Troy McCollum is the Managing Partner of Layer 9 located in Virginia.
For 19 Years, they have built something great as a team. Layer 9 is now listed on VA’s Best Place to Work and a MSP 501 top company. Troy could not have done this without the entire team. He is proud of what they have done, the clients they continue to help. Their passion is helping companies leverage the technology they have and fill in the gaps of what they don’t. They once were a break/fix computer company, now they have partnerships with clients and help workflow, risk, and assist with company decisions. They are now specializing in 3 verticals. Construction – Medical – Law.
Learn from his expertise and what trends are helping grow his firm on this episode of The Managing Partners Podcast!
Erik J. Olson (00:00):
Hey everybody. This is Erik J. Olson for yet another episode of The Managing Partners Podcast. On this podcast series, we talked to managing partners about how they are growing their firms, running their firms and what they are doing to get more cases. But today we’re changing it up. We don’t have a managing partner on, we have an it provider to talk about how he helps law firms stay secure, protected, and how he can help you as well. Without further ado, what’s up, Troy? How you doing? Yeah.
Troy McCollum (00:31):
How you going?
Erik J. Olson (00:32):
I’m doing great, man. Appreciate you joining us.
Troy McCollum (00:34):
Sure. Thank you for the invite.
Erik J. Olson (00:36):
Of course, man. Well, Hey, tell us a little bit about yourself and your firm.
Troy McCollum (00:40):
Yeah, so my name’s Troy McConnell with layer nine. It firm local here in Hampton roads for this is our 19th year be our 20th year in August. So we’ve been around for a while. Seen some changes in the in the it events, if you will. And really just got started and have a passion for really protecting people’s data and delivering it properly and make sure that we can manage workflows and productivity. So law firms naturally became attractive because to all of ’em, they, they really value time. And that’s the things we, we work to give back in the in the it world to make sure that we’re protecting their data, their client’s data and delivering that time back to them.
Erik J. Olson (01:18):
So I would imagine with the law firm yeah. Time is, is, is, is a big issue. Yeah, we, we bill by the hour and so we gotta make sure that we’re efficient with our time usage. Right. But also like security. I would imagine email is a huge thing. Maybe even text messages, do they come into play as well?
Troy McCollum (01:38):
Yeah, they can cuz it depends on how the, the, the relationship with them and their clients, you know, and what policies they have in place. I find it almost ironic a lot of times that there’s a lack of policy in law firms for it management and, and how things are handled, how cases you know, documentation is delivered, whether it’s emailed through a portal, you know, hand delivered, scanned in what, you know, are they using Dropbox? What are they doing to, to house the data that, that becomes the big part of it?
Erik J. Olson (02:11):
Yeah. So I would imagine if there’s like a request for discovery, like a lot of that information has to be dug up potentially, but certainly it needs to be preserved and probably centralized. Right. If you have say five attorneys and, and that they’re sending emails to the same client, like probably that all needs to be centralized.
Troy McCollum (02:27):
Yeah. Document management becomes a huge part of
Erik J. Olson (02:30):
It. Yeah, definitely. We, we have a, a personal injury law firm in South Carolina and they have a requirement to preserve every piece of advertising and public messaging for two years. Wow. And their, their it person is gonna be like handling that one. They came to us at first as a marketing agency. We’re like, eh, that’s kind of it it right. So big requirements. And if they don’t do it and they get called out on it or, you know, if they have to produce it and they can’t it’s, it’s a concern. So it’s a project that’s definitely going forward. Do you see things like that a lot as well?
Troy McCollum (03:03):
Yeah. And a lot of times what we also see, it depends who their clients are, you know, it, they could be, you know, personal injury. It could be, you know, divorce, it could, but then you get some that also do and review government contracts. So if like the new CMMC requirement is one as well, that if they’re reviewing the contracts and touching some of that information, they too have to adhere to that same compliance. So that’s where it, it, that’s where the people have to really understand and know what information that they’re, they’re housing protecting and reviewing.
Erik J. Olson (03:37):
So let’s talk about that regulation you just talked about. Can you, can you explain in a little more detail what that is and, and how that applies to law firms?
Troy McCollum (03:44):
Sure. Yeah. So CMMC is cyber security, mature maturity modeling cert certification. So a lot spit out. That’s why we all say CMMC. But what that is, it’s a new government compliance that is being rolled out. You, everybody, I would imagine has heard of the N compliance, but now the CMMC CMMC takes that N 801 71 guideline and it adds to it. It’s adding 15 additional controls. It’s still in the works a little bit. They’re close. They’re on, CMMC 2.0 now, and it’s supposed to roll out by, I believe it’s the 20, yeah. 24. It’s gonna roll out and be official, but people now are doing their CMMC readiness. And what that is is it’s things is to get, make sure that compliance is happening and you can demonstrate it with, I am such a two factor and, you know, you’re encrypting the hard drives or wherever the data sits. You know, you don’t have to encrypt the machine if there’s no data on there, but you do have to encrypt it if there’s actual you know, data resting on the device.
