In this episode, Adam Pilton from Heimdal discusses his role in educating and supporting MSPs and small businesses on cybersecurity. He shares his unique perspective drawn from a 15-year career in law enforcement and as a Cyber Essentials auditor. The conversation covers the importance of storytelling, recognising and mitigating risks, maintaining cybersecurity standards like Cyber Essentials, and building trust-based client relationships. Practical strategies for engaging clients and the necessity of continued education on cybersecurity threats are also highlighted.
00:00 Introduction and Guest Welcome
00:25 Adam’s Background and Role at Heimdal
02:26 Challenges Faced by Small Businesses in Cybersecurity
06:52 Importance of Storytelling in Cybersecurity
12:18 Cyber Essentials and Frameworks
24:50 Client Relationships and Trust
31:55 Conclusion and Contact Information
Listen on Spotify or Apple Podcasts
Connect with Adam Pilton on LinkedIn by clicking here – https://www.linkedin.com/in/adampilton
Read Adam Pilton’s newsletter at – https://www.linkedin.com/newsletters/the-cyber-detective%E2%80%99s-notebook-7389285479634075648/
Connect with Daniel Welling on LinkedIn by clicking here – https://www.linkedin.com/in/danielwelling/
Connect with Adam Morris on LinkedIn by clicking here – https://www.linkedin.com/in/adamcmorris/
Visit The MSP Finance Team website, simply click here – https://www.mspfinanceteam.com/
MSP Glossary: MSP Finance Glossary Explained | MSP Finance Team
We look forward to catching up with you on the next one. Stay tuned!
Transcript
Dan: Adam, welcome to the podcast.
Adam Pilton: Thank you really, really pleased to be here.
Dan: And Adam, we’ve already pointed out in our conversation in the green room that we are gonna have to refer to you and other Adam in order to know who we’re addressing. So, so for the next 20 minutes or so, you will be Heimdal Adam, versus finance team Adam. So, so Adam.
Heimdal Adam, that is, you’ve got a really interesting role with Heimdal, uh, which is convenient given that’s your name. But tell us a little bit about how that came about and, and the sort of things that you get involved with day to day.
Adam Pilton: Yeah, certainly. So, as you know, my background is in law enforcement. I was a cyber detective and led the COVID operations management unit for the, for the police service police officer for 15 years. And then I moved into the private sector where I then went on to work as a consultant and helped multinational businesses.
Before they move into, we call it the largest certification body in the UK. I imagine most of the people on this podcast will know who that is. But I work for them as an auditor for Cyber Essentials and Cyber Essentials Plus, and throughout all that time, throughout all those varying roles, it’s given me a completely unique perspective on cyber-crime.
So from dealing with victims, whether they be individuals, whether they be businesses, investigating the cyber-crime itself, arresting cyber criminals, taking them to justice and then say moving forward into the businesses, helping businesses put up the controls that then stop these cyber criminals. Whether these businesses be well equipped with resource money to be able to implement controls or latter stages of my career where it’s smaller businesses that really don’t have the time, money, and to be fair, sometimes the motivation to do too much because they’re too worried about focusing on generating income themselves.
And cybersecurity is really lower down the pecking order. So my role here at Heimdal is to bring all of that together, those experiences, that knowledge to the table, to essentially educate MSPs, small businesses, anybody and everybody really, but ultimately MSPs, ’cause these are the guys and girls that are frontline and essentially gonna be helping small businesses implement cybersecurity. So I do that via webinars, blogs, talking on stage and things like this. Attending podcasts and speaking about it, how I can help cybersecurity be implemented across businesses and my belief, views and experiences with that.
Dan: Brilliant. And lot, lots of, lots of interesting questions already on my mind. I guess the, the first one and where you finished was around the storytelling piece because I think that’s one of the, one of the key, you know, you hear about large company with a particularly challenging situation, and you’re like, well, they’re not gonna be interested in little old me or my business. And, is that your experience as well? Sort of the starting point there to have relevant stories?
