MSP Voice Episode 39 – “Security First” with Anton Kioroglo

Guest: Anton Kioroglo

Company: Security First IT

Last week at the Sales and Marketing Bootcamp put on by Robin Robins I met J. David Sims in person. You may remember him from the HIPAA for MSPs webinar he did for us back in January. David introduced me to his MSP business partner, Anton Kioroglo, who agreed to be on this week’s episode. Anton and David formed Security First IT by actually combining their own 2 MSP businesses, essentially a merger. Security First IT is an MSSP mostly focusing on security (Anton) and compliance (David). Anton gives us some good advice on security and how to get started in the MSP/MSSP business.

Watch on YouTube

This is MSP Voice. Hello and welcome! This is episode #39. We have a great interview for you today with Anton Kioroglo from Security First IT. He’s a business partner of David Sims who you may recall did our HIPAA for MSPs webinar back in January so I look forward to that here after a brief introduction a couple of housekeeping items of course as we do every week.

First up, we have a guest post on MSP Steve Taylor talks about why you don’t need to change your RMM/PSA provider too often. Get some really good insights. You know, everyone always asks, “What’s the best RMM/PSA?”. It really depends but there is a really good article by Steve.

Also, coming up this week on March 14th is our webinar – number 6 with Managed Sales Pros. Carry Simpson of Managed Sales Pros is going to take us through what they have to offer for the MSP market. Again is your source for all things MSP. So keep track of what’s on there. Feel free to subscribe so that you’ll get a notice every time there’s a new post.

Best of Reddit

First, we have someone who won his first client but should have listened to advice here and elsewhere about charging per user instead of per computer. This poster signed his first client five thousand dollars as a monthly run-rate which is our MRR, which is great. That’s a lot for a first client so that is very good. But it’s a not-for-profit. And so he thought maybe charging per device would be better than charging per user since they might have a lot of volunteers which has led to an issue of the people saying this computer is owned by the employee, it doesn’t need to be managed, or not this one. So they’re crossing off all these computers and people off the list. So he’s kind of wondering did he make the wrong decision in going per computer instead of per user.

Lots of interesting advice here. One person says when you really figure out what you’re doing, you charge a flat fee. Then there is no crossing off items on an invoice. They don’t want you to think of it like McDonald’s. It’s not just placing an order which I think is an interesting perspective. But then others point this out in some of these comments. How do you adjust your rate when you know what happens with inflation? Is it going to be the same for a 20 user-office as it is for a hundred-user office? How do you gauge that? And so there’s a really interesting discussion going on here. We’re talking about flat rate but essentially, at the end of the day, I think we’re all trying to get to that all-you-can-eat way to see a model and then it’s just a question of do you do it per user or per computer and how do you price that out? Maybe it’s different for some than it is for others but there’s some really good advice here. Definitely take a look at the thread and follow the conversation.

Next up, we have a printer question – yes, someone actually asked a printer question in the MSP subreddit which is kind of funny because a lot of people hate printer support. So they are asking who are the best printer manufacturers? So he said,  “I thought I’d be an hour off-topic for a change compared to the usual RMM/PSA. So he’s saying we aren’t in the managed print game although they are possibly interested in looking into it for a few options that aren’t progressing fast”. So they used to use Samsung, HP is great, Epson brother. So that’s what he’s tried.

You know what other RMM MSPs are using or currently use and recommend. Of course, the discussion devolves into you don’t want to be in the managed print game. A lot of reasons why people point out once you’re in manage print game, you’ve got to keep track of all the supplies, whether it’s paper or toner ink cartridges, you have to fix stuff and it’s just a lot of work for very little profit. That’s kind of the theme on the managed print game and why you shouldn’t go into it. Not a lot of people actually say here are the best printers that we use. What we found really is a kind of discussion on management services, yes or no. And of course, if you don’t do management services and you contract someone out to do that for you, you have to be careful because a lot of times they want to get into the MSP games too.

