Episode 338


Time sheets. Taxes. Annual reviews. There are some things we don’t love as agency owners and leaders. Cybersecurity and compliance are absolutely on that list. But much like taxes, it’s a necessary evil today. The risks are too great, and the reality is – our clients are going to demand it. We’re far better off to get out ahead of it before we’re asked.

Even my guest, Nathan Maxwell, refers to cybersecurity and compliance as “necessary evils.” But, as the CEO of CCITeam, Nathan also knows better than anyone that in a world filled with data breaches, security risks, and unpredictable online attacks, avoidance simply isn’t an option.

Nathan isn’t one to sugarcoat the daunting realities of implementing solid defenses, navigating cyber insurance options, or tending to the growing list of compliance concerns we’re all getting from our clients. But during our conversation, he reminds us that those processes, while painstaking at times, are never insurmountable. In fact, when we take the time to do these things the right way, our efforts won’t just make our companies safer — they’ll make them better.

Founded in 1995, CCITeam (formerly Communication Concepts, Inc.) is a full-service cyber security, compliance, and IT firm headquartered in the US heartland. President and CEO Nathan Maxwell saw an important unmet need for a quality IT and cyber security provider that treated its clients more like family than just a ‘number’. With over twenty years of experience in enterprise-level corporations, Nathan founded CCITeam on four core principles: care, ownership, sharing knowledge, and loyalty. These principles are what make CCI one of the most trusted managed IT and security providers in the region.

A big thank you to our podcast’s presenting sponsor, White Label IQ. They’re an amazing resource for agencies who want to outsource their design, dev, or PPC work at wholesale prices. Check out their special offer (10 free hours!) for podcast listeners here.


What You Will Learn in This Episode:

  • What effective cybersecurity looks like for agency operations — and why you should care
  • The risks every business should be aware of (yes, small agencies too)
  • How cybersecurity and compliance are the same, and also very different
  • Why your policies need to match your practices and how to make sure they do
  • How your employees can either strengthen your cyber defense…or be its greatest weakness
  • What to do to protect your business from big risks — including the ones lurking in your inbox
  • When to start shopping for cyber insurance and how to know how much you need
  • The ROI for agencies who “do all of this right”
Quotes from this episode:

  • “Cybersecurity is kind of a necessary evil right now.”
  • “These conversations are good, helpful conversations — even just in helping businesses mature and do things the right way.”
  • “In all likelihood, a breach is caused when a policy is violated.”
  • “Write something down, make it readable, and be done with it. A policy is better than no policy.”
  • “Ultimately, this process makes you a better company.”

Ways to contact Nathan Maxwell:

Resources:

Speaker 1:

If you’re going to take the risk of running an agency, shouldn’t you get the benefits too? Welcome to Agency Management Institute’s Build a Better Agency podcast, presented by White Label IQ.

Tune in every week for insights on how small to mid-size agencies are surviving and thriving in today’s market. We’ll show you how to make more money and keep more of what you make. We want to help you build an agency that is sustainable, scalable and, if you want, down the road, sellable.

With 25-plus years of experience as both an agency owner and agency consultant, please welcome your host, Drew McLellan.

Drew McLellan:

Hey, everybody, Drew McLellan here with another epic episode of Build a Better Agency.

You know, we’re going to cover a topic today that I think is super important, but I can’t decide if you’re going to love me or hate me by the end of the episode. So I’m a little leery, the guest is going to be awesome and I’ll tell you a little more about him in a minute, but the topic is a tough one. And so it’s tough because we don’t want to do it. And it’s tough because we kind of need to do it because it puts us at real risk.

I guess that’s enough teasing at that topic. So let me just tell you this. Nathan Maxwell is my guest’s name and he is an expert. He’s a consultant and he works with lots of agencies on helping them get cyber compliant. So a lot of times when you are pitching a big brand or you’re filing for cyber insurance, you get this checklist of things that you need to do.

And a lot of agency owners look at that list and go, “I don’t even know what half of this is and I don’t know how to do it. And I don’t know how expensive it’s going to be.” And it can really be a deer-in-the-headlights moment for a lot of agency owners and leaders.