Adam Pilton: Yeah, exactly that. And unfortunately that is a case, a story that we’ve all seen many times, isn’t it? Small businesses just simply don’t believe that they’re worth targeting. Whereas in actual fact, and from my experience as a police officer, I can tell you on a daily basis, the cases that were coming across from a team’s desk were exactly that: small businesses being hit for, on the grand scheme of things, minimal amounts of money, like looking at 10,000 pounds or less. But that’s enough for a small business to cause potentially serious problems. But it’s enough to impact that business. And it’s also just under the threshold to actually be of real interest to media and in terms of police investigations, we’re not gonna put all the resources into that volume of crime because there’s so much of it. So yeah, the Marks and Spencer, the Jaguar Land Rovers, they get the headlines, they get the resources in terms of, uh, investigations. But the reality is cyber criminals make most of their money where they’re not being watched, which is small businesses.
Adam: And is there any data available anywhere to use as evidence for this that MSPs can get hold of?
Adam Pilton: Yeah, certainly. So I would suggest looking at the Action Fraud website that they’ve actually got, a database there that you can manipulate to show the information you want. In term, I don’t mean manipulate in the wrong way, but in terms of apply filters so that you can look at particular geographical region of the UK, for example, or industries, that kind of thing, not manipulate the data.
Don’t do that.
Adam: And so that information will actually reveal X number of small businesses that were hit with kind of financial ransomware, and the outcome of that as well, or it wouldn’t go into that detail?
Adam Pilton: Yeah, so categorized at a high level. So you can look at the types of attacks. So for example, a category could be fraud. And then yes, you could look at the outcomes in terms of investigated, no further action. I believe they’ve got an outcome as well for like the, going through court.
I can’t remember what the technology is now, but yeah, so those are some of the filters you can apply.
Adam: Great.
Dan: And that perhaps gives some statistical weight to, to a discussion that an MSP might be having with a, with an MSP. But as we know, uh, 87% of all statistics are made up. So, are there more, more realistic stories or sources of reference available? Maybe, um, Daniel’s Fish and Chip shop had a, uh, had an incident and this is how it affected Daniel and, and all, all of Daniel’s suppliers and staff.
Yeah, so some, something like that, as a more, more relative example.
Adam Pilton: Definitely. Yeah. So, and what you said there about the stats is pretty much exactly my point. If you think about the majority of cybersecurity presentations you’ve been to, whether it’s in person or webinars, et cetera, you get, hello, my name is X and here’s a load of stats for you. And the stats always paint the most horrific picture.
And like you say, I’m sure the majority of them are accurate to, to some degree, but you know the stats, they’re never gonna be telling you that everything’s good or they’re never gonna highlight an area it’s good. It’s highlighting a problem which they then go on to talk about and there’s nothing wrong with that. However, it means that every single cybersecurity talk that you go to pretty much always is the same, that same thing. And that’s why I think storytelling’s really important.
Now you mentioned, are there any stories. There’s loads and unfortunately they keep cropping up. And, if we think about the same time that the Marks and Spencer incident happened, we also heard about the haulage firm that was, I think it was like 158-year-old business. Then essentially they were hit by ransomware. It encrypted critical financial data. They couldn’t recover it. There was no way out. And essentially the business folded. It had been round for say, over a hundred years, but it was no longer able to survive. That actually happened two years before Marks and Spencer’s, but nobody cared until Marks and Spencer came out and cybersecurity was top, top news, and everyone was interested in cybersecurity. And that’s exactly the point. 2-year-old story then becomes relevant because of a big name. And there’s so many stories out there like that. And obviously yes, that one being 158-year-old business going, going bust from cybersecurity, that is a good story for the media. But it happens day in, day out.
It’s not always interesting. It’s not always sexy to, to read and hear about or watch, but it very much is the truth.
Dan: And, in quotes, good story that you mentioned. You mentioned there in a recent, uh, event, we were discussing about how tricky this topic is to, to broach because not everybody wants to be a doom, a doomsayer and, you know, how do you make this a positive? Yeah. So that it’s not volcano insurance and, and how do we, how do we approach the SME that, that again: wow, that’s a small business, and it happened to them, so it could happen to me. How do we, how do we then make it accessible? The challenge and then the solution.