You have to be careful. So some printers seem to be just so much fun to deal with. Another person commented that it’s a physical device. People go up to it, they push buttons, they do things, and it breaks. It’s hard to manage all those types of things. Then, of course, one person brought up the fact that his favorite printers ever when he was managing (one of  the people in the computer lab in college) were the HP laser printers jumped 40-50 and he said those were tanksand we had page counts on those things and over a million students constantly printing and those things just did not break. I knew how to fix them if something did happen. I knew how to clean them. But in general, those things were a beast. Of course, you can’t buy those anymore. Everything’s gone to these cheaper ones. So. Are you in managed print, what do you do? Do you contract it out? It would be interesting to take your comments on that. So moving on from printers.

Let’s go to cyber security which is the focus of our guest today but cybersecurity insurance. Do you carry it? Does anyone use it? And this person really wants to know if you have ever filed a claim? There’s some stuff that’s been hitting the fan recently with some high-level hacks that have gone in and infected every customers and MSPs. What’s your exposure? And is cybersecurity insurance really going to help? So there’s a couple that talk about it so watch what they use. And some say this person said he got a million dollar coverage because he has some small doctors offices and HIPAA fines were not covered by his errors and omissions coverage. So that’s something else to think about if you have HIPAA customers, do you need extra insurance above your errors and omissions because it’s HIPAA? So that’s an interesting point. But others say they do have it and then they say here’s who I use.

I’ve read through pretty much all the comments. I did not see anyone saying that they’ve had to file a claim and that it worked. So a lot of people have it but they don’t necessarily use it or file a claim. So I guess take it as it will be. There are others that point out if you do get it that the insurance company may come and actually do an audit so always be prepared for an audit from an insurance company. If they’re covering you, they want to make sure that you’re following their guidelines. Read the fine print. All those fun things. But hey, if you are using it now or if you’ve ever filed a claim, feel free to jump in on this thread and let them know.

And finally, content filtering for education. So this MSP has. Who’s who. If you read the comments you’ll find out it is based in the UK. This really shouldn’t matter but they are recently new to the education market and they’re really only just looking at it this point. So we’d like some thoughts on what to use for content filtering for education, understanding education is probably going to be different than content filtering for business.

You know how these kids are; they’re going to find every way around it. They’ve got all these new apps that pop up all the time which is what a lot of you point out. So the one here has the most upvotes. Someone recommended if you do focus on education there’s a kid K12 sysadmin and I’ve read it. That would be very helpful.

He also recommends Guardian as it is probably the best Chromebook integration as they offer a reseller program. They are also a good classroom management product if you need it. But then he says to keep in mind a couple of caveats. You might need features like the usual business stuff but it doesn’t have suicide detection. Very important. Your customers will try to circumvent the technology all the friggin time. So the school can be liable if they succeed. So that’s something to think about. Emergent apps will mess up the school’s day. So some content code should be reported on. Even if they aren’t blocked, if there’s a student Wi-Fi network make sure you are reading the logs so you can inform the school of any new anonymous local bullying app. If you act on those types of things and if a teacher requests a site, it probably needs to be done yesterday because they’ll never notify you earlier than when they tell us to use the site in their lesson and the student tells them it is blocked. So basically, if the teacher says go to the site and the student sees that it’s blocked. You need to work with the teachers to make sure that they understand that they must check this stuff before you sign it so that it’s not blocked. Some really good advice on that. Is it good enough just to do proxy-based instead of device-based? Again it’s going to depend on the Wi-Fi network what is used how it is used. Do you really need that to put it on the actual endpoints? Is it just enough to do it DNS? So a lot of questions a lot of comments. Some really good advice here. If you focus on the education market and you do content filtering, jump on this thread. I’m sure the OPI would love to hear your thoughts and what you’re doing and how you find success.

With that being said, I am now going to turn it over to our interview again. This is Anton Kioroglo. I met him last week at the sales and marketing Bootcamp. Yes, I was in Nashville all week for that. I’m back home now. It was cold there.

