Some customers simply refuse to spend money on security no matter how clearly you convey the risks. Chances are good, of course, that these recalcitrant customers will eventually get breached and may blame you or even seek compensation for breach-related damages.
There are several strategies you can follow to try to prevent these situations from arising in the first place, and failing that, protect yourself from being on the losing end of a lawsuit.
For instance, at the beginning of every engagement, Mainstream Managed Services, a Merrimack, N.H.-based MSP, conducts a complete network security scan, followed by a detailed statement of work that lists the identified security vulnerabilities, the action plan proposed to address them, and a signature page where clients can accept or decline the plan in writing.
Reluctance to spend on security is a common scenario, though, “mainly because [customers] don’t see it providing them with any competitive advantage,” says Craig Peterson, Mainstream’s president.
For those that resist recommendations, “the first thing we try to do is work with the client to identify the issue,” says Michael Schenck, director of security services for Kaytuso, a New York-based cybersecurity consultant. “If it’s a price-point issue, we try to find another way to reach a security solution.”
If this approach fails, Schenck tries to cover his firm legally with an approach similar to Peterson’s. He prepares a “Risk Acceptance and Waiver of Liability” letter for signature by both parties documenting security solutions proposed, but declined by the client, with the client accepting all risks of this decision and agreeing not to hold the consultant liable. In many instances, he notes, this letter is enough to get clients to rethink their position.
Carefully crafted contract provisions that explicitly lay out who is and is not responsible for what happens if security recommendations are not followed are a must, but they don’t provide complete protection.
“Even when a client doesn’t take their advice, the MSP still has some responsibility to show that they are exercising their best efforts to provide security,” says Rory Sanchez, CEO of True Digital Security, an IT services provider with offices in West Palm Beach, Fla.; Tulsa, Okla.; and New York.
MSPs can help protect themselves here by including more security controls as part of their basic services offering, “so that at a minimum, they can show that they are doing their best to safeguard things,” Sanchez says.
Despite these best efforts, though, when a high-profile client breach gets publicized, “what’s also going to hit the news is the fact that you are the MSP,” Sanchez says, “not that you gave the client sound advice and they refused to follow it.”