
Get ahead of the warning by building out your own Shared Responsibility Model showing the responsibilities you have for your clients’ cloud services security, what your clients’ responsibilities are, and what the cloud provider is responsible for. For example, what if there is an incident because your client failed to tell you that an employee or contractor should have had their access terminated? What if their cloud’s security fails? Are you liable?
You should incorporate these concepts into your contracts, limiting your liability to only the things you can control.
You should also review your procedures and implement policies to share more information with your clients.
Recommendations like this warning, along with breach reporting laws, are requiring more security and transparency when it comes to accessing client systems and clouds. Apply zero-trust concepts to your access to client resources. Offer to proactively provide your clients with the access logs your RMM tool generates when your staff accesses their resources: review the reports, and automatically send clients their reports each month.
Remember that you aren’t in this alone. Talk with your attorney to ensure your contracts meet your current needs. Whenever a client wants to change the terms of your contract, spend the money to get your lawyer’s advice. If your lawyer says no, then you need to decide how badly you want the revenue based on the risks you will incur. Also understand how your Errors and Omissions and cyber liability insurance policies cover you when managing a client’s cloud.
Trust in MSPs is being targeted. The more regulators and governments warn businesses about working with MSPs, the more you need to up your game and be willing to show that you are walking the walk, not just talking the talk. You must earn your client’s trust every day, even when they aren’t looking.
But clients also need to understand their roles and responsibilities, which they can’t just outsource.
Opening image: Roxana Balint © 123RF.com