MSP Voice Podcast

I’m happy to be home. But anyway Anton, Security First IT. Take a listen and I’ll talk to you next week. Hello and welcome. Today I’m excited to be joined by Anton Kioroglo. I think I got that right. I know we practiced it beforehand so get the last name right! Anton, you’re with Security First IT. MSP out of the Charlotte area and business partner with David Sims who is also part of HIPAA for MSPs who did a webinar a couple of months ago or a month or so ago. I met you last week at the Robin Roberts conference. So it’s great to have you on.

Anton: Yeah thanks. Thanks for having me and I love it. Love being here.

Doug: So tell us a little bit about your business. What Security First IT is up to?

Anton: Sure. So Security First IT is a little more on the MSSP side than on the MSP side. We focus more on security as the name suggests. We love the channel, we love Robin Robins.

Doug: Did you jump right into MSSP or did you guys do managed services before and then maybe you changed the name. How did you get that ball rolling?

Anton: So that was kind of an interesting development. When I started the business, I started it by myself and it was a Power Key IT Solutions. We went directly into MSP and then we also did custom software development for small businesses with database management needs. And then along the way, I became a customer of HIPAA for MSPs. And then I got to know David Sims and found out that he didn’t live too far from me. We hung out for a little bit and then as we started to get to know each other more, it just made sense that we would join forces. And David had an MSP at the time as well. So we put the two together and we very quickly figured out that we wanted to be more in the security space than anything. So that’s where Security First IT was born.

Doug: Okay that’s great. I mean it’s basically two MSPs saying you know we like each other and you decide to combine your businesses and then go off in that direction. That’s a great story. Definitely, you were one of the first that I talked to. What about you personally? Did you know before you started the MSP? Did you have a career in IT first? You know, technical background..

Anton: I did. I worked on the side. I worked for another VAR and we worked with servers primarily. I’ve been in the Charlotte area and then I decided I wanted to do more and have more customers.  I’m looking for the right words for it… but to be focused more on the relationship with the customer and really provide them more value than kind of patching a server here and there with no data.

Doug: So with that being said, what kind of customers do you work with? Do you like to focus on small businesses so that you targeted demographic?

Anton: So we focus primarily on medical. We have a wide range of clients but all of our marketing efforts go towards medical.

Doug: OK. That would make sense for the HIPAA for MSPs.

Anton: Right. Anybody with a strong need for security. We found them to be pretty good customers for us. But it didn’t have to be just medical. We have a strong background obviously with David’s expertise in HIPAA. So there you go that way.

Doug: A lot of security needs in medical specialty around HIPAA. So you know being the best in your market, that is definitely something good to be good at.

Anton: Absolutely.

Doug: So you know when you think about the software that you use to run your business, have you standardized a stack that all your customers have to use this stack of software or do you come in and SaaS what they have to work with but maybe transition them over time to a standardized set.

Anton: We don’t force anything on the client but we strongly encourage them towards the stack that we prefer. And Scott, some clients say we trust you completely so just tell us where to go as long as it makes financial sense and then others will say no, we are absolutely in love with our tape drives and we charge them extra.

Doug: As you should. So, for an MSSP,  what would you consider your standard stack? What does that look like if you don’t mind what software you’re using?

Anton: No, not at all. In my eyes, the thing that differentiates an MSP from an MSSP is a stronger focus on security not only as a provider. In other words, not only do we sell more security software but we also do more security as a company so we provide user training by our staff. I or David, for example, will train another company’s staff on an aspect of security for their company, maybe phishing or whatever.

Doug: Click this, don’t click that.

Anton: Yeah that’s right. So that’s a big one.

Anton: The other side of that is obviously the software stack. So everybody that focuses on security considers going towards the next generation antivirus or next-generation firewalls. And that’s a great start. What we do is we add a few other layers, for example, Huntress. We like Huntress. I find that a lot of people don’t understand exactly what Huntress does as a vendor but you understand them what they do. They’re great. A lot of them buy into it and seem to think that they do something different.

