Systems Plus and Trusted Internet - SPCI Podcast Episode #2
Enjoy the second episode of our new podcast! Featuring Mickey & Nate from Trusted Internet. Look forward to more podcast episodes in the near future!
Transcript
Hi there. This is Patrick with Systems Plus Computers. I'm joined today by two special guests, uh Mickey and Nate from Trusted Internet. Uh welcome guys. Thank you for joining us today. Uh I appreciate you coming coming by. Yeah, happy to. Um, I think we're going to be just talking about a little bit of a background of uh what bring us bring us what brings us here today. Um, a little bit about our origins as to why we're actually sitting in this industry and doing these things today. Um, and then we're also going to be talking about just business in general, different use cases and things like that. And I will try to stay in frame as well. Um, so I'll I'll just go ahead. I'll dive right in. So I'm Patrick again, your host, uh with Systems Plus. I'm president of uh Systems Plus Computers here. I purchased the company about one year ago and previous to that I ran an MSP in Portland, Maine. Um I've also been in the industry over 20 plus years now doing everything from servers to cloud to some security, not heavy, uh but also very heavy in the MSP or managed services department. So Mickey, would you like to introduce yourself? Yeah, absolutely. Thanks for having me. So, um, so one year ago, when's your anniversary? Um, it's going to be April. Okay. Yeah. Okay. Well, cool. Um, so I'm with Trusted Internet and I am the director of client success and partnerships, which is, um, exactly why we're we're here, right? So, I'm glad that we we met a little ways back so that we could have this type of partnership. That's awesome. And Nate, what brings you here today? Nate Paddock. I'm the director of cyber security services for Trusted Internet. We are a cyber security company out of Amherst, New Hampshire. Yeah. Let's talk a little bit more about uh Trusted Internet. Um when uh when did that get started? Trusted Internet started about several years ago. Uh come a little closer and yeah sure Trusted Internet started about 7 years ago. 
The founder is Jeffrey Stutzman, former Navy intelligence uh enlisted and then officer who uh was previously a chief information security officer with Northrop Grumman and then worked for the organization that you now know as CISA, a fed federal organization dedicated to securing a department of defense supply chain and and uh federal contractors. Excellent. Yeah, I remember him uh talking about his bio before and it was very very impressive. Um, a little bit about Systems Plus. Systems Plus has been around for over 35 years now. Started in 1988 by a ragtag group of IT people and uh has grown from just a retail location to now managed services and uh and now we're expanding our capabilities into more on the cyber side as well. Um, let's see here. Let's uh let's transition into company origins and mission. I guess you kind of already did your origin, but do you want to expand on that at all? Just a little. Uh so when the company before the company started, it really started with the uh founder's daughter going to college and she found one of his old firewalls sitting at the house and repurposed it to be a VPN server. Uh from there she'd come home from school with a smile on her face and he asked her why she was smiling and she said, "Well, I just sold two more VPN accounts." And he's like, "What are you talking about?" Well, the school that she was going to was apparently blocking Netflix from streaming and she was selling VPN accounts to the other students so they could watch Netflix. early on entrepreneur and there's nothing like uh the the you know hacking uh culture to really propel technology forward I would say absolutely yeah that sparked the idea of Trusted Internet that's a that's a fun story um you know unfortunately I really don't know the full origin story of Systems Plus uh I think it was lost in ethos uh from years ago but I know there was three partners originally and uh they got together um originally just PCs. 
They did a lot of build your own computers back in the early days as well. Um that's something we're trying to bring back now here as well. But uh and then ultimately as um I know they started doing Apple sales sometime in the 1999 to 2000 range and um been uh yeah just very very successful as a Lenovo partner at one point HP partner and uh and now of course Apple partner uh as well. So the the build your own computer I remember back in the day when um I I was married to a very geeky guy. He used to do that a lot and then I saw it kind of go out. You said you're trying to bring it back. So this is like uh Build-A-Bear for geeks. Right. Exactly. Why do you think it um why do you think it went away for a little bit? I I think it's similar to like you know in the old days or in the 80s or even before you used to tinker with your car and upgrade different components. I think it's that type of mentality where you want to be able to uh touch it, build it yourself, and then and customize it, and then it kind of connects you to the to your hobby in in a in a way that buying a pre-made car wouldn't wouldn't wouldn't um really speak to you in the same way. That customization. Yeah, that makes sense. If if I did not have to fly back with it, I would 100% build my own treetop computer if that sounds really fun. Yes. Uh, and actually our first class is August 23rd and um, it's $688. It's a budget gaming build. $200 for the class and um, we're going to have a lot of fun with it. I don't think it's going to be a big money maker, but that's how I started back in 96. I built my first computer and and it drove a lot of my passion for the industry. So, I I want to share that passion with other people. Well, that sounds fun. Yeah, we're excited to to hear how it how it goes. take take a lot of pics for me. Absolutely. Yeah, I was thinking about live streaming the event as well. Maybe we'll see. Got some pretty fancy cases out there. 
Yeah, I like I'll have to show you in the other room the setup as well. Um yo, so tell me a little bit about the services and value proposition uh part um for for you guys. So um I I'll let Nate get into like the the very technical portion of it. I think that um I would love for people to know how we work together as partners. So you know Systems Plus and Trusted Internet are not necessarily one and the same. We're partners where we have an extra consonant in our in our services. So you guys are an MSP which is a managed service provider and we're an MSSP. So we're a managed security services provider. So even though we're in the same sandbox and we do some of the same things, uh we have different priorities and different things that are our main um you know top on our list, right? Um so for us it is strictly cyber security. Uh so anything that deals with security is where we play and then um you know you guys do the actual um services and support, right? So, they helped us uh the actual repairs and things like that. And um one of the best ways that I love to explain it to people um because I love analogies. So, uh to to help people understand is our CEO likes to say, you know, it's like if you have a printer, if it runs out of ink or doesn't talk to your laptop, you're going to call an MSP. So, they're going to call a Systems Plus. But if your printer starts spitting out pages in Russian or Chinese, then you're going to call Mickey and Nate at Trusted Internet. So, um, so that's just kind of like the high-level overview. Um, Nate, that actually happens right here at Dartmouth College when I was working there. The Well, not it wasn't printing out in another language. Hackers were were logging into the library computers and making it print out all of the paper until they secured them. Is that what got you started in security as well? Um, my start in security was with the Air Force. Okay. 
