#trusted
partner
Who's In Your Cloud?
Who's In Your Cloud?
Episode 5: Security Updates & Patch Management
/

Episode 5: Security Updates & Patch Management

Nov 30, 2021 | CYBERSECURITY, Who's In Your Cloud?

Who's In Your Cloud Blog Header Image

Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted Technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose, and this is Episode Five: Security Updates and Patch management.

Last week, we took a deep dive into the world of identity access management, and discussed new ways of evaluating the unique needs for IAM services to simplify the access and productivity experience for end-users and administrators while maximizing the security of systems and data. To view episode five and catch up on all of our prior episodes, you can view those on demand on LinkedIn, Facebook, YouTube or Spotify. And for direct delivery to your inbox, sign up for our blog at TechOnPurpose.net/blog.

Today, we’re discussing security updates and patch management. What are the options? And how do you balance the urgency, timing and frequency of updates to mitigate security risk while minimizing possible productivity and impacts? Our cast of cyber experts today from ConnectWise, Cyber Trust Alliance and JumpCloud, will walk us through all things security updates and patch management and discuss their organization’s available solutions. 

Don’t forget we’ll be releasing a new episode every Tuesday, starting 10/20/21 through late spring of 2022 with brief time off for holidays with family & friends.  We’ll also follow each Tuesday episode release with subsequent Wednesday, Thursday, and Friday posts highlighting our (3) contributing solution partners from that week’s episode.  We hope you’ll find this an immersive, hopefully simple, educational and enjoyable experience.  So how do you tune in?

To easily follow the journey ahead we’ve diversified your access options to all (23) of our coming episodes.  You can follow long here on our blog, or by any of the following methods:

  • Email Newsletter: sign up at techonpurpose.net/blog and have each episode delivered direct to your inbox when released.
  • LinkedIn:  follow here
  • YouTube:  follow here
  • Facebook:  follow here
  • Podcast:  follow here

Buckle up – it’s time to hit the road to #secure, reliable, trusted technology!

 

Lauren Lev 
Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted Technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose, and this is Episode Five: Security Updates and Patch management. Last week, we took a deep dive into the world of identity access management, and discussed new ways of evaluating the unique needs for IAM services to simplify the access and productivity experience for end-users and administrators while maximizing the security of systems and data. To view episode five and catch up on all of our prior episodes, you can view those on demand on LinkedIn, Facebook, YouTube or Spotify. And for direct delivery to your inbox, sign up for our blog at TechOnPurpose.net/blog. Today, we’re discussing security updates and patch management. What are the options? And how do you balance the urgency, timing and frequency of updates to mitigate security risk while minimizing possible productivity and impacts? Let’s meet our cast of cyber experts today, who will walk us through all things security updates and patch management and discuss their organization’s available solutions. We actually have an all new cast joining us today. So first up, join me in welcoming Frank DePrisco, Director of Customer Success for ConnectWise. So Frank, we’ve actually had Tanya Omeragic and Jay Ryerse from ConnectWise join us in prior episodes. So, we’re happy to have another ConnectWise member join the cast.

Frank DePrisco
Thank you, Lauren. It’s good to be here.

Lauren Lev 
Yeah, of course. Next up, we have JumpCloud’s Implementation Engineering Manager, Dan Fay. Dan, we’ve also had Chase Doelling on the blog before, and hopefully he’s had nothing but good things to say about us for his time on our show.

Dan Fay
Awesome. Good to be here. Thank you.

Lauren Lev 
So, rounding out our first time cast is Jeremy Sadler, Senior Information Security Officer from Cyber Trust Alliance. This is not only your first time on the blog, Jeremy, but Cyber Trust as well. So, we’re glad to have you guys represented.

Jeremy Sadler
Thanks so much, Lauren. Glad to be here.

Lauren Lev 
And we have our very veteran cast member today, TechOnPurpose’s very own Founder and CEO, Matt Tankersley. So Matt, after this week, we’ll be approaching the third of the way mark in our Who’s In Your Cloud series. How does it feel?

Matt Tankersley
First off, are you saying I’m a veteran because I’m old, or I served in the military, or I’ve been in all the episodes? I want to make sure I know.

Lauren Lev 
D, all of the above.

