Episode 246: Alex (@aebridgeman) is joined by Johnny Lieberman (@JohnnyLieberman) and Zack Miller (@ZackMiller).
In this episode I am joined by Johnny Lieberman and Zack Miller, co-founders of Worklyn Partners, about their approach to integrating cybersecurity and IT services for middle-market companies. We discuss their multi-acquisition strategy and the integration of these services under one platform, as well as the challenges and benefits of merging tech-driven service providers. Insights include aligning incentives, addressing people-related challenges, and restructuring sales strategies for different customer segments. The importance of AI in combating cyber threats, especially during mergers and acquisitions, and the necessity of employee training and robust incident response plans are also highlighted. Additional insights from cybersecurity expert John Flory emphasize the role of AI tools and the rising risk of third-party breaches.
Listen weekly and follow the show on Apple Podcasts, Spotify, Google Podcasts, Stitcher, Breaker, and TuneIn.
Learn more about Alex and Think Like an Owner at https://tlaopodcast.com/
Hood & Strong LLP – One of the nation’s premier full-service public accounting firms, Hood & Strong LLP provides buy- and sell-side quality of earnings, due diligence, assurance and tax services to search funds, private equity firms, and business owners and investors. The H&S Advisory team helps expedite a smooth, cost-effective transaction process that maximizes value and minimizes tax impacts for both buyers and sellers. To learn more about how Hood & Strong can support your M&A objectives, please contact Transaction Advisory Group Partner Jerry Zhou at [email protected].
Oberle Risk Strategies– Oberle is the leading specialty insurance brokerage catering to search funds and the broader ETA community, providing complimentary due diligence assessments of the target company’s commercial insurance and employee benefits programs. Over the past decade, August Felker and his team have engaged with hundreds of searchers to provide due diligence and ultimately place the most competitive insurance program at closing. Given August’s experience as a searcher himself, he and his team understand all that goes into buying a business and pride themselves on making the insurance portion of closing seamless and hassle-free.
If you are under LOI, please reach out to August to learn more about how Oberle can help with insurance due diligence at oberle-risk.com. Or reach out to August directly at [email protected].
(00:00:00) – Intro
(00:02:29) – Catching up
(00:05:02) – Advantages to separation or integration
(00:06:50) – Challenges in integrating MSP providers
(00:12:50) – Building a Sales org
(00:18:58) – The importance of pace
(00:20:51) – Learnings from investors and peers
(00:32:30) – AI, & First lines of defense to implement in cybersecurity
Alex Bridgeman: It’s good to see you guys. We haven’t had a podcast since 2022, right? That was a- it’s been a while, and you guys have done a lot since then. I enjoyed your industry write up you had. Kind of recapping all the different trends you were noticing was pretty interesting. I’d love to kind of get your take on the space, but also just like what you’ve been working on since. It’s been very productive. So, I’m curious to hear everything that’s happened.
Johnny Lieberman: First of all, really appreciate you having us on. Zack, why don’t you give Alex and others the quick recap of who we are and what we’re doing?
Zack Miller: Sure. Although, Alex, you just reminded me that I was holding myself to at least a blog a month this year, and I’m behind on my blog, so I’ve got to get one out by the end of the week. But no, anyways, you’ve got Johnny Lieberman and Zack Miller, we’re the co-founders of Worklyn Partners, which is an investment firm focused exclusively on cybersecurity and IT services. So, we raise some committed capital with the goal of building a one-stop shop focused exclusively on cybersecurity and IT services for middle market type end customers. So, think about the companies that don’t have their own security team in-house, they don’t have their own chief information security officer, but still need help securing their IT infrastructure and making all the latest and greatest apps work for them as well as securing those apps. So that’s the sort of audience or customer that we’re building for. And we’ve come a pretty long way since we last spoke. So, we acquired two businesses in 2022, a third in ’23, and now two more here in 2024, and are starting to integrate those businesses and really execute on the thesis that we started with, to become that one-stop shop. What’d I miss, Johnny?
