Podcast – Keys to MSP Security

John Pojeta: I’m John Pojeta here with PT Services Group. Hope you’re doing well and welcome to another episode of the PT Buzz. And today is the second episode in our series of episodes with Barracuda MSP and it’s conversation with Brian Babineaux, who is their senior VP and general manager. And it’s a dialogue around how specifically in the security space MSPs can succeed in the next 18 months.
And we take a look back as you can imagine it the last 18 months and dealing with the COVID reality and the different roles employees have in terms of where they work from. So the hybrid aspect fully working from home or third-party spaces or partial in the office reality. It’s a, it’s a great conversation around things to consider very specific topics to look at over the next 18 months, dealing with cyber-attacks, how to best detect and respond and prevent to the best of your ability, but keeping that mentality of when not, if there just aren’t going to happen.
And so the best approaches for MSPs and working with their clientele to manage them. So thank you again, as always for joining us and enjoy today’s episode. How are you doing today?

Brian Babineau: Um, well, John, thank you again for having us and really appreciate the hospitality.
John Pojeta: Of course. So, um, rather than me try and stumble through your background and what you do, could you give a, everybody listening in a sense of who you are and then specifically what you do about.

Brian Babineau: Sure. Uh, so I am the senior vice president general manager of Barracuda MSP, which is a dedicated division of selling, uh, cybersecurity solutions to managed service providers. Uh, I’ve been with Barracuda, uh, just over a, I believe seven years. Um, sometimes being in tech is like dive gear. So you lose count, uh, or you do some sort of multiplication.
And held various roles within the organization. And prior to that, uh, I was, uh, on the corporate development side for an organization called NetApp and born and raised, uh, outside of Boston. So I have an affinity towards Boston sports stands, but, uh, I did have a luxury of living in the bay area for 10 years.
Uh, Uh, so that was a quick stop. I don’t know if that counts as a quick stop in between my, uh, born and raised in the new England area and returned to the new England area because I couldn’t get enough of a weather.
John Pojeta: No, I get it. You don’t hold much of a new England accent. I’ll tell you that.

Brian Babineau: You know, uh, when you, when you head to school or you go out in the real world and people tend to point it out to you, and that’s the only thing they recognize you for you, auto-correct fairly quickly.
So, um, uh, it can, uh, it can shine through at a Dunkin donuts or after a cocktail or two where, uh, the Boston accent can and will, uh, will manifest itself. But. I’ve done a pretty good job of trying to navigate my way, uh, navigate my way to something that’s a little bit, a little bit less harsh. Sure.

John Pojeta: Sure. Well, being in Pittsburgh, PA we have a little bit of a love hate with your neck of the woods and Tom Brady.
And I know he’s moved on and obviously, but, uh, he was certainly the, uh, The wrong plus Bergen nemesis for many, many moons. So it

Brian Babineau: was my son’s name is Brady. Uh, we got, I can’t say he’s named after him, but, uh, we got the idea we needed to be named. So he was actually born in the bay area, but we needed to be name and the bay or so it came to us pretty quickly.
Yeah, I, uh, it, wasn’t going to make sense to name my daughter, crown Comiskey or anything like such. So we, uh, we decided to veer away from that pretty fast. And I don’t know any rough was burgers that, uh, but I’m sure there’s plenty of bangs in it or

John Pojeta: blending the beds. Yeah. So w when it comes to security and keys for MSPs, what we want to have the conversation around Brian is how to finish out the year strong, and then looking into 20, 22, going in really in good shape, not just for what’s happening in the now, but what the, the forward-thinking side of things.
And one of the things that always comes up here, PT is just the. The struggle with managing at the, at the speed of change. And we talk about it a lot of different ways and there’s the reality of the behavior itself. And then there’s also the emotional coping side. And one of the things we we’ve tied it to recently as a, as a new book by.
Gladwell. And he talks about the air force and how in the, in the thirties, they weren’t really, even the air force, they were part of the army, but, well, one of the things he talks about is that a motto and the motto was real progress is made when unhindered by. And the takeaway for us was really, it’s just hard to change when you bring, it’s not always baggage, but you bring your history with you and it tends to steer you in certain directions.
You make assumptions off of it at times. And I was, I was thinking a little bit about PT, where prior to COVID we had maybe, maybe one or two people that would work a handful of days a year from home. And now we have a full at-home workforce. Um, But when you think about some of the changes we’ve seen in the last 18 months and the struggles that are happening, what, what would you think about as far as MSPs their deliverables, how they’ve shifted, what they need to think about going forward, um, and how things are developing when they apply their service.