And so I asked Nathan to come on the show and just kind of give us some 101 basics of what it is that we need to be thinking about and doing and all of that. I will also tell you that Nathan is going to be at the Build a Better Agency Summit in May; he’s going to be one of our breakout speakers. So if this is a topic that is important to you and you think after you listen to the episode, A, that guy knows what he’s talking about, which he does, and B, he actually spoke in regular English for the most part, which he does, and C, I’d like to learn more from him, which I think you will, the Summit may be the place to do that.

So it’s easy to get to. In terms of where you buy tickets, just go to the AMI website, agencymanagementinstitute.com, and in the upper left corner is a BABA Summit navigation for Build a Better Agency Summit. Just click on that and you can register and you can learn more from Nathan, because I think after this episode you’re going to be a little freaked out. You’re going to be a little scared, but you’re also going to realize that this is not optional for us anymore.

I think a lot of us think it’s optional still and I think that that’s probably not the case. So if you want to learn more from Nathan beyond the episode, the Summit would be a great place to do that.

All right. I have so many questions for him. I know I could talk to him for three hours, so I want to get right to the show. No more chit chat from me. Let’s just get to it.

Nathan, welcome to the podcast. Thank you so much for coming on the show. I feel like this is a topic we have a lot to talk about.

Nathan Maxwell:

Drew, it’s a pleasure to be here. Thank you so much for having me.

Drew McLellan:

So give everybody a little bit of background on how you come to know all this stuff that I’m about to ask you and how you got into the position that you’re in. That would be great.

Nathan Maxwell:

Yeah, absolutely. So, Nathan Maxwell, 20 years in the managed service provider, cybersecurity, compliance space. All that to say, I have spent a long time, many years, helping businesses function from a technology standpoint and stay safe, and now, with the pressure that compliance is putting on many of us, just assisting with those pain points.

I have run CCITeam for those 20 years and I’m located here in the Midwest, in the Kansas City market.

Drew McLellan:

So let’s talk a little bit about how or why agencies should care about this. Like, I have a lot of agency owners who, as you and I were talking about before we hit the record button, it’s not like everybody’s like, “You know what? I really want to get ahead of this. I want to invest a bunch of time and money and get my cyber house in order.” So what happens that makes someone call you?

Nathan Maxwell:

Absolutely. Yeah, so that can be a nice long answer here. So from a history standpoint, everybody remembers the Target breach from however many years ago, and that was a watershed event.

Drew McLellan:

Yep.

Nathan Maxwell:

And big business went, “You know we have some very significant risk. We have gaps. We have this black box of unknowns as a result of our subcontractors, our vendors, those that we are hiring and bringing into our environment.” And that just started this ball rolling. And the snowball just built and built and built. And that’s why Drew, you and I are having a conversation right now.

Because those of us, and I’ll just paint with a broad brush and say small business, small agency owners, are now getting hit with, hey, I have a client. I provide good work for them. I’m doing a really good job servicing them, and they turn around and they send me this questionnaire with all of this technical, policy-based cybersecurity stuff that I’m supposed to fill out. And I can hardly even read it, let alone know how to answer it.

And so that’s really the impetus for this conversation. And sadly, like you said, right, it’d be really nice if all of us are forward leaning, forward thinking and like, “Hey, let’s get ahead of this.” But generally speaking we’re so busy running day to day ops and taking care of customers and all that. It’s just one of those things we don’t get the time for until it’s dropped into our inbox and somebody starts a clock and goes, “Hey, can I get this back from you in a week or two?” It’s not a fun thing.

So who’s likely to ask us that question, “Hey, I’m going to give you a checklist and I’d like to get your answers back, or proof points that you’ve got all these things covered, back in a week or two.” That’s a growing list. Right now we’re seeing larger businesses doing this because they have a risk management department that is responsible for, you guessed it, managing risk.

Drew McLellan:

Right.

Nathan Maxwell:

And so they are taking a look at suppliers, vendors, subcontractors, and they’re saying, “Hey, we’re doing all of this stuff. You’re doing it too. Right?” And you know, a lot of us are like, well, right or maybe we’re doing it, but unofficially, like we can’t prove it.