Johnny Lieberman: We’ve deployed about 75% of the fund that we raised in ’22 and active in the M&A markets, continuing to look for specialized IT services and cyber services companies that can help us build this kind of mosaic of services we’re trying to fill in and be able to offer to the end customer. So, I think that’s the update.
Alex Bridgeman: So, the integration between the IT, I think MSP and cyber, you mentioned before, those are kind of typically sold separately. Are there advantages to either keeping them separate versus integrating them together like you were trying to do? Like historically, why are they separate, and why together are they more effective?
Johnny Lieberman: Yeah, it’s a great question.
Zack Miller: Yeah, sure. This was core to the thesis, core to how we started out. We wanted to start by acquiring a cybersecurity business, and we actually wanted to keep these businesses separate. So what we’ve created is two platforms. So there is integration. Every company integrates into one platform or the other, but they are two separate platforms, two separate management teams. We want the cybersecurity business, security needs to be their DNA. They’re very much a sibling company to the IT services business we own, but they are both very much separate companies. You get that because there are some customers who want some cybersecurity services but not all, or they proverbially don’t want the fox guarding the henhouse. And there are other customers who are quite the opposite, who say, we want you to do everything, just figure it all out for us under one umbrella. So we want to have that flexibility to serve either type of customer. We wanted to keep that security DNA core to the security business. And then there’s also just sort of financial reasons, business model reasons why you want to keep those two platforms separate. I don’t know if you want to comment on those. Yeah. So, it’s nuanced. We are doing a lot of integration, especially on the IT side where we’re now combining ultimately four businesses and there will be many more. And there’s integration on the cyber side as well. But we are keeping those two platforms separate.
Alex Bridgeman: What are some challenges, or what are the top challenges with integrating MSP providers together? Is it more of a tech platform side or something else?
Johnny Lieberman: Roll up is like the flavor of the year I feel like. Every- Zack, I really wanted to get into this a little bit with you because we know you have an interesting kind of purview speaking to a lot of folks doing multi-acquisition strategies. But what we’re doing is a little bit different. So, we’re looking for companies that do different things. For our thesis to work, which our thesis is really about cross-selling different services in order to be a one-stop shop, we have to target IT and cyber providers that are different, meaning they have their own specialization, they don’t try to do everything, they do one or two or three things really well. In some ways, that makes integration a lot easier because it’s not a cost-cutting exercise or headcount reduction exercise. We’re putting teams together that benefit from having sister companies under the same platform that can help them own more IT wallet share per customer, but there are other challenges in that we’re educating the employee bases of one of the companies that we acquire on all the other services that the other companies offer, in order to be able to have them speak in an educated manner when they’re speaking to their own customers about what else we offer. So I think it’s kind of a unique set of challenges because we’re really not doing a roll-up. It’s here are the 10 critical services we want to offer. Let’s go out and use M&A as a tool to find service providers that do those really well. And then can we have integration get this company, this one company we’re trying to build to a place where you have different practices under an umbrella, but it really is one company with one management team, one brand, one vision, one service delivery motion, just different specializations on the technical side.
Zack Miller: Yeah, I agree with Johnny 100%. I will say, in any roll-up, multi-acquisition, business combination strategy, people is always a challenge. Like you’re bringing together different people who haven’t worked together. A lot of times you’re bringing together folks who have been running their own ship, and you’re saying, all right, everyone get on the ship with us and let’s figure out who’s going to be captain, who’s going to be first mate as we start to pilot the ship. So, there’s just sort of inherent challenges there and these are very much people businesses. They’re technology businesses, but at the end of the day, they’re people businesses. That’s what the customers pay for, that’s like the services wrapped around the technology or on top of the technology. So of course, people is a, I don’t want to say it’s a challenge, but it’s something you have to navigate – different folks, different backgrounds, different egos. I think the way we tend to- like the best solution to that is have sellers roll equity. It’s not going to be the right thing for every deal, but for most deals, it is preferable because we want that incentive alignment. We want to be all running towards the same goal. And if suddenly the seller who rolls equity has a little piece of every company being bought and has an interest in the shared work on platform, it just makes it that much easier, puts us all on the same team.