Brian Babineau: It’s a very interesting reference to, well, I tend to spend a little bit more my own personal time as a world war two reader and, uh, Eisenhower, and some of the things that even went through and Roosevelt and Churchill’s communications in the persuasiveness of, uh, getting involved in that, uh, in, uh, in that skirmish that turned into insert into the second world war.
Uh, when I apply a change to MSPs. Uh, I tend to think about, uh, what I would, how I would answer the question 12, 15 months ago, which was MSP, better change, uh, really quickly, or their clients in themselves will go out of business. And now I would fast forward and say, MSP. I did something that they’re not notorious for, which is the ability to be agile and change because they brought, in my opinion, they brought many small businesses through a very tumultuous time.
Innovated as many of their clients and themselves worked from very different locations, couldn’t travel as much, uh, had to deal with the remote workforce, had to deal with. You know, cloud enablement and app enablement, mobile enablement and mobile payment enablement. So I think if I’m an MSP sitting here today and I looked back and I said, boy, I can do this.
I’ve done it before I did it 15 months ago, or whatever the timeframe you want to choose is, uh, and what they, what they probably need to realize is that they’re going to have to do it again. Uh, and they’re going to have to sustain change. And, uh, you know, those that made it through now are trying to figure out how they stay on top of the technology world and the cyber security threats that are posed to.
And, uh, we’ll welcome and embrace that change as a way to differentiate themselves and to make it to make money and more importantly, to make their clients safe and successful.

John Pojeta: So let’s talk through a little bit of some of the things you noted there and, and the obvious one is what everybody’s front and center with, which is the reality of a remote workforce.
Um, and many are now in sort of that hybrid role where maybe they’re spending two, three days in the office, again, two, three at home, et cetera. What are some of the biggest challenges there when it comes to the security side?

Brian Babineau: So one thing that we look at is, okay, you haven’t, let’s forget about what we call it.
It’s a distributed workforce that always isn’t in the same location. Uh, this isn’t necessarily a new concept, uh, in the overhang of security and a security risk is more of the oppressive concept that we have to deal with. Um, what you’re talking about a distributed workforce and that security overhead.
Uh, are things like bring your own device trends. So if you cannot get a computer to a new employee, they have to bring their own. How do you, uh, how do you configure that and manage that? Uh, even though it wasn’t a corporate issue to company issued device, and there can be some security challenges with that.
So it’s almost like moving to a zero-trust model where. Uh, employees, no matter where they are and have the option to bring your own phone, bring them on a laptop, bring their own iPad so they can be productive. And I would say the second thing and it’s important by serve, but, you know, research data that we had heading into, um, you know, the, the, uh, the throes of, of the pandemic here, which is where do you, uh, where do you access network resources?
So, uh, you know, we’re used to having employees VPN from an airport, right? That’s not a new concept, but when they’re bringing their own device, they’re probably accessing. Uh, a network over a home WIFI, uh, that is probably not as secure as a corporate wife. It’s not as secure as a, you know, a VPN connection and you can start to enforce corporate policies to an extent all the way down to a distributed network or own wife.
But that’s where the risk is. I think almost two thirds of our survey respondents. Um, You know, really highlighted the fact that the home network or a public WIFI connection is really a concern because that’s where, you know, somebody is on your computer and then they want to get access to corporate resources, or they want to, you know, get into the HR system, whatever the case may be as they can start right at the beginning, which is how do you connect to the.