Matt Tankersley
Oh, that’s awesome. Well thanks, Lauren. And thanks to all of our cast for taking valuable time to join us and help educate and equip our listeners and viewers on how to break down and simplify the complex journey to secure, reliable, trusted technology. It feels good to have come as far as we have, Lauren, and I’m excited to continue the journey with the help and wisdom of our VIP and cyber cast, cyber expert cast contributors that we have each week. And as you’ve said, each of our companies is regularly bringing new skills and new wisdom as we discuss new topics, so grateful to have everybody. So, patch management and updates. You know, this is something we’ve been helping our clients with for a long time. Interestingly enough, it’s not been in the context of cybersecurity until recent years, right? For decades, we’ve been patching and updating to fix bugs and add features and capabilities. But, as the cybercrime industry is literally blown up into a multi-billion dollar industry, the bad guys are constantly finding new and faster ways to get to you and your money and operating system patches. It seems to become a lucrative attack vector that is so far reaching that it can reach lots more users globally once that vulnerability is known and prior to releasing an application of those patches. So, consider having your password compromised, right? How far can a malicious actor go with that? It could be a ways, but it’s likely limited to you and your organization. Now, compare that and a vulnerability to a Windows or a Mac operating system, how many individuals organizations could that effect, a whole lot more, right? So, the bad news, it’s not just your computer, it’s your mobile devices, I mean Apple and Android and tablets that your firewalls, your switches, your Wi Fi access points, and even your office and email apps. The good news, it’s not too hard to ensure those patches and updates are happening, especially if you partner with MSPs like TechOnPurpose to automate and execute using partnerships like we have with all the folks that are represented here today. So Lauren, let’s ,let’s dive deeper in and meet a little bit more about each of our cast members here.

Lauren Lev 
Before we start our roundtable questions and get into the more fun part of today’s episode, let’s give all of you an opportunity to introduce yourself and tell us more about your company. So, we’ll have Jeremy go first. Tell us about Cyber Trust Alliance and what you do for them.

Jeremy Sadler
Thanks, Lauren. Yeah, so I am the Lead Information Security Officer, fancy title for saying I run all of our audits and our compliance practice. Cyber Trust Alliance specializes primarily in HIPAA and healthcare regulatory agencies, but we also branch out into every other industry and vertical that can benefit from our services. Our focus is delivering transparency and visibility into the risks and security issues within an organization. We do that through a combination of tools, including policy and procedure review, wireless network analysis, but also software vulnerability scanning and reviews, right. And fishing, of course, is always a big one that will be in a later episode, I’m sure. So, we bring all of this information together, right? But, you know, I run that practice, I run those audits, and I deliver that information to clients and help them develop remediation strategies and remediation plans to improve their security posture.

Lauren Lev 
Frank, introduce yourself to our audience and tell us what you do as their Director of Customer Success for ConnectWise.

Frank DePrisco
Sure, I’m Frank DePrisco. I’m with Connect wise, we’re a global software security company helping our partners like TechOnPurpose to be successful in their business adventures. And there’s, there’s lots of adventures out there these days. And we, I work on the IT Nation Secure Team. And so, what we’ve done is we’ve created. So, there’s frameworks across the board. There’s NIST, there’s ISO, you name it, there’s another framework, but we created what we call the MSP plus framework, which was designed to help MSPs have a security journey path forward. We’ve also created training classes. So, we created playbooks at the fundamentals, advanced and master level. So, I helped write the content and or the training in those programs, as well as we have our partner program that our customers can join to get additional security products. And then similar to what Jeremy said, I take the output of those products. So, the company I was with before ConnectWise, we created a product called Identifying, which is a risk assessment product that was one of the main contributors to the content of that risk assessment. So, we take the output of that as long as well as the Fortify Assessment Program Detail Report, and create an action plan for our partners based on critical and high vulnerabilities that we find. So, it’s not a one time fix. We’re not making people do things right away, but it’s creating a journey towards a more secure operation. So, that’s what my team on IT Nation’s Secure Team does.

Matt Tankersley
Those who have been falling along, right we, one of the values of our Who’s In Your Cloud? campaign for our viewing audience is that we are providing a free NIST cybersecurity survey. And it is in fact, with the platform that Frank and his team have equipped us through, through the Identify platform. So, be sure to take advantage and get signed up and get your FREE cybersecurity surveys while they last.

Lauren Lev 
Alright, Dan, introduce yourself and explain howJumpCloud fits into this conversation about security updates and patch management.