Johnny Lieberman: Yeah, I think Zack alluded to this, but our model is a little bit different than other roll-ups. In other roll-ups or typically, a seller will roll equity into their own company, so to speak, and they might benefit from a multiple that the platform gets at exit, but that multiple is applied to their own production. In our model, sellers are rolling equity into Worklyn overall, like the fund, so they’re sitting pari passu with our LPs that come in on day zero, and the idea there is that they’re really incentivized to care about each company that we acquire or the highest ROI investment opportunities as we continue to build. I think, to get back to your question really quick, some of the interesting things that we’ve noticed that we didn’t expect are just the pace at which different managers that end up working with us through acquisition or from the outside, just the different pace at which folks move that have been in different businesses for a long period of time. You could have two sellers that each owned their business for the past 30 years. And the pace at which small, privately held businesses operate, just in a given week, like the level of urgency can be completely different. That doesn’t mean one’s more successful than another. It’s just something very interesting to observe. I think another little thing is just the technical owner versus the business owner and trying to get everyone to kind of think in a business framework, that’s challenging. Like sometimes these companies were really successful because they had a technical owner leading technical service delivery teams, and the financials were great and the operations were great as an output of that, not because they were focused on that. So, yeah, just a couple of things.
Alex Bridgeman: So, with a huge part of your strategy being not necessarily acquiring for additional customers or market share in any one particular place, it’s more for ability, it sounds like the sales motion behind that is really key, like being able to efficiently cross-sell. And then once you have this suite of capabilities, you need to now organically acquire customers. What does a sales org look like that can do that and function effectively in that kind of structure? Sales is kind of a fun area for me. I enjoy studying sales orgs, so I’m curious what you’ve kind of decided on structure-wise so far.
Zack Miller: I think it’d be fair to say we haven’t totally decided on anything because we’re in the process of building out a centralized go to market motion. But you hit the nail on the head. It’s huge. And from an integration perspective, it’s sort of the leading, the pointy end of the sphere. You figure that out, you kind of build around your customers, build the sales motion that way, and then the service delivery follows that.
Johnny Lieberman: Yeah, we’re lucky in that sense. We went out and found a great CRO from another larger scaled MSP. And this guy has gotten way out in front in terms of integration. And that wasn’t our intent to say, hey, kind of go break things and the rest of us will have to keep up. But that’s kind of what’s playing out, and it’s been a blessing because I think in integration, it’s never perfect. You need a forcing function. And if you get sales out in front and the sales teams from the different organizations are coming together and really working through in real time all the little nuances and complications that come up and trying to cross sell or bundle solutions and sell it all at the same time, your service delivery motion is forced to follow. And I think to this degree, this is a thing, it’s a more organic approach to integration than management or Holdco management kind of projecting down these long documents that are out of touch with reality. So that’s been a blessing for us. What I was saying earlier is the challenging part. You have sales folks that were specialized in what they sold previously. So, they might really know Microsoft. They might really know unified communication solutions, so voice and video. They might really know network engineering. And now those folks are really excited because they have all these other in-house services that they can sell because we’ve acquired these other companies. So, their commissioned playbook or possibilities open up. So, they can sell all these other things and get paid for it, but they don’t have any experience doing it. I think a huge part of it is early education on how do you position these solutions? What is the pain point you’re solving for? It’s re-educating the sales teams on all these other things that we all of a sudden offer. It’s not always smooth, but they need to feel comfortable being able to talk about the full suite or else we won’t be successful.
