January 21, 2025

Bonus Episode: The Enemy Within

In this special bonus episode of MSP Chat, sponsored by Alchemi Data Management, Erick and Rich talk about the connection between data security and insider threat security, and why both are more important than ever right now, as well as three techniques MSPs can use to more closely align their IT services with a client’s business goals. Then they’re joined by Rob Sims, CTO and co-founder of Alchemi, for an eye-opening conversation about insider threats and how to protect against them. And finally, one last thing: disheartening evidence from the U.K. that Gen Z needs professional help screwing in light bulbs.

 

Discussed in this episode:

ShieldCRS website

By Rob Sims: Protecting Against Inevitable Insider Threats

Check Point Software’s 2025 Security Report Finds Alarming 44% Increase in Cyber-Attacks Amid Maturing Cyber Threat Ecosystem

Cybersecurity Insiders: Insider Threat Report – New Data Shows Spike in Insider Attacks in 2024

Many young adults ‘unable to do basic DIY tasks’ – including changing light bulbs

Transcript:

Rich: [00:00:00] This sponsored episode of the MSP Chat Podcast is brought to you by Alchemi Data Management’s ShieldCRS Insider Threat Protection Platform. Designed to address the clear fact that your customer’s greatest threat is no longer lurking outside their organization, ShieldCRS empowers MSSPs to help detect and neutralize insider threats before they become catastrophic.

Security teams you work with need one comprehensive platform to consistently investigate, neutralize insider threats at the file level. Help your clients prevent data loss, reach CMMC compliance and maintain operational continuity by partnering with ShieldCRS. Visit www.shieldcrs.com to join the ShieldCRS partner program and schedule a demo today.

And three, two, one, blast off! Ladies and gentlemen, welcome to this bonus episode of the MSP Chat podcast, sponsored by Alchemi Data Management. My name is Rich Freeman. I’m the chief analyst at Channelmaster, the organization responsible for this show. I am joined, as I am on every episode of this program, by our chief strategist at Channelmaster, Erick Simpson.

Erick, how goes it? It’s going well, Rich. And you know, I just want to say that we are very lucky here in Southern California, my family, we are a safe distance away from the fires that are happening in Los Angeles County. And you know, our, our, you know, we’re thinking about all the folks that are struggling through this tough time and, and, you know, just sending positive energy their way.

It’s, it’s a Matt’s rich. It truly is. It truly is. And you and I were actually, so you are based in Orange County California, a few dozen kind of critical miles away from what’s been happening in Los Angeles. I grew up partly in, in Los Angeles. A lot of this kind of, you know, strikes close to home fairly literally for me.

So yeah, it’s been quite a thing to see. And we, we hope this ordeal is, is behind that part of the world soon. And people are able to rebuild and, and return to a, a normal way of living down there as, as quickly as possible. In the meantime, Erick, we are doing a bonus episode of the show right now. We’ll have a regular episode this coming Friday, but this is the bonus episode. It’s sponsored by Alchemi Data Management. We’re going to be joined later in the show by Rob Sims. He is the CTO and co-founder of Alchemi Data Management, and he’ll explain more about what they do, and how it kind of plays into our story of the week, or story of the episode, let’s put it. But as regular listeners know, I’m, I’m into statistics.

I’m going to run through a few recent statistics here, Erick, that will sound, they may not sound entirely related to begin with, but they are, for reasons I will discuss and that we will get into in detail with Rob Sims later in the show. So, item number one: not too long ago, Canalys, the analyst organization we’re fond of on the show, posted their 2025 cybersecurity spending projections, and they’re looking at 97.5 billion of money worldwide being spent on cybersecurity. They’re looking at an overall growth rate for security spending in 2025 of 11%. They look individually at six specific categories within security, one of which was data security. Data security is projected to go up 9%. So below the average for security generally.

And in fact, all of the other five categories Canalys tracks are expected to go up in double digits. Data security is the one category that isn’t. And it’s also easily by far the smallest category in the list. Mhm. Now, this gets to two things, and, and one is something that I know we’ve spoken about in the podcast before. As everybody knows, I think, at this point in the tech industry, all anyone is talking about is generative is all about data.

Data is vulnerable to corruption, and specifically large language models, data used by generative AI tools. If you corrupt even just a small part of it, you can render the responses generated by something like a ChatGPT, a chatbot, more or less useless. So data security has been important for a long time.

It is crucially important and getting more and more important now. And yet, relatively speaking, within the world of cyber security, you’re not seeing a lot of spending on that and by extension, I don’t think you’re seeing as much focus on that specialty within security as you probably should be among MSPs.

Now let me pivot to a seemingly [00:05:00] different topic Erick, which is insider security threats. Came across some research recently from a publication called Cybersecurity Insiders. That name will show up again later actually, because as it happens, Rob Sims published an article in that publication recently.

Kind of a coincidence, but I was looking up some insider threat information, came across this recently. This is 2024 data, but still relatively fresh. 83 percent of the organizations Cybersecurity Insiders surveyed had at least one insider attack during the prior 12 months. The number of organizations that have had 11 to 20 insider attacks was up 5x year over year.

52 percent of organizations said they don’t have the tools they need to confidently handle insider threats today. And 93 percent said that unified visibility and control across environments is an important part of handling insider threats. And here’s the connection. We won’t get into this in great detail right now, because again, we’re going to talk about this with Rob Sims in just a few minutes.