Dan Fay
So yeah, so JumpCloud is a directory as a service platform entirely cloud based, no need for on prem anything. And what we do is we consolidate, integrate, and work with hundreds of different applications. We’re vendor and operating system agnostic. So whether you’re using Mac, Windows, Linux, or a mix of all doesn’t matter. We work with all of those. And we secure pretty much most, if not all of your IT resources into a single directory structure that admins can manage. And we work very heavily with a- we have a partner team and a partner program that we work with different partners across the globe. And with that, basically, we want to ensure that all of your workers, regardless of where they are, especially in the current hybrid and remote work scenarios be entirely secure, point-to-point, MFA everywhere, strong passwords, all the good policies, and with software management, patch management, all that good stuff as well. So, we try to encapsulate everything as simple as best as possible.

Lauren Lev 
So, now let’s get into the fun part of our blog series today. And we’ll have Matt introduce us to what security updates and patch management are and why they’re important. So Matt, take it away.

Matt Tankersley
Well, I think the rest of this team is probably better equipped to answer that question. But thanks, Lauren. And let me just remind everybody to stick with our format. Keep it sassy, keep it savvy, let’s have some fun, and we’ll pass the conversation around, around to the cast following our typical pattern, right? So, we’re gonna have a round one conversation where we focus on the topic, right? What’s the problem? How important is this issue? Do we have any data or statistics that are worthy of sharing with our viewers/audience about the very real and mandatory part that security updates and patch management should play in our cyber defense stack. Right? Round two, we’ll come back around, and we’ll discuss personal and organizational recommendations and best practices around updates and patch management. And in particular, I know that our folks would love to hear what you are specifically doing to solve the problem here. So Lauren, why don’t you take us away? And what order would you like to go in?

Lauren Lev 
Okay, Frank, we’ll turn it over to you first. Like Matt said, let’s focus on how important the issue is and any data and statistics you have to offer today to our audience. Take it away.

Frank DePrisco
So, I do a lot of- I’m a lot on the compliance side. So, I do stock to IDC, Jus and HIPAA attestations and audits with third party accounting companies, for our partners. And it’s part of every audit, right? So it’s, you have to have an auditing and monitoring policy that identifies patches, needed patches, you have to set a policy timeframe for remediating those patches. So, we like to say, you know, critical and high patches need to be applied within five days, medium and moderate, within 60 days, and then low priority patches as needed. So, there’s a lot of times when patches can’t be deployed right away. And so, we should have a test environment, it’s very important to test them, and to have a rollback plan. So if something does go wrong, we have a plan to roll back. So, that’s what we help companies develop. That’s kind of the priority that we set. That’s what we use in our stock too. And the auditors find that acceptable, and a good, good timeframe to follow up.

Matt Tankersley
So hey, Lauren. And before we move along, let me, let me just say something about that. This is a daily thing, right? Most if you’ve been listening, you’ve heard this, if you haven’t, it’s important to understand that one of the primary origins of this campaign was clients that we love and serve and have been serving for years just consistently refusing or not understanding how to adopt best security practices. And it’s really ironic to me that right now, what we’re seeing is, as their IT, their trusted IT teams, they’ve been telling us for a long time, they’re not doing it. Now all of a sudden, the insurance companies are sending them questionnaires every year when they go to renew their policies. And guess what questions are on there? Do you have these remediation plans? Do you do all of these things? And guess what one of those is, patching and updates and what’s the timeframe and everything? So, I’m glad you mentioned that, Frank. And try as we might, as those trusted advisors, to get you all to make the right choices. We’re glad to see that the industry is rallying around us, including the folks that are insuring your business to keep it up and running, they’re on the same wavelength with us. Right.

Lauren Lev 
Alright. So Jeremy, what do you think is important for our listeners to be aware of for security updates and patch management?

Jeremy Sadler
Well, so, I do have one fun statistic. Well, one number anyway, not really a statistic for you, but I’ll preface it with this, right? Matt hit the nail on the head when he intro’d the topic that, you know, it’s more than just operating system updates. It’s hardware updates, it’s firmware updates, right? And it’s, and take that a step further for your operating system updates. It’s keeping your operating systems up-to-date so that they’re supported and receiving updates. Right? And, and we’ve seen the results of that year over year with things like the Equifax breach, right? 2017, 143 million, there’s your number for you, 143 million breached records, financial records, credit background, preventable by an Apache web server patch that wasn’t applied. Right? Third party software, but that’s, that’s the thing, right? And WannaCry, 2017 again, right? Big one that nailed us, totally preventable. If we got rid of the legacy Windows operating systems when we should have when they were, end of life and we kept up to date and patched, that would have never been a blip on the radar. The, you know, the net to that is of course, patch management. The issue with it is it’s, it’s across our entire system. It’s not just our PCs, it’s our systems, our firmware, our routers, our switches, our printers, our everything. If it’s online, it’s got to be maintained. It’s got to be effectively patched and protected.