Zack Miller: Yeah. If I had to sort of summarize the process at a highest level, it’s taking sales folks, some but not all of whom have been used to kind of selling a capability, a single service or a single suite of services in one area and saying, hey, no, look, you have more arrows in the quiver than you ever did before. So, point one is education, educating them on what else to be selling and how to sell it and what have you and kind of using sales folks from different teams to teach each other. And then two is is building around, not around a capability anymore, but building the sales org around a segmentation of customers. So, building around, essentially the way we look at it is there’s verticals and then, for us, there’s two broad sub-segments, which is SMB versus mid-market. Those two end customers need different things. The SMB typically outsources their IT entirely. They don’t have an IT person in-house. They say one of our MSP customers just sort of handles all things, whole stack. And then as you get up to the mid-market, what we call the mid-market, even into the large enterprise, you have a co-managed model where there is an IT person or an IT team, and we’re just doing some functions and others are continuing to be in-house. And those are two fundamentally different models and always will be. So there’s that double layer of segmentation by industry vertical and then segmentation by SMB versus mid-market and small enterprise.
Johnny Lieberman: And if you want to make it even more complicated, Alex, we have these specialized SWAT teams for niches that are big growth areas for us. And one of those are doing cyber and IT diligence for private equity firms, roll-ups, and holding companies that are acquiring and then doing the post-close remediation. So, after we diligence cyber and IT gaps pre-close, our teams will go in and actually fix the gaps that they notice and then manage the cyber and IT in a portfolio of companies environment on an ongoing basis. So, we have a team of specialists kind of across our different businesses that will participate in that service delivery team that just focuses on lower market or mid-market private equity portcos or roll-ups or holdcos. So, I guess that’s a two by two by two, vertical by segmentation by niche.
Alex Bridgeman: So, you mentioned the pace of each company is very different and the sales, kind of the sales motion like pulls things along in a more rapid pace. What kind of dynamics does that create for each company? Does that help kind of get people excited, or is there some kind of push and pull as well?
Zack Miller: I think the majority of folks are excited by it. I think what we hear often in these companies is you’ll have engineers and technical talent who are like, yeah, we sort of do one thing really well, and even if I’m not motivated by money and career advancement, maybe I’m motivated by learning new technologies. So, new customers with new demands means having to learn new technologies, that’s exciting for them. Other folks, it’s career advancement. But in general, the folks who are like, hey, this is a new challenge that’s exciting, that’s a signal of, all right, this person is meant to be along with us for the ride and it’s a great signal. And then I think some folks self-select out, who say, all right, this is getting too hard. It’s getting too complicated. I like the simplicity of being a very small, or not very small, but a small regional service provider with one niche focus. And for those folks, that’s fine. That’s a way of life. And I think that’s a win-win for if they feel like, hey, we want to go to a firm where things are simpler and things move slower. So, I think it causes a self-selection that’s actually a positive self-selection because it causes the sort of ambitious, intellectually curious people to get excited and to jump on board.
Alex Bridgeman: And then one thing I’m curious about too is I find either like multi-acquisition or consolidation strategies really interesting. Are there any tidbits or pieces of advice from your investors or things you’ve learned from peers in the last two years that stand out to you as concepts and ideas you think about a lot on a daily or weekly basis?
Johnny Lieberman: As it relates to multi-acquisition, I think early on, the tendency is to look at the businesses and the numbers and the operations way more than the impact the owner or seller has on the DNA of the organization. And I think if you want to acquire a lot of companies and have a chance, like even a chance of making them work together, you need to buy businesses that have at least certain kind of core values or pillars in place. And those are- examples of those could be service quality outcomes, like customer and service delivery outcomes come first, like we’ll bend over backwards, answer the phone at three in the morning. Those sorts of similar traits across companies give you at least a chance of integrating. Like, it’s not guaranteed. You could still mess it up, like probably a pretty good chance that you could still mess it up, but at least it gives you something to work with. I think the businesses we’ve struggled to transition have been those that the owners had approached running the business so incredibly different than we look at running a business, and it takes a long time to transition. So, I think that’s one thing we learned. And I think folks told us that, but I think the tendency is to focus a lot more on looking at the business instead of looking at the people or the owners early on. And that’s a mistake. I think starting with the owner and then looking at everything else is important.