Doug: Great. Now you mentioned that all your advertising goes to medical. So how do you know? How are you doing that? How do you advertise? Are you standing on the corner holding a sign or you get billboards? How does that work?

Anton: Well, my mascot days are over. I don’t walk out. You know.

Doug: You’re not spending the euro out on the street corner.

Anton: No street or street arrows. We try to be where our customers are. So if there’s a medical event in the Charlotte area, we try to go to that event. We tried it when we were a little bit smaller and maybe we didn’t have the funding to pay for an event like that. We would go to all the chamber events that we could. Groups like that are great for smaller companies so we focused a lot of effort there. But but I think as we expanded a little more, we needed more of a program – something like what Robin Robins provides. There are others out there that are pretty decent. This was just the one that we settled on that we like quite a bit and so we follow her setup as much as we can.

Doug: OK. Yeah. Like you said you know trade shows. Right. I mean we met at a trade show last week.

Anton: That’s right.

Doug: You know, I was there trying to get customers just like you go to the medical events in the Charlotte area to advertise your services as well.

Anton: Yeah. Yeah, it’s a grind. 

Doug: Yeah.

Anton: People don’t appreciate how difficult trade shows can be: long hours and a lot of grouchy people coming up to you.

Doug: Some people aren’t happy, some people are grouchy and I just take the good with the bad. Thinking about how you got into the business and what your journey has been thus far, for someone out there who are maybe looking to get started in this business whether it’s managed services or managed security services, what’s your advice? Is there anything you’ve learned along the way that if you could turn back the time you would have done this different or that different?

Anton: I think one thing that we did very well is that we very quickly niched down. We weren’t willing to be the provider for everybody. Even before David and I joined forces and it was just my first company, we focused on companies that needed strong database management. So it wasn’t necessarily a vertical like medical but anybody that needed a lot of database management, such as a lot of online retailers that carry a big inventory. So we went that way. And that really helped us because it allowed us to come in as an expert as opposed to doing everything. Yeah. And so I found that helped a lot. The other side of that is we invested in tools early on. So we know, for example, we use CloudBerry as we are big fans of the product. And we had to train our technicians on how to use it, how to encrypt the data locally, how to migrate it into whatever cloud that it is being stored on. I think that’s an area where I see newer companies or newer startups not being willing to do. They’re not willing to commit to a specific vendor and train on a specific toolset and they try to migrate from one to another. And that hurts in the long run.

Doug: The other thing is just getting into the business you know. I mean, we saw in the expo area last week that there are so many vendors out there.

Anton: Right.

Doug: Trying to make the right choice when you’re just starting out I think can be overwhelming for some folks because they think they know everything they need to know, but then they have a budget that plays into it. If you’re starting out, you may not have a lot of capital so you’ve got to invest in what you can afford.  I agree with you that you should definitely try to standardize this if you can. But I know it can be difficult for some of those business owners out there to not be able to do that.

Anton: Yes, standardization really brings your costs down because, if I know how to support that product title, I can support it in minutes instead of hours.

Doug: Yeah. Oh definitely.

Anton: If we come in and they have a backup service or a backup device that we’re not accustomed to, it is not included in our monthly pricing and it becomes a standalone product that we bill hourly for when we have to support it or they come over to our product which is included.

Doug: Okay, that makes sense.

Anton: So, that way they can keep the tape drives.

Doug: So you’ve been doing the services for it for a while now. What’s your favorite part? What do you really enjoy about this business and this industry?

Anton: Probably the thing I love most about the MSP community is the community itself. We’ve been through ASCII and we’ve been through Robin’s program. I think there’s another conference that I liked called MSP World. I think they have a couple of those or a Datto conference or something like that. The people that you meet there are just phenomenal techs and phenomenal people. Almost everybody I meet I want to get to know them on a personal level and I have no objections sharing as much information with them as I can. And I find the same with those people. They ask me a question and I answered. There’s no secret sauce to this to this industry. Nobody’s holding back.