Adam Pilton: Yeah, certainly. So one of the things I always say is that cybersecurity is a journey. Yes, there’s gonna be different milestones along that journey, whether it be frameworks like Cyber Essentials or ISO 27001, what, whatever it may be. But it’s very much a journey. You will never get to the end of it, but you have to start it. That is the only, um, positive thing, the definite thing that’s gonna happen within that journey. Now, along that journey, and this is something I speak to lots about MSPs and I’m part of numerous different groups that meet up and talk. And one of the things that MSPs say that they’re struggling with, and small businesses too, when I’ve worked with them is that they don’t have the money, they don’t have the resource, the budget for expensive flashy tools. So what quite often happens is MSPs will have different bundles or packages that’ll have the basic one, building all the way up to, let’s call it premium three. Small businesses will go, oh, I’ll get basic one, because it’s the cheapest. And then that way, cybersecurity’s covered, and then they’ll sit on basic one, the budget one forever.
They won’t change it, but they will expect the premium service. If they are breached, well, then they’ll be turning to their MSP and go, what has happened? We are paying you for this service, and we’ve been breached. And every MSP has this problem where they want to offer security, they want to offer the premium package to everyone, but they know they have to offer that budget package, but people don’t budge.
So what I’m saying, and what I believe should be happening is, yeah, a hundred percent we need budget one. That needs to be the starting point for everybody. But when you sign up to budget one, you are also signing up to sitting down and talking strategy as to how we’re gonna get ourselves to premium three in whatever timeframe that may be suitable for that small business. But when we get to premium three, we keep going. So we are constantly improving our security, but sensible and appropriate to us because yeah, you can spend all the money in the world on the best tools and just by getting to premium three or beyond, it doesn’t mean you are safe.
You’re never gonna be safe and secure a hundred percent because there’s always gonna be a way to get through for sure. But it’s just making sure that you are, I hate saying this because it’s said all the time now, but it’s making sure you’re not the low hanging fruit. Ultimately, that’s the aim of the game.
Adam: And do you have any particular framework or model that you like to use or recommend using to help the MSP navigate that story and that journey? ’Cause this, ’cause I mean, I was always a big fan of the house or the home model with the gate and the locks and the guard dogs and the razor wire and all the rest of it.
And that, all, that was all a metaphor for different components of security. And in that model you were protecting your children and your dog and your artwork and that kind of stuff. But there’s lots of different standards out there, different models out there, different frameworks.
Is there any particular kind of approach you like around this?
Adam Pilton: Yeah. Yeah, certainly. So I’m a big fan as you probably guess of Cyber Essentials. I think that makes complete sense, particularly obviously here in the UK. It makes complete sense for a number of reasons. One, because we know it works, the stats support it, that it does work. One of my favourite stats is that 60% of people that complete Cyber Essentials learn something new and it’s not just the first time they do Cyber Essentials, it’s every time they do something.
And that is a real key ingredient to cybersecurity. It’s actually learning as you are doing because then you start to realize, oh, actually now I’ve thought about it, this, I don’t know, this piece, this part of our network or maybe the IoT we’re using is completely never been looked at before.
Completely not part of the cybersecurity setup we’ve got. It’s that realization, and as well as the people you’ve got in your, across your organisation. So for me, Cyber Essentials, and naturally progresses to Cyber Essentials Plus. And then I personally like the NIST Cybersecurity Framework.
For me, it makes sense. It’s, it’s a nice balance, I think, of implementing both the technical along with the process, and then embracing the people element as well. And for me, one of the big things is, as you probably gathered with the whole storytelling approach, is the people. I genuinely believe that of course you need the tools.
I’m not saying you don’t need the tools, but I genuinely believe you could have all the best tools in the world, but if you’ve got people that don’t care or aren’t interested in, or don’t follow the processes you’ve got in place, those tools are worthless.
