The Security Collective


96. Securing managed IT services with Jeremy Herbert


Claire chats with Jeremy Herbert, the CIO of Premier Technology Solutions. They covered how small businesses were affected during COVID, and what organisations of all sizes need to consider when it comes to the partners they need to manage cyber risk. On the podcast, we don't often cover cyber risk for organisations as small as maybe just a handful of people, so it was so great to change things up a bit and hear about the challenges that Jeremy and the Premier team are managing for smaller businesses.

Jeremy Herbert is the CIO of Premier Technology Solutions with a unique approach to technology. As a CIO of a Technology Managed Service Provider, he is not only focused on the strategic business direction for Premier but also focused on the strategic direction for the clients that Premier supports.

Links:

Premier Website
Premier - free cyber check
Premier Talk
Premier LinkedIn

The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.


Transcript

Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's guest is Jeremy Herbert. Jeremy is the CIO at Premier Technology Solutions. As a CIO of a technology managed service provider, he not only focuses on the strategic business direction for Premier, but also on the strategic direction for clients that Premier supports. Our chat today covered how small businesses were affected during COVID, why security services became part of Premier's baseline product, and what organisations of all sizes need to consider when it comes to the partners they need to manage cyber risk. On the podcast, we don't often cover cyber risk for organisations as small as maybe just a handful of people. But it was so great to change things up a bit and hear about the challenges that Jeremy and the Premier team are managing for smaller businesses. So here is Jeremy Herbert. Jeremy, it's great to have you with me on The Security Collective today.

JH: Thanks for having me.

CP: So let's start with why an organisation might outsource their IT. What do you think drives this decision, and what would be the benefit?

JH: Yeah, I mean, there's so many sections and technology now takes such a big part in every business, no matter if they're large, small or indifferent. Everyone uses things like email and applications and having someone with expertise and the range of different areas of technology that can touch on, is often a little bit more valuable than hiring one or two people to look after their IT. And so when you're outsourcing, it gives you a larger field of technologies and expertise to tap into. Often it's a lot cheaper and robust for companies to do these things than outsource them if they're anywhere between, you know, 20 and 30 users, all the way up to about three or four hundred users. It can also be a complement and provide organisations with enough protection as well if they do have internal IT, you know, because we always talk about what's your disaster recovery plan. You know, what happens if your one internal IT person gets hit by a bus, where does all that information, that data lead? So having that outsourced also provides a very good layer of protection for most organisations. And businesses really want to focus on what they do. If you're not doing IT business you don't really want to focus on IT, it should be a complement. Outsourcing that to people that that's what they do day in and day out is often a smarter decision. And people often outsource accounts and outsource HR or expertise, it's not their core competency. So part of our unique offering is we offer a really good service around not just IT support, but consultation around technology. You know, we always like to say if it touches the internet, we can help talk about it and find what's right for you. But more and more it's you need those people that are living those things day in day out, especially when it comes to things like their security and their compliance, which since the start of COVID is a hot topic. And people like us have had to actually try and keep up with that trend and stay ahead of the curve instead of falling behind it and being reactive.

CP: So if we think about COVID, and lots of organisations have had to pivot, it's such a cliche word now, but pivot the way they do business, everybody went home. As a managed IT service provider for small and medium businesses particularly, what has the past few years been like for you, people working from home, etc?

JH: I think the trend that's still coming through today is those hybrid work environments. And some people love being in the office, like our team loves being in the office. We love collaborating and being around people, and some people love to work from home. And that challenge of those hybrid work environments where are you more productive at home? How do we make sure that you are productive? How do we get you back to the office or is it worthwhile you getting back to the office? And some people they had what we called COVID fatigue, and they were sick of being at home especially you know with the kids and you know what happens when school holidays happen and the kids are around all day every day. And some people in organisations are really strict around the concerns of their employees and working from home and then some really want to continue to have that work life balance. So we've seen a lot of transition for people and we know in the market that getting staff at the moment is very hard for a lot of people. So taking care of those staff and making sure they've got the flexibility these days is really important. Some of the challenges though have been those organisations that were maybe using thin clients or PCs, they had to think about why we need to get people laptops now. And then we have got them working on networks that we're not monitoring that aren't secure. So we have to then look at, how do we secure the applications that they're on? How do we give them training to make sure they're aware of some of the threats that are out there as well? And how do we make sure that, you know, we set up their environment so they can work like that? So there's been for us and especially, you would think IT companies that they'll be affected as well.