Lauren Lev 
Absolutely. And just to add my two very non-expert sense in, as you were talking, given the penalties that companies face if they have breaches and their customers’ private information gets out- I learned more recently, thanks to security awareness training, Matt, that the amount of money they’re penalized for isn’t like, it can be in the 100,000s and even million dollar range and most companies can’t survive something like that. So, if it’s something as simple as what you guys are talking about, it seems like a no brainer to me over here. So, Dan, we’ll take it over to you. How can you help simplify this topic for our audience?

Dan Fay
Yeah, I think it starts with, probably even starts with a mindset of philosophy. So, starting with the mindset and philosophy of securing everything and everything needing to be updated, and think about it holistically, like not just think of a point system or operating system, or I just need to do these devices, it’s, it’s across the entirety of your environment, your entire infrastructure and stack. So, taking a very holistic approach and the mentality of either a zero trust mentality where trust nothing and then verify everything or make sure audit. Again, audits are super huge monitoring, and having some type of framework with remediation processes or with how to update it, make sure you do regular updates, make sure you have a test group, make sure that you set up the framework. Setting up the foundation, the framework of a good security practice for any company, regardless of the tool that you use is probably absolutely paramount before even going down the road of doing patch management. There’s, I mean, there’s different statistics around. One of the ones I know, I like it quite a bit and is like with different password managers, is Keeper actually does a full, like they’ve done a bunch of statistics over years worth of interesting data that they’ve collected. And one of the points that they make is like, 71% of SMBs have experienced at least one cyber attack. Granted, that number is probably higher, it also depends on what market vertical that you’re in. And with that, you have to be prepared, always vigilant, always prepared to make sure that everything is up to date. And if something were to happen, that you have a really good remediation plan, notification set up, and then action plan of what happens during that. So that way, you can at least isolate the incident, instead of it having, being completely, you know, infrastructure or system wide.

Matt Tankersley
I was trying to try to consolidate all of the three amazing thoughts you guys brought to the table and hopefully everybody’s listening, right? And how does this apply to you? Right? And I think there are too many people to go, well, this doesn’t apply to me, I’m just a small organization. And make no mistake, we have large enterprise clients with 1000s of seats on five continents, right? But, we’ve got lots of guys that are down the street running a restaurant and they’ve got WiFi with two APs in that thing. And they’ve got five IP phones in there. And they’ve got a POS system, which by the way, is transactioning a whole bunch of PII, if I’m not mistaken. And they think, Well, this is, this doesn’t apply to me and you go in their back office, and you see what their restaurant management platform’s running on, it’s Windows XP. I, you know, I don’t mean to pick on anybody, but this is, this is the point that I think I’m hearing everybody say, updates and patch management are not an option. And Dan said it, and I love the way I get to watch Lauren learn as we go through this entire series as the person on the outside who’s just moderating for all of us geeks, right? She’s learning as she goes, and you’ll see that light bulb go off. And you see a lot of things that keep coming up again and again and again. And Dan, well, you just said, that I know Lauren picked up on is right, is that security is a cultural mindset. And that came up really quick in one of our earlier conversations, and it also came up very quickly that it has to be top down. So, business owners and CEOs and COOs and CIOs and CFOs, it hits the bottom line, you’ve got to adopt this culture from the top down. And if you’re following our top cyber 21 matrix that starts with training, right, which is where Lauren picked up a bunch of her stuff.

Lauren Lev 
Alright, so let’s go around and discuss how your company helps organizations and end users achieve secure, reliable, trusted technology through automated updates and patches provided by MSPs, like TechOnPurpose. So Dan, we’ll have you kick us off.