But there is very much a connection between data security and insider threats. First and foremost, insider threats are about data, whether they’re malicious or inadvertent. You know, whether it’s an employee who’s leaving the company and tries to take a bunch of data, they don’t have the rights to or think they own, but don’t with them as they’re heading out the door, or it’s an attacker compromising an insider’s account and using that account to exfiltrate data, insider threats are very, very much about data.

And in order to get insider threats under control, which is clearly, based on the Cybersecurity Insiders data, something that the vast majority of organizations need to do, you need to get your data security under control. And as 93 percent of the respondents to the Cybersecurity Insiders poll rightly said, you need unified visibility and control across environments.

So data security: underappreciated, but very, very important need for multiple reasons, one of which is that insiders are a huge issue that are maybe not getting as much attention as they should be. Wow, Rich, really, really interesting data. And I, you know, just putting on my ex, you know, MSP hat for a minute.

I remember, you know, back when we had our MSP, this was, you know, years ago now the, the things that we were protecting data against back then were like natural disasters, disgruntled employees, not exfiltrating data, but basically burning the place down, right? Deleting data, corrupting data. Things like that and, and man, the world has completely changed now as a result of, you know, the cyber criminals now we’re, we’re protecting data.

So, you know, in addition to like natural disaster, things like that, right. But now the bigger threat certainly is the threat of cyber criminal activity. And so I just kind of, as I’m listening, going, Boy, the data we were looking at, you know, 10, 15 years ago was more about you know, protecting the data and making sure that we had multiple copies stored you know, far enough away in case there was a natural disaster.

It was geographically businesses were geographically located in, in risky areas that were impacted by things like tornadoes and hurricanes and earthquakes and, and, and wildfires and things like that. We were trying to protect the data from those things. We’re trying to protect it from humans. That are bad people doing bad things to business data.

So I just wanted to, you know mention the parallel that struck me or, or the comparison you know listening to the data that you’re sharing and, and where this, this activity is, is accelerating. I mean, five times year over year. Folks that had what five to 20 insider, 11 20, we grew five times year over year.

That’s amazing. And I’ll, I’ll say, you know, it’s not just the bad people. You know, as you were saying, Erick, I mean, it’s quite often good people who make mistakes and allow somebody to get at and exfiltrate data. And I didn’t cite this statistic before, but as we’re recording this hour, yesterday Check Point, the well-known security company, published its annual security threat report. And you know, you say the word ransomware to somebody and they think first and foremost of encryption. Ransomware is about encrypting data and demanding money to decrypt it. The number one technique that ransomware attackers use now, according to research from Check Point, is exfiltration.

That, that is what ransomware is [00:10:00] about for ransomware attackers now: find good data, exfiltrate it, and then demand to be paid to either, you know, get it back or basically an agreement on the part of the attacker not to distribute your sensitive intellectual property to the world. And so to the degree that, you know, inadvertent exfiltration of data perpetrated by ransomware attackers is part of the insider threat scene, and it is, we’ll get into that with Rob Sims a little bit later, it’s just, you know, further illustration of how important data security is to insider threat security.

Yeah. I’m wondering what percentage of all cyber attacks or encryption focused attacks or the exfiltration of data, what percentage of those incidents are either, you know, unresolved because maybe the ransom is paid and the keys don’t work or they don’t send you the keys or you pay the ransom and they release it to the world anyway, they publish the data because that’s becoming more and more prevalent nowadays, right, Rich? Yeah, well, and that’s a whole interesting and different topic, the whole honor among thieves topic. That they, the people who perpetrate ransomware will actually honor an agreement more often than you might think.

But the thing certainly that’s been happening a lot and it’s become more and more common in the last few years is the double and triple extortion kind of attack where it’s, you know, pay me X Bitcoin and I won’t distribute your data. And then you make the payment. It’s like, okay, now here’s the next thing that I want from you before you’re, you’re rid of me.

So, yeah. Yeah. But it all kind of comes back one way or another to data. Speaking of which Erick, now I’m, I’m cheating a little bit because I happen to know what you’re going to be getting into on your tip of the week for this bonus episode of the show, and I know data does figure in there a little bit, but that’s not the main topic.

What is your main topic area? Well, Rich, we’ve talked a lot on the podcast about the need for MSPs to become much more strategic in their relationships with their clients as more and more of the traditional services that, you know, as MSPs, we have provided in the past have been migrating from on premise, you know, hardware and remote help desk services, things like that.

These things now are moving more toward the cloud. We’re seeing less and less gear onsite. We’re seeing less and less necessity for onsite visits. We used to call them truck rolls, right? Back in the day, Rich. So it’s all about becoming much more strategic and differentiating your organization from your competitors as an MSP, Rich, by aligning your IT services against your clients’ business goals. So this is where we start talking about, you know, everybody, you know, every MSP out there does, you know, a handful of the same similar things, right? They’re doing projects, they’re doing migrations. They’re doing help desk for users. They’re monitoring, patching and updating.

They’re delivering a suite of, of you know, enhanced cyber security services, solutions to try to protect their clients. But how often, Rich, are the MSPs mapping the business outcomes that all of this, you know, challenging and difficult labor delivers to their clients? So three quick tips. Number one, conduct strategic IT reviews, reviewing the client’s growth potential, right?