I started the Air Force network operations security center with a team of people uh in at Barksdale Air Force Base in Louisiana. And this was the first time we were setting up a command and control structure that would cover the entire Air Force. Until then, there were small units across the across the board that were trying to do cyber security on their own. Mhm. All in different ways. And so we set up standardized processes and a way to collect devices that have been hacked um and send them for forensics for example. Interesting. Huh. And Mickey, what brought you to security as well? Um, so, uh, Jeff, so our our CEO, he was actually a previous client of mine and then, uh, I had an opportunity to help Trusted Internet expand its reach within the community and also build out our partnership portfolio, which is, you know, where my heart is. So, I've been in a lot of different industries from healthcare, healthcare, IT, international investigations, and I've had an opportunity to um work on a a global um footprint. And so, with this um I started talking to Jeff uh who is very persuasive and you know, I I've been in different aspects of it for a while. And so, when he was telling me about cyber, I was like, absolutely, I want in. Cool. I mean, it's a big field. It's and it's getting bigger and more and more important every year. It seems like the threats just keep keep getting bigger and bigger. So, uh, no lack of work, that's for sure. Yeah. Right. Yeah. And I I like Jeff, too. He he I can see he can be very persuasive, can he? Yeah. Yeah. Um, let's see. Yeah. So, for me, you know, security's always been kind of one of those things that, um, I think a lot of companies have sort of added on after the fact. Yeah, but as we've gotten deeper and deeper as an MSP, we we like to try to bake it in on all our levels. 
So, you know, we we do do a lot of firewalls um and then just basic security hygiene and and basic security practices, making sure people aren't clicking on bad links and and if they are, then we're trying to stop them at the firewall. Uh it doesn't always work, but that's our that's our attempt. And I think that that's great from your end because you're kind of in the front line, right? So people are coming, they're probably trying to buy a new system or or something like that where they have something tangible. Um for me, I found some challenges with trying to provide something that's intangible or uh something that is like well that's going to happen to someone else, somebody else is going to get hacked. So, you know, you have to educate on the importance of being proactive. And I can tell you 99.9% of the people that have been hacked, I I bet that they would have wished that they would have signed up beforehand, right? So, um I I think that's great that you're in the front lines and kind of educating them on on that. And a lot of people don't even realize they've been hacked. That's the other thing is that, you know, they may have lost all this data, but they would never know, right? Yeah. So, lots of different levels there. I think for Yeah. I guess, you know, for tangibility, it might be easier for us because if someone's down and not operational at all and they call us and we get them up and running, that's a hugely uh tangible thing for their operation. And so preventing you're uh you're like more like a vaccine than a than a direct cure, right? And so, yeah, we do. It's hard to kind of explain that to some people. Yeah, we we do um we do like the incident response and things like that, too. But when they're coming, I was thinking more along the lines of when they're coming to you, they're like, I want this shiny new computer that or you know, this like super cool tool. Yeah. Um okay, so let's see here. 
Let's uh why don't we switch to local synergies referral opportunities. Um, I'm not sure how this will look exactly, but you know, most of what our operations are really centered here in the in the upper valley, uh, and then also across New Hampshire. That's sort of our footprint, although we're we're much stronger in this on the western side than we are on the eastern side at this point. Well, I'd say our our company's focus is is a small and medium-sized businesses, but along the way, we've been picking up high-net-worth clients. These could be a celebrity, a politician, um just a C-suite executive from a a major company that wants personal protection at their home. A lot of a lot of these folks will have um smart home equipment, including network video recorders and other vulnerable type equipment. Mhm. And that's where we partner with IT companies such as such as yourself where if you're managing that equipment, we might recommend an upgrade or we will put a firewall in to monitor and protect it and and also meter the access so that only the client can access his cameras or her cameras uh from a mobile mobile app for example. And and that's one of the things we see a lot of is when we go to a new site, there's a bunch of old computers sitting around. They're still using them, but you know, when they get to be four or five years old, they start becoming unreliable. It could lead to data loss in some situations if no one has a good backup on there. And and so those are the things that we take care of right away. We make recommendations on replacing that equipment, making sure that everything's backed up. And do you have a continuity plan? One of our first clients that in that field that's an executive was actually a sports coach. And unfortunately the camera feed for that coach and his family was being sold as a subscription service. Oh, he was a really interesting coach, I guess. Uh the his wife was the interesting Oh, I see. Okay. 
I'm guessing this is before OnlyFans. Yes, it was she was the vacant she was the star attraction and um unfortunately they found out you know a little too late obvious so that's true we were able to come in and put in a firewall but also the whole system has to be replaced so that they would regain their privacy you know people put those Ring cameras in all the time and you know um yeah they don't they don't realize how much they can actually collect and they're the first things that are hijacked but to to touch more on um on our clientele, it's usually high-net-worth, ultra-high-net-worth, or high-profile individuals. And you think, okay, these people already have cyber security at their job, right? They're a CEO, they're a CEO. Yeah, sure. However, you know, it gets blurry about who takes care of them with at the their residence. And so many MSSPs say, "Okay, I can take care of your office, but I do not want to touch the home." where that's you know that's our bread and butter that is something where we have a lot of experience and that's one of our niches and we have done it well and we do not um back away from that. So, we we take care of a lot of families and we understand the importance and we we want to make sure that they understand that even though they're protected at work, they need to be protected at home as well, right? Because imagine how many people are doing the hybrid, how many people are just doing remote and if you're accessing your company's information that needs to be protected. Yeah, we have an individual like that, a CEO of a company and um you know certainly we protected their their main site, but um he needs protection all the time. He's very clicky and um he's very trusting individual. Yes. Um and it gets him in trouble often and so we geofence his emails. Uh but he you know there's still things that could get out. Yeah. Interesting. So, in terms of like operating areas though, where where do you guys primarily operate out of? 