Dan Fay
Yeah, no worries. So, JumpCloud has a lot of different things. So, it’s kind of hard to kind of squeeze it all together, but we, we basically help manage the entirety of the environment. So, it could be anything from authentication to radius to SSO. So, but with patch management, we have, you know, we work with pretty much any operating system, Linux, Windows, Mac. We have, basically policies, think of these akin to your GPOs. If you’re using Mac or Apple, think of it as your mobile, like your MDM, or your, you know, your security configs that you push down through MDM, with that we can actually manage when you do updates. What revision you want to do updates or keep updates for, we’re also releasing a lot of new products and features come q1. So, probably early mid Q1, we’re going to release a lot specifically over patch management. We’re going to be releasing a dashboard to let you know like, where’s your systems at, what version are they at? Again, this is entirely you can automate this entire process inside of JumpCloud. So that way, it kicks off everything for you. You set your security baseline, what your patch baselines want to be for Mac, you can do a delay. So for example, Monterey, Monterey came out, you want to delay that, you want to set up a test group, let a couple people test it before you actually send it out to prod across the entirety of the environment. You can totally do that. You can delay the updates 30, 60, 90 days, however long you want to. You can set up the specific groups, have a test group, apply those policies to that specific test group of devices and then whenever, again, this is your company policy, is whenever that, you feel that the testers have evaluated, everything’s come back great, you can then roll it up to production. The same thing can be done by creating multiple versions of, say, for example, the Windows update policy, you want people to update to say, the brand new latest build of Windows 10, whatever release it’s going to be, you could actually set a specific device group or all the devices and say, we are going to require you have to be updated by you know, this time for this group, etc. So, you have a lot of flexibility on how you roll up patches, and also how you enforce them. With some of the new Mac stuff that we’re building out, with Mac you’re going to be basically going to be updating the Mac OS systems, the users have to approve it with Monterey due to some of the new security changes. So with that, they’re going to be getting alerts saying, Hey, your system needs to be updated. And to a specific point, basically, we’re going to force them to update because at a specific deadline, whatever deadline that you set, you’re going to have to update, like there’s no questions about it. Because of that attack vector, the device is the gateway to everything. If say, if the device gets compromised, pretty much anything on that device, and whatever that device connects to, again, think of applications think of, you know, networks, think of file shares, think of all the different resources and pieces that you get access to, if that device is compromised, that’s a bad day. So in order to mitigate that, you want to be super proactive. And with JumpCloud, you can do that in a very automated, very simple, very easy fashion compared to a lot of different ways you’re trying to do it manually, which, don’t do it manually.

Lauren Lev 
Thank you, Dan. Frank, what is ConnectWise’s approach to security updates and patch management? And how do you all make it a priority?

Frank DePrisco
So, we have a team that meets on a regular basis to review vulnerability scans, and tests, things like that, and have rolled out a plan to implement those changes. We have it documented on our trust site. We’ve also created hardening guides. So they’re like, like that XP system probably shouldn’t be around much longer. We also have a tool automate, which can inventory what devices you do have, right? So, one of the things I didn’t mention when I first started is having an inventory of devices and host systems and where they are, is critical. Because if you don’t know what version anything is on, if you don’t have that inventory, or you don’t know where your vulnerabilities can exist. And then to some point, investing in upgrades to those products. So, there’s going to come the end of life. It’s worth the investment, a lot of times to get new products, cheaper than having a breach or having those vulnerabilities, you know, access there. So, I think the inventory management is a big part of what we do. And then internally, we have a whole team that reviews these on a regular basis and makes sure everything’s patched and updated. And we- it gets pushed to us, we don’t have control over, we can’t stop it. We see it running. So, that’s what they do to take care of us.

Matt Tankersley
Yeah. And Lauren, let me add some value there to that conversation, and it sounds like maybe you had something. You want to go first?

Lauren Lev 
Oh, I was just gonna say at a different company that I worked for here before, which was not anything in the tech industry. But it was a big fortune 500 company, one of the top three consulting firms, and they did not make us automatically update anything, they would give us the option. And if you were like me before any of my security awareness training, I did that until the last possible second to where my stuff was about to explode. And I had no idea that I was putting, like everybody, at a potential risk. And look at me, like a very low man on the totem pole at this organization. And nobody was automating anything, nobody was checking in, like nobody cared that I didn’t update my computer for months and months and months on end. So, it’s just, it speaks to even more how important this is.

