In the mistaken belief that their companies are not big enough to attract data thieves, small and midsize businesses notoriously resist tightening their IT security, ranking it as a low priority. Yet, when those same SMBs experience a data breach, they sometimes point the finger at their MSPs. Worse, they may file lawsuits and haul their providers into court to recoup financial losses from the breach.
MSPs, in fact, have their own mistaken belief about raising the issue of security. Some providers actually think that if they attempt to sell additional security solutions, their SMB clients will hold them liable if a breach occurs. This line of thinking ignores the reality that clients may hold them liable anyway.
One strategy for addressing this dilemma is for MSPs to shift from selling clients on the need for stronger security to educating them about why it’s important. MSPs can point out that hackers have grown much more sophisticated in the past 15 years, and SMBs are easy targets. They should educate SMB employees on how to spot malware threats, as well as phishing and social media scams. In addition to positioning themselves as educators and advocates, MSPs must also take these specific steps to avoid costly courtroom battles:
Back it up in court. Even when MSPs explain to clients that they need to encrypt the data on their laptops, those clients can turn around and claim they never heard anything about encryption. In a legal case, MSPs need to prove the steps they took to help protect the SMB from a data breach. A Security Risk Assessment (SRA) is one tool that provides documented proof that the MSP identified IT security risks and made recommendations to avoid them. The SRA identifies data, potential liability, and associated risk levels of threats such as lost laptops or hackers accessing data. It also identifies steps to lower the risk of a data breach. But whether the SMB agrees to implement additional security measures or not, the MSP has documented proof that his or her firm has identified risks and recommended additional security.
Write it up. SMBs rarely have written security policies. MSPs can provide these policies, not only to improve security for their clients, but again, to have documentation in case it’s ever needed in court. These policies need to address a variety of issues such as encryption, physical security, termination procedures, and technical considerations (passwords, authentication, etc.).
Insure it. Insurance is another important line of defense against a data breach. Almost every MSP has an Errors and Omissions (E&O) insurance policy. They also need cyber insurance. Their clients need cyber insurance too. MSPs can identify how much data their clients have and how much potential liability the SMB may incur if the company experiences a data breach. For instance, if the MSP shows that the client faces a $3 million liability risk but only has $100,000 in coverage, more insurance is needed. When SMBs have appropriate insurance policies in place, they are less likely to sue their MSPs.
By taking these simple measures, MSPs can maintain strong relationships with clients and avoid a costly meeting in a courtroom.
ART GROSS is the president and CEO of Breach Secure Now!, which provides security services to medical practices. He can be contacted at [email protected].