So when we talk about, wow, we want to do strategic reviews with every one of our clients. Once you get to about, you know, 20 or 30 clients and above that becomes really, really difficult, rich. So we want to segment our clients into kind of the ABC, the pyramid that I talk about sometimes where you take a pyramid and, and you divide it into, you know, three sections, the tippy top or the A clients, the middle is the, are the B clients and the wider bottom base might be the C customers.

So you’re going to want to categorize your clients in, in a couple of different areas, you know, what makes sense for the MSP, but specifically in terms of how fast are they growing, what is the revenue potential for your services to add on to, to go wide and deep within those client relationships. And, and what does the budget look like?

So those folks that have the highest potential for those three or other categories would be those A clients. And these are the folks that we want to meet with most regularly. And I’m talking about, you know, VCIO type meetings, the B clients, the middle of the pyramid rich might be folks that may [00:15:00] be not growing as fast or have as much budget.

They still want to be strategic. So they’re not really C customers yet, but maybe we’re meeting with them twice a year or something like that, or maybe once a year for some of them depending on what the need is and then everybody else is kind of as needed. So we really want to focus our efforts on the clients that are the most strategic for us and we need to up our game as MSPs, Rich, to be strategic and, and aligning their business objectives with our IT strategy. So how do we empower that business’s growth and the vision that the leadership is, is implementing each year, how do we support that with technology, cybersecurity, AI, all the things that we talk about all the time. So that’s the first goal is meeting with them to ask them specifically.

It’s a business conversation, not a technology conversation yet, but it leads to the second tip of the week, Rich, is demonstrating the business impact. So how can we gather metrics around the services that we deliver to reflect that positive impact on the vision or the growth of the company. So uptime, we can have a calculation that we create that says this is how much it costs you to operate your business.

And this is what downtime costs, right? From a labor perspective and downtime is a double edged sword rich, right? Because if the users are down or a user is down, not only are they not, uh, being productive and growing the company. But it’s also, we’re paying them to sit idle. Right. So it’s kind of a double edged sword there.

There’s two kinds of losses. If you look at it that way, and if you’ve got 20 folks and the entire company is down, that adds up really, really quickly. So it was a formula that says, Hey, we’re managing and increasing or, or maintaining uptime. So that’s positive to the client. What about revenue?

Are we implementing services and solutions or workflows or swapping out platforms to make the organization more efficient? And then how are we helping that client because we’re delivering services, solutions, and maybe enhanced cybersecurity, how, what impact does that have on their customers satisfaction, right?

So think outside the box a little bit and figure out some of these KPIs that really relate to a business impact and then map services and solutions or reposition, or help your clients visualize that with some interesting graphs or reports when you’re sitting down with them. And then the third one, Rich, is developing the IT roadmap.

Like, how do we get, how do we get there, right? So if we want to help the client increase their efficiency or improve the workflows of different business units, what does that roadmap look like? How do we leverage AI to deliver a lot of that potential impact and how do we roll some of that stuff out?

How do we get folks off of legacy platforms and systems and get them into the cloud? How does that impact their ability to increase revenue, do more with less the things that MSPs talk about in their own businesses, how do we do more with less, how do we consolidate a bunch of different disparate platforms and make it easier for us to work?

And, you know, again, you know, the moniker or the, you know, the, the word that we’re always talking about, Rich, is AI, how do we deliver or develop services to help clients get there faster with the promise of AI and do it in a, you know, in a very risk averse and efficient manner. So the, the data piece of what you were talking about there was the, the second of those three tips, the one in the middle, but I actually want to kind of focus on the first and the third because the first gets very much just something that we’ve talked about a number of times on this podcast here, which is just the idea that the basic blocking and tackling of IT management that MSPs have historically done is already commoditized, growing more commoditized and you know, just to invoke AI one more time, it’s going to be even more of the case as we go down the road and AI is increasingly capable of doing, you know, a lot of the tier one, tier two kind of work on its own.

And so the way to, to earn margin, the way to build and maintain a future in managed services is going to be having those strategic conversations, those business oriented, outcome oriented conversations with your customers and what you’re talking with them about how you can apply technology intelligently to make more and spend less. That’s what’s going to make you sticky and a strategic partner. And then the roadmap piece of what you’re talking is [00:20:00] where that kind of big picture strategic conversation gets specific. And you start talking about projects and spending commitments and actually kind of making things happen that generate revenue for you and results for the client. And so I like all three of the tips you provided there, but I particularly like the way the first and the third play together.

Yeah, and like you said, Rich, I mean, a lot of the things that traditionally MSPs feel are their value proposition are table stakes nowadays. I mean, you know, we, we, we have, you know, we deliver vendor management, we deliver end user support, we deliver patching, updating, things like that.

I mean, those are just table stakes. Everybody does that stuff. We do infrastructure upgrades. What’s different about that? You know, MSPs to say, Hey, we have highly skilled technicians who doesn’t, right? I mean, at the end of the day, what we’re trying to do is offer that business partner value, right? Now we want to be seen as true business partners, not technology vendors, right?

At the end of the day. And Rich, I think we should come up with a drinking game. Every time, you know, we say AI or something, we’ve got to take a shot. So would we be trying to say AI more or less? I mean, the more we say AI, the less capable we are of doing the podcast. On the other hand, it’s a party.