John Pojeta: Yeah, it’s interesting in terms of what you’re describing there. I, I always try and put my, my own situation into play to some degree. So at home, my wife is there running her own business, and then I also have four kids and my four kids are bringing friends through and we occasionally have people over and Lord knows how many people are walking around with access to my WIFI in some way, shape or form.
And, uh, it’s just different. And then. Go to a Starbucks. And I go in, I go in up at the office itself. There’s lots of places we can do that. And the risk is vast, especially as you mentioned, the bring your own device. So I’ve got my phone, my iPad, and then my company issued computer. And, uh, so a lot of, a lot of examples in there where the risks can come into play.
And like you said,

Brian Babineau: It got orders of magnitude worse because of the security threatened that existed or that started to build up. Right. And you can go through the reasons why that security risk exists, but nobody was concerned about a personal hotspot per se. I’m sure it we’re worried about it. Nobody.
And then they, you know, people were for BYOB or not BYOB, um, you know, but they certainly weren’t for. Uh, bring your own device, have an open public home WIFI network, having other people connect to that, set up hotspots, and then people start accessing a VPN or not VPN, um, to corporate that, you know, resource, they weren’t that wasn’t part of the it security playbook, uh, originally.
And it’s certainly not one that’s recommended given the threat environment that we operate in.

John Pojeta: Sure. And as you, as you’re describing it, and you take a company of a hundred people who used to go in through one network and now you’ve got 101 networks and it compounds the struggle and the difficulty of some of those things.
So, um, one of the things you mentioned too, and you mentioned to me prior is, is the cloud side of things and are companies moving faster, better? What are some of the security risks? I know what our situation looks like, but there’s also a cost differential that comes into play. Talk a little bit about.
The, the increased activity on the cloud side and some of the challenges when it comes to security.

Brian Babineau: Look, I don’t, I think bottom line is our SM you know, small and mid-sized business economy. Does it survive and ultimately thrive if we don’t have cloud-based computing resources over the last 15, 18 months.
Uh, whether it be email, whether it be, uh, app development, so that you could put your menu online or buy into an app that allowed you to put your, you know, your restaurant menu online, or to connect into a food delivery service. So the, um, or onboard employees without. So cloud computing certainly afforded us the ability to scale, uh, you know, scale while we weren’t all physically located together.
However, with that, uh, there’s great responsibility because. Those devices that are accessing those cloud resources have to be secure. Um, the resources, no matter where they’re sitting, uh, whether using an app that’s running on some cloud or whether you’re using the cloud compute to build your own. Uh, those are, uh, those have to be protected and you don’t have to make sure that not everybody has access to your own act development, you know, instance, uh, wherever you might be building it.
So there’s a, a different perimeter. If you will, of network security, that has to be contemplated. When individuals have access to their own devices. And then they’re accessing resources that are not four to five by four walls. They are essentially scaling at the speed of your business inside somebody else’s four walls.
And we were just tending to either renting them or, you know, uh, or utilizing them to, uh, to grow. Uh, so you know, all of our research indicates. You know, the use of public cloud is the catalyst for businesses to expand and to get online faster and to take advantage of the opportunities. Um, but I always give the example of, you know, I’m a pizza fan, uh, and, uh, you know, I didn’t have pizza for three months.
The restaurant was figuring it out. Then you bought into an app that allowed me to look at a menu and order online, and I could then have it delivered by a food service company or by the restaurant itself. Um, and then I could go pick it up. You know, so it was buying into an app that had different employees cooking.
Right? You went through a three month pause. So how did that company go from? You have to show up an order and take it out yourself. Or maybe you had to call an order and have somebody that had worked for the company whose background had been clear to. I click an app. I had two buttons. It’s got my PayPal account, uh, or my Venmo account or whatever the case may be is, and somebody is delivering it.
It doesn’t even work. Yep. All of that, they didn’t connect because there were 14 meetings that covered since all of that got connected because there’s some compute resources available to them. And an app developed, you know, an app that was connected to, um, a lot of private information, changing hands employees coming and going third-party services, sharing information.
Uh, all of that creates a security risk, whether it be at the web app side, whether it be at the network side, whether it be the endpoint side, you never, you don’t know, but that’s a simple example of something that I enjoy, and it was great to see them survive, but how they do it and what information they have on me.
I’m still trying to figure that out and how