Dan: And, just to confirm for our, for our audience listening, the, the stat you gave was in the 13% of real stats, not the made up ones, in what you said. And the second thing, I think Cyber Essentials does get a, a bad rap, in terms of the non-Plus version.
But I agree. I agree with you that I think there is a benefit to the unaudited version because it does, um, bring a conversation to the surface. It raises information, it helps, that even if it’s subliminal, sublimed, Adam.
Adam Pilton: You kind of.
Dan: Finance. Finance. Adam can edit
Adam: If the AI editor is that good.
Dan: don’t. Started.
Adam: Asking for some significant capability here. I’m not sure.
Dan: Even if you can’t say the word, it helps raise that, raise that topic in the mind. And it is, it’s part of that journey, isn’t it? It’s the first step. If, if you take some of the individual aspects of it, and if all you did was this, and if all we did with that, it is gonna, it is gonna help move people along and improve.
Improve the process. So it’s a step on the journey. So, so yeah, a hundred percent with you on Cyber Essentials and, and, and it does make sense to do it bit by bit and it is, is what you see most of the MSP community now. that into their sort of regular road mapping QBR/TBR type process.
Is that like one of the key agenda items? What are we gonna do next for security for you?
Adam Pilton: Definitely. And that’s exactly what it’s all about, isn’t it? It’s about having that roadmap that everyone’s clear on. And I think one of the things with Cyber Essentials that I used to say quite a lot was that achieving Cyber Essentials is one thing. And then maintaining that standard throughout the rest of the year until you go to Cyber Essentials Plus, or even when you renew in 12 months’ time. That’s the important bit because anyone can achieve it on day one, but maintaining it, maintaining the fact that yeah, you are patching as you should be, that you’re running standard users and admin users, not just allowing everyone to run out all the time. That’s the important bit. But yeah, I totally agree.
For me, Cyber Essentials, it does get a bad rap. Why is that the case? I think probably because, yeah, some people do abuse it. They write down what they like, sign it off and they’re Cyber Essentials certified, so you have to judge it by the organisation that’s got it. And I think it’s really Cyber Essentials is something for you as a business rather than necessarily wanting to show off to, to others. Obviously it does help, but that’s why Cyber Essentials is there because if you do want others to look at it. If you get Cyber Essentials Plus, you know, a third party has come in and verified what you’ve said in your self-assessment in the Cyber Essentials self-assessment. So yeah, for me the go-to for UK businesses.
Adam: Is there any challenge around where Cyber Essentials sort of fits in the journey and a client, it signs up to the MSP’s Cyber Essentials compliance service. They get the tick in the box. They’ve bought some essential tools and essential services to manage that. So now they’re thinking we’re good.
We don’t, you know what? We’re good. We’ve got the tick in the box. We don’t need anything else. So now there’s a resistance to further conversations about upgrades and there’s something new over here because there’s a new threat. So is there a level of complexity around kind of almost, just simplifying it too much?
You know, I’ve got the badge. I don’t need to worry anymore.
Adam Pilton: Yeah, and I think that ties back into that stat of the 60% of people learn something new because they are learning, because they are doing, they are seeing cybersecurity, rather than seeing that PowerPoint slide that says this many people are affected or hearing the stories of the things that have gotten wrong for other people. They’re actually seeing the truth for their own business, what the reality for their own business is, and in particular as well, their users and how they’re set up. Are they actually implementing MFA? Very few businesses successfully achieve MFA implementation across all their users. There’s always someone that, that turns it on because they’re told to do it.
And then when no one’s looking, they turn it off because it’s a pain, it’s a, they see it as a roadblock, for their day-to-day use of the, their machines. So having sight of that understanding that, you know what my team, people I work with, they don’t actually understand the importance of this.
They’re doing it because tick box compliance, they have to. But the reality is it’s so much more important than that. And it’s funny you should mention that, because that today I’ve released a, a blog, have said today. Should I’ll go back a bit. it’s, it’s funny you say that because a few months ago I released a, a blog. In relation to, the fact that cybersecurity has a motivation problem, and I genuinely believe that’s one of the biggest problems that we have motivation to do something because cybersecurity is seen as complex and don’t get me wrong, it is complex. It can be very technical. But at the level that the majority of us are working on a day-to-day basis, it doesn’t need to be hugely technical at all.
