If Your Client Doesn’t Take Security Seriously, Walk Away

Solarwinds, Tactics ICT Solutions, Remote Management and Monitoring, Automation, Asset Management, Compliance

If your client’s network isn’t secure, how does that affect you? It’s a question every MSP must grapple with in agreeing to provide remote services to clients.

If the answer isn’t acceptable, you have to seriously consider walking away from a business that refuses to take the proper steps to secure its network. The liability is too great. It takes remarkable discipline to turn your back on business, but you must weigh the perils of a potential security breach at a client site and the risks it poses to you.

“Clients that don’t follow your advice or fail to adhere to security standards not only put themselves at risk, but also expose you to legal and social liability as well,” says John Tippett, vice president and general manager of Aisle8, a manufacturer and distributor exclusively serving the channel.

“Although you can create legal language to minimize the exposure there, you can’t avoid the headaches that come with security breaches, and enforcing contract clauses can be expensive and time-consuming.” Clients, he adds, are prone to forgetting that they didn’t take your advice. “You’ll be on the hook one way or another, and you’ll be in a lose-lose situation.”

Tippett has vast experience in managed services, having himself been an MSP before joining Aisle8. He also served as Chair of CompTIA’s Managed Services Community and was named the association’s first Member of the Year earlier in February.

Protect Your Reputation

Every MSP needs to have well-defined contracts that specify your liability as well as the client’s regarding security incidents. But as Tippett points out, defining the legalities only gets you so far. You also have to think about protecting your company’s reputation.

“News of a client security breach will surely spread throughout the community, and undoubtedly the name of the IT company will be attached to the rumor mill, something you don’t want to be a part of,” Tippett says. “The public will make the assumption that the breach was equally the fault of the IT company, and you won’t have the opportunity to share your side in many cases.”

IT providers also can be dragged into investigations involving a client over data security and privacy protection. Such was the case with Datto, SECNAP Network Security and Platte River Networks, all of which had some involvement with former Secretary of State Hillary Clinton’s private email server. Controversy surrounding the server plagued the former First Lady’s 2016 race for president, which she lost to businessman Donald J. Trump.

Although investigators have found no evidence of a security breach involving Clinton’s server, those companies found themselves tangled in the story and subjected to heightened scrutiny. Had a breach been discovered, the service providers would have had to address additional liability questions and further manage public perceptions of their brands.

Before Giving Up

Tippett recommends trying to make prospective clients understand the risks before giving up on them. “Educate prospects on shortcomings in security and do what you can to win the business so long as plans are in place to improve. However, if you get the impression that it’s going to be an uphill battle and they don’t seem serious about security, take a hard look and decide if you truly want to engage further,” he says. “I’m definitely not a fan of taking on just any work. When you’re small and growing, it’s appealing to take on anything that helps pay the bills, but you have to be careful to decide which clients to align yourself with as you grow.”

And that is sound advice.