable portion of Sumner’s business, and due to the frightening acceleration of breaches and viral threats we’ve seen in the business community in the last few years, this momentum isn’t expected to slow. If anything, Sumner sees an unintended upside to the scenario for the MSP community. Small business owners are finally starting to believe what their IT advisors have been telling them for years: that no one is beyond vulnerability, and that a single solution simply isn’t adequate.

Sumner and his team swear by network assessment reporting and the Network Detective solutions — especially the Security and HIPAA Compliance modules, and the Detector insider threat detection appliance. He uses them to identify the specific vulnerabilities and malicious activities that need to be addressed on his end-customers’ networks, legitimizing his recommendations, and better clearing the way for Tech Guides to implement major security upgrades.

Here’s Part I of what he had to say about the issue of security and IT assessments.

Why do you use network assessment tools?

As an MSP, we’re always looking for ways to differentiate ourselves, to create a competitive edge. The way to do that is to give our customers more tools and more ways to benefit from our services. RapidFire Tools enables us to conduct a broad range of services without having to be on-site nearly as much. We service customers across New York, New Jersey, Pennsylvania, Maryland, Delaware, and Virginia. It’s tools like the Network Detective that allow us to service such a broad range of areas, since I can do more with less personnel. This is especially true of the Detector appliance, which when installed at a site, serves as a watchful eye for that client.

How are you using the module to benefit your customers?

When you’re in the IT security business, you want to do what we like to call “Defense in Depth.” You want to assemble multiple layers of security. Network Detective is terrific for this, because it gives us insights into what’s going on in the network and highlights the different areas to be addressed — and there are always vulnerabilities to assess. The Security module adds a lot of insights to the standard network assessment reports. But our goal is to have Detector appliances on-site for our clientele, so even when we’re not around, the Detector appliance is watching the client’s network for us, 24x7, creating an ongoing picture of network activity and sending alerts regarding questionable activity.

How do the assessment tools enhance your relationship with your customers?

We’ve always advocated security as a top priority. Network Detective legitimizes that effort in the business owner’s eyes. The tools create documentation for what we’ve been trying to impress on them all this time. It brings concrete evidence to the table of risks that need to be mitigated and tasks that need to be accomplished to lock down the network. The more of this we present, the more our clients want to give us projects.

For example, sometimes convincing a client of the need for a new firewall can be a struggle. The client will counter us, saying, “The firewall is functional, we can get on the network, it seems fine to us.” They don’t understand enough about what goes on across their network to justify a replacement in their minds. The more documentation they see, the more they come to believe our recommendations, and let us proceed with the level of security that we know they require.

MORE NEXT WEEK on the revenue potential of the typical security compliance project, how compliance assessments can change the MSP customers’ attitude about security, and Sumner’s advice for MSPs offering security services.

Case in Point: Roxville Technology

Turning Compliance Scans into Remediation Work – and Thousands of Dollars

Meet Drew Simons, president of Roxville Technology, a RapidFire Tools MSP located in Ontario, Canada. He’s found that cyber security and PCI compliance are without a doubt a “hot topic” with his customers. In fact, one of his clients in the hospitality field went as far as to apply for cyber security insurance—requiring them to become PCI compliant as a condition of the policy.

Simons and his team used the RapidFire Tools PCI Compliance Module to bring the client in question up to compliance quickly, generating thousands of dollars and keeping that long-time customer satisfied. Roxville Technology is now looking to roll out the assessment scans with other clients. Listen to the story in our three-minute podcast below.

MSP Success Story: “Jumpstarting” Assessments with Effective Tools


As a developer of technologies designed to help Managed Services Providers (MSPs) become more profitable, we’re always thrilled to learn about the success our customers are having with our tools. Not only do these success stories validate the work we’re doing, they also serve as a roadmap for other MSPs to follow.

One of our MSP customers recently told his story in MSP Insights magazine, describing how he used the Network Detective PCI Module to address an urgent challenge for a long-time client in need. The end-user in question had to satisfy a cybersecurity insurance policy that required them to become PCI compliant.

Roxville Technology came to the rescue using our Network Detective PCI Compliance module. Find out how by reading President Drew Simons’ guest blog on the MSP Insights site.


If you’ve got a RapidFire Tools success story you can tell us about, please get in touch via our PR team. The more we share profitable use cases involving our network assessment tools, the more MSPs will benefit from this unique set of solutions, enhancing their business proposition—and mitigating risks for the end-user.

Internal IT Security: You CAN Deliver Benefits to All Your Clients

RapidFire Tools has implemented a new tier of cyber security services affordable enough for MSPs to offer for free – yet still generate a profit.

Earlier this year we expanded the delivery model for our Detector insider threat detection tool to include a new base-level “Bronze” service. This additional tier is appropriate to deploy across an MSP’s entire client base – even those who may not currently take advantage of one of your managed services offerings.

The idea behind this internal cybersecurity service is to make your clients aware of the potential “insider” threats to their system. And once a business sees the internal threat alerts revealed by the Detector appliance, a savvy MSP can either charge those end-customers to remediate the issues on a “break-fix” basis, or upsell them to a higher-level managed service plan that includes this internal cybersecurity component.

The key to our success in developing this product has been in containing the cost to the MSP at an affordable level, so the investment is low enough to purchase, install, and service across all your clients. To that end, we’re offering:

  • One low subscription fee to the MSP, which includes a license to deploy an unlimited number of Detector software appliances across all clients. Moreover, since the appliances are based on Linux, there are no additional OS software licenses to contend with.
  • Quick and easy deployment. The recommended Bronze level service is already pre-configured inside Detector. You can quickly deploy it with little-to-no configurations, and all your clients will be standardized with the same offering.
  • Automated service delivery. Once you set it up, Detector does all the work. Each day, the system scans your clients’ internal IT environments and sends the alerts directly to those customers for “triage.”

The beauty of this service is that an MSP can literally offer it for free – and still make a profit. Because your clients receive the daily insider alert, it’s up to them to perform a first-level investigation to determine if it’s something they are aware of (and okay with), or whether they need you to further investigate and remediate the situation … at whatever fee that you agreed upon when the appliance was installed.

Once clients realize it makes more sense for you to handle this task through your overall managed service offering, you can customize the way alerts are handled. For example, you can reconfigure certain alerts to be routed directly to you, while others (such as permissions and access violations) will still go to the client first.

“Detector has become one of our top-selling tools because it was created directly as a result of requests from our customers,” said RapidFire Tools CEO Mike Mittel. “We’ve learned that providing the right solution in the marketplace is an evolutionary process, and our development team is committed to addressing that for the long haul.”

MSPs can download our free whitepaper on offering internal recurring IT security services through the Detector SDS system here.

The Impact of PCI Compliance: Effective Tools to Protect Against Costly Threats

Part 2 of a 2 Part PCI Compliance-based Blog
By Mark Winter,
Vice President of Sales, RapidFire Tools
PCI data breaches are costing payment card-accepting companies more than ever before, which translates to opportunity for MSPs who leverage PCI compliance tools. Such breaches can result in crippling financial and reputational blows to organizations large and small. This is especially true for the nearly 22 million companies around the world – about half of them in the United States – which maintain merchant accounts and accept credit card transactions.

Major breaches affecting the payment card industry (PCI) and associated sectors have included high-profile, costly hacks going back as far as 2007 and as recently as this September, involving TJ Maxx, Target, Home Depot, and recently both Equifax and Deloitte. Such breaches take even industry-leading merchants by surprise, turning 2017 into what CNN recently labeled “a banner year for cyber attacks.” The above events compromised the personal and financial data of hundreds of millions of consumers, and have so far cost the companies in question hundreds of millions of dollars in penalties and settlement fees.

The most current IBM Cost of Data Breach Study, conducted by the Ponemon Institute, puts the average cost to US companies in 2017 at $225 per lost or stolen record, and breaches can involve hundreds or thousands of such records. That cost is up from $221 in past reports. The IBM-funded study also found that security breaches are increasing in frequency and size, which would theoretically inflate the latest figures.

In addition to fines of up to $100,000 per month alone for not maintaining PCI DSS compliance, non-compliant companies that compromise customer data can be fined more heavily in civil court actions brought by their customers. TJ Maxx and Marshalls eventually paid out approximately $256 million in fines and damages associated with 2007 data breaches involving some 45 million customers. The Equifax breach, which may have exposed the personal and payment card data of nearly 145 million U.S. consumers, could cost the company far more.

With the price of such breaches at record levels and rising, MSPs serving PCI customers have a tremendous opportunity, or even an obligation, to implement PCI compliance solutions like RapidFire Tools’ Network Detective assessment modules for their client base.

PCI compliance services are easy to sell, install, and manage across SMB and midmarket customers, especially for MSPs who are just entering this highly regulated marketplace—as long as the MSP is able to leverage proficient tools for the job.

Toronto-based MSP Roxville Technology, for instance, had a client whose cyber security insurance required they become PCI compliant, and they turned to Roxville to accomplish that. The MSP added the Network Detective PCI Compliance module to deliver on this request, and to deter the client from going elsewhere for this service.

“PCI compliance requirements can be extremely technical and complex,” explained Drew Simons, president at Roxville Technology. “It involves a comprehensive list of standards that need to be met. Network Detective gathers a broad range of information to satisfy those requirements, producing a selection of documents and policy recommendations that would be prohibitively time-consuming to produce otherwise.”

MSPs find that PCI compliance tools like Network Detective often generate revenue once the MSP is asked to address the issues revealed by network assessment scans.

“When we implemented the PCI Compliance module, it immediately identified some internal vulnerabilities that we were able to address,” Simons confirmed. “Using Network Detective has generated thousands of dollars in additional remediation work associated with this client. We’re now in the process of rolling out PCI assessments for other clientele, initially as a value-add, but with the knowledge that it leads to mediation projects that can be lucrative. In the future, we’ll move on to providing it as a paid service.”

The Impact of PCI Compliance: Addressing Compliance with a Comprehensive Program

Part 1 of a 2 Part PCI Compliance-based Blog
The Network Detective PCI Compliance module allows MSPs to deliver PCI compliance services in a non-intrusive manner, either as a one-time prospecting tool for companies that accept credit card transactions, or as part of an ongoing program for such companies. As industry reports show, non-compliance can have a detrimental impact on businesses that conduct such transactions. See the accompanying statistics from the 2017 Payment Security Report.

Part One of our study on PCI Compliance will explain how the specific capabilities of effective assessment tools such as Network Detective address real-world challenges for businesses, and create opportunities for MSPs, such as:

  • Comprehensive PCI assessment services: The PCI Compliance module assesses Cardholder Data Environments (CDEs) and performs PCI pre-audit services, generating reports not just on the technical status of the network, but procedural policy reports relative to each office environment as well. These documents provide a broad spectrum of information that allows the MSP to establish an ongoing compliance program, catered to the individual needs of each business.
  • Evidence of ongoing PCI compliance: The tool produces the necessary key documents that can be used as proof that a customer is taking steps to adhere to PCI standards. This weighs heavily in the favor of a business in the instance of an audit. Compliance standards require that companies not only take measures to secure PCI data, but that those businesses provide documented proof of such procedures.
  • PCI-approved ASV scans: Thanks to an agreement with an ASV-approved vendor partner, MSPs can conduct ASV-certified scans ordered directly from inside the PCI Compliance module’s user interface. This new feature empowers the MSP to conduct such scans without having to contract an approved third party.

  • PCI remediation opportunities: The module documents and prioritizes issues and PCI-related vulnerabilities that require remediation, which MSPs can then address through managed services. This can serve as a guideline for MSPs on how to proceed with a long-term compliance program, increasing revenue opportunities, and strengthening the MSP’s client relationships. All this while maintaining compliance for the end-client and helping them avoid potentially devastating PCI-related fines.

The Benefits of Recurring IT Assessments: A Single Scan Is Only the Beginning

By Win Pham, Vice President of Development, RapidFire Tools

If you’re a Network Detective customer, chances are you’ve used Network Detective as a one-time network assessment tool to convert prospects into new clients, or to uncover new projects for existing clients. However, the greater opportunity lies in developing an ongoing program of regular assessments, which you can conduct over time. Such a plan offers a more comprehensive benefit for both you and your end-users. A single assessment is only step one in implementing an effective program that allows you to mitigate risks for your end-user companies long-term. This method also lets you establish more consistent revenue streams and enhances your relationship with your clientele.

Ongoing IT assessments create a series of regularly scheduled network “snapshots,” which can identify patterns and behaviors that alert you to a potential breach. IT assessment tools can identify vulnerabilities, patterns, and red flags that could indicate existing issues or risks. In this way, you can establish baselines for overall network health, as well as document all assets and configurations associated with the system, and then generate “change reports” that reveal what improvements and/or degradations have taken place.

Recurring IT assessments allow you to share professionally-produced and easy-to-consume summary reports, management reports, and QBR reports with your clients. These items are critical pieces of tangibility, providing evidence of the value of all your hard work.

Another reason to conduct regular assessments is to observe changes which you, as an off-site MSP, may not be aware of. Clients are constantly adding and removing hardware, software, and users. These changes can significantly impact your cost of service. If your service contracts are based on either endpoints or active users, then you’ll certainly want to keep track of these things. Monitoring systems are not designed for this purpose.
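A change-report generator of the kind the two paragraphs above describe, written as an added example (it is not Network Detective code, and the snapshot format of hosts, open ports and local users is a hypothetical simplification of a real assessment export): it diffs a baseline snapshot against the current one, classifies each change as an improvement, degradation or neutral change, and counts endpoints and users for contracts priced per seat.

```python
"""Change reports from recurring network assessment snapshots.

Added example, not code from RapidFire Tools or Network Detective. The
snapshot format (hosts with open ports and local users) is a hypothetical,
simplified stand-in for a real assessment export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ports: frozenset  # open TCP ports observed on the host
    users: frozenset  # local accounts observed on the host


# Ports treated as a degradation when newly exposed. Assumption: an
# editor's choice of commonly abused services, not a product setting.
RISKY_PORTS = {21, 23, 445, 3389}


def build_snapshot(raw):
    """raw: {hostname: {"ports": [...], "users": [...]}} -> {hostname: Host}"""
    return {h: Host(h, frozenset(v["ports"]), frozenset(v["users"]))
            for h, v in raw.items()}


def change_report(baseline, current):
    """Diff two snapshots; return (severity, host, message) tuples."""
    findings = []
    base_hosts, cur_hosts = set(baseline), set(current)
    for h in sorted(cur_hosts - base_hosts):
        findings.append(("degradation", h, "new endpoint not present in baseline"))
    for h in sorted(base_hosts - cur_hosts):
        findings.append(("neutral", h, "endpoint no longer seen; confirm decommissioned"))
    for h in sorted(base_hosts & cur_hosts):
        b, c = baseline[h], current[h]
        for p in sorted(c.ports - b.ports):
            sev = "degradation" if p in RISKY_PORTS else "neutral"
            findings.append((sev, h, f"port {p} newly open"))
        for p in sorted(b.ports - c.ports):
            findings.append(("improvement", h, f"port {p} closed"))
        for u in sorted(c.users - b.users):
            findings.append(("neutral", h, f"new local user {u}"))
        for u in sorted(b.users - c.users):
            findings.append(("neutral", h, f"local user {u} removed"))
    return findings


def billing_counts(snapshot):
    """Endpoint and distinct-user counts for per-seat or per-endpoint contracts."""
    users = set().union(*(h.users for h in snapshot.values())) if snapshot else set()
    return {"endpoints": len(snapshot), "users": len(users)}


def summarize(findings):
    """Count findings by severity for a one-line QBR summary."""
    counts = {"improvement": 0, "degradation": 0, "neutral": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample data: a quarterly baseline and the following quarter.
BASELINE = build_snapshot({
    "fileserver": {"ports": [445, 3389], "users": ["admin", "alice"]},
    "web01": {"ports": [80, 443], "users": ["deploy"]},
})
CURRENT = build_snapshot({
    "fileserver": {"ports": [445], "users": ["admin", "alice", "bob"]},
    "web01": {"ports": [80, 443, 23], "users": ["deploy"]},
    "laptop-07": {"ports": [3389], "users": ["carol"]},
})

if __name__ == "__main__":
    for sev, host, msg in change_report(BASELINE, CURRENT):
        print(f"{sev:12} {host:12} {msg}")
    print(summarize(change_report(BASELINE, CURRENT)))
    print(billing_counts(BASELINE), "->", billing_counts(CURRENT))
```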

What’s more, regular network scans and reports can be automated, making it simple and cost-effective for you to stay informed regarding users, assets, and network changes that could result in new vulnerabilities. A small investment in regular assessments will pay off by way of mitigated risks and protection of your end-users’ assets, avoiding network compromise and downtime.

Think of network assessments like a protective suit of armor. IT assessments point out chinks in the armor, or holes in the chain mail where a sword can penetrate, leaving the suit’s owner vulnerable to injury during an attack. Yet if that armor is in continued use, it will naturally require inspection on a recurring schedule.

Other MSPs who use our tools have found ongoing assessments to be a successful strategy for growing their businesses. Many others want to, but don’t know how to get started. For example, they’re unsure about how best to structure an offering, or what types of service to provide to what customers. We suggest that you offer a tiered menu of services – e.g., a basic, enhanced, and premium program – creating a structure that can be applied across a range of clientele.

RapidFire Tools understands the challenges you face in establishing effective, ongoing programs. To that end, we’ve put together a “blueprint” that outlines how to structure an ongoing assessment offering. You can download the “Expanding Your Service Offerings with Recurring IT Assessments” white paper for details. In this way, we provide not only the tools by which to deliver network assessment services, but also instruction on how to apply those tools and monetize the offering on a recurring basis.

You can start with a basic program, appropriate for most SMB customers, including baseline assessments, network and security risk reports, and external vulnerability summaries. An enhanced program would add internal vulnerability scans and additional components such as Network Security SQL Server reports, and Layer 2/3 diagrams and details. A more comprehensive premium program, appropriate for end-customers in more complex markets such as healthcare, would include HIPAA and/or PCI compliance management, demonstrating ongoing compliance and remediation activity that can serve as documentation in the instance of a compliance breach, or an audit.

Savvy managed services providers who leverage long-term network assessment programs stand to differentiate their service offerings, gain consistent revenue, and increase loyalty among their clientele. By engaging in regular assessments, your end-users can gain a more secure, reliable infrastructure, while potentially avoiding compliance violations, through a more proactive, sustained strategy.

Preparing for the GDPR – PART 2: MSP Strategies

By Michael Mittel, CEO RapidFire Tools
As seen in MSPinsights magazine


Part 1 of this blog explored the urgency of the European Union’s new GDPR mandates, and how they will impact US companies under what Computer Weekly calls “the first global data protection law.” Yet savvy MSPs can prepare their end-customers, gain trust as a valued advisor, and gain new business opportunities by implementing strategies around this new development.

Educate your business customers

Many non-European businesses have been reluctant to review the EU GDPR because they’re not even aware it applies to them. As a managed services provider, it’s your role to make your customers aware of the extent of the regulations and their impact on US organizations.

Gather links and resources that will help educate your customers and make sure they comprehend their vulnerabilities under these new compliance regulations. An informative marketing campaign, and/or an online resource center on your web site, will go a long way to generate new dialogs with your customers—which often lead to new business projects.

Stress documentation of compliance through Network Assessments

One of the main statutes of the new regulation dictates the following:

“Those subject to the regulation must prove they are compliant. This is true even if the organization outsources its data processing to a third-party processor, such as a cloud provider.” [TechTarget]

Therefore, organizations need not only to become compliant, but to maintain concrete evidence that they are compliant. Network assessment reports can provide detailed reports and analysis on exactly what changes a company has made to comply with data protection requirements.

RapidFire Tools has developed specific compliance modules that address regulations, including the HIPAA and PCI Compliance mandates in the United States, and is now turning an eye toward GDPR awareness. Along those lines, the company also recently implemented a Data Breach Liability Report, which points out personally identifying information that is stored on an MSP client’s network, including driver’s license numbers, credit card data, and other personal identifiers.

Create an overall compliance program for your client base

While positioning yourself as a security/GDPR resource, counsel customers in a holistic approach to compliance. In addition to adequate IT security solutions, companies can implement overall policies such as regular staff testing on security procedures, training on recognition of phishing tactics, etc. A review of physical security processes is also helpful, including how data is exposed on company monitors, and whether sensitive locations where data can be accessed are properly locked or restricted from general employees.

Implementation of such measures will help demonstrate that companies have gone above and beyond to protect personal data relative to EU citizens on a long-term basis. Such actions factor heavily in a company’s favor in the event of a regulatory audit. It also creates a “culture of compliance” throughout an organization that bodes well for long-term adherence, whether to the GDPR mandates or other regulations such as HIPAA and PCI compliance.

As the gravity of the GDPR begins to take hold beyond the European Union, savvy MSPs will be able to help their customers prepare, supporting the EU’s effort to create a more globally secure technological marketplace.