John Pojeta: well it’s protected along the way. So

Brian Babineau: right now my PayPal account

John Pojeta: somewhere. Yep. Yeah. The volume of places we’ve entered credit card numbers and various things like that over the last 18 months has increased 20-fold down. And obviously that, that leads us to the people that want that information.
And we think about them as cyber criminals. Um, somebody last month when we were talking about ransomware mentioned sort of bad actors, um, talk a little bit about. The information that they’re trying to get to, how they sometimes use it. And just the reality of, of a constant need to protect. We all hear about the big ones.
We, uh, the most recent one I remember hearing about was T-Mobile and they talked about so many millions of passwords and usernames and social security numbers, all that information was garnered, but it certainly happens on a smaller scale too.

Brian Babineau: Yeah, I think the. The bad actors, criminals, uh, tend to cast wide nets to try to get as much information as possible so they can continue their investigations towards a treasure of you know, of money.
Um, you know, you’re and I’s credentials might not be worth. That much money, um, in and of themselves. But what we might have access to inside of our company could lead them to bank accounts or to offense, you know, expense report systems where there is money, or there is a bounce sheet. Um, or if you’re an individual consumer, you may, you know, you may end up with somebody who’s credentialed.
So that you can find your way into an serialized cryptocurrency, that if you get access to that, now you’re paying for other things, and you find yourself into a very different economy. So I think there’s plenty of money. Uh, that’s untraceable money and a lot of roads lead to it. Um, it’s where the big money is at, right?
So you cast a wide net and the information individualist individual information is it can be valuable in and of itself, but usually is trying to help somebody on a trail to a bigger trends. Um, in a hugely real dollars or crypto, um, which is, um, you know, in my, you know, you’re getting your opinion, but when you have uncivilized money in March, in large quantity sitting around the globe, that’s not necessarily traceable by governments.
You get a lot of people trying to go after it

John Pojeta: really changes the.

Brian Babineau: Correct. So we all feel that, you know, we all feel awful if something, somebody compromises something on their desktop or a laptop, and that may lead to something bad, but it also may just be a part of a compass in a picture that it’s somebody trying to put together for a broader outcome.

John Pojeta: Sure. Sure. All right. W when you, when you think maybe about the balance. W the joke inside of BT, oftentimes we’re talking about something that’s 90 or 120 days out. The reaction is always it’ll be here before, you know, it we’re almost to the end of the year, but, but how MSPs, um, want to look at the end of the year and going into 2022, what are the top recommendation or two when it comes to the security side that you think they really need to be paying attention to and adjusting for

Brian Babineau: bad people, follow the money.
Good people should follow the bad people and they’ll find money. I mean, that’s how I would put it is if, uh, if you’re not building a security practice that you can make profitable. Uh, and delivers it safely. I think you’re missing out on a major market trend that will set you up not only for the end of the year, but for the next few years to come.
And it’s not just about how do I keep things safe, but how do I constantly respond to people who think something bad has happened? Uh, but I investigate it thoroughly to ensure that it didn’t the dead. And I take the right actions. There’s too many government laws and notifications and other things. Um, that has to be followed through insurance policies that have to be completely investigated if you want to pay out.
Uh, so I think MSPs, if they haven’t started pivoting to a staff, Uh, and services portfolio that, uh, is in the prevention detection and remediation, uh, business for security. Uh, they’re going to fall further and further behind, um, you know, uh, in, in this marketplace there’s, if there was no money to be made the bad people, wouldn’t be here, uh, trying to disrupt the, you know, trying to disrupt business operations.
And it’s, I think the MSPs owe it to their small businesses. I have to repeat what they’ve done in the past change, evolve, and keep them safe.

John Pojeta: Yeah. Oh, it sounds like the old wild west commentary about why you’re a bank and where the money is sort of commentary,

Brian Babineau: correct? Yeah. I mean, I, you know, MSPs, MSPs, If they always prioritize security equals safe, is this safe business equals clients grow and that creates more business opportunity for me.
And that mindset will continue. Um, you know, we don’t the desktop and help that services are going to be marginalized. To an extent and more of the calls and the complaints and the disruptions are going to lead to security conversations. The MSPs has to be rid of that. Yeah,

John Pojeta: well, one of the things that always jumps out at me and, and I think about it again, a little close to home as a good starting point.
So we use Salesforce as our CRM and we have umpteen number of organizations that have, um, build out their approach. To supporting those people who use Salesforce as a third-party vendor or third party apply application, et cetera. And we use one for what we do with our, um, with our drip marketing and very specifically, so one of the things that always jumps out in these conversations is the needs of vets and choose vendors wisely and carefully.
And, um, it can be hard to do any recommendations around that side of it. And. Just how to go about that or things to think about when you’re, when you’re vetting vendors and choosing who you get in the sandbox.