Is it New Hampshire or other places as well? So, we're based in New Hampshire, but but we're global. We're Yeah, we're worldwide. Global. Yeah, that's even better. Uh, let's see here. Uh, trust building, combining in-person system support with round-the-clock threat monitoring. Um, you guys want to talk about that at all? Sure. So, we have established a security operations center that's 24/7. They're bringing in all of the alerts. So, we have firewalls set up at all of these locations and as well as software uh to protect the computers and other devices, mobile devices. All of those alerts are going to our SOC team. These are it's a team of two who uh will have you know a tier one and a tier two that will analyze the alerts make a decision on whether it's an incident or an advisory and provide advice back through um either the consultants assigned to those clients or directly to the clients depending on their preferences. Yeah. So um so for the non-super-smart technical people like me um so basically we have we have eyes on what's going on when you are under our protection right so when we're doing your long-term monitoring we have a 24/7 SOC um security operation center that is keeping an eye on um on what's going in and out of the firewall and things like that and you know checking your your end points and your devices devices uh to make sure that everything is is safe. Now, if you're sleeping and something comes through, the SOC catches it and then you know we deal with it. Um and so you can rest assured that you know there's always eyes on it, right? So yeah, that's really great. That's peace of mind. That's what you're paying for. Exactly. That's that's what we sell. You know, you're selling peace of mind, right? Exactly. Well, uh, the next part is my favorite, which is talking about compliance and education. Your f not not heard that one yet. Um, so are you talking about like CMMC? Okay. Okay. 
Um, so I think I don't think that that we talked about our origin story, the the how we met story. Oh, right. Right. Okay. Let's back up. This is a great segue. Okay. Yeah. Yeah. So, speaking of CMMC, which I believe if I remember correctly, it stands for cyber security maturity maturity model certification. Yes, you're absolutely right. Gold star and a high-ch. Um but yeah, about a year ago, I think it was, you guys were uh hosting a class on that and then I believe it was kind of t um marketed as the NIST 800-171 compliance as well. And uh so I went to that class. It was a really excellent class. It's uh held by Apex. It was um so we partner, we love to partner with people like Apex, these organizations that are are helping businesses and the local communities uh because when we set up the workshops, we are giving you access to CISOs like Nate. Um we're giving you access to the tool that does all the tracking that platform and we're actually taking you through the baseline assessment. And so when we kind of mark the list of what you get and then tell you that the cost is free.99, then people get a little like uncomfortable. They're like, is this going to be like very salesy? Is this going to be a time share type situation? And so that's why we love to partner with, you know, the third party and say, "Hey, this is what we're doing." They can attest for us. Especially the New Hampshire um Apex are absolutely amazing. We've done multiple with them and so you know the first one was where we met and so they were able to sit through and say oh this is truly educational and this has been truly you know beneficial and what was cool was we kind of took a step back and we allowed the attendees to give them that feedback and so because of that we've been able to do so many more with them um like the one that we're doing tomorrow. Yes. Yes. So, we're doing another um CMMC workshop with a New Hampshire Apex tomorrow in Concord or how do you conquer Concord? Yes. Yes. 
There's another E in there somewhere. Yes. So, we're we're doing it again and again it's the same place that that we had first met. Okay. So, um, yeah, as far as the workshops and and what to expect and and who it's for goes, like that is, um, that's kind of the way that we run it. Now, for CMMC itself, that would be a nate, uh, topic. So CM CMC is basically using the compliance control criteria for from NIST 800 171 now and this the revision to uh of that of that that so those are fully merged together at this point would you say or are they still separate standards they are the same there are it's a program so think of CMMC as a way to enforce the standards and companies need to be applying those standards. Any company that wants to have a federal contract or a Department of Defense contract has to meet these criteria depending on what kind of information they process. So if the contract includes um transmitting formerly known as official use only type of data, federally contracted information, they have to protect that information at a level one of CMMC, which would be a subset of the NIST 800 171 uh controls, but also level one, right? Okay. And then level two um adds additional controls up to 110 of the controls that are listed in 81 171. And and are they both controlled by DoD? Yes. Okay. So it's it's both a standard from DoD. Okay. Right. And I think that's a little bit of the confusion I had when I first took the class about what was it a year ago now. And um yeah, I thought they were different and I was like, "Oh, great. We have HIPPA, we got PCI compliance, and now we have, you know, several several other new ones. Uh, but it was good to know that they kind of started merging those together. It will apply to other federal agencies, not just the Department of Defense. Oh, I see. It's going into the Federal Register. I think this law by October. I see. Okay. 