Matt Tankersley
So, let me just follow up on what Frank said, we’ve long time been using the ConnectWise automate platform to keep track of inventory to do updates and patch management. By the way, the interface that you guys have for that is pretty amazing, because we’re not just able to do OS updates and scheduling that’s going to happen and do it by groups, much like JumpCloud does, which we’re a big fan of and using other environments as well. It’s a fabulous interface. And I’ll tell you what else I love, any kind of large scale automation, which is something that you know, JumpCloud does again as well, or you can do and you mentioned in particular upgrades. We had a client that came to us about three years ago that had 172 Windows 7 machines that they wanted to move into Windows 10. And they asked us to estimate what it would cost for our team to do that. And we came to them right away and said, Well, there’s about three ways we can approach that right. We can replace those devices and just give you new Windows 10 devices, which might be a whole lot cheaper than the time it would take us to, option B, manually touch and update all of those things, right? In the end, we were able to use the ConnectWise automate platform with a bit of fancy scripting, and basically with anywhere from 30 minutes to an hour and a half, depending on the CPU and processor on each device, completely an automatedly migrate machines from Windows 7 to Windows 10. So there’s, you know, there’s, there’s we talked early on about how you know, it’s not hard. Well, it really is hard. But, we’ve got these tools that simplify the process. And my guess is we probably saved them 40 to $70,000 in labor, by being able to automate that entire process across those machines.

Lauren Lev 
So Jeremy, what is your professional recommendation on the use of security updates and patch management technology? And how does JumpCloud fit into this conversation?

Matt Tankersley
You mean, Cyber Trust Alliance?

Lauren Lev 
I’m so sorry, Jeremy.

Jeremy Sadler
Oh, I got to talk for Dan now. All right, let me see.

– I think it was Dan, actually, in the first round, though, that I was gonna piggyback off of that mentioned, when you implement whatever settings or process or programming implement that auditing and validating and verifying is an important measure to that, right. That’s where Cyber Trust Alliance comes in. So, we partner with organizations MSPs, just like TechOnPurpose, that have customers that need audit services, security risk assessment services, sometimes it’s because the MSP doesn’t have that focus or that speciality that’s a really common challenge for MSPs. They are tech guys, they’re IT guys. They’re not necessarily security guys, other times they have those skills, but sometimes they’re sales barriers to having those skills when you’re also the MSP. You might audit your client and say you’re deficient in all these things, your clients’ first response might be, well, sure, you’re going to tell me that because you want me to buy all those solutions from you. Or the inverse is also true, your security is great. Well, of course it is, you’re running it. But, are you really being honest with yourself, right? So, we sell that, that objective third party analysis and objective third party audit and security review, right? That- we don’t sell services, we don’t even offer remediation, we sell transparency, we sell verification and auditing, right? Big component of that is the cybersecurity or the, excuse me, the software vulnerability scans, right, where we do internal and external scanning, we do asset specific scanning between servers and workstations and the rest of your land, inside and outside from the outside of your firewall, of course, you want to see your vulnerability as you’re exposed. But also, once an attacker potentially gets inside of your perimeter, what’s their opportunity to move laterally and spread throughout your organization as they’re going to do over time? And so that’s where we come in, right? We help to elevate that conversation and expose that. And again, as I mentioned, in round one about, you know, it’s not just about your OS patches, it’s not just about Windows updates, right? It’s your third party software, everything from your Adobe, they’re just as bad as Microsoft to your Chrome to your notepad plus, plus whatever, right? But it’s also your firmwares, your major OS upgrades going from Windows 7 to Windows 10. Now we’ve got windows 11, it’s out, it’s right around the corner, get ready for it, right, it’s going to need patches just as frequently, right. And then it’s your servers, how many organizations I scan, I don’t even want to count how many times I run scans and their windows patching is great. Their OSS are superb. And they’re running VMware ESXi, 5.5 or 6.0 still, and it’s like, guys, that’s your, that’s your entire core infrastructure exposed to vulnerability. In fact, if an attacker gets into your environment, or they’re running vulnerable iDRAC on the Dell server, everybody forgets about the iDRAC. And that’s walking right into console level access to your server. Right. So that’s, that’s what we do is we elevate the conversation to bring exposure and transparency to those kinds of issues to help the clients to understand just how important it is to again, and this goes full circle to the inventory piece, you got to know what you have, and you got to keep up with it and keep it all up to date.