Yeah, it depends on how much day drinking we want to do. Well, there will be no day drinking in this episode of the show. What we are actually going to do is take a quick break. Now, when we come back on the other side, we will be joined by Rob Sims, CTO and co-founder of Alchemi Data Management, the company responsible for sponsoring this special bonus episode of the podcast.

And as I indicated before, we’re going to talk about insider threats: what they look like, why they’re dangerous, how to address them. That’s coming right up, folks. So stick around. We are going to be right back.

And welcome back to part two of this episode of the MSP Chat podcast, our spotlight interview segment. This episode of course is sponsored by Alchemi Data Management, and we are very pleased to be joined by the CTO and co-founder of Alchemi, Rob Sims. Rob, welcome to the show. Thank you for having me.

Looking forward to it. Now, Erick and I know you, we know Alchemi. I’m guessing there are some folks in the audience who don’t. So before we get into the topic we’re going to dive into, which is insider threats, tell folks a little bit about yourself and about Alchemi. Oh, well, normal dude, but actually enjoy life.

I have nine children which is kind of something unique to have a conversation. I had the opportunity to adopt four sisters eight years ago, so that was pretty cool. So that keeps us pretty busy on the home front. But on the punishment side, I’ve kind of been a perpetual entrepreneur here the last decade or so.

And had the opportunity to work with my partner, Mike Jones, to create Alchemi Data, build it from the ground up to focus on solving some specific things that have been out there for a long time that we don’t think have been addressed effectively. And build a solution to do that. So, very excited about all that.

So here I thought I knew all about you, Rob. I had no idea you have nine kids. That was a really interesting thing to learn and it’s actually, it’s kind of a nice segue to what we’re talking about here. I’ve been looking forward to this conversation ’cause we are gonna be talking about insider threats and that is one of those topics that any of us in the IT world think we know about.

And the more I’ve gotten to know you and Alchemi, the more I’ve realized it’s a much more complex topic than people realize. So from your perspective, from an Alchemi perspective, how do you define insider threat? From a technical kind of perspective, I’d say it’s about, an insider threat comes from whenever somebody that has a legitimate access to the company’s data misuses it or has the opportunity to misuse it.

That could be deliberately or accidentally and, and so doing it jeopardizes the company or the organization’s security, compliance, combination, competitive standing, other things like that. Basically, it’s, it’s those people that we trust to have, get their jobs done, to make the company do what it does, but because of that, it gives them access to things that could actually be used for harm.

Rob, you know, it’s, you have a very unique and different perspective about insider threats than what we are hearing from, you know, others in the industry. So, it’s, you know, it, it’s, and we’ll get into it here in a minute, but I want to ask you this question, just keying off [00:25:00] of what you just defined. How prepared is the average organization to detect insider threats?

And respond to the full spectrum of insider threats. Yeah, it’s a good question. And, and, and the reality is it has morphed over these last years, right? Because it, it, it was back in the day, pretty much just focused on physical security, right? Badging into rooms, badging into different elements, logging into systems, those kinds of things.

And it hasn’t been until the data, you know, the just explosion data that the various methods and issues that an insider threat kind of brings up has come to the forefront, you know, and one of the things is, it’s just, you know, companies are naturally not wanting to really look at that. They believe they hire really good people, and they probably do.

And for the most part, that’s the case. So sitting back and saying, Oh, I need to be suspicious of this. And then the other is not necessarily the conversation everybody just wants to have. So it’s normal. I guess I would say that, yeah, there’s certain people that have thought of it in one way and things have progressed really quickly to where the insider threat against the data layer is becoming a significant problem from a reputation perspective, from a cost perspective.

We’ve had intellectual property stolen from businesses to start other businesses and to foreign entities and everything else. This just isn’t a government problem. It’s a corporate problem at this particular point. And so the challenge for a company is to, you know, take a step back and say, Hey, really, truly, you know, let’s take an honest, hard look at this problem and say, what are we doing to solve it?

But also, you know, in light of this whole concept of it could be deliberate or it could be accidental. A lot of people try to focus on the accidental part. But the deliberate part is just as, as critical as we go forward, you know, but part of the inspiration for this conversation, Rob is a very interesting article.

You contributed to Cybersecurity Insiders magazine, and for the folks in the audience, we’ll link to that from the show notes. I encourage you to take a look at that. A lot of interesting points in there, but one that was particularly intriguing to me is that you said ransomware, which I think everybody thinks of immediately as an external threat as opposed to an internal threat, is kind of an insider threat too. Explain why.

Yeah, I’ve gotten that as well. It’s you’re, they’re right in that it comes from the outside. It also comes stems, I believe, from the fact of the types of threats that we are all attending to and that we’ve been kind of focusing on in the rearview mirror as we look back over the last decade of things we focused on like viruses, right?

We get a virus into the network and there’d be other these kind of forms from the attacks from the outside as they try to drill in and gain access to our systems and those kind of things. Ransomware is a bit different, however, in that when you look at it from a data layer on the inside of the business and from a data perspective, ransomware takes over the account of a justified user with their access and their, their methodology from a data layer in a systems environment.

It looks nothing more than like another user accessing content and data. So it’s not like your traditional type of a virus. It is a different, I mean, you could, you could argue that it is in some ways in some shape form, but at the reality layer of the data, it looks like a client, the user is accessing content and therefore to solve for it, I would believe strongly that you need to treat it as, as such, thus we included in the insider threat because we’ll get into it.