And Nate, what happens if uh they're working with the government or have contracts and they are not compliant? Um, a non-compliant organization will not be competitive to retain or obtain new new contracts. I see. So, they'll be disqualified from continuing, right? And so, it's important for businesses to know now that if you're just starting on a CNMC journey, um, you're very late to the party, but um, it's not too late to get started and at least get the level one. We we advise on how to get level one and we can get you there within uh a month maybe two depending on how active your team is in writing policies and ensuring that you have your system security plan ready to go. For me, I think that was the really the eye opening thing that I learned in the class was that um it it was a little it was deeper than I thought it was going to be for level one. um uh but that it was still pretty obtainable and so um for us you know we've been able to implement many of those security practices here and uh while we're not certified level one at this point um I think it wouldn't be that hard to continue and and actually finish that up and a lot of it I think really is common sense and good security practices anyway I feel like you know it's it's there is a cost with implementing it but it It's going to give us a lot of advantages that other companies don't have in terms of uh our resiliency with the company and our security systems internally. And then of course as an managed service provider, we're we're also a target. So that's one of the other things is that we need to make sure that we're we're um doing everything we can to make sure everything's secure. Exactly. And the final rule related to CMMC came out this year which pertains to companies like system plus and trusted internet as providers of services to these companies that have to uh meet CMMC level two. 
And it basically says that we as supporters if we're not handling the data that they're handling we need to be at at least level one. Mhm. Excellent. So if they're level two, then you have to be level one. Is that right? As long as we're not touching any of the controlled uncclassified information or federally contracted information, they are if they were clearly kooey. Yeah. UNC and classified information of KOIE is the criteria. Okay. I was going to mention that as well. So for those of you that are that are hear about CMMC that are being told that you have to have it or you should have it, you're going to hear a lot of acronyms. You're going to hear a lot of different words. So you're going to hear kouli, which means controlled unclassified information. Yeah. And so you're going to hear that. So it's it's it's going to be interchangeable and and you're going to hear that. So that's something that you should know. So I just joined recently the AAA aa which is the Americans against the abuse of acronyms. I was going to say architect series right now. I was like following along like oh my goodness. You guys want to take a break here or uh you want to keep going? I'm okay either way. I'm okay to present. You're all right. Okay. All right. Cool. Uh let's see here. So Patrick, yes. Can I ask you a question? Sure. Absolutely. So I would love to hear from you um your honest feedback about the workshop. No, I felt it was extremely valuable. Um obviously the best part about it was the hands-on piece. Uh I thought so as I was going through the questions and started answering them, I felt like uh there was a lot more things that I needed to think through um than I would have initially thought. I thought it was going to be a lot more of a shallower kind of assessment, right? And some of the questions were really really good. 
So I thought I thought it was really good the way you guys had it structured and I don't know if you've changed it all but you know doing that introduction. Yep. And you do like I think it was like an hour first and talking about what it is and then getting hands on and uh Exactly. And then having that tool I think it was 30 days or 60 days. Um Yep. I was able to Yeah. I downloaded all the results and I shared it with my team and we went through all the different uh ones. So I felt that was uh that was very cool. Yeah. Um I don't know how if I would change anything with the way your your format was. I I I enjoyed it. Um, yeah, that's very informative. Uh, one of the best things too I found was in speaking with some of the other participants there as well and then of course getting some time with Jeff and and the other guys um about their experiences. I thought that was valuable. No, that that that's so great to hear. Yeah, we wanted it to be um informative. So, you know, there's so many workshops and webinars and things right now like CMMC is a big buzzword, right? And so, there's all of these different things out there about the importance and like I feel like it's like hellfire and damnation, right? Like you don't need to go to CMMC church. What you need to do is sit down and do the work. Exactly. it. So, um I think that that's why our workshop is a lot different too because not only are, you know, we're going to do this together. We're giving you access to the tools as far as tracking platform and we're giving you access to the subject matter excerpts, you know, so it's all in one room, but then you have the report that you print out and do you want to explain to them a little bit more about what this report is to you? Yeah, for sure. I mean and the report was really around all of those controls. I think you said it was seven altogether initially. So level one or 17. 
And um as I was going through each of those, you know, some of it dealt with physical security, some of it was logging, some of it was passwords, but um what I like most about it was even though a lot of it was policy, I felt like it was directly something that I could implement. And so that was really the main thing for me like like I love learning for learning sake, right? But the fact that I could take this information back with me and start applying it right away with my team was the best part I think uh because it was actionable and even if you don't have to be a level one certified uh all the practices in there I think are applicable for any company that's wellrun and so um I would encourage any any manager IT manager director obviously and andor owners that are interested in uh making sure their operations for their for their company is going smoothly. Um I think you would benefit from it. It's a it's a little bit of a commitment because it's half a day but totally worth it in my opinion. I don't think you could learn it in less time, right? It's such a dense uh and and broad topic. Um and I think you need that four hours at a minimum. And uh I know for me it was probably going to take us probably an additional I was just estimating probably a good 80 70 80 hours to to implement all the things in there and probably even that's just an underestimate right and I think one of the main reasons for us bringing this up is because both systems plus and trusted internet have solutions that can help meet a lot of those compliance criteria. It's basically a checklist for how to run your network in in a way that is orderly. It doesn't give you the specifics, but it says you have to meet this criteria like a username has to be x number of characters, password changes should be within what is what is the schedule it 90 days, 120 days. So it takes out some of the randomness that may may incur with when you're building up a business from scratch. 
you start putting in what what feels right or what might be a good solution. But if you look at the Nest uh controls, you start to realize that well, we never did um have a policy for mobile devices and we never had a policy for changing passwords. Having an antivirus, what kind of antivirus would you choose? And and when you're sitting there making those decisions, this can really actually accelerate your your decision-making process. You don't really have to overthink how many characters do you need on your password. You just follow the standard and that'll save you, I don't know, countless number of hours of trying to figure it out yourself potentially opening yourself up to a security vulnerability issue, right? Which includes old software like we have some clients still that use Windows 2012 Server 2012. Oh yes. Yeah. Um yes. So, we're hopefully we'll be be getting rid of the rest of those this year uh for for clients. Um but yeah, some people still run those. It's amazing. Yeah, even though they're out of date. Obviously, the big one to mention too that we're focused on right now is Windows 10 being end of life. Yes. And Windows 11 rolling out. Um so, we we've been doing a lot of those uh lately. Um but yeah, so long story short, I definitely would would recommend it. I think you should you you would gain a lot of lot of insight from this information. That's great feedback. Thank you. Appreciate that. Absolutely. So, let's see here. World uh real world case studies. I know you had a great story uh that you were telling me earlier. Do you want to go through that one again? I thought that was a Are we going to bleep out the names? I don't get the names. Yeah. Yeah. Yeah. The names have been changed. circ. 