Passwords, MFA, the basics. If we’re doing those properly and having that awareness, then that’s gonna mean the majority of businesses are relatively safe, and that’s probably the level that majority of businesses need to be running at.
Dan: And that’s exactly the, the two sides of the argument, the, in the Cyber Essentials getting a bad rap is, oh, it’s too simple. It doesn’t go far enough, and, and it’s just a badge. And the other end of the argument is, well, you should have all, all of these other areas covered and you should be spending this and doing that. And it’s un, unrealistic to expect an, the SME business that, that has lots of other pressures to absolutely focus all their efforts on that, on achieving excellence in that one area. And, and I, yeah, it’s, it’s what, where do you, where, you know, you’ve just got to accept that there, there isn’t perfection in this. It’s a journey. If we, if the minimum outcome we get is that someone’s got a bit more awareness of the risk, then that’s as much of a win as, as someone spending a thousand pounds a user a month on security.
Adam: And just on that as well, the key light bulb for me years ago on this was recognizing I had a duty to educate the client on the fact that it was his risk, not my risk. ’Cause they don’t think like that. They think you’ve got it covered. You look after everything, right? Well, no, we don’t actually.
And so you need to understand what level of risk you are shouldering here, Mr. Klein. And I think that was a key, kind of a hard bit, turning it from a products solution discussion into a risk discussion. And that really moved things forward for me anyway. Any thoughts around that, Adam?
Adam Pilton: Yeah, so it is funny you say that ’cause lots of the MSPs that I speak to have been saying exactly that and then going that one step further to get it written down and signed. So essentially a contract that says, this is your responsibility, this is my responsibility. And we both understand that to make it crystal clear, because like you say, and then like we sort of touched on earlier, really the whole idea of having that budget cybersecurity package. The small businesses or businesses, they then assume, yeah, I’m cyber secure because I’m paying for that package. And that’s not the reality at all, far from it. So I 100% agree that the contracts should be in place so people are explicitly, clearly, certainly signing something makes the, makes you focus your mind. But what, what I’ve also seen happen and hear about is MSPs saying, well, do you know what? I don’t want you to be my client. If you are not willing to implement the controls that I’m telling you that you need to have, then that’s too much risk for me. So I do not want you to be my client. So thank you very much. Goodbye. And I think that is a good approach too. It’s certainly not the first thing you should turn to. That’s obviously after a lengthy process of trying to educate and implement the right controls. But certainly if someone’s not listening and they simply don’t care, then that isn’t the client that you’re gonna be working with. They’re gonna cost you a lot more money in the long run and ultimately distract and take away your attention and resources when you’re trying to help them mop up, which means it’s gonna impact upon your other clients.
Dan: It’s a, it’s another example of that grey scale from something’s better than nothing to perfection.
And if all, all end user businesses were perfect and compliant, then actually that there’d be less opportunity for MSPs to, to help along on that journey.
So, it’s, yeah, it’s a, it’s a bit of a, a paradox in some ways, but absolutely agree. It’s a good, it’s a good level to have to, for an MSP, to be aware and protect their own business and commercial interests, but equally not to go straight there with a, you know, an overly aggressive, and ultimately maybe detrimental to the MSP as much as the end user business, that just requires some education and some time and patience and, and can follow the breadcrumbs to, to get better over time.
So, uh, yeah, really, I mean, it’s a, it is a complex topic, not just technically, but also from a risk and a commerciality perspective. Um, so, so what have we learned so far? Storytelling, having, having a clear communication between MSP and clients. What are we missing?
Anything that we’ve not covered on this?
Adam Pilton: I guess, I mean, we have covered it. I was gonna say trust, but we have covered it because that MSP sits in that position of trust, which has been the sort of thread throughout the conversation we’ve been having. So I think we’ve covered.