Drew McLellan:

Right.

Nathan Maxwell:

Right. Maybe we’re following these best practices because some of them are just straight-up logic, and we can’t prove it. We don’t have the policies to match our practices. Like, there’s all of that. So certainly it’s coming upstream from a client standpoint. The other area that’s really moving the needle is cyber insurance. And honestly, Drew, five years ago I would talk to a potential client, I would start talking about cybersecurity and risks and risk assessments and all this, and they would go, “Eh, no, hang on. We’ll just add a $50 rider to our policy and we’ll bolt cybersecurity on there.”

“And we don’t really care, because if something happens, they’ll just pay us.” And that doesn’t work anymore, because the insurance companies are really tired, and we’re seeing denied claims as a result of negligence, because it’s like, you’re not doing this and this. And maybe you told them you were, maybe you didn’t, like, who knows? That’s off in the weeds, but cyber insurance is moving that as well, because they’re really tired of just paying and paying and paying. And they’re starting to ask their clients to follow some best practices in this realm.

Drew McLellan:

So when we start talking about checklists and best practices, what are they asking us for?

Nathan Maxwell:

All kinds of stuff. And this is the silver lining. Okay. And I am biased because this is the business I’m in. And this is a service that we provide. But cybersecurity is kind of a necessary evil right now.

Drew McLellan:

Right.

Nathan Maxwell:

You know, and again, that’s certainly tongue in cheek, because ultimately cybersecurity done right is not a bad thing. And I’m lumping cybersecurity in with compliance and I’m using those terms synonymously, because they really are. So somebody gets this, let’s say me as the example. I get this email from a client of mine and they say, “CCITeam, you’re doing all of blah, blah, blah, blah, blah.” And it could be anywhere from 50 to 250 of these different questions where they’re saying, “You’re doing this, and you have a policy that covers this, and you’re doing that.” And again, page after page after page.

There’s a… I won’t say the name of the company, but there’s a large company that, tongue in cheek, affectionately called their cybersecurity department, “The department of revenue prevention,” because it was seen as the department of No. And this whole compliance conversation has really morphed into what I see, again, admittedly biased, as being a good thing for companies to address.

You know, a really great example is, do you have a policy that says, “We terminate accounts for employees within four business hours of the time they leave the company”? That’s the policy. Then, yes, you assess against it and all that. But how many times have we been in some system six months later and been like, “Hey, what’s this account still doing here? That person left eight months ago.”

Drew McLellan:

Right.

Nathan Maxwell:

So these conversations are good, helpful conversations for businesses, just in helping them mature and do things right, because that, like, “Oh wow, somebody had access to the system for six months after they left,” is really not a good thing to discover.

Drew McLellan:

Yeah. Right. So on both the compliance and the cybersecurity side, what are the two or three top things we can just bang out? Like, here are some basic things you can do on each side of the ledger that just put you in a better position, safety-wise, security-wise. If somebody ever hands you the checklist, at least you’ve got a little bit of a start.

Nathan Maxwell:

Yeah, so absolutely. There are different checklists that different businesses use, but there’s common ground on all of them, because they’re talking about best practice in running your business and your operations, your cybersecurity, your policies and things like that.

So to jump right in, multifactor authentication is mandatory no matter what framework we’re talking about, and a framework is really a set of policies, of questions, of documents. And there are tons of different frameworks, absolutely tons of them, but across all of them, the low-hanging fruit is multifactor authentication. And it’s something we’re all familiar with.

I’m going to log into this system so that’s a password and then I’m going to provide something else to authenticate myself. Authentication is proving who I am.

Drew McLellan:

Right.

Nathan Maxwell:

And there are three ways that we authenticate. What we know, which is going to be like a password or something. Now I’m getting off in the weeds on there, but we can provide-

Drew McLellan:

No, no, no. Finish the other two. What we know-

Nathan Maxwell:

Okay. What we know, what we have and what we are. So what we are would be like an iris scan, a fingerprint scan. I mean, it gets all into, like, voice, and there are all kinds of ways to do it.