I know in a bit about how do we go about solving these particular problems, but yeah. You’re not going to solve it very well, in my humble opinion, with treating it like a virus. You’re going to need to treat it for what it’s doing, which is data access. To exfil it, or to confuse it, right, encrypt it, do those types of things.

It’s trying to do something to the data layer. And as I said, in order to do that, or the way it does it, it does it as if it’s the user themselves that’s, that, that is causing this to occur. Yeah, they clicked on a phishing email and now they’ve taken over that computer. But we can’t solve the ransomware problem holistically by treating it like an outside threat that we can stop at the door, right?

It’s not one of those things that we can put a wall up, you know, a firewall or this and say, okay, we’ve got 100 percent coverage. The statistics just plain out tell you that that’s not the case. People have invested tons of money and time into firewalls and virus scanners and everything else and ransomware is just still running rampant in our industry. So that’s the reason we believe it needs to be treated in a different way.

[00:30:00] You know, Rob, I never thought of it that way. The impersonation of, you know, a privileged user inside the network, then, you know, that now is an insider threat once the bad actor is in the environment. That’s really, really interesting.

One other point that I’ve found kind of shocking in your article was just how often employees leaving a job take data with them. How hard or easy is it to identify when that happens or prevent it? I mean, this was, you know, this was pretty surprising to me. The amount of percentage that that’s happening.

I had no idea. And it stems from the fact that the people, people believe it’s their data, right? They believe I created this. I worked on this project. So, you know, it’s part of my, you know, resume, if you will, right? I wrote, I wrote this kind of code or I did this kind of process. So it is somewhat, you know, a challenge from a pure positional and mentality state, right?

Says, Well, I’m loyal to this company until I’m not. And I take my bags and I walk out the door. The university system has seen this, you know, for a long, long time, visiting professors or professors come in and do all these projects. And then they just pack everything up and go to the next assignment.

And so it’s been prevalent for a long time. Not to say that, you know, it’s right or we shouldn’t do it. But the point that you’re making is, well, how do you address it? Right? It’s, you know, and I think there is the education, there is the communication, you know, try to minimize some of those things occurring, but at the end of the day, the only way to truly do this is you have to understand what users are doing not from a login and the network’s perspective, but from a data perspective.

So we’ve had the world of user behavior analytics for a long time, you know, and tracking users and social media and logins and applications and so on and so forth. But if we want to solve this problem, we’ve got to do it at the data layer again. I’m going to sound like a broken record. We’ve got to focus at that critical asset layer of the data to understand what particular users do on a regular basis because their behavior does change as people get ready to leave the business.

Their work cycles change, the data access changes, different things start to change. That if you’re doing the right thing and you’re tracking and understanding what’s going on, you can detect some of those types of activities from occurring. That would be step one. But step two is just as critical, and that is you gotta know what data you have.

The challenge for most businesses is they have no concept of what their data is or where it is, who has access to it, those types of things. So being able to detect if somebody’s pulling in, you know, a, a rock out of the rock pile is, is challenging, right? Because it looks just like every other rock. You don’t know what it is.

You don’t know how important that is. So the second step is you got to know and understand your data. Therefore, once you know and understand it, you can put priorities on the certain things that are critical. And those type of things you can then focus in to where these types of events can be identified quickly, accurately and addressed in that kind of manner.

I mean, they’re, I’m brushing over a whole lot of technology required to do that. But that is the point. You got to know what data you have. You got to know where it is. You got to know how it’s being used, and then you have to be able to understand the users and their activity in terms of accessing it and changing and modifying it.

So that Cybersecurity Insiders article that you wrote lays out three sort of core elements to a complete insider threat strategy. The first of those is real-time detection. What does that part of an insider threat strategy entail beyond, you know, maybe the intuitive stuff like being able to see ransomware as it happens immediately?

Yeah, and not to, you know, minimize that. I mean, the ability to see these transactions and this activity in real time is critical to minimize the impact of whatever this particular attack threat, you know, is. So the closer you are to identifying it and identifying it correctly, the less the impact of whatever that may be.

In the case of ransomware, being able to know that something is now trying to modify your content to the point where it’s unreadable. You know, encryption or what have you, doing that. And doing that in real time means that the ransomware is not going to have a very big or broad impact, if at all, you know, kind of a thing.

But when we get to the more challenges in terms of the insider threats for [00:35:00] stealing intellectual property, again, I get back to the discussion I just had with Erick. If you don’t know what data you have, that’s not going to work so well. So being able to detect in real time means you have to already know what this data is and what it’s being accessed or how it’s supposed to be used.

So it takes a reversal of what we’ve kind of done in the past, which is just to, you know, throw, you know, files used to be the kind of all I call the junk drawer, you know, everything the company ran was on a database and files were just there for, you know, somebody to create a PowerPoint and do this and then the other.

Well, that’s completely changed, right? File content is by far the largest element of corporate data and assets now. But we still tend to treat it as a junk drawer, right? We just shove it over there. Well, to detect an insider threat, like we just talked about, in real time, you got to know what it is that’s being accessed.

And you got to understand its value and its need and its purpose. So it takes a more proactive approach. It takes technology to be able to do all of that as well. But the company has to recognize and sit back, as we said before, and understand that their data is the asset, and that asset requires some investment to be able to protect and secure it going forward.