Adam: Yeah, I think one of the, one of the challenges as well around, around this sort of journey conversation is, this kind of, from a focus perspective for the client that they’re trying to build and run their own business, right? and buying security services is just a distraction for them.
It’s something they don’t wanna do. It’s it, but they know they’ve gotta do it. And so it’s not really a conversation they want to have. Probably, they kind of want it to just go away and work. And so again, there’s a bit of resistance there for the MSP to keep introducing this subject, keep keeping the client on top of it.
You know, maybe this is on a quarterly basis or twice a year. So it’s almost like the MSP’s gotta get more creative, come up with more interesting stories, package it in different ways to keep it interesting, to keep it alive. Otherwise, you know what, Adam, I’ve just heard enough. Can we not talk about that this time?
I’m buying everything you tell me I need, you know, can we move on please? I’ve got Cyber Essentials. We do it every year. So, any sort of thoughts in general around, I mean, what are you hearing? What are your, what are the best MSPs that you are seeing doing to kind of keep this alive, as a topic, along that journey?
Really, because it’s kind of, it’s that necessary reminder. Don’t get complacent. There’s always something new coming around. That kind of arms race discussion.
Adam Pilton: Yeah, certainly. And I think this all comes down to relationships for me. So you have that relationship and you have it outside of the QBR as well? Yes. The QBR is where you’re gonna sit down and talk about the nitty gritty and the sort of tactically how you’re gonna achieve it. But between QBRs, that’s when trust comes into play. So you should be speaking to your clients throughout those three months and sharing snippets of information, whether it’s to people like myself, obviously I put out a weekly cyber snapshot where I share the latest cybersecurity news. The whole purpose of that is to educate MSPs.
So when they’re speaking to their clients, they come across as informed. They know what’s going on, and it builds that authority and builds that trust. And for me, sharing those pieces of information, sharing those little snippets, not to cause FUD, fear, uncertainty, and doubt, but to simply inform and make sure that it stays on their radar.
It’s not just something we speak about every three months. The, the client agrees to everything and says, yeah, you are right. You’re right. Then forgets about it because that’s not what that QBR’s for. That QBR for me is, is for the client to come to knowing, right, I’ve got these concerns.
How can you, MSP, help me address these concerns and equally the MSP to bring concerns they may have about their client’s network estate to say, right, these are the issues that I see. This is the plan going forward to, to address those. So it’s an ongoing conversation. It’s not just about cybersecurity, it’s about the whole service the MSP offers, but it’s a relationship built on trust and in a roundabout way, the business element will take care of itself if that relationship based on trust is there.
Adam: Yeah, and I like the kind of heartbeat idea of sending out some information. It’s kind of optional to read. You don’t have to read it, but you know what, it’s there. Keeps you in the loop. You know, and it just shows, as an MSP you’re active, right? And you’re staying on top of this. So I’ll make sure that link is in the notes for all the listeners so they can follow up and get hold of your content.
Adam Pilton: Perfect. Thank you. And I think it’s a really valid point as well, the whole marketing for MSPs. We see that as almost like a sub-industry now, don’t we? Because looking backwards, maybe traditionally haven’t been the sharpest on that. They’ve been sharp, they’ve been focusing on the tech and ultimately what they do best. But now we’re seeing this, yeah, this sub-industry rise up of MSP marketing and if you go on LinkedIn, there’s loads of people out there telling you, or giving advice on how best to do it because it’s very much needed. Because that communication piece, which is crucial, not just for incident response, but for the day-to-day is needed.
So, so yeah. For MSPs, that marketing angle is vital.
Dan: So, to draw this to a conclusion with some, perhaps some specific actions that, that any of our listeners should be reflecting on, takeaways from this, the absolute must haves that they should be doing. Perhaps we start with that regular drip of information that’s educational, easy to consume, step one.
Adam Pilton: A hundred percent. Yeah. Have that regular drip of information that you, that entertain as well as educate your clients and make sure that it all forms part of a larger plan or strategy. So you need to have your strategy from day one. Yes, it’s gonna change over the years and as the threat changes, but you need a strategy to determine where you are going with this journey.
