We recently highlighted our partnership with SP Partners. It is an important partnership that can make a huge difference in the security of your business from your IT partner. Read the article here.

The interview we had with Jason was longer than the few soundbites we grabbed from him in that article, and we thought we'd provide the full conversation here.


Jason Whitehurst: So what are we doing here, my friend.

David Grant: All right. Thanks Jason. I hope to explain what your relationship looks like with us and why it's valuable to our customers to have an MSSP over traditional MSP IT partners. Why is our commitment to security, and your partnership with CTSi important?

Jason Whitehurst: Okay. Good. Let's do it! We've been partnering with IT companies like yours because the cybersecurity insurers are telling IT companies, "Look, if you don't have vetted, qualified cybersecurity staff,  you don't have any business doing cybersecurity." For example, a CPA can't say "I understand money so I'm just going to be an investment advisor now." Right? That would be ludicrous to you, me, and anybody else who would think about investing. Our partnership with CTSi allows for that level of qualification for the customers you support, and it's not a bad thing that companies like yours partner with people like us. In fact, it's a great thing. Nobody can do everything. You have so many things to focus on. If it plugs into the wall it's the IT Partner's responsibility to deal with. Your technicians are fully vetted and fully leveraged in responding to infrastructure incidents, user needs, projects, upgrades, and and all of that. Focusing on securing the environment, focusing on risk, assessing the vendors that are chosen to be used in the environment; all of that stuff needs to be done, and we can work with you to make sure that is in place for your customers.

David Grant: Okay. You are offering a way to augment our team with vetted security resources so that we can help address the security needs of our customers while still being able to focus on providing great support from our team. With our partnership with you, we can provide knowledgeable cybersecurity services for the organizations we partner with.

Jason Whitehurst: Right. We provide the security platform - the toolsets and various applications that are used as you support your customers and we work with you to provide just the right fit for each customer. That's important. A specific customer may have a different set of solutions they need. We have a solution for each type of security need, even solutions for specific verticals, and your customers may not have the budget or need to do the highest level of protections, but they know they need some to be safe and operational. Whatever the customer need, as the security architect, I work with your team to determine what is best to protect the client and we will put together a solution that fits. For clients with different vertical needs, let's say we're supporting a client who is an attorney and in this case maybe email is most critical need to address. We make sure we address exactly the need that fits that vertical. Here's another example. You may have a manufacturing facility where the protection of the servers are more critical than than email. We have to prioritize  that architecture to address that need with one of a multitude of products that we offer and we have to be able to manage it completely. Additionally, we provide a security operation center that watches that environment 24/7 with a very tight response service level agreement.

We only focus on the cybersecurity initiatives while you focus on everything else. Our job is to provide cybersecurity oversight and report back to you with what we're seeing, what the risks are, what new ransomware variants are happening, and to respond when we see something malicious happening to the customer even if it's two o'clock in the morning. We jump into action to keep them safe.

We also work with you to provide risk assessments for your clients. We come in with CTSi and assess the cybersecurity risk  — looking for any vulnerabilities and any potential risk to the organization. As a side note, it's interesting that the more business-minded owner who maybe isn't super technical — those are the folks that get it first. They understand. They have invested all this time and energy and years into building their business, right? They know there are risks, but they don't think they are somehow more secure than everybody else or that they've got it figured out. They see the benefits. So what the customer of CTSI gets is a fully mature cybersecurity partner who is providing cybersecurity oversight who is watching their environment 24/7 while successfully maintaining the day to day service needs.

David Grant: Can you provide a bit of a "state of the union" related to cybersecurity for businesses we partner with?

Jason Whitehurst: Because of the way that ransomware and other business interrupting risks have matured, attacks are automated at this point. Threat agents are looking to extract user data and proprietary company data and to hold it for ransom. It's happening so frequently in every vertical. Companies have historically neglected security. Right now, securing an enterprise has to be the primary focus. What an MSP provides to a customer by way of traditional support is now commoditized. It's been operationalized. But without proper, fully-mature security systems in place, an organization is going to experience a cybersecurity incident — it's going to be sooner rather than later. Businesses are being attacked from all different areas through spear phishing emails, brute force attempts on their firewalls, or email compromises — and these attacks even target specific verticals. As an example, we protect a number of real estate attorneys. When they start communicating with a new person who is purchasing real estate, and the attorney in that local area is servicing that relationship, the attorney is then communicating with somebody who may be fully compromised already. When these threat agents see that this person is purchasing more real estate, they will then try to infiltrate the real estate attorney to effectuate a wire transfer  of some sort that neither person approved. It's like a teenager saying to a parent, "Hey, I'm going to stay at Tina's tonight." Tina tells her parents, "I'm going to stay at Jane's tonight" and neither one of those things happened.

A chemical company had a ransomware case not too long ago where almost all the proprietary formulas that this chemical company used, and the patented formulas they had to use to basically effectuate their existence had been stolen and held for ransom. The biggest mistake we hear organizations say is "I'm too small. They don't care about me." Size has nothing to do with it. And it's all automated. When they find they've gained access to the company, they will then add it to the list of human interaction that used to effectuate a ransom. 73% of companies who have a full ransomware case and are not in business just three years later. It is incredibly disruptive and incredibly expensive. Customers lose their trust in the business. The law requires notification. There are a number of different components, but these risks can be protected against.

We see companies of all sizes and all types in these ransomware cases from small manufacturers and small doctor's offices to large, enterprise nonprofits. It's irrelevant to these bad actors.

David Grant: Okay, I think one final question and I'll let you go. I appreciate this. I'm a small business. Why should I pay extra for cybersecurity protection as opposed to rolling the dice and hope to not be attacked?

Jason Whitehurst: I would assume then that that person doesn't carry insurance. It's no different, right? It is a protection against a business-ending scenario. What a business owner needs to understand is that it's not just an inconvenience. For example, CPAs are famous for not wanting to do cybersecurity. They know they perform a critical service for their customers,  but at the end of the day, when you get a call from a CPA who has all of their clients data stolen and they're trying to figure out how they're going to pay a $200,000 ransom because they don't want to have to deal with the fact that the law says it doesn't matter if you pay the ransom or not, you have to report AND you have to provide credit protection for three years. These guys don't survive.

Go and do the research. Check out the attacks happening in your vertical. It is happening quite aggressively in many verticals: government, contractors, manufacturing, healthcare, legal, you name it.

Check out CISA.GOV which is a government organization that helps small businesses understand the risk of ransomware in cybersecurity. Go look at that. Don't take the word of a salesperson or even CTSi's word. Look at the data then make an informed decision.

David Grant: Thanks, Jason. I appreciate it.

Jason Whitehurst: Yeah, thank you. Have a good one.