Erik J. Olson (04:46):
Gotcha. Okay. Now the, the law firms that come to you, do they typically come for something like that, this C MMC, or is this something a little more like mundane? Like, I, I just, I need someone that can like get computers to the new staff and printers and all that kind of stuff.
Troy McCollum (05:04):
Yeah. Usually there’s a frustration part that plays into there that something’s happened, or there’s been at least a trigger of something in it that is not working for them. We did just actually sign off a new, a new partner and we onboarded ’em actually yesterday. But what they, what their pro their concern was, was actually security because some, their cyber insurance was calling for things that they realized that they didn’t have. So that became a huge part cuz they, they wanted to make sure they could get cyber insurance and it’s changed a lot. Cuz you used to be able to check a box that yes I do this, this and this three things and I’m good. And they were given, given an insurance for, you know, 1500, $2,000. Now there’s specific items they’re asking for that. Do you have like an EDR, which is an advanced endpoint detection in response it’s an advanced antivirus they’re looking specifically for things is all your email too factored. And when you’re signing off and checking those boxes, they’re also asking to sometimes to, to show proof of it. Sometimes I know the reports are having to be sent showing the documentation and the proof that that’s being done.
Erik J. Olson (06:10):
So yeah. Speaking of like different systems, like say email, do you provide that as well? Or do you guide them to some other system like say outlook or
Troy McCollum (06:19):
Yeah. So generally we’ll either they’re using G suite or office 365 it’s it’s could be user preference. We’ll make recommendations depends on the workflow again, cuz you know, if they’re using solidify, you know, we we’ll make some recommendations on what software they’re using. That’s gonna be the best for integrating into that. And then making sure, you know, you can have office 365, but that doesn’t necessarily mean it’s protected. There’s things to do specific for, for legal, with legal hold is one of ’em that has to be enabled so that you really can’t ever delete anything. It’s always there and that’s a requirement and it’s it, it’s one of the compliance requirements that you guys have. But also there’s, you know, making sure that two factors enabled it’s it’s there by default, it’s just turned off by default as well. When you first sign into your inbox, it’s just a log, a password, you know, it doesn’t cost really any extra to do it. Maybe the implementation depends on how many accounts and things, but to physically check it and do it yourself. It’s free.
Erik J. Olson (07:14):
Yeah. So for, for the benefit of, of some of the audience that may not be aware of two factor authentication, can you explain what that is and how it helps?
Troy McCollum (07:21):
Yeah. So multifactor or two FA two factor authentication. I would hope that when you sign into your bank account, you’re doing this today. It’s when you have a login, a password and then there’s a second form of, of authentication via the text message or using an app to like a Google authenticator there, mean there’s multiple ones out there, but that it’s a six, six digit seven digit code. Generally that’s pushed out that you can type the code in. And some of ’em also offer a push option where if you go to the site, put in the log in the password successfully, it’ll actually your phone will pop up and say, did you, do you wanna allow? And you can just hit allow if it pops up and you didn’t ask for it, then you know, somebody has your login and password. So that would be something to obviously take action on.
Erik J. Olson (08:04):
Yeah, definitely. Yeah. We use two-factor authentication on any system that allows it and we use we’re all cloud here a hundred percent. So we, we have a lot of two-factor authentication codes being sent out and whatnot. At one point my, my dad actually said that he thought that my email got hacked because he got a spoofed email. Right. And I’m like, nah, I don’t think he said that. I got two-factor authentication. I’ve got a strong password. And I use a password manager. And speaking of which password managers, is that something that is commonly probably not used or is it, is it recommended by you and your firm?
Troy McCollum (08:37):
Yeah. Commonly not used. We do recommend it for example. So you have a paralegal that’s working and she’s got access to obviously all the internal software that you guys are using, whether it’s cloud or one pro. But then there’s also other sites that maybe it’s your, your practice admin. And she also has access to the, the 401k information or anything else that’s happening inside the practice internally. That’s gonna be logging the passwords that you’re gonna need. If that ad practice admin leaves quits you fire, whatever happens, you wanna maintain control over that for the practice, not for the individual. So that’s something that we definitely recommend and push because a lot of times people by nature, lazy and easy kind of go hand in hand sometimes and they use that same password. Yeah. This is a scan that we actually run and we just, for the office that we actually just signed up, we ran the scan and came back multiple times on the websites we’re using the same passwords for. And that the problem with that is if let’s just say, for example, your Netflix password is the same as your bank password is the same as to your online portal to your client information. Or it’s a small variable. If I take that known password and plug it into a bot, it can actually go out there in, you know, multiple times a second trial password, especially if things are not in place to tell, to reject it lock after seven attempts or notifications, things like that.
