Don’t Let Your MSP Become the Next Big Headline, Part 1

Back in August I attended the #BigBig Conference hosted by Taylor Business Group in rainy, humid South Florida. During the conference, I had the opportunity to deliver a mainstage presentation to the MSPs in attendance, entitled How to Build a Cybersecurity Business for Your MSP. As you can imagine, this is quite a comprehensive topic when given only a 30-minute speaking slot. So, I thought I would flip it and deliver a talk focused on what NOT to do when developing a cybersecurity practice, by examining three court cases that have made headlines over the past couple of years.
In each of these court cases, a different MSP was either sued or is currently being sued by its own customer for failing to protect that customer from a cyberattack. The customers were breached, had their data stolen, and blamed their MSP for allowing it to happen. The claims range from breach of contract to professional negligence and malpractice; and not only are these MSPs’ names and reputations taking a hit, their bank accounts and financial stability are at risk as well.
So, in honor of Cybersecurity Awareness Month, I thought I would take my presentation and repurpose it into a new bootcamp and blog series, as the topic seemed to resonate well with the MSPs that attended the conference.
Spoiler Alert! Nothing that I am writing here is going to be considered revolutionary. All of the takeaways and key lessons extracted from these three court cases serve more as common-sense reminders – but sometimes reminders don’t hurt. While building a profitable and successful cybersecurity practice takes considerable time, money, patience and effort, you don’t want to neglect the basic fundamentals. Because in all three of these court cases, if those fundamentals had been considered and implemented, the MSP would have been in a far better position, and the lawsuit might well have been avoided altogether.
For background purposes, the court cases I’ll be referencing include:
- California: Law Firm Sues MSP Over Black Basta Ransomware Attack
- Maine: IT Consulting Firm Blames MSP for Data Breach
- Ohio: MSP Sued By Customer After Phishing Attack
6 Key Lessons From These Three Court Cases
I believe there are six key lessons that MSPs can take away from these cases. I will cover the first three in this blog and follow up with lessons 4-6 next week (READ PART TWO HERE). But in short, here are my points in headline form:
- Ensure you have a signed, written contract in place with Every. Single. Customer
- Ensure your agreements clearly define your scope of services to set expectations and limit your exposure
- Ensure you build your cybersecurity business in a way that pushes liability and risk back onto the customer
- Ensure your customers have their own cyber insurance
- Be consistent in your service delivery
- Ensure that you are delivering your quarterly business reviews!
So, let’s dive into these in detail…
1. Ensure you have a signed, written contract in place with Every. Single. Customer.
2. Ensure your agreements clearly define your scope of services to set expectations and limit your exposure
While it would seem like good business practice for an MSP to have written contracts in place with all of its managed services customers, unfortunately, as the California case demonstrated, not all MSPs do. In that lawsuit, it emerged that only an oral agreement and a handshake existed between the MSP and its law firm customer. Under that oral agreement, the MSP was to “provide monitoring services, advice, installation, selling cloud backup, and picking and selling software and hardware.” From this description it is not at all clear whether the MSP was also responsible for cybersecurity protection, because what ‘advice’ actually covered was never defined.
This case highlights two important takeaways. First, every MSP needs a signed, written contract with every single one of its customers. Second, that agreement should contain a comprehensive managed services statement of work that spells out precisely what is in scope and what is out of scope for the partnership and for the monthly fee you are charging.
Because imagine this worst-case scenario happening to you – your MSP is being sued by your best customer because they fell victim to a cyberattack, and they are blaming YOU for allowing the attack to happen. What happens when you are called into court to defend yourself against these allegations, but you have nothing that proves what you were, and were not, responsible for? It becomes a case of finger pointing, and your MSP making headlines.
So, if you happen to be an MSP who operates without proper, written contracts in place, seek out an attorney to get this formalized for you. Being noble and striving to be an ‘accommodating’ and ‘flexible’ type of service provider who doesn’t want to ‘tie customers to their MSP via a contract’ is an incredibly risky mindset. If your goal is to transform your MSP into a true cybersecurity business, then investing the money in hiring an attorney is required. And I encourage you not to repurpose something that you found on the internet or received from one of your vendors or another MSP. Use an attorney who is familiar with the MSP industry, your business, and the laws of your state, and have them draft this for you.
3. Ensure you build your cybersecurity business in a way that pushes liability and risk back onto the customer
Keep in mind that cybersecurity is a shared responsibility. Although you are their MSP, it’s not all on you to keep your customers safe – they play a critical role in their own safety and security as well.
And what do I mean by that? A question I often get asked by MSPs is: “If a customer tells me that my recommended cybersecurity package is too expensive and they won’t pay for it, should I just get them to sign a Limited Liability waiver or a Release of Liability form to protect my MSP instead?”
Short answer: ‘NO’. I don’t agree with getting customers to sign any form of limited liability or release of liability waiver. Even if your customer signs one, your MSP can still suffer reputational damage, and you can still make headlines regardless. In the heat of the moment – when they get breached – that is when your customer will conveniently forget that they ever signed a waiver with you.
And your customers WILL get breached! If a customer doesn’t have all of your recommended security services in place, there are gaps in their protection, and those gaps make it a whole lot easier for attackers to get in. When that happens, the customer will likely be very angry and looking to lay blame – and it won’t be on themselves. They could well turn on you and say: “Why didn’t you insist that we had to be enrolled in your security program?” “Why didn’t you mandate this? You are the expert – we aren’t – you know more about this than we do.”
As Charles Weaver – founder of MSP Alliance – said recently on the N‑able Now That’s IT podcast with Chris Massey: “You can no longer continue to absolve your customers from their poor decisions.”
So, if a customer has told you that your security services are too expensive and they won’t sign your new agreement, instead of having them sign a limited liability or release of liability letter, I would rather see you walk away from that customer – because that is the only REAL way you can protect your MSP from both liability AND reputational damage.
Respectfully acknowledge their concerns by saying: “Mr. Customer, I understand where you are coming from. Why don’t I refer you to another MSP then – one who doesn’t enforce the same set of cybersecurity standards that I do? Because this is the program that I recommend to all of my customers who are in the same industry/business as yours. My job is to protect you, your business, your livelihood and the livelihood of your employees, and if you won’t allow me to do my job correctly, then unfortunately I cannot serve as your MSP. But I would be happy to refer you to someone else.”
By telling your customer that you would happily refer them to another MSP, you are standing your ground and conveying how seriously your MSP takes its cybersecurity responsibilities. By capitulating and having the customer sign a waiver instead, I feel that you are sending mixed messages. On one hand, you are telling them that security is important and they need to be enrolled in your advanced cybersecurity program. On the other hand, you are also telling them: “No worries if you don’t agree with me. Just sign this waiver and we will continue to support you anyway.”
I would rather see MSPs normalize disqualifying prospects who don’t take their cybersecurity responsibilities seriously, and walking away from customers who would subject the MSP to unnecessary risk and financial and legal liability. Churn is not a bad word when you are focused on building a better book of business, because a quality book of business is what ultimately brings higher business valuations – which will make your MSP better off in the long run.
If you are interested in learning more, then consider registering for my upcoming bootcamp Don’t Let Your MSP Become the Next Big Headline. I also encourage you to download a copy of my new security e-book: Defend & Prosper: Maximizing the Cybersecurity Opportunity.
Stefanie Hammond is Head Sales and Marketing Nerd at N‑able. You can follow her on LinkedIn.
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only. It should not be relied upon for legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
N-ABLE, N-CENTRAL and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd., and may be common-law marks, registered, or pending registration with the United States Patent and Trademark Office or in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.