What we have, what we possess, would be a phone. It would be like a-

Drew McLellan:

Email address?

Nathan Maxwell:

Yeah. That goes over, so that’s a little bit different, but we can get tokens that plug into our computer via USB, different things like that. Like, only something that we possess, and that would help with that authentication. So multifactor everything: your email, all of your accounts, everything needs to be multi-factored. There are management challenges with that, there are all kinds of things. But every framework out there, from PCI to HIPAA to NIST CSF, on and on and on, multifactor is a given on all of them.

Drew McLellan:

I can hear the agency owners now. Some of the challenges of that are, now you’ve got it tied to people’s personal cell phones, and you’ve got the accountant trying to log into the credit card, but the credit card’s tied to the agency owner, la, la, la.

So what’s the fix to that? Because I think a lot of the reason why people don’t do this is because they go, “Oh no, no, I don’t want to do that.”

Nathan Maxwell:

Yes. And nothing is pain free. Right. I absolutely get it; your examples were good. Let’s continue that extreme. Right? How about the union employees where the contract specifically says the company has no access to the phone. Nothing happens on this phone, and it is a contract, right. It’s not just like, “Oh, so-and-so’s uncomfortable with this.” Like, it is a flat-out contract-

Drew McLellan:

Right.

Nathan Maxwell:

There are absolutely ways to work through all of that. Absolutely ways. You can issue that key fob to the staff, that key fob that generates the codes, that gets plugged in; there are different ways to do it. You can issue those if the cell phones are out of our scope for an engagement. There are lots of ways. Password vaults, okay.

Password management is another thing that’s really, really critical. You know, do we have good, solid randomized passwords across the board? None of us are smart enough to correctly practice good password hygiene. So we’re going to be having a password vault, right. It’s something that you need to provide to your employees. You need to audit to make sure they’re using it. And to be specific, we’re talking like a LastPass or 1Password or something like that.

Drew McLellan:

Right.

Nathan Maxwell:

These tools have multifactor functionality built into them. So without getting too technical, we multifactor into our password vault. Right? So that authenticates me, and then the password vault can even have some shared credentials that have multifactor tied to them in the vault.

Drew McLellan:

Okay.

Nathan Maxwell:

And it’s like, well, wait a minute, Nathan, you know, are we defeating multifactor? Well, no, because I’m multi-factored into my app. So there’s my two pieces for authentication. And then we have whatever the service account is, or use the example of a credit card processor with the account and stuff like that.

Drew McLellan:

Right.

Nathan Maxwell:

There’s ways to do it. We don’t throw out the multifactor just because it’s a pain point.

Drew McLellan:

Yeah. So one of the other things I think agency owners think is, they’re like, you know what, we don’t have client credit cards. We don’t have HIPAA-level health data. We have their login to their Facebook account, or we have the blah, blah, blah, blah, blah. Do I really need to do this? Like, do I have sensitive enough information that I’m at great risk?

Nathan Maxwell:

The answer is yes, because you still get that email, that special email still comes down, and there will be screening questions in there. Do you have this? Do you have… It depends on the vendor and how detailed that screening is. But in general, you’re still going to get the email, and yeah, you know, there may be fewer questions if you’re like, we’re not processing payroll for you, so this doesn’t matter.

Drew McLellan:

Right.

Nathan Maxwell:

But they still want to know that you are… you know, that the due diligence is in place in order to take care of their data. And here’s the challenge. I, and it may just be, you know, what I see, from a visibility standpoint, because I’ve not seen, like… let’s say Google’s parent company, Alphabet. I’ve not seen, hypothetical situation, the risk assessment and the audit that they do against their payroll processor, where it is deliberate and large and specific.

Drew McLellan:

Right.

Nathan Maxwell:

But the questionnaires that I see that come down to those of us that are smaller businesses, I look at it and I go, “What? Like, really, all of this for my type of engagement with you?” And it seems like overkill. So it’s a tough thing. There are no easy outs on this.

Drew McLellan:

So when a client presents you with, sorry, sorry. I have so many questions. So on the compliance side, we’ve got the multifactor verification. What’s another easy one that we can do that just checks it off the list?