Erik J. Olson (09:59):
I have never heard of a scan like that. I I’ll, I’m gonna ask you questions after we stop recording about that, how it works. That’s pretty interesting. That’s neat. I, I, I’m kind of interested in that for, for, for me personally. But, but yeah. Password managers are fantastic. We use one for our entire team and so we can create these little like vaults and then the vault has the credentials and that’s kind of a need to know basis. Which is, well, I, I think that’s kind of a foundational aspect of security, right? Like need to know you give people access to what they need to know and, and know more.
Troy McCollum (10:31):
Yeah. Keep keeping it minimized. And then also understanding what information you’re protecting. That, that same scan that we ran there was a new operations person that came on board had been there for three, four weeks, not very long, you know, they’re really trying to head down, get a lot of things straight in the business from an operational standpoint, from an it standpoint. And hence the reason we came on, but also we, we, when we ran our scan, we found out that that person, the new operations person also had a number of cases on her machine, which they didn’t realize that when they went to their new cloud based system, that they were still syncing their old OneDrive to every machine that was a new user in the practice. And that the new operations manager had a laptop and it wasn’t encrypted and had all the case files on it and they asked, why does she have case files?
Troy McCollum (11:18):
I was like, that’s a great question to ask you guys. So they realized that the case files were there, cuz they knew the names. I didn’t know the names when I, when I showed them the report. But knowing where that information is is, is key and what’s going on with it. Cause you know, you think about how many years you’ve been in practice and how the business has grown or changed or, and morphed and the software’s changed and everything else that cleanup sometimes get gets ignored. And that that’s super important and know where, where, where that data sits.
Erik J. Olson (11:45):
So, so the, the, the people that listen to this podcast are a lot of managing partners. A lot of partners, a lot of marketers, they’re all trying to grow their firm. That’s that’s the point. Right. Right. Which means that they’re adding staff what would it be like if they worked with you and they, and they hired someone new from an it perspective? Like how would things change maybe from the way that they’re doing it now to the way that they’re doing it with you?
Troy McCollum (12:06):
Sure. I mean, and we also take, take these recommendations and use ’em with your, your it person, but the, the key to it and the things that we’ve seen that have been really super successful is having during the onboarding documentation that you have with the new staff member, whether it’s a paralegal front desk person, partner, you know, man, new managing partner, or, you know, just another just another attorney having it set up so that when they come on, they’re set up for success and, and their software’s set up, their emails set up, their printers are right. But having that new user check sheet and that being part of the onboarding in HR, just to say, if they’re off boarding that information, be in there as well, so that they are locked out properly and we’re protecting the firm practice. But that’s, that’s what we’ve seen key is doing that.
Troy McCollum (12:53):
We ask for a week’s notice we ask for five business days to notice of notice before a new person begins. Generally nobody walks into a law firm and says, I’d like to have a job when they’re hired on the spot. So we ask for at least five days so that we can make sure they are set up for success. And then also it gets tested by either the practice admin or whoever it may be in the practice just to make sure they’ve got everything they need and any nuances to it are taken care of before that person sits in that chair logs in and has a successful it relation, you know, or successful relationship with the practice from the start. So they have a good onboarding.
Erik J. Olson (13:29):
Very nice, very nice. Now I, I noticed on your website, you have a, a, a book or a white paper about cyber security, five ways to prevent a cyber attack. What, what are, what are some considerations when it comes to cyber security, cyber attacks what, yeah. Ways that you can prevent it.
Troy McCollum (13:48):
Sure. really the first thing is identifying what you’re protecting and, you know, knowing what’s there. Also the simple steps you can take is making sure the two factor as we discussed earlier are enabled whenever you can. You definitely turn off your email and then, you know, user training is also the biggest thing. You know, end user training because the human firewall is the best element you can have for defense just yesterday. Amy who works at our office, got an email and sent and forwarded to me, she said, ha ha, I guess you want these gift cards. It was an old email address I used to have and she sent it to me and it, it, it was my, my name, Troy McCollum. And in hyphens, it had my email, my email account. So to the eye, it looked real. Yeah. You know, she sent me a screenshot of it and it was asking for four home Depot gift cards, totaling a $2,000 total.
Troy McCollum (14:41):
And she knew it wasn’t me asking for ’em. So because we’ve done end user training, you know, had I not done that? She may have got ’em cuz it, it looked legitimate from my email, but when I, I walked over to her desk and cuz she sent me the screenshot teams, we used Microsoft teams for inter office communication and she hit reply and I showed, I said, well, I hit reply and I’ll show you. And the actual email address was some other random Gmail account that was not true. But to the naked eye, if she’d have gone and got and hit reply and insert that would’ve done it. And we’ve seen that multiple times in practices and businesses alike.