Zack Miller: Yeah, I mean, this is overly simplistic or overly simple and such an obvious one, but this experience only reinforces it, which is incentives drive behavior. So that plays in from the top where we talked about making sure that in almost all cases, sellers roll some equity and that the equity they get is pari passu with LPs and that they have exposure to all, to both platforms and care about the success of both platforms versus their own company. But then also it goes to talking about this unified sales and marketing motion, designing the commission plants. That’s a huge piece of it is making sure that…
Johnny Lieberman: It’s complicated, messy, but you’ve got to grind through it.
Zack Miller: Yeah, exactly.
Johnny Lieberman: It’s like table stakes. Alex, what do you think about calling one of our managers in like five minutes out of the blue and asking them that same question? Like I would be so curious on what they would say.
Alex Bridgeman: Yeah, sure, go for it.
John Flory: Zack! John! What’s going on?
Zack Miller: You’ve got Zack, Johnny, and a special guest, Alex.
Johnny Lieberman: Hey, where are you, Flory?
John Flory: Johnny!
Johnny Lieberman: How are you? Where are you?
John Flory: Special guest, Alex, huh? Oh, I’m just, I’m in the dungeon. I’m helping a couple of podcasters out, find the root cause to go after some of these criminals. What are you guys doing?
Johnny Lieberman: I have no idea what that means, but I’m excited that you’re excited.
John Flory: Oh yeah, yeah.
Johnny Lieberman: What are we doing? We’re calling to check in with you. Hey, John, say hi to the listeners.
John Flory: To the listeners?
Johnny Lieberman: Yeah, you’re on a podcast. You’re on a podcast. No, I’m serious, you’re on a podcast. Say hi to everyone.
John Flory: Let me tell you something, how you [inaudible 25:01], I wouldn’t doubt it. Well, hello everyone.
Johnny Lieberman: John, introduce yourself. Tell them who you are and what you do.
John Flory: Well, I’m John Flory, and I help with cyber security. We create programs, we defend people, we protect brands, et cetera.
Johnny Lieberman: That’s the best non-technical explanation I’ve ever heard anyone in cyber give.
John Flory: No doubt.
Johnny Lieberman: So, you’re on a podcast. Zack and I were speaking to Alex, and Alex asked us the question, which is, what’s it like to be part of a multi kind of acquisition strategy where there are different companies coming together? And you’ve only been working with us for a little bit of time, but like, what have you- what’s it been like? Give us the managerial perspective.
John Flory: Yeah, I will. Hello, Alex.
Alex Bridgeman: Hey, good to see you.
John Flory: How’s your podcast been so far?
Alex Bridgeman: It’s been good, ton of fun. We’re halfway through a pretty good conversation.
John Flory: Oh, man, when it first happened, I questioned it. And the reality is this particular podcast, I recognize Alex’s name, is something where I listened to it, I understood the vision, and when I thought about it, it’s amazing. Think of what it does for A, our customers, and B, our employer. The employees have growth potential, they can go to different segments, and not only can we service the customer end to end, but we’re experts in every area. That’s the value of this. We’re not some generalists that have one specialty, and we’re saying we do everything. We have the best in the world at protection, at helping with IT, at strategy. And those all are multi-pronged, but that’s what’s awesome about it. I’ve been able to leverage resources that’s just not feasible outside of this, not since I’ve been around anyway.
Johnny Lieberman: I feel like you knew my call was coming. It was like an infomercial.