Doug: From a community perspective especially in the Facebook groups and on Reddit. If you ask a question you may get one or two smart-ass answers. But most people are going to be genuinely helpful and try to point you in the right direction.

Anton: Well everybody has a bad day against the one guy that’s being a grouch. That’s pissing in everybody’s cereal.

Doug: So that’s one of the things you love. What’s one of the things you don’t like about the managed services?

Anton: The one thing I wish this industry had was standardization of services. I wish that there was a way where we can say we are a level one provider or a level 2 provider –  something along those lines where you could more easily go into a marketplace and if you’re looking for level 2 MSP providers, here we are. But no such thing exists and I don’t know if it can and I’m not a huge fan of government regulation, but then government regulation might help. You might say that today you might say we’re soft and too compliant. Well, that helps a little bit.

Doug: But then you talk about the government that could control it which has its own issues. But what about if there were private industry groups that said we’re going to become the governing body for certifications for MSPs or MSSPs. And you’d have to pass tests or do whatever. I mean it’s no different than getting your Cisco certification or different certifications. I can see where companies that provide that and having a governing body over the managed services or managed security services, it might be a little bit more difficult.

Anton: Yeah. Schools might be a way to do that but they have a disadvantage in that schools tend to be behind the times. Exactly. So if you go into a university and you come out with a  B.S. in computer science, it’s not worth much at the time that you come out. If you haven’t studied in the area while you were studying and they haven’t really learned where the tech is now. We see that when we hire technicians all the time. They come in with: oh I have my CCNA. Well, you still don’t know how to configure a router. You learned on Cisco version 12 we’re on 97.

Doug: Yeah. It’s like you know I did computer science major in college. You know what I know Pascal was the main language that we were using and now get out of college and I ended up being a Lotus Notes guy which didn’t follow any programming logic whatsoever. But you know you at least you know you get the basics so I understand you know programming basics but since college, I haven’t written a line of code so just review your career takes it.

Anton: Yeah. School is great if you don’t have a goal to achieve and you don’t know what you can do with your life, then go to school. You know if you have a goal and then decide if that goal is better served with more education or if you just need hands-on experience. We have technicians who don’t have a college degree who are I would say the best in the industry. And then we have technicians who have a college degree and we can’t wait to get rid of them.

Doug: Some of the best people I hired have a college degree. One guy I hired had his degree in music but he was one of the best technically. He would dive deep and just ended up being a tremendously great employee. Even though he knew music wasn’t going to take him far in his career, he understood Tech and he was really good at it.

Anton: My degree is in real estate so it had nothing to do with computers. I just fixed computers for pizza and beer for so long. It made sense for me to be able to do it for some money.

Doug: A lot of pizza and beer is good too.

Anton: Yeah. Now it is just becoming harder to pay a bill with pizza.

Doug: Yeah.

Anton: That’s all. Duke Energy didn’t accept the pizza part.

Doug: Thinking about technology, I understand you guys were early on the security side. So I could talk about. What technology – whether it’s consumer or business related – are you most excited about?

Anton: I really love security… cybersecurity. That’s the thing that I’m most passionate about. The thing that excites me more than anything is the next generation of antivirus systems. I think as a marketplace, we finally got through needing to train the users because 10 years ago, there was really no good phishing training and it was sort of unheard of. Now we’re saturated with user training, which is good. And then we’re finally getting past that stage and getting into now that the user knows what to do, we still need to secure the endpoint. And so you have you know products like Central One, Silence… There are many others but both of those are great. Both those are expensive but great. And so those technologies develop. I’m excited to see what they can do to better secure the platforms because those run both on Windows and Mac servers I think they run on Linux too, but I don’t know.

Doug: Even from the expense, I’m going to ASCII and you know there’s something about the vendors called master MSPs that pool the resources and you can get it from them a lot cheaper than if you’re going to one of those vendors directly. So it’s always something to look at from a price perspective.