I think we have been more busy in the last two years than we've ever been, because we've got companies that were thinking about doing that digital transformation, maybe moving to more cloud based platforms and have a little bit more flexibility and scale, they've now gone from thinking about it to now how quickly can we implement it? You know, their challenge is very much being we now have to think how do we manage everyone that's working everywhere? And we had some clients and you know, some of their key people moved interstate. How do you address that? You know, and we're coming to the tail end of COVID, of course, there's still some issues. But you know, it's been interesting to see how it's gone from where we were, it was very strict, you could only be in the office if you're wearing a mask. And we had to have our check-in systems and, you know, setting those up for clients before the federal government put in the applications for them to use as well. So there's been a few changes over those solutions. But it's a new way of working now. And the first one was making sure people had that environment. And then the concerns around security, how do we, one, make sure you've got flexibility and collaboration, but how do we make sure it's secure when you're working from home, and the kids are downloading movies from pirated websites. And how do we segregate your network and your corporate information from that as well. So it meant that we had to as a technology provider, we had to have a really quick learning curve. And it was very good because we went to market, we have a really great network of suppliers and vendors. And then we had to make sure that we had solutions that could be deployed quickly that were easy to use, and that were providing security, but not getting in the way of clients being productive. And them having that functionality that they really needed to make their staff feel comfortable, you know, and get jobs done too.

You know, it's either been working from home is super productive for some people, for some it's not. So how do we manage that? How do we find ways to help our clients enable that new style or new age work environments now.

CP: Yeah, I was going to ask you how your services had to change over the two years as well. Because you mentioned as a company, your own shift, and then for your clients that rapid response and having to or trying to help them do what they needed to do to get their staff home, and be able to reach them interstate. But your products and services, how did they change over the two years, or over the last little while in order to meet that demand from your clients?

JH: Yeah, so Premier always had really high level competencies in managing infrastructure, and providing security or infrastructure. You know, as we're evolving with technology, software services, or SaaS solutions and infrastructure services, like private cloud solutions, and Azure, all become a lot more popular, because it has that flexibility to work from anywhere. So clients became less and less reliant on sites and then had to figure out like, how do we provide a bit more flexibility and access to our data and tools? So instead of migrating environments, we had to shift and really look at do we have the capability to advise you on different applications and different ways of working that are more productive in this new world in this new environment? So we had a really steep learning curve around improving the way that we consult about business process, not just here's some tools, off you go. It's like no, what are your challenges? What are your pain points? What are you struggling with? And how do we move you to this environment? You know, at one point last year there was a real shortage on laptops and just getting actual devices for people to move away from an old PC and talking to businesses about their work from home policies. I think that was a big one. People hadn't thought about it. Now they had to create these new internal policies, and they were looking to us to provide a bit of information around that. And you know, you have to be concerned about that person's work environment at home. If they have dual monitors and a set up in the office, do they have that at home as well? If not, do they supply in helping them think about those HR based policies as well. I think the biggest curve for us was with COVID came a lot more threats and a lot more cybercrime and it now, historically it had always been targeted, you know, the big fish and it always be targeted at the top end of town and that's not our market.

We work with companies that you know, have 10-15 staff all the way up to 300-500 staff. Those small and medium businesses, you know, they've done some things and our base level offerings always covered a lot of security. But as you lead into more sophisticated approaches, people are now thinking about getting certifications, and also just the baseline protection against, you know, phishing attacks and brute force attacks. And now that we were seeing that more and more it's like, hey, we need to address these things, we need to start talking to our clients about implementing these baselines and taking that approach that, hey, we need to get ahead of this curve. And now with everything that we do, whether it's a new application, we have to think about the security. We have to ask them about their compliance, and making sure that if they need compliance, making it work for them in real life, as well. And you know, if they have a certification that's going to help their business improve their posture and their security understanding. Whether it's an ISO certification, or NIST, or the Essential 8, which is very popular. And you know, there's been a lot of advertising on the radio and on TV about these standards. And what we did as a baseline is start aligning our services to that Essential 8. And then having to go and have conversations that always talked about security, but now it's talking about, let's put a formula behind this, and let's start talking about this is the baseline and we want to improve your levels of maturity over time, and make sure that we've got some framework to work around. But taking that a step further and saying, you know, we're going to do these alignments, is there something that in your business that you were trying to do? Are you trying to win a tender, or, you know are the tenders you're going for, are they asking you to have this sort of level of sophistication?