Matt Tankersley
So you know, I think the moral of the story here is kind of usual, right? Cybersecurity in general, guys, it’s not an option to, it is a very complex conversation that hopefully we are simplifying for you by breaking down the pieces and parts and helping you to prioritize. Arguably, we’ve got steps one through 21. Anybody on this call could argue that number one should be number five, and number five should be number three. The point is, is we’re going to help you get started in that conversation and that journey and all paths are going to lead you here. We want to automate and secure so that your environment is as a rule secure, reliable and trusted. So you’re protecting your business, your staff, your employees, your partners, your livelihood, your clients, and we could not do it without all the amazing partners that we work with. I did think of one of the things Jeremy you talked about an A and a B, and maybe a C scenario of how you work with MSPs. And you talked about a lack of, a gap in skills, you talked about the third party validation component was sort of two faces on it. And then the reality that it’s oftentimes, you know, our case, right, is just bandwidth, it’s probably don’t have the capacity. It’s not that we don’t have the capability, it’s that we don’t have the bandwidth. And we really rely on folks like Jeremy and Cyber Trust Alliance to, to fill those gaps. And so, ConnectWise man, we founded our business on ConnectWise, we’d be lost without these guys. We submit to you that our clients are more secure because of that platform and their ability to use that more and more and more and more, we’re relying on JumpCloud to simplify the IAM side of things with their cloud based directory services. And now, we’ve got a secondary layer of patch management. If you happen to be one of our automated, automation subscribed clients, right, we’ve got both of those tools at your asset. Both of those tools are doing inventory, right. And thank God, we’ve got folks like Jeremy and Cyber Trust in the background, helping us with penetration testing, and those kinds of reports and audits and analytics. So, Lauren, unless you’ve got something else before you close this out, let’s just send it around the room one time for any closing thoughts on, you know, the role of TechOnPurpose, Who’s In Your Cloud, the value of this program, and more importantly, just final thoughts that you guys have on the topic.

Lauren Lev 
Yeah, I’ll go Hollywood Squares or feel free to chime in whenever. But Dan, I guess we’ll, we’ll have you go first.

Dan Fay
Sure. Yeah, so yeah, it’s cybersecurity when you first, you know, approach it could be daunting. But yeah, I think when you take a look at it, think of usually I say like, think of two major pieces. The business, of course, your business that you’re running, or the business that you’re a part of. And the second piece is the actual humans that work in your company, your colleagues. You want to make sure that both are protected, make sure that company assets are protected. And also make sure that the personal identity, you know, the personal, sorry, the personal information, the identification information of your employees is also secure. Keep that in mind, HR systems, devices that have information like that, they give it holistically, so approach it with just the mindset of don’t trust anything, and verify everything. If you know that something’s not up to date, update it, or put in a policy to add it to your mitigation or your updation policies. It’s super key to make sure that not only you yourself as a person, your colleagues as people, as well as your business. So that’s, that’s my, my main thing is keep, keep the whole picture in mind.

Jeremy Sadler
Dan, I got to jump on that real quick. I love what you said there. One of the things I wanted to, I wanted to add to that, right is that you maybe think about, you talked about protecting your people. And that makes me think about, you know, patch management, patching your OS’s is important patching your software, you also got to patch your flesh ware, right? We do that through security awareness and training, right, but you got to you got to patch your people, you got to improve their security posture on a regular basis to and then, you know, the other the other comment I was gonna make before I, before you made me think of that was just, you know, don’t put it online, unless you’re gonna have to accept the responsibility of managing and maintaining it and patching it over time. Right? It goes hand in hand with your inventory management, you know, you got to figure out what you have. You got to manage what you have. And as you’re doing all of that, and you start to realize that yeah, that can be a little bit cumbersome sometimes. You also have to start thinking about, you know, this rush to IoT, this tech implementation race that everybody seems to be into, and making smart decisions about everything you put online. It might be easy to plug into your network today. That’s a responsibility you’re plugging in to manage and maintain long term. Make sure you’re tracking that inventory and tracking that software.