Brian Babineau: Yeah. I, you know, no matter who we transact business with, you know, we do a vendor assessment of what kind of security practices and policies they have in place.
Um, and you know, I would, uh, I would suggest that partners, uh, do the same thing. It doesn’t matter if you’re working with a large vendor mid-sized vendor or a small one, they should have some documentation of how they handle, you know, what their, uh, privacy. Uh, team looks like, what are they, uh, you know, how do they handle and mitigate certain risks, ask for that documentation, because ultimately if you’re building a service on top of their solution, their documentation becomes part of your search, whether it’s a service level again, whether it’s how they do business in other countries where they don’t do business.
So we don’t at Barracuda. We built a trust center and we point our clients, but before they make purchases with us, we point them to the trust center so they can see all of that information that’s available to them. And that they can, you know, if they’re building a service on Barracuda, they can then take that documentation and put it in front of their clients.
Uh, and I think that’s the. And we do the same thing. So anything that we, anything that we utilize internally or, um, we make sure that we either visit their trust center or we get the appropriate documentation then, uh, it’s a, it’s a, it’s a great way to that. Uh, has somebody thought about this? Uh, you know, if somebody thought about it, have they documented it and will they be there for you?
If you have a problem, they have a problem with one of their upstream vendors.

John Pojeta: Sure. Sure. Yeah. One of the things we talked about last month was you almost need to look at some of these behaviors as not if, but when and to what degree and how you respond because of the volume of things that are happening around you.
Um, so, so when you think about cyber-attacks and different behaviors that happen there, what are some of the things that you work with MSPs on now and going forward that you’d recommend they consider it. Spot or find cyber-attacks, prevent them as best they can. And when they do occur, how they respond.

Brian Babineau: Yeah. So you can’t just secure email, you just can’t secure your cloud app. You just can’t secure, you know, do multifactor authentication. You have to look at. How do you have multi-layered security, um, so that you can protect individuals, the devices, the data and the applications or whatever they’re doing on a daily basis.
Some people go, all right, I have multifactor authentication on top. Uh, or I, you know, I put in email security, so I don’t need any, you know, I, the firewall. You know, those were really good when we had a corporate data center. Uh, so we talked to our partners about first, get the prevention, right at the entry points that are most common because it’s not, if it’s when, uh, and then, uh, we made an acquisition, a company called scout cybersecurity that, um, response is getting, you know, a lot of the prevention solutions that we go through.
They create a lot of alarm. So the best, you know, this could be happening. Somebody reset their password four times in a month, the SOS is an up to date. So it can create a lot of alarm and activity in MSPs. You don’t necessarily have the ability to run through and fix all the alarms or print them off, or they turn all of them off.
And then you kind of have a pointless set up separately. So having a response plan and we made an acquisition. To allow MSPs to outsource their sock, which we handle all the alarms for them, whether we auto remediate them or whether we call them and say, this one’s real. You, you got to go do some investigation, or if you want to do it with us, uh, they have to have a, you know, have a remediation plan for how they’re going to deal with the amount of activity that will come off of, you know, the multi-layered security solutions that are in place.
So, uh, the, the best analogy that I’ve used. If you have an alarm system at your house and you have it across your doors and your windows and maybe your garage and all these other things, um, and you walk into the house every time and you don’t know which one’s going off as the carbon monoxide detector, is it a window open or is there a fire?
Um, you tend to pay the extra few dollars a month to have a service tech will call you and say alarm, two’s going up and that’s covered monoxide. You need to open a window. We MSPs have to start thinking about that. That’s every, what their clients should look like. They should be getting alerts on a regular basis to make sure that none of them and they should be able to sit through them.
We’ve just decided to help with the sifting and the remediation similar to that alarm service that you have in the consumer marketplace. Uh, if MSPs don’t have that, they’re just going to end up with good, layered security in a lot of older.