You know, we've even worked with some companies that tried to get Defence Force contracts, and they even have Defence Force certifications, there's different levels of security amongst that as well. So we shifted our methodology and really reached out to our network to help us build that practice over the last few years. And have done a very good job of appealing to clients around, hey, this is something that we've always mentioned, but now everything that we do, we have to look at this as a category. We have to look at it as an overall, because all of our clients, they you know, they have backups. You know, they have encrypted backups, and two years ago, at the start of this we really sent out emails about the benefits of multi factor authentication, and strongly recommend and let people know that credential theft is one of the largest areas of breach and it can be done. And so after that we then went to how can we do an educational piece to avoid these problems as well, we look at it same as healthcare. The best way you can approach healthcare is in a preventative way. You take care of yourself, you drink water, you take vitamins, you take care of your health, you go to check-ups with the doctor. It's the same approach. We are now trying to convey that, you know, the preventative measures and having disaster recovery plans is very important now, because it's not just the big four banks and the Fortune 500 companies, every company now is a target. Whether it's a small amount, or it's a large amount, and you know, protecting those clients. And the reputation is really important. It's what really they're concerned about as well.

CP: And so how did your clients respond to this expansion of your base product? Because obviously, not everybody buys into the need to invest in security, especially smaller organisations. I think they often, in fact I know from talking to small business, that they often think their IT service provider would be covering that anyway. So, for you to go to your current clients and say, okay, this is what our base product looks like now. And it's going to have security as part of it. What was their response like in relation to your new approach?

JH: Yeah, we have client Chief Information Officers who work as IT strategists. We also then have a proactive approach. We have client IT managers that go to site and do checks, and we try to proactively address issues. So those guys are always having consistent conversations about these threats in these areas. And we always talk about preventing breaches and what we can do around those things. So with our baseline, most providers we were providing remote monitoring, and AV and mail protection, things like DNS filtering and web filtering out of the box. And we were talking to people about multifactor authentication and upgrading to make sure they enabled those services. But what we really did is we upgraded to a product called XDR. And we also upgraded a few other things around remote monitoring to do more third party patching on desktop applications like Zoom and Java and Adobe and all those sort of things that you know people download and have an Oculus, but you know, they end up being a threat as well with not upgrading them. So for us, it was a challenge because it was an increased expense to us that we, you know, had to talk to clients about and pass on. This is what we think we do well as an organisation is explaining the very complicated ins and outs of things in a very simple format that anyone can understand. We try not to patronise our clients, we try to educate. But I think what we found is that we're explaining something, you know, what's the Security Operations Centre look like? You know, what's this product doing? And how can we explain why we're doing these things. And that was hard, you know, we tried to provide enough information as possible. But a lot of it came down to, you know, customers were feeling the pinch, you know, and we're asking them to spend a little bit more per user per month to work on things like data loss prevention, and how the products we were introducing, were going to help in these areas.

We were talking about the proactive approach about, we can only stop the breaches and address the breaches we can identify and see, and taking that proactive approach to try and stop a lot of those coming through and get in that catchment. And we have great relationships with a lot of our clients. You know, we did a lot of testing, you know, and there's a lot of vendors out there. And it gets even for someone like us that's experienced in the market and have a lot of great people in turning your team close to 50 people in different disciplines and areas. But we went through five or six top tier vendors in different solutions, and tested them all before we said yes, this is the one that we think is going to suit the small medium market best. And it was an enterprise solution, as well. So you know, it's tested and tried. And we had to really go through an in depth process to find that out. And yeah, I think the problem always is, is how do you explain why you're implementing something that a client's not going to touch, feel and see. Something that runs in the background and the cost associated to that. So it was really good, because we have those relationships with clients, we had that trust and ability. But you know, trying to work with over 100 clients and close to 4000 endpoints and having 100 conversations with 100 business owners and explaining those things and making sure that we weren't just forcing it on something that they were comfortable. And they understood why we were making the recommendation. It's very easy for clients to spend money on things that they can use, and you know, an application they're opening or a new computer that they get on their desk because they can touch, feel and interact with it. I think that's a lot of the challenge is when you're talking with small-medium businesses, if you hadn't spoken to them about increasing their budget to consider increasing their security maturity and presence, and education around cybersecurity.