So, trusted internet really got its start with um a major oil and gas company that had been hit by a ransomware and Jeff at the time as the sole member of Trust Internet was able to bring in a few um a few partners and bring them into the company to help manage that anti-ransomware. I came into the company about a year after that and one of the first assignments was to um race down to Boston to help an architectural firm that had been alerted by the FBI that they were victims of a ransomware. Um, I was able to determine when I got there that their their systems did not have any antivirus unfortunately and their domain controller was being used kind of as a personal computer by the IT admin team who had and that was the source of the infection which was the cryptic ransomware. Um, after showing them how to view their their service panel, I showed them a randomly named process that was running every 20 minutes and spreading the code across their network, which was about 50 to 60 computers and it had not yet encrypted everything, but it was on a timer to start encrypting everything. So we we were able to fortunately we put in firewalls, we put in um software that diffused the ransomware, stopped stopped the spread, and we also had them change the uh password of their domain controller because we realized it had been hacked uh by a foreign entity. We also observed that week the foreign same foreign entity attempting to log back in and regain control of the network. Um but by then we had already taken care of the ransomware and secure the the server. That's a fun story. I it does remind me of a similar situation. 
Uh, I don't think it I think it was ransomware but it hadn't deployed yet and so it was for a a school and uh somehow it was able to spread from computer to computer but although they had a very good firewall in place so uh while it wasn't able to get back out and download the the the the malicious package uh it was able to jump from one computer to another so I think we spent about a day chasing down all the different computers that was it was spreading to um is ultimately because they did have a good firewall in place that made all the difference and it was able to block all those activities otherwise I just wonder what might have happened otherwise. Yeah. Was it a high school or an elementary school? It was a high school. Yeah. Yeah. Cuz you said there was the spread of crab files. Um yes, there was another incident where there was some crab files that were growing around. That was a different one. Yes. Yeah. But um it it does happen and it does happen often. Um so what we like to do uh as an MSP we like to kind of layer our defenses and the way I like to say it is that we've created this moat sort of around your company and everything outside of your firewall is is that moat and we're checking everything as it comes in. Of course once it gets to the computer the antivirus is there and then the other layer is that you have your backup. So if the computer definitely gets infected, you know, we can do a recovery from there. So really, you're thinking of it in terms of three layers of defense. Yes. Yeah. It's a combination of best practices with those active defenses. They've got that offline backup. It's definitely very helpful. Like layered layered defenses, I guess, is a good way to to think of it. Certainly. Yep. Um what about for actionable takeaways here? Um what are your thoughts on that? This is for SMBs here, current IT security posturing um combining local with managed security, like how do those things come together?
So, as far as um any small businesses, anybody who has security concerns, you know, we do have a local office, so we have a global footprint. We're able to go wherever um the need arises, but we we are local. We have an office in Amherst. Um and I am wherever I need to be, but uh especially for the local community here, we do help a lot of businesses here. We do help a lot of individuals here and um they can reach out to to us either at the office in Amherst um or they can go to our website trustedin.io um or they can reach out to to me or Nate or anyone on our team and we're happy to help and figure out how we can make sure that people are secure. Um, I I think that from from my perspective, I I am partnerships and I am client success. So, when you're already a client, I want to make sure that uh you stay quiet and that you understand the importance of what we're doing because again, you can't you you know, you can't hold in your hand the ransomware attacks that didn't happen because we are um because we're protecting you, but uh we can educate you and we can give you some peace of mind knowing that when your child goes online that you know that they're going to be protected and secure in addition to the education that we provide. So when we do these installs, the CISOs go on site with the engineers and they educate the whole family as well, right? So the teens and tweens, there's so many um new scams and bad actors out there and with like the the cleverness of social engineering, they're such an easy target. And you know, obviously teenagers know everything. So you can't tell them anything, right? So to have the subject matter expert be able to come in and say, "Hey, here's the case studies. Here's what we've seen. Here's what's going on." Not just because of what your parents are saying. And you do have those weakest links, right?
So you definitely have to educate everyone otherwise they could bring something in inadvertently and and then compromise the whole situation. Exactly. Yeah. We should also recognize a lot of the small to medium-sized businesses cannot afford a full-time IT manager. Sure. Um, bringing in a company like Systems Plus gives you that on, you know, basically a partial or fractional basis. And it's the same with security consulting. Like instead of having a CISO position or an IT security manager, you can hire a company like like us to be that consulting on demand. And because a lot of these scams happen very quickly, as Mickey mentioned, there's the use of generative AI makes people that are not English-speaking people become perfect English speakers. Even if they're not in the country, they're still able to uh represent themselves as someone legitimate that could possibly um cause loss of money to your business. And and what's the term? It's a virtual CISO. Is that the term? That's what's so that is trademark. Oh, is it trademark trust acts? I think let's cross that out. Well, that says visa and said or fractional. That's okay. Oh, okay. Uh, but it's basically for a way le for way less than the cost of the full-time equivalent. You can you can get consulting for it. You can get consulting for security. And that's with the CISO consulting services. But with our long-term monitoring services where we have a 24/7 SOC, um, you know, watching your firewall and everything, I don't know. I'm sure you do. What would be the cost to a small business to build out their own SOC or their security operation center? Oh, a full-time security operation center would be, I think, um, cost prohibitive and not practical. Yeah. for any one company to do SAS. Uh the next section I'd love to talk to you guys about is really highlighting some of the differences between what an MSP or managed service provider is and what an MSSP is or managed security service provider.
