MSP Success Story: “Jumpstarting” Assessments with Effective Tools


As a developer of technologies designed to help Managed Services Providers (MSPs) become more profitable, we’re always thrilled to learn about the success our customers are having with our tools. Not only do these success stories validate the work we’re doing, they also serve as a roadmap for other MSPs to follow.

One of our MSP customers recently told his story in MSP Insights magazine, describing how he used the Network Detective PCI Module to address an urgent challenge for a long-time client in need. The end-user in question had to satisfy a cybersecurity insurance policy that required them to become PCI compliant.

Roxville Technology came to the rescue using our Network Detective PCI Compliance module. Find out how by reading President Drew Simon’s guest blog on the MSP Insights site.


If you’ve got a RapidFire Tools success story you can tell us about, please get in touch via our PR team. The more we share profitable use cases involving our network assessment tools, the more MSPs will benefit from this unique set of solutions, enhancing their business proposition—and mitigating risks for the end-user.

Internal IT Security: You CAN Deliver Benefits to All Your Clients

RapidFire Tools has implemented a new tier of cyber security services affordable enough for MSPs to offer for free – yet still generate a profit.

Earlier this year we expanded the delivery model for our Detector insider threat detection tool to include a new base-level “Bronze” service. This additional tier is appropriate to deploy across an MSP’s entire client base – even those who may not currently take advantage of one of your managed services offerings.

The idea behind this internal cybersecurity service is to make your clients aware of the potential “insider” threats to their system. And once a business sees the internal threat alerts revealed by the Detector appliance, a savvy MSP can either charge those end-customers to remediate the issues on a “break-fix” basis, or upsell them to a higher-level managed service plan that includes this internal cybersecurity component.

The key to our success in developing this product has been in containing the cost to the MSP at an affordable level, so the investment is low enough to purchase, install, and service across all your clients. To that end, we’re offering:

  • One low subscription fee to the MSP, which includes a license to deploy an unlimited number of Detector software appliances across all clients. Moreover, since the appliances are based on Linux, there are no additional OS software licenses to contend with.
  • Quick and easy deployment. The recommended Bronze level service is already pre-configured inside Detector. You can quickly deploy it with little-to-no configurations, and all your clients will be standardized with the same offering.
  • Automated service delivery. Once you set it up, Detector does all the work. Each day, the system scans your clients’ internal IT environments and sends the alerts directly to those customers for “triage.”

The beauty of this service is that an MSP can literally offer it for free – and still make a profit. Because your clients receive the daily insider alert, it’s up to them to perform a first-level investigation to determine if it’s something they are aware of (and okay with), or whether they need you to further investigate and remediate the situation … at whatever fee that you agreed upon when the appliance was installed.

Once clients realize it makes more sense for you to handle this task through your overall managed service offering, you can customize the way alerts are handled. For example, you can reconfigure certain alerts to be routed directly to you, while others (such as permissions and access violations) will still go to the client first.

“Detector has become one of our top-selling tools because it was created directly as a result of requests from our customers,” said RapidFire Tools CEO Mike Mittel. “We’ve learned that providing the right solution in the marketplace is an evolutionary process, and our development team is committed to addressing that for the long haul.”

MSPs can download our free whitepaper on offering internal recurring IT security services through the Detector SDS system here.

The Impact of PCI Compliance: Effective Tools to Protect Against Costly Threats

Part 2 of a 2 Part PCI Compliance-based Blog
By Mark Winter,
Vice President of Sales, RapidFire Tools
PCI data breaches are costing payment card-accepting companies more than ever before, which translates to opportunity for MSPs who leverage PCI compliance tools. Such breaches can result in crippling financial and reputational blows to organizations large and small. This is especially true for the nearly 22 million companies around the world – about half of them in the United States – which maintain merchant accounts and accept credit card transactions.

Major breaches affecting the payment card industry (PCI) and associated sectors have included high-profile, costly hacks going back as far as 2007 and as recently as this September, involving TJ Maxx, Target, Home Depot, and most recently both Equifax and Deloitte. Such breaches take even industry-leading merchants by surprise, turning 2017 into what CNN recently labeled “a banner year for cyber attacks.” The above events compromised the personal and financial data of hundreds of millions of consumers, and have so far cost the companies in question hundreds of millions of dollars in penalties and settlement fees.

The most current IBM Cost of Data Breach Study conducted by the Ponemon Institute puts the average cost to US companies in 2017 at $225 per record for a single lost or stolen record, and breaches can involve hundreds or thousands of such records. That cost has increased from $221 as per past reports. The IBM-funded study also found that security breaches are increasing in frequency and size, which would theoretically inflate the latest figures.

In addition to fines of up to $100,000 per month for not maintaining PCI DSS compliance, non-compliant companies that compromise customer data can be fined more heavily in civil court actions brought by their customers. TJ Maxx and Marshalls eventually paid out approximately $256 million in fines and damages associated with 2007 data breaches involving some 45 million customers. The Equifax breach, which may have exposed the personal and payment card data of nearly 145 million U.S. consumers, could cost the company far more.

With the price of such breaches at record levels and rising, MSPs serving PCI customers have a tremendous opportunity, or even an obligation, to implement PCI compliance solutions like RapidFire Tools’ Network Detective assessment modules for their client base.

PCI compliance services are easy to sell, install, and manage across SMB and midmarket customers, especially for MSPs who are just entering this highly-regulated marketplace—as long as the MSP is able to leverage the proficient tools for the job.

Toronto-based MSP Roxville Technology, for instance, had a client whose cyber security insurance required they become PCI compliant, and they turned to Roxville to accomplish that. The MSP added the Network Detective PCI Compliance module to deliver on this request, and to deter the client from going elsewhere for this service.

“PCI compliance requirements can be extremely technical and complex,” explained Drew Simons, president at Roxville Technology. “It involves a comprehensive list of standards that need to be met. Network Detective gathers a broad range of information to satisfy those requirements, producing a selection of documents and policy recommendations that would be prohibitively time-consuming to produce otherwise.”

MSPs find that PCI compliance tools like Network Detective often generate revenue once the MSP is asked to address the issues revealed by network assessment scans.

“When we implemented the PCI Compliance module, it immediately identified some internal vulnerabilities that we were able to address,” Simons confirmed. “Using Network Detective has generated thousands of dollars in additional remediation work associated with this client. We’re now in the process of rolling-out PCI assessments for other clientele, initially as a value-add, but with the knowledge that it leads to mediation projects that can be lucrative. In the future, we’ll move on to providing it as a paid service.”

The Impact of PCI Compliance: Addressing Compliance with A Comprehensive Program

Part 1 of a 2 Part PCI Compliance-based Blog
The Network Detective PCI Compliance module allows MSPs to deliver PCI compliance services in a non-intrusive manner, either as a one-time prospecting tool for companies that accommodate credit card transactions, or as part of an ongoing program for such companies. As industry reports show, non-compliance can have a detrimental impact on businesses that conduct such transactions. See the accompanying statistics from the 2017 Payment Security Report.

Part One of our study on PCI Compliance will explain how the specific capabilities of effective assessment tools such as Network Detective address real-world challenges for businesses, and create opportunities for MSPs, such as:

  • Comprehensive PCI assessment services: The PCI Compliance module assesses Cardholder Data Environments (CDEs) and performs PCI pre-audit services, generating reports not just on the technical status of the network, but procedural policy reports relative to each office environment as well. These documents provide a broad spectrum of information that allows the MSP to establish an ongoing compliance program, catered to the individual needs of each business.
  • Evidence of ongoing PCI compliance: The tool produces the necessary key documents that can be used as proof that a customer is taking steps to adhere to PCI standards. This weighs heavily in the favor of a business in the instance of an audit. Compliance standards require that companies not only take measures to secure PCI data, but that those businesses provide documented proof of such procedures.
  • PCI-approved ASV scans: Thanks to an agreement with an ASV-approved vendor partner, MSPs can conduct ASV-certified scans ordered directly from inside the PCI Compliance module’s user interface. This new feature empowers the MSP to conduct such scans without having to contract an approved third party.
  • PCI remediation opportunities: The module documents and prioritizes issues and PCI-related vulnerabilities that require remediation, which MSPs can then address through managed services. This can serve as a guideline for MSPs on how to proceed with a long-term compliance program, increasing revenue opportunities and strengthening the MSP’s client relationships, all while maintaining compliance for the end-client and helping them avoid potentially devastating PCI-related fines.

The Benefits of Recurring IT Assessments: A Single Scan Is Only the Beginning

By Win Pham, Vice President of Development, RapidFire Tools

If you’re a Network Detective customer, chances are you’ve used Network Detective as a one-time network assessment tool to convert prospects into new clients, or to uncover new projects for existing clients. However, the greater opportunity lies in developing an ongoing program of regular assessments, which you can conduct over time. Such a plan offers a more comprehensive benefit for both you and your end-users. A single assessment is only step one in implementing an effective program that allows you to mitigate risks for your end-user companies long-term. This method also lets you establish more consistent revenue streams and enhances your relationship with your clientele.

Ongoing IT assessments create a series of regularly scheduled network “snapshots,” which can identify patterns and behaviors that alert you to a potential breach. IT assessment tools can identify vulnerabilities, patterns, and red flags that could indicate existing issues or risks. In this way, you can establish baselines for overall network health, as well as document all assets and configurations associated with the system, and then generate “change reports” that reveal what improvements and/or degradations have taken place.

Recurring IT assessments allow you to share professionally-produced and easy-to-consume summary reports, management reports, and QBR reports with your clients. These items are critical pieces of tangibility, providing evidence of the value of all your hard work.

Another reason to conduct regular assessments is to observe changes which you, as an off-site MSP, may not be aware of. Clients are constantly adding and removing hardware, software, and users. These changes can significantly impact your cost of service. If your service contracts are based on either endpoints or active users, then you’ll certainly want to keep track of these things. Monitoring systems are not designed for this purpose.

What’s more, regular network scans and reports can be automated, making it simple and cost-effective for you to stay informed regarding users, assets, and network changes that could result in new vulnerabilities. A small investment in regular assessments will pay off by way of mitigated risks and protection of your end-users’ assets, avoiding network compromise and downtime.
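The baseline-and-change-report idea described above, together with the endpoint and user counting that a per-endpoint or per-user service contract depends on, can be shown in code. The following is an added example, not RapidFire Tools’ or Network Detective’s own code: the snapshot structure, its field names, and the two sample scans are assumptions constructed for illustration.

```python
"""Change report between two recurring assessment snapshots.

Added example, not vendor code. The snapshot layout and the sample scans
below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One assessed endpoint as captured by a single scan (constructed shape)."""
    name: str
    os: str
    missing_patches: int
    open_ports: frozenset      # listening TCP ports seen by the scan
    local_admins: frozenset    # members of the local Administrators group


@dataclass(frozen=True)
class Snapshot:
    """One scheduled scan: the hosts found and the user accounts enumerated."""
    taken: str
    hosts: dict                # host name -> Host
    users: frozenset           # account names in the directory


# Constructed baseline scan and a later scan of the same client network.
BASELINE = Snapshot(
    taken="2017-10-01",
    hosts={
        "FS01": Host("FS01", "Windows Server 2012 R2", 0,
                     frozenset({445, 3389}), frozenset({"Administrator"})),
        "WS-ACCT": Host("WS-ACCT", "Windows 10", 2,
                        frozenset({135, 445}), frozenset({"Administrator"})),
        "WS-OLD": Host("WS-OLD", "Windows 7", 5,
                       frozenset({445}), frozenset({"Administrator"})),
    },
    users=frozenset({"jsmith", "mlee", "svc-backup"}),
)

CURRENT = Snapshot(
    taken="2017-11-01",
    hosts={
        "FS01": Host("FS01", "Windows Server 2012 R2", 3,
                     frozenset({445, 3389, 21}), frozenset({"Administrator"})),
        "WS-ACCT": Host("WS-ACCT", "Windows 10", 0,
                        frozenset({135, 445}), frozenset({"Administrator", "jsmith"})),
        "WS-NEW": Host("WS-NEW", "Windows 10", 0,
                       frozenset({135}), frozenset({"Administrator"})),
    },
    users=frozenset({"jsmith", "mlee", "svc-backup", "tempcontractor"}),
)


def change_report(before: Snapshot, after: Snapshot) -> dict:
    """Diff two snapshots into asset/user changes, degradations and improvements."""
    report = {
        "hosts_added": sorted(set(after.hosts) - set(before.hosts)),
        "hosts_removed": sorted(set(before.hosts) - set(after.hosts)),
        "users_added": sorted(after.users - before.users),
        "users_removed": sorted(before.users - after.users),
        "degradations": [],
        "improvements": [],
        # Counts that drive a per-endpoint / per-user contract.
        "endpoint_count": {"before": len(before.hosts), "after": len(after.hosts)},
        "user_count": {"before": len(before.users), "after": len(after.users)},
    }
    # Only hosts present in both scans can be compared configuration-wise.
    for name in sorted(set(before.hosts) & set(after.hosts)):
        b, a = before.hosts[name], after.hosts[name]
        new_ports = a.open_ports - b.open_ports
        if new_ports:
            report["degradations"].append(f"{name}: new listening ports {sorted(new_ports)}")
        closed_ports = b.open_ports - a.open_ports
        if closed_ports:
            report["improvements"].append(f"{name}: ports closed {sorted(closed_ports)}")
        if a.missing_patches > b.missing_patches:
            report["degradations"].append(
                f"{name}: missing patches rose from {b.missing_patches} to {a.missing_patches}")
        elif a.missing_patches < b.missing_patches:
            report["improvements"].append(
                f"{name}: missing patches fell from {b.missing_patches} to {a.missing_patches}")
        new_admins = a.local_admins - b.local_admins
        if new_admins:
            report["degradations"].append(f"{name}: new local admins {sorted(new_admins)}")
    return report


if __name__ == "__main__":
    for key, value in change_report(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

One caveat worth building into such a report: a host that is absent from a single scan may simply have been powered off that day, so “hosts_removed” should be treated as “needs confirmation” until the host is missing from consecutive scans, rather than being billed or closed out as decommissioned straight away.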

Think of network assessments like a protective suit of armor. IT assessments point out chinks in the armor, or holes in the chain mail where a sword can penetrate, leaving the suit’s owner vulnerable to injury during an attack. Yet if that armor is in continued use, it will naturally require inspection on a recurring schedule.

Other MSPs who use our tools have found ongoing assessments to be a successful strategy for growing their businesses. Many others want to, but don’t know how to get started. For example, they’re unsure about how best to structure an offering, or what types of service to provide to what customers. We suggest that you offer a tiered menu of services – e.g., a basic, enhanced, and premium program – creating a structure that can be applied across a range of clientele.

RapidFire Tools understands the challenges you face in establishing effective, ongoing programs. To that end, we’ve put together a “blueprint,” that outlines how to structure an ongoing assessment offering. You can download the “Expanding Your Service Offerings with Recurring IT Assessments” white paper for details. In this way, we provide not only the tools by which to deliver network assessment services, we also provide you with instruction on how to apply those tools and monetize the offering on a recurring basis.

You can start with a basic program, appropriate for most SMB customers, including baseline assessments, network and security risk reports, and external vulnerability summaries. An enhanced program would add internal vulnerability scans and additional components such as Network Security SQL Server reports, and Layer 2/3 diagrams and details. A more comprehensive premium program, appropriate for end-customers in more complex markets such as healthcare, would include HIPAA and/or PCI compliance management, demonstrating ongoing compliance and remediation activity that can serve as documentation in the instance of a compliance breach, or an audit.

Savvy managed services providers who leverage long-term network assessment programs stand to differentiate their service offerings, gain consistent revenue, and increase loyalty among their clientele. By engaging in regular assessments, your end-users can gain a more secure, reliable infrastructure, while potentially avoiding compliance violations, through a more proactive, sustained strategy.

Preparing for the GDPR – PART 2: MSP Strategies 

By Michael Mittel, CEO RapidFire Tools
As seen in MSPinsights magazine

Part 1 of this blog explored the urgency of the European Union’s new GDPR mandates, and how they will impact US companies, under what Computer Weekly calls “the first global data protection law.” Yet savvy MSPs can prepare their end-customers, gain trust as a valued advisor, and gain new business opportunities by implementing strategies around this new development.

Educate your business customers

Many non-European businesses have been reluctant to review the EU GDPR because they’re not even aware it applies to them. As a managed services provider, it’s your role to make your customers aware of the extent of the regulations and their impact on US organizations.

Gather links and resources that will help educate your customers and make sure they comprehend their vulnerabilities under these new compliance regulations. An informative marketing campaign, and/or an online resource center on your web site, will go a long way to generate new dialogs with your customers—which often lead to new business projects.

Stress documentation of compliance through Network Assessments

One of the main statutes of the new regulation dictates the following:

“Those subject to the regulation must prove they are compliant. This is true even if the organization outsources its data processing to a third-party processor, such as a cloud provider.” [TechTarget]

Therefore, organizations need not only to become compliant, but to maintain concrete evidence that they are compliant. Network assessment reports can provide detailed reports and analysis on exactly what changes a company has made to comply with data protection requirements.

RapidFire Tools has developed specific compliance modules that address regulations, including the HIPAA and PCI Compliance mandates in the United States, and is now turning an eye toward GDPR awareness. Along those lines, the company also recently implemented a Data Breach Liability Report, which points out personally identifying information that is stored on an MSP client’s network, including driver’s license numbers, credit card data, and other personal identifiers.

Create an overall compliance program for your client base

While positioning yourself as a security/GDPR resource, counsel customers in a holistic approach to compliance. In addition to adequate IT security solutions, companies can implement overall policies such as regular staff testing on security procedures, training on recognition of phishing tactics, etc. A review of physical security processes is also helpful, including how data is exposed on company monitors, and whether sensitive locations where data can be accessed are properly locked or restricted from general employees.

Implementation of such measures will help demonstrate that companies have gone above and beyond to protect personal data relative to EU citizens on a long-term basis. Such actions factor heavily in a company’s favor in the event of a regulatory audit. It also creates a “culture of compliance” throughout an organization that bodes well for long-term adherence, whether to the GDPR mandates or other regulations such as HIPAA and PCI compliance.

As the gravity of the GDPR begins to take hold beyond the European Union, savvy MSPs will be able to help their customers prepare, supporting the EU’s effort to create a more globally secure technological marketplace.

Preparing for the GDPR

Part 1: Repercussions Far Beyond Europe

By Michael Mittel, CEO, RapidFire Tools 

The European Union’s GDPR (General Data Protection Regulation) is one of the most sweeping global IT regulations in history, set to take effect on May 25, 2018. Designed to protect European consumers from breaches of their personal identifying data (PID), it regulates how and for how long this PID can be stored on the network following a transaction.

If businesses in the US have been complacent about this new set of regulations so far, they’ve been doing so at their own peril. A majority of US companies conduct online commerce, making it virtually impossible to restrict purchases from European consumers. And if data from a European customer or business partner is transmitted via a US company’s network, that company is subject to the GDPR.

In essence, the GDPR compliance mandates will impact just about every organization that does business online, regardless of a company’s geographical origin. Reports from the UK’s Computer Weekly concur, calling GDPR “the first global data protection law.”

“One particular aspect of the regulation that makes it much more far-reaching than it would otherwise be: The GDPR applies to any organization, anywhere in the world, that collects data on citizens of the EU,” confirms security editor Warwick Ashford. “As such, even a small, web-based business located on a different continent would have to be GDPR compliant.”

However disruptive this may be for the global marketplace, it presents an immense opportunity for MSPs—beginning with the task of educating their customers about these expansive implications. The EU is threatening penalties of up to €20 million, or up to 4% of a company’s previous fiscal year’s worldwide turnover, for non-compliance.

One of the stricter caveats of the GDPR is that it broadens the status-quo definition of personal data to include any information that can be used to identify an individual. This includes such granular categorizations as genetic, mental, cultural, economic, or social information. This will leave a host of companies vulnerable, especially those in markets such as healthcare, finance, not-for-profit service organizations, municipalities, and education, where such personal classifications often come into play.

Part 2 of this blog will explore strategies MSPs can implement to help their business customers prepare for GDPR compliance, avoid penalties, and mitigate ongoing risk of global PID breaches.

There’s No Crying in IT – If You Utilize Network Assessments

Combatting Ransomware and the WannaCry Crisis 

By Win Pham, Vice President of Development, RapidFire Tools 

Interestingly enough, the Chinese word for “crisis” is composed of two characters: One means “danger” and the other, “opportunity.” According to a report in ZDNet on May 18, the recent WannaCry ransomware infected more than 300,000 PCs last week, spreading chaos through hospitals and businesses in multiple countries, encrypting data and demanding a ransom for its release. Yet this outbreak also presents an opportunity for MSPs looking to protect their customers—or gain new customers. Many a business owner has likely been shaken by the awareness of the WannaCry virus and the ransomware-enhancing “Eternal Blue” tool. The truth is, customers who are not actively engaged with security are not prepared for such attacks.

But what if a simple security offering could protect your customers from these and other potentially devastating disruptions? While ransomware can’t be entirely eradicated, an in-the-know MSP can mitigate its damage by limiting Internet access from the customer’s network. Through IT assessment and detection tools, an MSP can mitigate attacks on network vulnerabilities by identifying those vulnerabilities early and addressing them.

Want to find out how? Watch this recent webinar on our new internal vulnerability solution, the Detector SDS (Service Delivery System). This system is designed for MSPs such as yourself, empowering you to quickly bring a new security offering to market for your existing customers. With network assessment tools in place, there’ll be fewer tears.

HiTech Computers Uses RapidFire Tools to Implement an Ongoing HIPAA Compliance Program

Managed Services Provider:

HiTech Computers, Ruston, Louisiana. An 18-person shop focusing on healthcare IT networks, founded by President Richard Raue.

End-customer:

Reeves Memorial Medical Center, Bernice, Louisiana, a rural healthcare facility with 10 physicians and close to 90 employees, serving a community of 1,600.

The Challenge:

HiTech wanted to present concrete evidence of HIPAA issues, in the order in which they needed to be addressed, to mitigate risks and establish a “Culture of Compliance” at the facility, using network assessment tools.

The Details:

HiTech Computers had been providing ongoing IT services to Reeves Memorial Medical Center for several years, in addition to serving a roster of other healthcare customers in northern Louisiana. The company approached Scott Dickson, director of information technology at Reeves Memorial, stressing the urgency of HIPAA compliance and offering an assessment in addition to their regular networking services. Like many healthcare entities, the staff at Reeves Memorial was aware of the importance of HIPAA, but had been slow to develop a formal strategy, not knowing how to begin to address such a monumental task.

HiTech had long been using the Network Detective HIPAA Compliance module from RapidFire Tools, along with the accompanying Inspector appliance, to conduct network assessments on its healthcare customers. The combination of tools allows HiTech to conduct “deep-dive,” Layer 2 assessments, and also guides the IT company through the complete HIPAA review process. The data collected is used to create the crucial Risk Assessment and Management Plan reports required by HIPAA regulations—reports that can serve as evidence to document HIPAA compliance and avoid fees during an audit.

“Everyone knew we had to make changes to keep up with evolving HIPAA regulations, but no one knew where to start,” said Dickson. “We’d been approaching compliance by way of random changes, not knowing what the greatest threats to our network were. The vague nature of that approach made it difficult to get administrators on-board with a full-fledged program to improve patient data security.”

The value of the network assessment project was three-fold for Reeves Memorial, says HiTech’s Richard Raue. “It helped the medical center identify any current vulnerabilities, gave them confidence and direction to move forward with an overall HIPAA compliance program, and it assessed our own performance as their IT provider.”

The Solution:

HiTech used the Network Detective tools to craft a detailed presentation for Reeves’ top decision-makers. In addition to important information about the network data, it included recommendations on the center’s physical security policies, ranging from which doors and supply closets were sufficiently locked, to the way that charts were stored, to how patients’ records were displayed on staff desktops. The reports pointed out a series of vulnerabilities, and assigned a level of risk to each one. HiTech gave Reeves Memorial a clear outline of what items needed to be corrected, organizing those items according to their level of urgency.

When faced with a concrete listing of issues, administrators at Reeves were motivated to take immediate action. The center assembled a Risk Assessment Committee to investigate specific breaches. They created a formal staff training that explained how to avoid future breaches, outlined new policies, and raised awareness of both network and physical security concerns. Reeves Memorial was on-board to create a market-leading compliance program.

“When we provide HIPAA-related services, it’s never a break-fix approach. We want to create a culture of compliance within the organization,” said Raue. “Facilities often start out with a lot of apprehension when it comes to compliancy. But once they see the results of a comprehensive network assessment, they embrace the process.”

The Results:

HiTech was contracted to address the network-based vulnerabilities and infractions revealed by the Network Detective HIPAA Compliance module. These ranged from unauthorized personnel access to software and hardware updates. What’s more, HiTech was hired to conduct the staff trainings, continue network assessments on a regular basis, and execute an overall compliance program.

“We’re on site all the time now at Reeves Memorial,” says Raue. “We’ve got a Network Detective Inspector appliance permanently installed at the facility to conduct quarterly assessments, which include change reports that indicate any questionable behavioral patterns or new areas of concern.”

Scott Dickson has HiTech’s engineers do regular inspections of the facility at undisclosed times to make sure the staff is compliant with the new policies, by way of both network and physical activities. Overall, the facility has made patient data and network security a priority, assigning it a level of awareness that had never existed before.

“We’ve become a trusted member of their team,” says Raue. “A network assessment is a long-term relationship-builder. When a client reveals their most crucial vulnerabilities to you, and is relying on you to address these issues, it puts you in a position of trust that is difficult to achieve any other way. You become a company that the client wants to keep around, since you’re so intrinsically vested in their business.” This strategy has led to ongoing growth for HiTech as an MSP in the healthcare market.

“HiTech’s assessment services have helped us better mitigate risks, avoid HIPAA penalties, and become a more secure facility with an increasingly robust network,” said Scott Dickson, director of information technology at Reeves Memorial. “Despite being located in a small rural community, this center is now ahead of the curve in its infrastructure and its overall security network policies.”