Erik J. Olson (15:15):
Oh yeah, that happens here all the time. I, I, I get forwarded an email or, or one of my employees will slack me, which is, you know, similar to teams communication where they’ll say, Hey, Hey, is this really you? And it’s like, no, that’s good eye. You’re smart. You did the right thing. And then I’ll, I’ll just tell the entire team that just beware cuz apparently like they, they, these hackers like to masquerade as me, but they they’re not even as sophisticated as, as like what you described. The email address that is coming from is not my email address. It may have the word Eric in there, but it’s clearly not my email address and they can see that. And then, you know, we work with computers all day long and kind of sorta in it with digital marketing, at least, you know, a little segment of it, but we, we can spot it. But I would imagine that other people that haven’t been talked to haven’t been warned or aren’t as sophisticated when it comes to that could easily get booed and, and you’re right. That’s, that’s the big problem, right? Is the human engineering.
Troy McCollum (16:13):
Yep. Yeah. I mean it’s 88% of the time breaches happen through email because it’s public facing. People can send to it and it’s just the easiest way into a network.
Erik J. Olson (16:25):
Troy McCollum (16:26):
And then, you know, if they click on that one click and that’s really what our, our, our test does that we, we, we actually do simulated fishing testing to end users. Mm-Hmm <affirmative> that would be nice. The first time we do it, we do it without telling anybody now the, the managers know like the owner manager sea levels. No, but we don’t tell anybody else in the practice and we send it out and see how, how they perform. And then we do a on onsite or remote depending on, you know, location seminar with ’em and kind of, and show ’em the results. And I’ll ask the, I’ll ask the managing partners, Hey, do you want me to show what these people did individually? Or do you want me to just, you know, kind of gray it out, but let ’em know what happened internally, but not call anybody out most of the time they’re like call ’em out, you know, cuz they’re saying you’re not gonna get me, but it happens a lot. But that’s that’s part of the education piece is understanding what they did and then quarterly doing actual training that is, is a click through that. They can’t just turn a video on a walk away.
Erik J. Olson (17:19):
Is it so is it possible if you get an email and you click on a hyperlink, you will go to a website that just immediately downloads and executable that’s a virus.
Troy McCollum (17:30):
Yes. So part of the, the, the test that I sent out, that one, speaking about that written report on, and I’m more than happy to send it to the, the list was on the call. If they wanted to run it, it’s a miniature pen test. I do have a document they sign before we run it, cuz it is actual penetration test on the network. But the document just states that obviously speaking to lawyers here, you know, we’re not gonna sell any information. We may see proprietary information cuz we, we may see the website and the same passwords being used type deal. It won’t show us the full password and you’ll get a copy of the report. But inside that report, the, the things it looks for and shows you, you you’ll be amazed at it. How many times people do reuse passwords and do things like that. And that that pen test really gives you a good insight on what’s going on there.
Erik J. Olson (18:15):
Well, I’ll tell you what, Troy, I’m interested. We’re gonna talk after this. So <laugh> Hey, if, if someone else is interested and they wanna find out more about your services, the penetration test you’re talking about, they have some questions about it. Where can they contact you?
Troy McCollum (18:30):
Sure you can. You can go right to our website. It’s layer nine L a Y E R, the number nine it.com. Or you can give us a call. That’s our direct to our sales number there, the 5 9 8 3 4 3 9 7.
Erik J. Olson (18:43):
And you are based in the Virginia Beach Norfolk market as MI, right? How far away from this, you know, Eastern Virginia, can you work? Like do, do you fly to places or is it all within driving distance?
Troy McCollum (18:58):
Yeah, so funny I, I have a new hobby, which is palace license, a pilots license. So we do fly of places as well, even before the hobby, but we’ve got some, we’ve got firms in South Carolina, Florida, Tennessee, we’re talking to, gonna to Colorado. Good
Erik J. Olson (19:13):
Troy McCollum (19:14):
So yeah, so really east coast, but a lot of it it’s starting to spread out now because really our, my goal is really to help protect and deliver data that that’s, that’s really our, our company mission is getting that done. So 95% of the work is done can be done remote. There is times we, we do go on site and we do spend time, you know, doing reviews and things and, and getting businesses to, to move forward and align with a lot of businesses with aligning technology with the business needs and goals. But in doing that, sometimes there is FaceTime involved, but mm-hmm, <affirmative> a lot of work with troubleshooting, help desk support, things of that nature, standardization and optimization. A lot of that can be done remote.
Erik J. Olson (19:53):
Very cool. Love it. Well, Troy, thanks again. And everybody, if, excuse me, if you are looking for digital marketing for your law firm, that’s what my firm specializes in. You can find out firstname.lastname@example.org. We focus on websites, a lot of SEO, online advertising and social media all Troy, appreciate it. All
Troy McCollum (20:11):
Right. Thank you. Appreciate it.