And it's a little confusing or can be when you first kind of delve into this world. But um after this video or after this section here, you're going to be it's going to be very clear to you. Uh, of course the 10 questions that follow up after that will also help as well. So really you know we talked a little bit about this before but an MSP uh the primary focus of an MSP is going to be around your your IT operations infrastructure and user support. And kind of like the way I like to think of it is trying to get everything working and everyone productive. That's sort of the main thing. um and productivity being the key thing that the MSP is going to be providing for you. Um how do you feel about that, Nate? I think that's a good that's a good analysis. You know, the the MSSP is going to be focused on providing consulting pertaining to security, not about like you mentioned earlier the printer ink or what brand of computer might be reliable. I do like that analogy, the printer ink versus the uh was it Russian? Um Russian or Chinese? Russian. Chinese. Yes. That came from old Hefe. Yeah. Um so core services uh for MSP then is going to be help desk and user support, network and device management, backup, disaster recovery, hardware life cycle uh management as well, older computers, those type of things. Those will all be covered under your MSP, right? And the MSSP is looking at 24-hour threat monitoring, consulting again, but also incident management, response, and and vulnerability management, taking a look at what what systems need to be keep kept up to date. It and it may be worth mentioning here is that there is a little bit of overlap uh there as well. Yeah. Uh particularly with you know once the incident has been detected the cleanup part of it right often times an MSP will definitely get involved with the with the cleanup um especially if it's a lot of machines that are involved in the in the incident. The recovery from a backup is a good example of that.
That's a great example. And it um it might be worth mentioning too, sometimes we come into businesses or home offices that already have a lovely MSP like you guys and people get confused thinking that we're trying to take over, right? If they're not familiar, if they hadn't worked with an MSSP before where it's like we don't want your job, right? We are happy staying in our lane. And so, for example, we would work with you guys to um I if you're already in someone's home or home office, you can do the firewall installation. Mhm. Like absolutely. So, where we would play with that is yeah, you're already there. You already know that's something that's a service you provide. You install it. Once you've done that, that's when we take over and that's when we start monitoring, right? And if it goes offline or something like that, we might hit you up and say, "Hey, would you mind stopping by the office?" Sure. But that's kind of how I see it. Do you see it any differently in a... No, I think the same. Next generation firewalls tend to have a DHCP server, for example. And that's where there can be confusion where just because the firewall can act as a router doesn't mean that the MSP is cut out from specifying what kind of networks the client needs to have at the home. Sure. Sure. And then I'm thinking about it on the firewall side even a little bit deeper and further. You guys will often uh review the logs on a continuous basis where an MSP uh we're really contracted to update the firmware on the device. Exactly. And we'll review the uh logs probably periodically, maybe, you know, bi-weekly or monthly. Uh but that's not often enough if you're under active attack or there's a threat that's emerging. Um and that's where you guys come in. So the next thing is really about the tool stack here as well. This is less important but worth mentioning.
Uh, an MSP will be using things like an RMM which is a remote management uh console uh professional uh services um like a ticketing system different types of backup tools and then endpoint management platforms uh for example on the Apple side someone might be using like ade or n central one of those type of platforms right and in contrast the MSSP is focusing on a next generation firewall. Um possibly agents like software agents on computers that were are implementing cyber security or providing logs back to us about certain events happening on the computer. Under the security capabilities here, uh really we're looking at um basic AV. This is again for MSP uh patching um doing basic password resets and then um basic uh firewall configuration as well. Yes. And add to that for us the uh we're looking at anti-ransomware the consulting again comes into effect as far as preventing people from clicking those links and downloading those attachments in their email. Mhm. Um but also um the SOC team here will do threat hunting and prevention of like they identify certain trends that are going on with the network and can inform the client of those problems. And when I mentioned like basic firewall configuration, I was thinking of it more basic from a security standpoint. Uh it may not be exactly basic from an from a network topology standpoint. For example, if you have a VoIP phone, you may have different VLANs and things set up. So, the configuration could still be fairly sophisticated, but fairly basic on the on the security side in terms of threat management. And we fine-tune our security files to include, you know, the intrusion prevention engine, the antivirus. There's application filtering, DNS filtering, sure, SSL. And we rarely put application filtering on. That's definitely an area that we we leave off unless it's specifically requested by someone and they understand which applications they really want to filter. Right. Yep.
So I want to ask for the security capabilities for the people that are not super technical. Right. So, say I own a business and you're my MSP and I all I hear from you is, "Oh, yeah, you do provide some security." Now, how would we be able to make it clear and understandable um what exactly you provide as an MSP versus what is needed as a small business? You know what I mean? Some people would hear that and think, "Oh, no. Why am I going to pay extra?" But Trusted Internet and you know Systems Plus is already providing security and then that would be my own assumption not that he he's lying to me right so how would we help them better understand that like the degrees of the security that you might need right like how what level of security not necessarily not just what's needed but say it's my home office you're my MSP and all I hear is you know that you provide security. What exactly is Systems Plus providing? And then as a small business owner, what would Trusted Internet, why would I need a Trusted Internet? Sure. Sure. That's a great question. Yeah. So, we will provide sort of the basics, right? The three tiers that we talked about before. Uh creating that initial moat around your around your office. um the which will be that firewall configuration, the antivirus that is on your machine and then the backups uh for you to be able to recover uh if there is an incident of some sort. Um I would say where really where you need that next level of protection and bringing in Trusted Internet is where is when you are um higher when you have a higher stakes um situation. So, say you're working with DoD or you have um larger contracts that you're trying to protect or if you're under active threat obviously or if you receive the threat that would be an excellent time to bring in um a security provider.