Something that both sides commit to: the MSP, I commit to being able to help you achieve this strategy, and the client, I commit to give my time, resources, et cetera, to achieve it. And then once you’ve got that strategy, you both work at it. And as I say, Cyber Essentials is the basics. And that’s why I always point to it.
For some people, they may be on that already, so it may not be relevant. But once you’ve got the basics in place, strong passwords, MFA, antivirus, patching, and not many businesses to be fair, even if they’re big, have that in place properly. But effective vulnerability management, once you have those basics in place, that’s when you can start to really grow. But for me, it’s all about awareness. If people are aware of the actual genuine threats they face, that will give them the motivation they need to get stuck into it. And if they’ve got that trusting relationship there with their MSP, they know that’s the people they’re gonna turn to, to ask those questions and not feel stupid by asking those questions.
Dan: And the final takeaway, I think for me is the, the start of that awareness educational journey with, with confirming Adam’s point exactly that this is your risk, not our risk, as the route into helping to prioritize the topic in the client’s mind, and that therefore be receptive to that education and the continual process.
Adam: And thing I was just gonna mention actually, just kind of tie into this evidence piece and this risk sharing piece and it, and it’s just, I’m looking at the GTIA tabletop exercises. I dunno if you’ve seen this or not. I haven’t read. Well, there we go. We’ve both got our own copies on our desk here.
So how good is that? And for me, this is like the next level on, this is where you’re actually showing, or, you know, demonstrating directly or the client’s direct, demonstrating to themselves where their gaps are in their process, and starting to bring this thing to life.
So, I think there’s so many different layers here. It’s a huge area. But I think if an MSP goes about stacking and coordinating all these different layers, then they are going to naturally create a great business essentially and make their clients safer at the same time.
Adam Pilton: A hundred percent and I absolutely love a tabletop exercise. I think that’s exactly where lots of business should be heading towards. I think doing them too early isn’t right, it won’t help. But once you’ve got that understanding, once you’ve got the foundations as we spoke about a moment ago in place, that is when you start doing tabletop exercises, firstly to make you realize that these beautiful policies that you’ve written, they actually don’t work because you’ll go through the incident response procedure. You’ll get to the point where it says, this person here is responsible for doing that. And in the, the tabletop exercise, they’re away. The classic scenario. Or another scenario: you said, no, our policy is we will never pay any ransom. But when you have that difficult situation of, well, you’re either gonna lose the business or you’re gonna pay the ransom, well, you ultimately have no real choice there. And then it’s the question of, okay, who in the business knows how to obtain cryptocurrency, bitcoin, and then transfer it to the cyber criminals? Well, the answer: nobody, because you haven’t considered those things. And that’s why tabletop exercises are so good because they make you think outside of the box. And it gives you that practice for having those conversations. ’Cause making decisions in stressful situations is hard enough. And then when you make those decisions about cyber security and technical matters that most business owners don’t know about or have no real interest to learn more about and they don’t need to if they’ve got an MSP, but it’s making sure they can communicate at a level where they can understand and make an informed decision, and that’s crucial.
Dan: Very good. And somehow we’ve, we’ve run out of time, as is often the case, fascinating topic in particular, this one. And, I think we’ve, I think we’ve, we’ve covered lots of ground, which is, which is really good, good news. Undoubtedly some of our listeners will be interested in carrying on the conversation, how best to get hold of you.
Al Adam.
Adam Pilton: Perfect. Yeah, so for me it’s follow me on LinkedIn. I’m always talking about what I’m doing and share my insights on LinkedIn. I run monthly webinars as well, talking about threat intelligence, the news, the stories that you need to know about. I mentioned the cybersecurity snapshot, which I push out on, on LinkedIn every Thursday, so look out for that. And of course, my, my newsletter, which, which I mentioned as well, again, that gets pushed out through LinkedIn. So the main thing to do is follow me on LinkedIn and then you’ll see more information about what I’m doing and what I’m talking about.
Dan: Thank. Thank you very much.