Rob, continuing, you know, with the second core element of a complete insider threat security strategy, as you wrote in your article, the second element is isolating these threats. And you make the case that preventing false positives is a huge, very important part of that. Obviously, you know, that’s important to MSPs.

What can MSPs and their clients do to detect these false positives so that they’re not spending a lot of time just kind of slogging through stuff that, you know, it was just taking up their day and costing them money?

Yeah. This, you know, it’s kind of alert fatigue that they kind of call it in the industry, right?

You get so many of these tools that are sitting there sending you alerts and notifications all the time that it’s kind of the boy who cried wolf syndrome, you know, in real time in the technology world, whereas there’s just so many alerts that we can’t address them all. We don’t have the staff to do it.

Becomes challenging, and so the challenge back to the technology providers like ourselves is how do you do this detection, isolation kind of a concept and do it in a manner that minimizes those false positives. And the traditional method of doing that is that you need to be looking at multiple variables and multiple elements that allow you to be more sure, if you will, or more accurate with what you’re looking at.

So if you’re looking at one thing, we’ll just kind of use an example. If you’re looking at logins to a particular application, that’s great. It might be indicative of something that’s changed and going on, but it also might be a person that got a new job and they got a new project need and they’re off doing what they’re supposed to be doing, right?

So that kind of single point, you know, we always say a single point doesn’t make a line. The more points that you can do to draw that line that says we’ve gone over the line. Now this is a real threat. This is a real issue. We can then isolate that from the rest of the corporation and be relatively sure that this is a problem that requires the security people in our company to take a look at it.

And so it’s on the company itself again, but it’s also on the technology provider. Is this technology just doing things to do things, generating alerts and neat charts, or is it really focused on solving a specific problem and alerting to a specific need? And unfortunately, in saying that, the thing I will then point out too as well is, be wary of any technology that says they do it all.

They don’t then because it’s kind of like, you know, you’re paper thin. So you’re not going to be able to do everything you need to be doing. And unfortunately, what it means to the MSP is we need to pick our technology and our solutions properly to solve for the specific problems we’re looking for.

And don’t just walk in with the guy that says, I’ve got the golden ticket that covers everything for you. It just doesn’t exist because the world we live in, that’s not the way it works.

So the third element of a complete insider threat strategy that you outline in your article is seamless recovery, which on the surface sounds like something that backup software does. I’ve got backup software in place or BDR. I’m prepared for seamless recovery of it. Your article [00:40:00] explicitly says, and I’ll quote, “traditional backup systems offer protection only up to a specific point in time, often leaving vast gaps in recoverability.”

So talk a little bit about those gaps and the risks they pose.

Yeah. So backup, you know, spent a lot of my history in the world of storage and data elements and the whole concept of, well, pretty much any engineering effort of building technology is built for a purpose. And then over time, it’s attempted to morph into solving other problems.

And backup is the prime example of this. Backup, the whole word was brought forward from, I need to bring my system back up. My server has died. I need to bring it back up, bring it back online. And so everything about it was, okay, let’s take this snapshot in this element of this point in time that I can bring the system back over.

Well then files will come along and they don’t operate anything like that, right? A file is a self included, self defined kind of entity that can be opened and operated on by any system because it contains all the information it needs to know. And therefore it’s changing on a relatively quick basis.

People are updating and multiple people are sharing the same content. And so you got updates happening all the time. Well, back again to the world of where backup came from. It was kind of this point in time concept, right? I need to back up at this point in time. And then we built snapshots and we built some other methods to try to do this to deal with files.

But always it’s after the change has occurred. So as systems get modified or updates occur, a backup schedule happens. Now, the closer it is, the better, right? If I’m going to say, I’m doing this every five minutes, and I’m doing a delta difference every five minutes, that’s great. But unfortunately for most companies, that’s just not the case.

They’re not. That’s costly, that’s expensive because it takes people to manage it and operate it. Recovery takes potentially longer depending on the complexity of what those kind of things are. So people have set up their backups, again, originally to a systems kind of perspective, and we’re now trying to apply that to files.

Well, the argument that I make to that is that files are not systems, files are versions. They’re not even point in time, right? I change a file, what I’m looking for is the version that I saved last week, right? Or the version three before this. And it’s more of a concept of this one versus the ones that are before, as opposed to kind of a peanut butter last Thursday at five o’clock.

And so when I talk about recoverability, the challenges are that window, how big of a window that is from when the change occurs to when the backup system is protecting it to another location, and that window is exposure. If it hasn’t been done and the ransomware were to come in, for instance, you don’t have that file from that particular moment.

And now you’re going to have to go and find out what do I have now? I might have a version that’s a month ago. Okay, well, great. Well, now you’re still down a month. Right? You know, from what might have been critical data. At a minimum, you might be two, three, four days behind. And so it’s up to a business on how critical that information that might be lost is.

So, our approach, and we can get into that even more detailed if you like, but our approach is what we call before change protection. Before the change is allowed to go through to the back end file, the current version is protected. So that means there is no gap. As long as the, you, your point was, okay, well, Thursday at 7 p.m. ransomware came in and started doing all these changes to this particular account. Okay, then let’s roll back that user’s files to the state that they were in, to the versions that they were at, at seven p.m. And there’s no gap between, you know, what was protected or not, because every change was protected before that change was allowed to percolate through to the back end system.