Um and then just in general like if the nature of your business is uh say health care or you're working with more types of sensitive information where perhaps a breach would would be extremely costly. Uh those are the type of things that you want to protect. Um if you're a hair salon uh then may yeah maybe maybe not right. unless you're a hair salon to the ultra, you know, high ultra wealthy and you're in Dartmouth and you're paying hair in Dartmouth. Yes. Then maybe maybe you should consider it. Um but yeah, if it's, you know, if you're working on multi-million dollar contracts, um you have a lot to protect there, right? And so I would say that that's an automatic um that's a very thing you should consider. That's a really good point. The uh data breaches happen every day. So many companies have um they accrue people's personally identifiable information and they need to keep it from being stolen or accessed. This year, for example, Coinbase announced 60,000 of their clients had not just their email stolen, but their physical address, their phone number, their name, the account, account number. Sure. The last four of their social security number. almost everything that you know a growing criminal needs their favorite color. So that that leads that opens the door to not just physical stalking but what's been happening is been done spear phishing emails saying we need to fix your Coinbase account click here and the actual person sending that is not Coinbase is the key and what people don't realize about that is that once the bad actors have received that information and gotten a hold of it that information never changes in your life right like how often do you move only maybe once every five, seven, 10 years or something, right? The cat is not going back into the bag. Exactly. Yeah. And so your social doesn't change. Your name doesn't typically change unless you get married or something.
So um you know that so that so that's information is always available for them to leverage and try to uh hack into right one of your accounts. Other targets would be industrial espionage and theft of intellectual property. Sure. Yeah. Yeah. So, we've helped some of our clients are musicians that have they don't want their music to be stolen by things like that. I mean, I know no one wants anything really stolen. Um, but music in particular can be extremely valuable. Yeah. Yeah. So, under let's see, we're under client contact here. Um, so for MSPs, uh, it it really helps when we're closer to the business. So physically we're located uh locally in the area. We have techs that can go out. Um troubleshooting a bad access point or internet connection remotely is is a very difficult thing and it can be done. Uh but often times if something's failed onsite inside of the um inside of the company, it requires something to be changed out like a new access point. So oftentimes MSPs will will have a local presence. And we start we start with remote support first. Um but we can always send someone out when there's an emergency if something needs to be escalated. Right. Yep. One example might be um stolen phone that leads to identity theft and then we'll we'll we'll be there to them. Right. Right. Absolutely. Yeah. We can. Yeah. Do you have any examples of that where someone may have lost their phone and then that also includes their multifactor, right? Yes. That the problem is that if if you are um basically um the subject of phone theft, the thief, unless it's a just a moment of opportunity where they steal the phone, a lot of times the thief will actually wait until they've been able to see you enter your PIN to get in. Oh, I see. and then they take the phone while I'm there.
Uh, they could create a new face to match the face ID and things like that if the So we train our clients or especially our um private individuals to know how to lock their phone remotely, how to wipe it because like you said that phone most times is the the way everyone gets their codes to log into a different accounts financial everything else. Absolutely. Yeah. And we think about these things on the computer side as well, especially with laptops and tablets and things like that. How do we get back into it? Do a remote wipe. Um, but even better yet, do you have encryption keys uh that you're setting up through uh BitLocker and uh managing those keys? So, those are things that we we also offer to customers as preventative. So, even if you do lose the device, at least your data is still uh safe. This year, we've even started. Sorry, I think we're going to say the same thing. Go ahead. But we've even started telling clients not to use iPhone owners not to use their um the Apple keychain to store passwords because if the phone is stolen and they do have your your code, they can get into your passwords and just copy all the passwords out of the keychain. Oh yeah. Yeah. No, what I was going to say is right now we also have a tool that is um that works on iOS that we can remotely wipe your phone. So say you are an artist or a CEO or CFO where you have access to all of this information on your phone and you're in Spain and the the bad actor saw you put in your password. Mhm. They grab and they go. What are you going to do? Right. Especially in Spain where they don't care. The police are like, "It's another one." No jurisdiction. Yeah. So, you call us at Trusted Internet. You say, "Hey, I got got and then we can wipe it remotely." But right now, we're working on some R&D for the Android capability.
But I think that that's something so major that if you are storing this information on your phone, even if you have the multifactor authentication, you should have a tool kind of like what we're using for our clients. Absolutely. Yep. And do you guys is this a good case for biometrics in this case? Uh because there is no pin unless someone steals your thumb or Yes. So yeah, I agreeing. Yes, definitely. Um it'd be it'd be good to have multiple biometrics, I'd say. Yeah. As options. Yeah. Uh, staffing profile here for us. We we have several different levels. We have a senior engineer, uh intermediate engineer, uh and then also uh junior engineers. Um and then occasionally we on staff we'll also have network administrators um as well. Um kind of varies a little bit, but right now we're staffed with uh just those three levels. Similarly, with our security operations center, we have the tier one technician and a level two or tier 2 analysts supervisor. Mhm. And our engineering team runs in a similar vein. I think that where we really set ourselves apart is with our CISOs. If you want to explain everyone's background there because I think that I've seen some other companies where they have these virtual CISOs or these consultants come in that um are kind of getting their feet wet as a CISO. So, they're taking on these roles where we're kind of the opposite, right? We hire people who are experienced as a CISO in some way or an IT security manager in some way and also have the specific certifications to match CISM or CISSP and we vet them. Some have military backgrounds, some have executive previous executive background. They come in and they are here to share here to um of their wealth of knowledge be able to share what they can with clients to keep them from falling into these pits these pitfalls of sure crime and and being scammed. Wow. It's a lot of experience coming in right through the door. Yeah.
