April 10, 2018

How to Protect Your Clients from … You

The tools that make it easy to manage a client’s network can also make it easy for ex-employees to hurt you and your customers.

By Mike Semel

An MSP who had just been involved in a HIPAA breach once told me, “I haven’t slept in four days, because I know my business won’t survive this.”

He had good reason to worry. His business didn’t survive.

As hard as you work to provide great services that help your clients, the sad truth is you also create risks. The steps you must take to protect your clients from those risks will also protect your company’s value and reputation, and your personal financial future.

I’ve dealt with two examples of MSPs whose employees harmed their clients and their business. Both cost the MSP customers. Both reduced the value of the MSP’s business. Both were preventable.

One involved a fired technician who was still able to remotely access client sites, because his former employer used a single, shared company login and password for all its customers. The MSP didn’t care enough about the potential risk to change the password after terminating the tech, even though IT best practices, HIPAA, and common sense require IT providers to have procedures in place for blocking access by former employees.

He cared later, though—after the client told his help desk it couldn’t access its network, and the recently fired tech was the reason why. The MSP owner felt like a victim. The client, who couldn’t believe the MSP’s security practices were so lax, fired him and ultimately collected a financial damages settlement. The tech, believing he was committing some harmless mischief, thought it was funny until the police handcuffed him. Later he pled guilty to a crime.

The second situation was remarkably similar. A fired engineer was able to get back into the MSP’s network and used the remote access server to log into healthcare clients, with domain admin privileges, and delete medical records. That’s a reportable HIPAA breach, and the MSP wasn’t prepared to survive an audit or investigation. He thought his company was too small to get caught. In hindsight, he wished he’d implemented HIPAA policies and procedures, performed a HIPAA compliance assessment, and trained his employees in HIPAA requirements, which likely would have prevented the breach from happening.

To avoid becoming part of a similar incident, create a checklist identifying every way your employees can access your clients’ networks, cloud services, online backup services, vendor portals, and data. Use two-factor authentication wherever possible. When you terminate someone, immediately:

  • Prevent your former employee from accessing your tools and client information.
  • Go into your client sites and change your company’s access credentials.
  • Change the access credentials to your network, devices, and applications if there is any possibility your former employee may have the information.
  • Get your clients to change their passwords if there is any possibility your former employee may know them.
  • Review network user lists with your clients to ensure your ex-employee hasn’t created a phantom account “just in case” they might have to get back in someday.
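
As an added illustration (not part of the original article), the access checklist described above can be kept as data and checked after each termination. Every field name, account name, client, and date below is constructed for this example.

```python
from datetime import date

# Constructed sample inventory: one row per way the MSP can reach a client.
# All field names and values are assumptions made for this example.
ACCESS_INVENTORY = [
    {"client": "clinic-a", "system": "remote-access", "account": "msp-shared",
     "known_by": {"alice", "bob"}, "last_rotated": date(2018, 1, 15), "mfa": False},
    {"client": "clinic-a", "system": "backup-portal", "account": "bob",
     "known_by": {"bob"}, "last_rotated": date(2018, 3, 1), "mfa": True},
    {"client": "clinic-b", "system": "domain-admin", "account": "msp-admin",
     "known_by": {"alice"}, "last_rotated": date(2018, 2, 1), "mfa": True},
    {"client": "clinic-b", "system": "vendor-portal", "account": "msp-shared",
     "known_by": {"alice", "bob"}, "last_rotated": date(2018, 4, 3), "mfa": False},
]
# Constructed sample: accounts present on each client network vs. the approved roster.
CLIENT_ACCOUNTS = {"clinic-a": {"drsmith", "frontdesk", "msp-shared", "svc_backup2"},
                   "clinic-b": {"drjones", "msp-admin"}}
APPROVED_ACCOUNTS = {"clinic-a": {"drsmith", "frontdesk", "msp-shared"},
                     "clinic-b": {"drjones", "msp-admin"}}

def offboarding_actions(employee, terminated_on, inventory):
    """List (client, system, account, reason) items still open for a former employee."""
    actions = []
    for entry in inventory:
        if employee not in entry["known_by"]:
            continue
        if entry["account"] == employee:
            reason = "disable: personal account of former employee"
        elif entry["last_rotated"] <= terminated_on:
            # A same-day rotation is flagged too: a date alone cannot prove
            # the change happened after the termination.
            reason = "rotate: shared secret known to former employee"
            if not entry["mfa"]:
                reason += "; no second factor"
        else:
            continue
        actions.append((entry["client"], entry["system"], entry["account"], reason))
    return actions

def phantom_accounts(present, approved):
    """Return {client: sorted accounts that exist but are not on the approved roster}."""
    extras = {c: sorted(a - approved.get(c, set())) for c, a in present.items()}
    return {c: e for c, e in extras.items() if e}

if __name__ == "__main__":
    for item in offboarding_actions("bob", date(2018, 4, 2), ACCESS_INVENTORY):
        print(" | ".join(item))
    print(phantom_accounts(CLIENT_ACCOUNTS, APPROVED_ACCOUNTS))
```
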

When you hire techs, stress that accessing your network, or a client’s, without authorization is a crime, and that you will assist in their prosecution.

Too harsh? Too much work? It’s nothing compared to sleepless nights, federal compliance violations, being fired and sued by your clients, and closing your business. Think your E&O insurance will cover you? A cyber-liability insurance company is currently suing one of its policyholders for $4.1 million after its MSP accidentally published a medical client’s patient records to the internet.

It’s your choice whether you wake up at 2 a.m. wondering if your clients are really protected against your company, or roll over and sleep peacefully because you’ve done the right things.