That's the challenge for a company like us that deals with small businesses. And the first case is that you have to inform, you have to educate, you have to understand that there are levels of risks in the market, and what are these clients? And what are our customers and the people who work on what's acceptable and what's not.

CP: And so, when you think about incident response, and organisations who outsource to you in their mindset, IT and security is with you guys. And as you said, they're running the business. But when you have an incident, what's the challenge for you around the fact that you might be dealing with an organisation that doesn't have someone on the other side for you to work with, or doesn't necessarily have someone who's cyber savvy or cyber literate, or even IT literate, to help you to remediate on an incident or resolve something for them. As an IT service provider, you obviously have a role to play and they have expectations of you. But with these smaller organisations that don't necessarily have someone inside that can help technically, how do you find that the complexity of that to resolve incidents and contain them, so they don't blow out to be a large scale cyber incident?

JH: Yeah, and that's our own internal offering, and how we took the initiative to talk to people about uplifting their posture as well. And it's much easier to have that discussion if someone's had a breach or someone's opening an attachment or an email that's encrypted a bit of malware or lost their credentials to somebody. That becomes a little bit easier to have that conversation, because they see us respond, us help mitigate that situation, and actually go back. And our team does a really great job of actually going back and finding the root cause of these things and what's been affected, and the ability to respond and lock down. Now when we have to look at it, a new piece of software that helps us as their IT Managing Partner, you know, they have to understand that, yes, we need these tools because I can stop this before it happens. Or if I can catch it, I can isolate it. And if we can isolate it, we can deal with that one incident, we can stop it from spreading. And that's really key is that we tell people nothing's 100% certain. There's a lot of really smart people out there and there's many ways for them to get around these things. What we have to do is put our best foot forward to try and mitigate those things. Now, they have asked for when something goes wrong, when you get that breach, you have a whole team that gets to them. And one of the things we always talk about with clients is making sure they have cyber insurance. You know, we're not an insurance broker, but we always tell them that we can help you reduce your premium by showing that, hey, you're aligned and you're taking these steps. But nothing's 100% certain. So working with the cyber insurance companies is actually really good. I mean, that's one of the separating factors for us is that you can consult on everything that touches the internet, we also will work with every third party that you need us to.

So you have a third party supplier, or broker or when we have experienced clients that had breaches and they've engaged their cyber insurance company. Which really helps them with responsive emails that have gone out to their clients, and how they from a PR perspective do that response. And we then report to them about the root cause and where it came from. We then will do mitigation factors and stop those things from occurring again. But the real trick for us is to start getting our message across a bit more that we want to stop these things from happening. We don't want you to be the next victim of a cyber-attack or a phishing attack, and they come to us because we will help them with those things. Now getting the message across is we tell people, hey, this is very clear. This is what's happened, transparency, what happened, and this is what we're doing next. Now we keep them informed, we keep them up to date, we make sure they're very aware of what's happened and what we're about to do and address that first. Now, after there's that level of comfort, and we've removed the threat, we can then go back and talk about what's the next stage to mitigate this. And often it is a real simple thing is that we can't stop people from opening up emails. We can try and stop those type of emails coming through as much as possible. But if one does leak through, and there's a really sophisticated attack or an approach, how do we make your staff aware? That's through education, that's through awareness training. We do proactive scanning to try and mitigate those things as much as possible. But that's the benefit of outsourced IT, I think we touched on earlier, is that you have a whole team, you don't just have that one person. And you know, we have to build that level of trust with our clients, that they understand if something does go wrong, Premier has their back.

CP: I think what you're doing at Premier is incredibly important. And those small businesses are incredibly vulnerable. And you know, as we discussed, they don't necessarily have the expertise within their business and they want to be selling their product and being the expert in their field and letting you guys do your work. And I love the idea that security has been put forward as part of your core offering. And so I think, you know, keep doing what you're doing. I think it's brilliant. And thank you so much for joining me on The Security Collective today.

JH: I appreciate it Claire. Thanks for having me and I look forward to chatting with you again.