Nathan Maxwell:

Just some real basic policies. There are a number of frameworks, I mean, we’re talking like government that audits against it and stuff like that, where they will hit you harder for a policy violation than they will for a breach. And in all likelihood a breach was caused by a policy violation.

Drew McLellan:

Got it.

Nathan Maxwell:

But the goal is, follow your policies, and so usually my engagement with a client in this realm is also helping them draft policies. And so a policy is better than no policy. Right. And we can be like, well, let’s have this reviewed by attorneys and let’s have it cover every scenario and situation. It’s like, no, write something, make it readable and be done with it. Right? A policy is better than no policy.

And so, going back to the employee termination. A paragraph, two sentences that says, “All employee accounts are terminated within four hours of the employee’s departure.” That’s a policy, and then, yeah, you need to be able to prove that you’re doing it and prove that you’re following it.

Drew McLellan:

Right.

Nathan Maxwell:

But that’s really pretty easy, all right. I’m a simple, short-sentence kind of person. So let’s create something, because in an engagement, when you’re having this cyber insurance questionnaire, when you’re having one of your customers or clients push this down on you, they’re going to ask for these policies, right. Like, put them up, send them up, and if they don’t like them, let them push them back to you. And we’ll rework them. We’ll tweak them. We’ll enhance them based on the gaps. But that happens very, very rarely.

Drew McLellan:

Yeah. They just want to see that you have something.

Nathan Maxwell:

Absolutely. Right. Something is better than nothing. And then the question is, are you following those? Are they sitting in a binder collecting dust, or is it a living document that you’re actually following?

Drew McLellan:

So in an agency, let’s say of 25 people, who owns this responsibility? You don’t have a CTO, right? So typically you have somebody in the office who’s sort of computer savvy. And they’re the one that gets called when somebody’s computer fries, or they have to set up a new computer for an employee, or maybe they’re even the HR person, but most agencies don’t have someone that has, like, a sophisticated level of knowledge. So typically in a small business, who do you see owning this?

Nathan Maxwell:

Great question. These questionnaires, first page, they’re going to ask you to identify a compliance officer. We’re small business people; we know how that works. What do we do? We just point at somebody and we add a hat on top of the stack.

Drew McLellan:

Right.

Nathan Maxwell:

And usually it’s an operations person. You know, usually it is that person that has to order the computers, or that, when the internet connection goes down, is the first person to walk to the back of house to figure out what’s going on. Most of us don’t have a Chief Compliance Officer.

We have that operations person, we have that office manager, we have somebody that’s kind of detail oriented and can kind of help move the needle on this.

Drew McLellan:

Yeah. Okay. And how would they even know where to start? If you’re not sent the checklist, if somebody’s actually listening and going, I’d kind of like to get ahead of this, where do I go to even know what that means?

Nathan Maxwell:

Absolutely, and that is a really good thing, because the first time you work through this, it’s the heavy lift.

Drew McLellan:

Yeah. Right.

Nathan Maxwell:

Okay. Every time after that, you know, I would love for my industry to be so mature that we’re like, “You know, we’re assessing against CIS, but you’ve gone through this over here. And really there’s a lot of crossover. I will just happily accept everything from over here.” And it doesn’t work like that.

Drew McLellan:

Right.

Nathan Maxwell:

You still fill out all the checklists, you still make sure that your policies line up and are titled correctly. You’re like, “No, it’s still a challenge,” but it’s so much easier if you are that agency owner and you are like, “Okay, it’s a matter of time.” Then you start working. You know, we talked about the low-hanging fruit, start doing… like, that’s the sort of thing, I would love to have that conversation.

If the person is wanting to be independent, work on their own, then, you know, start plugging into some cybersecurity circles, start going, okay, you know, I’m going to educate myself on cybersecurity best practices. Google’s your friend on that. Take a look and go, “Oh, here’s the checklist of 20 things that we should be looking at.”

And so you’re going to work down through them. 15 of them are going to resonate, go like, “Yeah, my business came up with this.” The one that says