Anton: Yeah. Think about who’s there The 20 I think is one of those organizations that help with that or if you’re a CompTIA member. Yeah. Get some better pricing there. Then there are vendors that will go out and buy 50,000 licenses and then they’ll resell them to you at a better price because they bought them at an amazing price.

Doug: Yeah.

Anton: You just have to gotta do your homework and figure out where you want to be. But that’s the tech that excites me.

Doug: What worries you? What keeps you up at night? Technology?

Anton: IoT. I think I’m worried that a reckoning is coming.

Doug: Wait my refrigerator is calling, hang on.

Anton: Yeah that’s right! My bathroom says I didn’t eat enough spinach today. I think it’s going to get to a point where the firewall configuration and VLANs are gonna be. Well, they’re already essential for security but they’re going to be absolutely required by any standard. Everybody’s going to require separation of VLANs and you keep your IoT in one area.

Doug: No, I agree and I’m looking at rebuilding a house over the next year and looking at you know how do I want to do it and can I start it from the ground up? I can actually do something to better protect myself with all these devices that I have connected just in a home.

Anton: When in doubt run cat cable.

Doug: Oh yeah, I’m definitely doing that. So cat six all over. So…

Anton: That’s right. Every wall should have two cat six cables.

Doug: Great. So we are now on the fun part –  I guess some people find it fun and some people don’t. But it’s the rapid fire round.

Anton: Awesome.

Doug: I’ve got six questions here for you. Are you ready?

Anton: Bring it on!

Doug: OK. Apple or Android?

Anton: Android.

Doug: Mac, Linux or Windows?

Anton: I used to be a Mac guy but I’ve come over to Windows again and I’ve got Windows now.

Doug: Amazon, Azure or something else?

Anton: Google Cloud.

Doug: OK great. So backups: local, cloud, or both?

Anton: Both and CloudBerry.

Doug: Thank you. Should you always virtualize? Yes or no.

Anton: No, I don’t.

Doug: Yes.

Anton: Virtualization is great, but it has consequences and yet I understand those consequences, especially from a security standpoint. It can be very hard to manage encrypted virtualize machines.

Doug: Yes. And finally. Which is worse – printer support or vendor cold calls?

Anton: Oh printers by far. I can hang up on the vendor.

Doug: You need to secure those printers too right. And that’s just another device connected and another attack vector.

Anton: Nobody ever changes the admin password that you want into an organization you just type in admin.

Doug: Yeah. I’ve seen too there are hacks involved you because they’re connected to the phone line. Someone with fax machines too and then that’s another attack vector. They didn’t think about it that they can get into the fax and then they get into the network.

Anton: Did you see last year (I don’t remember when)  the casino in Vegas that was hacked. I can remember it was in a casino. They were hacked because of an IoT attack where the fish tank had a pump that was installed by one of the vendors and he connected it to the Wi-Fi.

Doug: I do recall something about that. Yes.

Anton: And that’s how the attacker got into the casino.

Doug: Yeah.

Anton: Through a pump in a fish tank! Who needs Wi-Fi on a pump in a fish tank?

Doug:  Well if the pump stops running you want to get notified so the fish don’t die.

Anton: I guess I’ve never kept a lot of fish around long enough to find out if the pump stops running.

Doug: Well, I guess that is because you’ve never had an IoT pump, so maybe that’s why…

Anton: That’s why my fish don’t last. Absolutely.

Doug: Great time. It’s been fun. Anything before we go? Any other bits of wisdom to impart to our listeners or anything else you like to let me know about?

Anton: You know I’ll leave you with this — wisdom comes with old age and sometimes old age comes along.

Doug: OK. Very very insightful. It’s been great chatting with you. I really appreciate you being on. As I said, it was great meeting you last week in Nashville even though it was bitterly cold. We survived and we’re back in the warmth now. So thank you very much.

Anton: Thanks, Doug.