Compliance, Automation, and More: An Interview with IT Director Luke Bragg

IT Director Luke Bragg
Ryenn Gaebler Client Success

By Client Success Manager Ryenn Gaebler

With giant data breaches perpetually in the news, it can be overwhelming to sift through cybersecurity information and updates. Once you think you’re caught up on the latest threats, a dozen more appear.

I wanted to learn more about the IT issues our clients are facing in the current moment and what’s on the horizon, so I sat down with Anderson Technologies’ IT Director Luke Bragg to chat about what’s most pressing on our clients’ minds (and pocketbooks).

Right now, in this moment, what would you say is the biggest IT concern for our clients?

Cybersecurity is always front and center, so many of our clients have cybersecurity insurance policies with compliance requirements. That’s the call we used to get just once in a blue moon, and they were quick solves. Now, we’ve probably had three or four just in the last month. There’s a whole slew of regulations depending on what industry vertical they’re in (like HIPAA), and some of our financial clients have SEC compliance or others like Sarbanes Oxley.

What’s required to comply with the average cybersecurity insurance policy?

Years ago, an average cybersecurity insurance policy was one or two pages with some very generic standards: antivirus, an email spam filter, just basic stuff that most people can go through pretty easily.

Now, even the insurance companies are getting way more specific and granular because of all the breaches that have been going on. The questions are more in-depth:

  • Are you doing two-factor for everything?
  • Do you have content filtering, intrusion prevention?
  • Do your workstation endpoints have antivirus and next gen EDR/XDR [Endpoint Detection and Response/Extended Detection and Response], which is basically a much more active AI-driven protection that has all of this auditing around it, installed?

If there’s a breach, investigators can use that to track every file touched, every machine hit, so they can try to get a footprint of what data might have been exposed once data exfiltrated out of the environment. A lot of that stuff is just getting way more in depth, and obviously takes a lot more time.

But breaches have been happening forever; why the drastic switch now?

The real shift that I’m seeing is in the policies. HIPAA, for example, doesn’t spell out “You need to do X, Y, and Z to be compliant.” It’s a framework of best practices; you have to come up with the model that works for your company, such that you feel comfortable if you get audited, you’re confidently within the realms of being compliant. That’s the hard part. Because the language is so massive and so broad, there’s a lot of gray area, especially for a client who’s looking at this like, “I don’t even know what this means.” We can’t legally answer the questions for them, but part of what we’re doing is sitting down with them and working through the questionnaire.

Is your company working towards HIPAA compliance? Check out our free resource Get Hip to HIPAA for step-by-step advice and more!

If there are things they need that they don’t have, we provide them information on what it will cost and how to implement. A lot of these services are components the clients may have passed before on if they didn’t feel like they needed it. Now, it’s going to cost them because if they say “no” to too many of those questions, their existing cybersecurity policy can get cancelled. If they do get a renewal quote with their network as-is, the price might be astronomically higher. If they’re able to implement everything where it needs to be, they can continue with a reasonably-priced policy.

Their HR and finance groups have to handle a certain amount of those questions. Stuff like “Does your company have a designated officer for X, Y, and Z?” We can ask the client to designate someone specific to govern who has access to what systems. Then from there, we can recommend tools and options to set up access control, where only certain people have access to certain files. We can make sure PII (personal identifiable information) data is locked down and encrypted.

It’s really a process, not just checking off a box. It’s ‘What do I need to start working on to get to this level?’ We’re trying to take the legal and the technical and put it in a way that our clients can better understand what they need to do and the costs of the investment.” – IT Director Luke Bragg

Aside from insurance coverage, at what point does not meeting policy-required cybersecurity measures become detrimental to the business itself?

Because so much is digital, IT is now the biggest chunk of most businesses. If that’s not functioning correctly or not meeting certain requirements, it can be the death of your business in a heartbeat.

Years ago, IT wasn’t necessarily looked at as an investment that can help you get to the next level, to be able to generate more revenue. But if a business is fully HIPAA compliant, that opens up revenue streams for potential clients who require that level of cybersecurity.

Companies have investors coming in saying, “If you’re not doing all this stuff, we don’t want to invest in your company.” When you start looking at it from that bigger picture, you start to see what IT can cost you if you’re not doing it, because you might have some potentially phenomenal deals, acquisitions, or investors that pass on you for somebody else.

Do you still get client pushback on recommendations that could move their business forward?

We do our best to implement things that are as cost effective as possible. We understand the struggles, especially if you’re a smaller business. But if you’re not in compliance and you get audited, you could be looking at X number of fines per day. It’s potentially astronomical. They have to really look at the risk of, “If I don’t do this, I’m putting my entire business at risk of being pulled out of existence, because I don’t want to spend a few extra dollars to meet a requirement.” I see the most struggle in the small businesses that just aren’t used to making that kind of investment.

This is why it’s so important to educate clients on a layered approach. You can’t rely on a single solution. There’s no magic button that says, “If I do this one thing, I’ll never have an issue.” It’s about spreading things out, having multiple layers of security, not relying on any one thing or one vendor and even having some overlapping, where you’ve got two products that are two sets of eyes—which is probably a hard sell for some.

It can be expensive, but then you have to have the conversation of, ‘Well, what would a breach cost you?'” – IT Director Luke Bragg

It’s not about pushing them to buy something. We don’t sell stuff we don’t use ourselves, that we don’t think is important. But that’s happening a lot where MSPs are getting put out of business because they didn’t do their due diligence. They’re just out there peddling as many products as they can with no thought of the legal ramifications of, “If my client gets breached and it’s proven that this software didn’t offer the protections promised, who’s responsible for it?”

What are some ways to instill confidence in clients who are trying to meet compliance requirements but are worried about that level of protection?

What we’re able to do through our systems and different security software is audit and track at a global level. Automated tools can help do this in a manageable way. If their insurance company needs a report to prove they’re following through on their policies and not just “checking it off,” we can easily spit out an automated report. If something happens, they’ve got a paper trail.

It’s not this big, scary, “the sky is falling, how do I even come close to doing this?” thing. The harder part is with the smaller clients that have operated under the radar for so many years and don’t have huge cybersecurity budgets. The HHS OCR [Health and Human Services’ Office of Civil Rights] isn’t looking at your size or what you can do. That’s irrelevant to them. What matters is if you touch certain types of data. This is what HIPAA requires, or you can end up getting some hefty fines.

With certain levels of our services, if a machine triggers a specific type of alert, we can immediately lock the machine and isolate it from the network, all through automation. In a breach situation where somebody’s working remotely and you can’t send someone to go unplug an affected computer, seconds or minutes count. We’re trying as much as we can to remove the human element where possible, because people are human, and they’re going to miss something. And that could be the one machine that gets breached.

Luke had so much more to share about data breaches, scalability, and the future of business IT, so stick around for Part 2 of this interview.

Don’t want to wait till Part 2 to start looking at how Anderson Technologies can help protect your business? Just give us a call!