John Flory: No, no it’s great, Johnny. And when I think about it for the staff, think about what they get to gravitate towards, what they really love. When I built HarborShield, it was great because we were able to put people in seats that were their passion and they loved it. And it was one of the… It really drove me because we were really able to do that. Now, man, it just takes that and really just… The multiplication factor is enormous. It’s great. So the employees are grasping it. It’s exciting. Everybody wants to- it’s like a family. You want to do good. You want to help out your family members. And when we’ve had that opportunity, it’s benefited the customer. And if you research anything with me, that’s what I’m about. How can we make the customer experience better? How can we provide value? Not a product or service. So we have that ability.
Johnny Lieberman: That’s great. That’s great. John, do you want to, while we have you on, just because I think a lot of folks are investors. Every day, I pick up the newspaper, there’s another attack, another attack. You guys picked the right industry. I think Zack and I, the amount we know compared to the amount you know about what’s going on out there with the threat actors and what you’re seeing. Like this is a non-technical audience on this podcast, but if you could just give folks just like a quick taste of what you’re seeing day in and day out in terms of some of the crazy stuff that’s going on.
John Flory: Yeah, man, I mean, I’m in it right now, to be straight. And non-technical would be all hell is breaking loose. So, what I do is I help people through cyber incidents. We help protect them, and then we help them when they’re going through an incident. And I talked about passion before. That’s my passion. So, I always get involved, and it’s bad, but the thing about it is it gives you good visibility to what’s going on. And really what’s happening is AI is a weapon that’s being leveraged by organizations that have amazing funding that are in areas of the world that we cannot touch. That’s what I do, we go after them, because a digital footprint, there is no hearsay. That evidence is there forever. It’s how much time, effort, and is it worth it to go after them. So, we go after them. But they’re, straight up, in parts of the world where we cannot do anything. So really what I want the listeners to take out of this podcast is, man, we have to look out for ourselves because these criminals are ruthless, they’re well-funded, they’re huge organizations, board of directors, and really highly recruited staff that are coming after us. And now they’re leveraging AI. They used to say, hey, they’ll scan the world, and if you have an open port, they’ll get in. They don’t have to scan the world anymore, because they can just log in. Because all our employees’ credentials and our credentials are out there, and now AI makes it so easy for these criminals to find them. So I would say be very vigilant and make sure you’re defensive, meaning have a defensive posture, meaning you document that you’re finding risk and reducing it. And you’re repeating that process. That’s defensibility in cyber because we’re up against something right now where that’s got to be top of mind as a business owner.
Zack Miller: All right, you’ve heard it. I have maybe one last question, then, Alex, we will give you a question as well. My question for you, John, is around knowing that a lot in this audience are investors or future investors, buying businesses, doing an M&A transaction, I saw a study recently that said, after an M&A transaction or deal is announced, there is an uptick of 100%, over 100% increase in cyber breaches and attempted cyber breaches against the company that has announced a transaction. I think the logic is the cyber criminals say, all right, a transaction just happened, money’s going to be changing hands, let’s get into the email system, simple business email compromise. That’s the method to get- BEC, bacon, egg, and cheese. But it’s the other BEC, the business email compromise. That’s the route. And people try to spoof wires and intercept wires. Tell us a little bit, like I know we’ve helped out some organizations, we can’t be specific about it, but we’ve helped out a number of organizations that are going through M&A transactions that are seeing that uptick in attacks. But what are we doing specifically around email security? Maybe talk about some of the AI stuff that the good guys have on our side to secure emails and prevent this type of business email compromise.
John Flory: Yeah, and that’s a really good point because 90% of these breaches are business email compromises. It starts in the mailbox, Zack. So I’m really glad you said that. I talked about AI. Here’s what AI has – it has speed, it has availability, and it has context. So the game has changed in technology where our old systems would just want to make sure that the person sending the email was that person. And what Zack’s talking about, business email compromise, I’m getting somebody else’s password, logging in as them, and then sending out emails to their contacts or extorting them, watching for a long time and seeing where the money is and then sending that out to change your bank account or et cetera. So that’s on the rise. And I talked about all hell breaking loose. Our normal defenses are struggling and our people are struggling because AI now has the context. It’s not a prince anymore. They know your family. They know your schooling. They know your business contacts. So, they’re coming at our users in a way which is very hard for them to defend. So AI could be used as a defense. And it’s the most effective thing right now that’s working because we cannot keep up with it. If we’re trying to fight AI as humans, we’re going to lose. We can’t do a million investigations in a minute.