So we can get into the technology that, but that’s my point is that there’s no gap between what was there and what you have available in your protection systems.

Okay, Rob, you opened the door. You said, you know, you talked about the technology behind it. So how does Alchemi’s technology help its partners address insider threats? You have a very unique perspective and a very unique technology, with some patents. How does it work?

Yeah. One of the first critical elements is where we do what we do. So a lot of the systems that I think people are familiar [00:45:00] with are what we would call agent based. They run on the clients. We run at the kernel level, meaning they run deep into the operating system level, and they kind of operate independently, some of them with a little bit more central control.

But, you know, that that’s kind of an operating point where they are. And so when there’s a problem, you have percolation issues, you have notification issues, all sorts of things that come with having such a distributed kind of environment. Well, we’ve chosen a unique position, in fact, I believe we’re the only ones in this role and that is at the network level.

Think of us as a router that is between the clients and the file system. And so what we’re doing is pretty basic in that we are simply watching in real time what is going on between clients, users and the files themselves. So this is how we’re able to understand what is the normal behavior of Rich versus Erick, right, in terms of access to content.

It is how we’re able to isolate so cleanly, because if we detect multiple variables now looking at Rich’s, Rich, your access, you know, what we would call normal, normal times of the day, normal days of the week, the types of files that you’re accessing, the age of those types of files you’re accessing, multiple variables that define what is Rich’s normal world, to say, suddenly you’re behaving a lot different.

And since you’re behaving a lot different, because we’re at the network label, we’re network level, we’re able to isolate your system without changing any of the other environment variables. We don’t have to change your domain, we don’t have to change Active Directory, we don’t have to go mess with the applications.

We don’t have to shut anything down for the rest of the users. Everybody still gains access to everything. It’s just your particular system that has now been isolated. So because of the multiple variables that we looked at, we can reduce those false positives. And secondly, because we can isolate surgically, right, we’re not affecting the whole business.

So yes, maybe Rich, in this case, you’re the bad guy here. You’re affected to some degree. Like the rest of the businesses. No, things could continue on. And as I mentioned, we do this what we call before change protection. It’s one of those unique things that we do. And it’s unique because of where we sit as well.

As we see a destructive command come in, like a file save or delete, even renames and moves, we have the ability to protect that file on the file system. In other words, we have the version of the file immediately before that change because then we let the change go through. So we protect that file and then let the change go through.

And therefore there’s no gap between what the file was before to what the file is now. And it’s a single click kind of action. 7 p.m. Thursday. Boom. All files that have been changed and modified are rolled back to that particular version that they were at, at Thursday at 7 p.m. You don’t have to leave the system, you don’t have to go to the backups and load tapes or do anything else that you do in your backup world.

And you don’t have to bring anybody else in, it’s completely recovered back to the state that it was in. As I said, with kind of a single click, and it all stems from the power of where we sit. It allows us to see all of the content and allows us to see all the clients without needing to be on all of the clients, because I think as you’ve seen, there’s been a few indications, a few cases, one just last week, of your security software being used or having issues and creating issues.

That same challenge for the business is if somebody outside has gone in and did it themselves. So I kind of call it, what are you doing to protect yourself from your security software? So, so that’s kind of a very high level. Obviously, there’s a lot of technology underneath that. The other thing I would kind of finish with.

Is that we also then analyze the content itself and provide a vehicle using even AI, as desired, to identify content, to tag content and then to control the access to that content, regardless of where it’s at. And that gets back to some of the conversations we were having before. You got to know what you’ve got before you can protect what you’ve got.

And so one of the critical elements is what we do both from a content indexing for the text. But we’ve got some exciting things coming road map wise that are dealing with images as well. So being able to protect pure image kind of data as well as content data and being able to protect that data from being exported.

You know, so the challenge is what about that critical insider that has access to everything? The crown jewels of the business. Right. And [00:50:00] they gotta have access to it. How do you protect from that? And the way again is critical content and our ability then to control where that content can be sent can be accessed from those types of things.

But it starts with knowing what the content is to begin with.

So we just broke a little news here on MSP Chat. There is image protection coming to Alchemi’s solution. I will be keeping in touch with you about that, Rob, when it comes out for reporting in my blog, Channelholic. Like I said, we will include a link to your Cybersecurity Insiders article in the show notes for folks who want to read that.

For folks who want to get in touch with you, learn more about you, learn more about Alchemi, where should they go?

Well, ShieldCRS is the technology product name. The best way to do that would be go to ShieldCRS.com. And we have contact forms and everything else there that you can gain access to us.

Or I’m up on LinkedIn, as most of our team is as well. If you want to kind of find us there and reach out a little more personally, that’s fine as well. But those are a couple of the ways that I would suggest would be easy to get ahold of us.

Okay. Rob Sims from Alchemi Data Management, thank you very much for joining us.

Thank you guys. Those are great questions. Appreciate the opportunity.

Thanks, Rob. We are going to take a quick break here. When we come back on the other side, Erick and I will share a few final thoughts about that very interesting conversation with Rob, have a little fun, wrap up the show. Stick around. We’ll be right back.