Matt Tankersley
I’ll tell you what’s interesting as we get ready to give Frank closing comments, again, aligning some conversations from our prior topics. I love what Ivan Paynter from Intelisys said last week, about the current environment that we have where it’s not just BYOD, but it’s BYON: bring your own network. And so, when you think about it, you’ve distributed this workforce out of the home office, and you’ve given them this protected device with protected information. What are they plugging that into? Or plugging it into their network? And you said IoT, and it didn’t dawn on me the other day. The reality is, that 60 inch big screen TV and the other room is a smart TV. Right? And it’s got vulnerabilities, it’s got patches, and my guess is that none of us even on the IT MSP side of things, as a rule, are we thinking about patching someone’s home TV, right? I promise you we’re not. Should we be? I got a feeling we’re heading in that direction, right? So that if you’re going to be part of a remote, bring your own network, how are we segmenting those company devices from the rest of your environment and doing that cost effectively, that’s secure? But, I love how we each are able to feed off of each other in the conversation and hopefully add some value for you folks that are listening out there. Frank, any final thoughts on the topic?

Frank DePrisco
Yeah, I’ll just go back to what you said about it being a journey. So, security it’s not, it’s a point in time, yes. But it’s a journey to keep it updated. You know, we created our advanced training courses last December. We’ve done 12 months of them, we’re gonna do it another 12 months, but we have to go back and rewrite the content in the training materials, because things have changed over the last year. Every time you bring a new person into your organization, that’s change in your organization that can hopefully positively only affect you, but can definitely be a negative there. So, it’s a journey to find. So, you have 21 of these sessions. Once you get through 21, you could probably go back and redo them all, have new content, learn new things. So, we call it the security journey we talk about all the time at ConnectWise, and it’s just what we do as our culture.

Matt Tankersley
Yeah, man, we’re grateful for that. And you know, another Lauren, you remember from our last week episode, right? That, or maybe that’s next week’s episode because of our recording schedule. But, you know, we talked about it, it was a lightbulb I had when someone said something similar, Frank, we look at attorneys and engineers and people that have to do this annual continuing education thing, they got to do an X number of hours to keep their licenses. And if you think about it in the cybersecurity world, this is an hour by hour, minute by minute, day by day thing. Continuing education is non stop. It really is. And we’re grateful to have partners like you, that are, that are orchestrating that conversation, Frank. Thank you for all you do.

Frank DePrisco
I can just add one more thing real quick. There’s, there’s a podcast called the DarkWeb Diaries or DarkNet Diaries, and they talk about zero day vulnerabilities and how these large companies’ employees are finding the vulnerabilities. But it’s more beneficial for them to take these to nation states and sell them and their own companies are going to pay them to fix those. It’s really an interesting topic. If you get a chance. It’s DarkNet Diaries. It’s really an amazing podcast, just I don’t know who he is, I’m just kind of hooked on it.

Matt Tankersley
Well, each of you has been here in the past, for the most part, I mean, your organization’s. And, Jeremy, I’m confident we’re gonna have you back as well, because we got a long way to go and compliance is coming up, you know, down down the list there for sure. Not because of, by the way, for clarity, not because of lack of importance. But because of complexity, right. And the number of people that are bound by compliance factors, right. There are fewer people that are but we’re excited to have you there for that. Teams, thank you each. Thanks to the folks that helped us put this thing together, that they’ve been showing up for all these other episodes. And Lauren, why don’t I let you close this out?

Lauren Lev 
Well, Frank, Dan, Jeremy, Matt, we could not have done it without you. And a big thank you to our audience for joining us today as we’ve uncovered the importance of security updates and patch management. So, if you would like a free trial from any of our solution partners, send an email to . And like we mentioned earlier, you can sign up for our free cybersecurity assessment by visiting whosinyour.cloud today. So, join us next week as our incredible cast take a deep dive into EDR and endpoint security and its increasing importance in today’s changing workforce. Sending us off once again, I’m Lauren Lev, Marketing Manager for TechOnPurpose. And remember, you can catch every episode of Who’s In Your Cloud by following TechOnPurpose on LinkedIn, Facebook, YouTube, and Spotify. Or to make it easy on yourself, sign up for our blog to have episodes delivered to your inbox weekly at techonpurpose.net/blog. And it’s Thanksgiving in a few days and I know a lot of us will be traveling, so there’s no better way to spend your commute than catching up on all five episodes of our series. I know I’m full of great ideas. So, thanks for joining us, and we’ll see you all next week!

Matt Tankersley
Thanks everybody!

 

Ready for your free cybersecurity survey? Discover potential vulnerabilities for your business and get a copy of our #TOPcyber21 Best Security Practices to help get you started on the road to #secure, reliable, trusted technology! Subscribe to our blog to get episodes of “Who’s In Your Cloud?” delivered direct to your inbox weekly.
Claim Your Free Cybersecurity Sruvey