Johnny Lieberman: John, how are they using AI for email defense?
John Flory: Yeah, so for email defense, here’s an example. Johnny, you log into some free app somewhere, you create your account in that app, you can’t remember all these passwords because there’s too many of them, so you use your work stuff. You say okay, I’m just going to use my work email, my work password because I’ll be able to remember it, and then what people aren’t realizing is that information is being sold. That’s how they’re making money. That’s what the app is for; they’re selling your password, clear text out the door, so people have this information. So say I get that information. I’m you, and I reach out to Zack. And I say hey, Zack we have a new account. I’d like you to transfer $250,000 into this account and please do it immediately. What a normal email defense does is nothing right there, just stone-cold truth. But what AI does is it says hey, yeah, Johnny is a trusted sender, but he’s asked Zack to do something he’s never asked him to do before, this link is something that’s never appeared before, so we’re going to start to run our million investigation in a second, which we just cannot do as humans and we’ll absolutely stop that attack using AI. So it’s something. The second biggest thing to take out of this is if you’re not fighting AI with AI you will lose. You will not win the fight. I don’t know if that answered your question there.
Johnny Lieberman: Beautiful, well said. You’re going to do the next podcast by yourself.
John Flory: Wait, wait, mergers and acquisitions, very, very important because it strikes a chord with me. Yeah, biggest target. Manufacturing is up, but acquisition’s very vulnerable, and they’re going after these. Business email compromise specifically during these transactions are 400% on the rise. Remember what I told you, our users are are against, our filters are against, and it’s very disruptive. And one other thing while I’m thinking of it, a lot of it is third-party breaches. We all saw the Microsoft CrowdStrike. It took down so much of the world. It took down the airlines. That is something that’s very hard to control, so we have to understand a couple of things. Who are our vendors? Who’s accessing anything to do with our business, and then we have to build that foundation, or we have to make sure that they’re secure or we accept that risk. And then secondly, the only way that people would make out okay with these big breaches from third parties is if they have an incident response plan, and they’re able to recover quicker. That’s the name of the game. We’re not going to be able to avoid it because these vendors and these different softwares are just huge targets. And I’ll tell you as somebody that breaks in to help businesses, to show them where they’re vulnerable, we could always get in. So you could invest all the money in the world. So really, it’s about building that program and that culture to safeguard your business.
Johnny Lieberman: That’s great. Alex, do you have anything for Mr. Flory?
Alex Bridgeman: Are there any specific tools that utilize AI that you’d recommend? What’s a starting point if someone has none of these things and just wants to explore and see what is the first line of defense that I could implement in this coming quarter?
John Flory: Guys, I can’t really hear Alex, I’m sorry. Can you just repeat it real quick?
Johnny Lieberman: Yeah, what are the basic tools or like the pillars you would want to explore if you have nothing right now but you want to start with the lowest hanging fruit?
John Flory: Yeah, that’s an amazing question. There are two things really to start with. One is training and the second is monitoring. Train your employees, get a certificate and have them phished every month so they can start to build that culture, and it’s good for them personally as well as professionally. And guess what, it costs about $25 a year per employee. So that’s something to do, and monitoring 24 by 7 by 365 is absolutely crucial because these criminals know when to attack, and they attack when you’re not being guarded. So, if you’re not having your- if you’re not being watched around the clock, you’re going to be really, really vulnerable. So those two things would be great starting points. I mean, there’s a lot to it and the documentation. Remember I said before, have an assessment because that’s going to give you a baseline to be defensible and proactive. Have that assessment. It’s going to show you where your risk is. And guess what, it’s not in technology. So where is your risk in the organization? And then it gives you a chance, but more than that, it gives you a roadmap to win, and so you’re reducing your risk and documenting it on a consistent basis, and that’s a proactive program that will really help a business.