We we don't always uh for MSPs we we like to do it where we kind of have all three levels and what we find is definitely the seniors are able to educate the intermediates and the intermediates are able to to teach the the juniors and so um but the tasks that come in are also separated based on level as well. So if it's something simple like a password reset, you know, that'll be a level one thing. And if it's a internet site down, then it'll most likely be a senior engineer. And uh so we just kind of spread the work based on them. Great. Um let's talk a little bit about SLAs. Our typical SLAs run uh 4 hours. Uh usually that's usually sufficient for for most companies. Um and um yeah so for for emails we'll respond within that period. And for us urgent requests we need to respond within 15 minutes. I say routine is also four hours a fully routine request from a client. I see. Okay. We do offer an after hours uh call number though and email address if they need something urgently. Yeah. We're currently not doing anything after hours or or weekends at this point but um I'm hoping to grow into that one day soon. Cool. And uh from a billing standpoint, yeah, we we will bill things per user is what we like to do. Um I think traditionally a lot of MSPs will will bill per device, but we find that a lot of people have more than one device. So people will have a phone, they'll have a tablet, they'll have a computer, and so we like supporting the user fully. Yeah. Yeah. Um and so we charge um 150 per user per month and uh and it's a flat model and um you know any any incidences to we do charge extra for incidences uh but that 150 will get you um fully operational in terms of backups and uh and protected on your system and fully support it. Sure. Our prices vary, but we sell bundles.
Um, we call that managed detection and response or MDR, which includes the firewall monitoring, but also an initial package of of the um our antivirus and our the remote management tool as well that we include with that. Yeah. And the mobile protection. Right. Exactly. For for up to um I I think that we're doing a dozen devices now. So, we kind of have the same approach, right? So, we're taking a look at we are handling the the long-term monitoring of the firewall itself and then that's in your home. So, it's like complete home protection and within that home it's usually about a dozen. If you're above a dozen, we'll still take care of you, but then we're going to, you know, have a little add-on. So, you license for that entire home. Correct. Gotcha. And of course, for businesses, there are bulk discounts. No, I said each uh endpoint license would cover three devices. Okay. Oh, excellent. Uh customer types uh SMBs, mid-market, um seeking operational stability. That's really our our bread and butter. I would say we do work a little bit with some enterprise-size companies, but the majority are SMBs. Similarly, we've got a lot of SMBs and a few enterprise clients right now. Mhm. But um bringing in the high net worth individuals has been an interesting interesting branch for us. Kind of like Mickey said, a niche market. Sure. The uh defense contractors are where we're targeting for helping with consulting for the CMMC compliance. And I think for us as we get more involved uh working with you guys and doing more security, I think that's the area that we'd like to cover more of in this area, particularly manufacturing and and those type of companies. Um there's such a big need for it. We do work with a few small manufacturing companies, but looking to branch out on them even further and get more heavily involved on the security side. There's a lot to that. Uh there's the um ISO standards, there's the CIS standard, uh there are standards for financial companies. Yeah.
Um of course um healthcare. Sure. Sure. Major. Yeah. We do do uh some HIPAA certifications for existing companies as well as PCI compliance for a lot of credit card terminals in the in the local area. Um, for us, you know, being able to go into the CMMC, um, is kind of a natural extension of what we're already doing. So, we would we would just kind of continue branching out into that area. Great. Yep. Um, and then we have example providers, but I don't think we're going to talk about that um because we don't talk about competitors, but um, I think that's it. That's all I thought. That was pretty solid for our first joint episode. How about uh would you want to wrap up with some comments? Um yeah, but I want Nate to go first. So, I appreciate everyone listening in. If you've gotten this far, you're a trooper. Thanks so much. Uh the I think one of the main takeaways from a meeting like this uh is that yeah there are companies where you can get a very specific service and there are companies where you can get um you know security service versus IT service. But if you need a solution where you need both of these um sometimes the solution could be to bring in two companies to specialize and provide um custom and catered service to you. I think Nate, you summed it up perfectly. Yeah, I totally agree. It's really I would say it's two sides to the same coin, right? And and while there's some similarities, they're just different enough where and they're specialized enough to that you want to definitely consider both uh when when you're making a decision. And obviously, we can help you walk walk through that and see exactly if those needs fit uh and and kind of go from there. Um, any other thoughts, Mickey? Yeah. Um, I think so I spot on both of you guys, but I think that for uh Systems Plus and Trusted Internet specifically from like, you know, I'm the fields, right? I'm I'm the relationships and partnerships from that standpoint.
I think that um us as partners, it just goes to show how important relationships are, right? We wouldn't be here if you didn't attend the workshop and we start talking try to figure out a way to work with each other right so I think that whenever we go out anywhere we're trying to figure out what this other person does and how can we work together if we can't work together like this I still want to know what you're doing so that I can maybe refer to you right so we could be a great referral partner so um I I'm so glad that you invited this out here. I'm really excited to continue our partnership. Me too. Me too. And and for me, I think the best part is, you know, not only are we able to collaborate together now, which is really great, but for me, I I've never been a security specialist. And so looking at other professionals um doing uh more advanced things is is a very cool thing for me just just to learn um you know what what's new, what's happening and and how are you guys kind of handling uh these different situations. Um you know I graduated um back in 2000 with uh with my bachelor's degree and and then later on with my master's and things have changed over the years quite a bit. So, um, you know, there's new threats and there's new techniques on how we manage those. So, uh, thank you guys both for for being here and making the trek all the way up to Lebanon, New Hampshire. And, uh, thank you very much. Appreciate it. And thank you guys for watching. Um, it was a longer video. Um, but I hope you enjoyed and we'll see you next time. Yeah.