John Pojeta: And as you’re mentioning that and kind of talking through the example, one of the things that I think about as MSPs apply their services and they have a, we all have limited time people, all the different things.
So you decide what you want to be an expert in, great at and where you want to partner with some others to bring everything along, sort of what you’re describing there. Um, yeah, it’s interesting when it goes back to that partner in that venue. Uh, side of things is just a very simple example. If you have a home security system, you link to somebody that’s going to call you like a ring or whoever it is that you’re utilizing.
And we all see the commercials of something’s happening and they call and, and, you know, immediately it’s something I really need to put an effort into, or is it something that I can laugh about and hanging up the phone?

Brian Babineau: Yeah, fire alarms. We’ve gotten a lot more sophisticated, you know, over the past 15 to 20 years of what they can detect, how quickly they can detect it.
Um, you’re, you’re not going to choose to avoid putting in a fire alarm because it might pick up a balloon helium balloon. Every now you’re going to choose to have, you’re going to choose to put that in there because the ounce of prevention is worth a pound of, you know, on of a cure. What you’re going to do is I would let you know, I don’t think.
Disconnect it, because it goes off a little too frequently. What I want is somebody to calm me down. No fire just a blockage, go do this. This is how you handle it in a way go, you know, get the balloons out of the way of a fire alarm and you won’t have any issues.

John Pojeta: Yeah. And they’re there 24 7 they’re there.
And you can worry about other things that are more important to you in terms of your. Your macro and micro behaviors.

Brian Babineau: We see too many MSPs of weighing the prevention, the multi-player security, because it adds to the level of alarms that they have to deal with. So they would rather not install a fire alarm because they don’t have the manpower to deal with what comes at it.
And so we just tried to eliminate that barrier, which is why as much as you can, and we’ll handle we’ll handle the alarms and the response with you, as opposed to you avoiding putting it in the first.

John Pojeta: Yeah, no, it’s a manpower reality and, and helps them overcome that and deliver more and better engagement and services now.
So as we wind down here, Brian, is there any, uh, last words of wisdom or thoughts you have going forward that you’d want to share with the MSP?

Brian Babineau: No. I think what you’re doing is a great service education wise goes to the marketplace. Uh, and, uh, I would just highlight that the MSP, the MSP marketplace in general is very resilient.
They’ve proved their resiliency and they approve their commitments to their clients, especially over the last 15 months. And we don’t want to see that Wayne just because. You know, secure, you know, because the security overhand can continue, you know, visibly looking more oppressive, but certainly overcomeable and manageable by the right set of folks, uh, in the industry.
So thank you for the education and keeping them and keeping the market motivated.

John Pojeta: Yeah. The, those hurdles can look pretty daunting at times when you’re, when you’re staring up at the hill, you got to climb. Right. Yeah, no doubt. Um, leaving everybody with a one last thought here, knowing your son is named Brady.
Do you now follow the Buccaneers, or do you still follow the Patriots?

Brian Babineau: So I follow a players. So as long as they’re not playing with Patriots, I will refer the Buccaneers including last year’s super bowl. Uh, however, if they are playing a Patriots or I have a choice, I, the Boston roots go deeper than it be individually.

John Pojeta: There you go. There you go. Well, I understand Brady comes to town this year, so you’ll have a, an interesting conflict of interest, I’m sure at times, so

Brian Babineau: his fire alarm might go off at his hotel a little,

John Pojeta: many times, many times your team will call in and tell him what to do. There we go. All right, Brian. Hey, thank you so much for the time.
And, uh, we’ll be sure to get this out to everybody and greatly appreciate you taking the time to listen in. Please go to theptservicesgroup.com/buzz. You can see the conversation we have with Barracuda last month around ransomware. You can comment on that session, our session today with Brian and by all means we love the feedback.
And if you have something you’d like us to talk about going forward, please let us know. Thanks so much. Everybody take care.