Zack Miller: Alex, I would add, first of all, John, I couldn’t agree more. I would add those are sort of all services on the service side that you need product and people to make sure you’re doing those right. If we’re talking pure technology tools, I would add identity and access management, which is really just as simple as multi-factor authentication. I used to work in one of those companies, Okta. They’re great, but honestly, there are multiple good solutions. Endpoint security, again, that’s actually what CrowdStrike does. But there’s other good solutions. CrowdStrike is great, despite that colossal screw-up that they had. They are kind of the Cadillac of endpoint security. And then lastly, I would say email security can be the, or cloud application security if your email is a cloud hosted email is crucial. So those are maybe the three tools that I would start you with, with really identity and endpoint being one and two. It’s funny, like 10 years ago, if you had this conversation, people are talking about firewalls, which is to secure your network, people are talking about antivirus. And now there are cases where we say, look, we tell customers, not always, but sometimes you may not need a firewall. Or if you have a limited budget, that might be priority number five. And you might want to start with securing your own identities and endpoints first.
Johnny Lieberman: I mean, Alex, your question is good. The reason our businesses exist is because most people have no idea where to start. This is not- like the average mid-market board in the United States doesn’t have a single person that knows even elementary information about cybersecurity. So, folks usually come to us saying we have no idea where we are, like tell us where we are first, and then let’s create a plan over time. And I think that’s probably the largest part of our sales motion right now is consulting and meeting people where they are, even if it’s like I’m doing nothing.
John Flory: Yeah, that’s exactly the point. Alex, it’s so hard to answer that question. But really to have a starting point, and our point is there’s a lot of different places to start. Start with a conversation. Meet with the experts that are out there. And understand what’s available and then start making the plan. We have programs that start at a rate that’s really cost-effective. You know why? Because we want people to go on the journey. Because it’s so important and it’s such a big risk, and everything we’re talking about right now from a business email compromise perspective, all indications are showing that it’s increasing. And what’s more scary than that is remember we talked about third parties, that was 33% of breaches last year, it’s already over 40% this year. So, the people we’re trusting are getting breached. So while this is compounding, to have a policy, to have some documentation is really a posture that it’s a must. So I know it’s a long-winded answer, but the reality is there’s a lot of great tools out there that can help you, and it doesn’t cost a fortune to get started. But it does cost a fortune if you don’t. And one last thing while we’re talking about AI is you have to be very careful with AI being used in your organization because once people enter their information, it’s gone. So I’ve seen, hey, index this or sort this or do this. It makes their jobs so easy. But what’s happening on the back end is there’s a lot of personal information that’s being leaked on a lot of companies, and it’s starting to really bite companies. So, if you’re going to implement AI in your organization and enable, be an AI-enabled organization, you really need to have a policy and you really need to have an assessment done so that you will be defensible just in case, and then you have to watch your data. Those three things are really important to think about right now with AI. So in your businesses if you’re using AI, I would go to the owner of that process and ask them what is our AI policy? Do our users have it? Have they signed off on it and agreed to it? Because we’re seeing this bubble up, and I believe it’s going to explode.
Johnny Lieberman: All right. This man redefined the rule, guests don’t invite guests to the podcast. Thank you, John.
John Flory: All right. That was awesome. Well, that was a great surprise call, Zack and Johnny. And good to talk to you.
Johnny Lieberman: We appreciate you.
John Flory: Okay, thank you.
Join small company investors, search funds, private equity firms, business owners, and entrepreneurs in reading the Think Like An Owner Newsletter.