And welcome back to part three of this episode of the MSP Chat Podcast, a special bonus edition of the show sponsored by Alchemi Data Management. We thank once again Rob Sims, CTO and co-founder of Alchemi, for joining us in that interview segment. Three quick thoughts about that. And there’s obviously a lot that we could say there, but I want to kind of go all the way back to the beginning of the show when I was drawing a line in between insider threats and data security. I think you can see, based on the conversation we just had, why I was doing that there.

Because when you hear insider threat security, you kind of think about monitoring and preventing and reacting to action, something that somebody is doing. And what is always crystal clear whenever we get a chance to talk to Rob is that the foundation for insider threat security is data security.

You must know where the data is, who has access to it, who is authorized to use it, what kinds of activities are normal or abnormal. That’s where it begins. And then from there, you can get into watching what people do and what’s happening across the network and so on. The other thing that really kind of came out of that conversation for me is that in order to do a lot of the stuff that I was just talking about there, you need a purpose-built tool. So you have a backup tool. You may have even like a DSPM, a data security tool, but you really kind of need something that was built, designed from the ground up to protect data from the kinds of threats that we were talking about there.

And last but not least, Erick, this is kind of a confession: were you aware that the origin of the word backup is getting stuff back up? I always thought of it as like making a backup copy, but according to Rob, I looped it around. Backup derives from we got to get everything back up, so we better make a copy.

Yeah, that was a new one on me, but totally makes sense. Right. Get it back up. And then we kind of borrowed that term for backing the data. So that was very interesting. You know, a couple of things jumped out at me as well. I love the parallel of, you know, insider threat. You know, we think of, you know, phishing and things like that as well. That’s kind of an external threat. And I like the way that Rob looks at it and says, well, it’s really an insider threat because at the end of the day, you’re basically, you know, taking control through another user’s account to do all these things as kind of the bad actor.

So that was pretty interesting. And then, you know, one of the things that Rob really didn’t get too deep into was just, you know, the architecture behind Alchemi’s solution that basically, you know, allows you to restore in so many different, versatile ways that today’s, you know, typical backup solutions just don’t.

So their technology is, you know, we’ve talked to Rob and his team quite a bit, Rich, and it’s very impressive.

Very much so, very much so. And off the air after that interview, Rob was kind of letting us in on some enhancements and updates and innovations they’re working on right now. And we will not spill the beans on that, but it’s an interesting platform today that is set to get more interesting this year, and I’m sure I will be writing about that in my blog, Channelholic. Well [00:55:00] folks, that leaves us with time for just one last thing on this episode of the show, and I promise for the Gen Zers in our audience here, this is not about bashing on Gen Z, mostly.

However, what we’re going to be talking about here is a survey that was done in the U.K. recently by Halfords. Halfords, I gather, is a retailer for all things wheeled, like bicycles and cars principally. And they went out and interviewed, or excuse me, surveyed a bunch of people in various age groups and discovered that one out of five of the people they surveyed between the ages of 18 and 27 don’t know what a spanner is. A spanner is just a wrench, basically, here in the U.S. One in five. I don’t know what you’re talking about when you say spanner. And nearly a quarter confessed that they don’t know how to change a light bulb. Now Erick, you know, write your own joke here about how many Gen Zers does it take to change a lightbulb, etc. But I mean, this adds up. According to the estimates at Halfords, folks in that 18 to 27 price range are spending 1,300 pounds a year calling in professionals to do things like turn a wrench or install a light bulb. And that compares, the average across age groups in the UK is 622 pounds. So like less than half. And the average for people between the ages of 60 and 78 is 253 pounds, which is like less than a fourth. So I guess it’s good, if you are somebody who sells, you know, light bulb installation services, this is good news because there’s a generation coming in that’s going to need you to come by and do that work for them.

But wow. I was a little surprised by this.

You know, the handy person industry is going to be kept very busy with these Gen Zers, you know, it’s interesting. I have, you know, one of my sons is a Gen Zer and it’s the opposite, I mean, he takes more after me, like we work on cars together, we restore cars, and he gets into it, but yeah, that report is kind of sobering.

Yeah, well, it’s like father like son in your household, but not every household is like that. Well, folks, that is all the time we’ve got for you on this bonus episode of the MSP Chat podcast sponsored by Alchemi Data Management. We thank you for joining us. We will be back on Friday with a regular edition of the show.

Our regular editions come out on Fridays. Until then, I will remind you that MSP Chat is both an audio and a video podcast, which means that if you are listening to us right now, that you’d like to check us out on video, go to YouTube, look up MSP Chat. You’re going to find us there. If you’re watching us on YouTube, you’re into audio podcasts as well, go to Spotify, Google, Apple, you name it, wherever you get your podcasts, you’re going to find us there too. And however you find this, please subscribe, rate, review. It’s going to help other people find and enjoy the show just as much as you do. This show is produced by the great Russ Johns. It is edited by the great Riley Simpson, who is great at editing podcasts as well as turning wrenches.

They are part of the team with us at Channel Mastered and they are ready, willing, and able to create a podcast for you too. And podcasts are just the tiniest, tiniest part of what we do for our clients at Channel Mastered. If you want to learn about the big picture, go to www.channelmastered.com.

Channel Mastered has a sister business called MSP Mastered. That is Erick working one to one with MSPs and growing and optimizing their business. You can learn more about that organization at www.mspmastered.com. So once again, we thank you for joining us. We’ll see you in a few days on Friday for this week’s regular edition of the show. Until then, I will just remind you as we always do, you cannot spell channel without M. S. P.