Did you ever see the 70’s movie “Avalanche”?  During the entire first half of the movie, everyone on the planet, including this guy’s mom, tells him NOT to build his resort on the side of this particular mountain.  They tell him about the dangers, and even in the classic disco scene where everyone is celebrating the opening of the resort, the word “avalanche” gets said about 1,000 times.

Even if you’ve never heard of the movie before, I think you know what happens next.  There’s an avalanche.

Spoiler alert: almost everyone dies including the resort owner’s mom.  (The disco instructor survives, though, for some odd reason.)

So, what’s my point?  You’re on the front lines of cybersecurity for your clients. Everyone, including me and possibly your mother, is saying that it’s not a matter of IF, but rather WHEN a breach will occur.  What happens next?  What happens when a client’s data is compromised?

The avalanche of blame begins.

The finger often points to the MSP. Whether it’s fair or not, the burden of proof typically falls on your shoulders to show you’ve done everything possible to prevent the breach. The question isn’t just, “How could this happen?” but “Why didn’t you stop it?”

MSPs must actively safeguard themselves from blame in a breach scenario. Without proper preparation, the consequences can be devastating, ranging from lost clients to lawsuits and even financial ruin.

Here’s your survival guide to navigating these challenges:

1. Document Everything

Documentation is your first line of defense. Ensure every action, recommendation, and client decision is clearly recorded. This includes:

  • Detailed service agreements outlining roles and responsibilities.
  • Client approvals or rejections of specific recommendations.
  • Incident response actions and timelines.

If a breach happens, you’ll need to prove that you upheld your end of the deal, and that the client understood the risks.
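One way to make that record hold up after the fact, as an added example that is not part of the original post: keep recommendations, client decisions, and incident response actions in an append-only, hash-chained log, so that any later edit, insertion, or deletion of an entry is detectable. The client name, entries, timestamps, and field names below are constructed for illustration and are my assumptions, not a format the post prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Hash of the (non-existent) entry before the first one.
GENESIS = "0" * 64


def _canonical(record: dict) -> str:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_entry(chain: list, kind: str, client: str, detail: str,
                 decided_by: str, when: Optional[str] = None) -> dict:
    """Append one record; its hash covers the previous entry's hash.

    kind is an assumed label such as "recommendation", "client_decision"
    or "ir_action".
    """
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "ts": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "kind": kind,
        "client": client,
        "detail": detail,
        "decided_by": decided_by,
        "prev_hash": prev_hash,
    }
    body["hash"] = hashlib.sha256(_canonical(body).encode()).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry).

    Catches edited fields (hash mismatch), deleted or reordered entries
    (seq / prev_hash mismatch), and inserted entries (prev_hash mismatch).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i
        expected = hashlib.sha256(_canonical(body).encode()).hexdigest()
        if entry.get("hash") != expected:
            return False, i
        prev = entry["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Constructed sample: a recommendation, the client's decision, an IR action."""
    chain = []
    append_entry(chain, "recommendation", "Acme Dental",
                 "Enable MFA on all Microsoft 365 accounts",
                 "MSP: j.doe", "2024-03-04T15:02:00+00:00")
    append_entry(chain, "client_decision", "Acme Dental",
                 "Declined MFA rollout; cited staff friction",
                 "Client: office manager", "2024-03-11T09:30:00+00:00")
    append_entry(chain, "ir_action", "Acme Dental",
                 "Disabled compromised mailbox, reset credentials",
                 "MSP: j.doe", "2024-06-20T22:14:00+00:00")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))

    # Someone later "remembers" the client approving MFA: detected.
    edited = [dict(e) for e in chain]
    edited[1]["detail"] = "Approved MFA rollout"
    print("after edit:", verify_chain(edited))

    # The decision entry is quietly dropped: detected at the gap.
    dropped = [chain[0], chain[2]]
    print("after deletion:", verify_chain(dropped))
```

A chain like this proves only that the log is internally consistent; it does not by itself prove who wrote an entry or when. For that you would sign entries or periodically anchor the latest hash somewhere you do not control, such as in an email to the client, which also serves as the written acknowledgment the next point calls for.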

2. Be Transparent About Risks

Many MSPs avoid tough conversations about risks to maintain a positive client relationship. However, sugarcoating potential vulnerabilities can backfire. Regularly educate your clients on their security posture, including areas of concern. If they choose not to address those risks, ensure they acknowledge this in writing.

3. Conduct Regular Risk Assessments

It’s not enough to set up security solutions and walk away. Risk evolves as technology, business needs, and threats change. Offer quarterly or monthly risk assessments to your clients to identify gaps before attackers do.

These assessments not only help your clients but also show that your MSP is proactive and thorough. Regular reporting adds another layer of evidence to protect your business in case of blame.

4. Clarify Incident Response Roles

When a breach occurs, confusion over responsibilities can lead to finger-pointing. Develop clear incident response plans for your clients, explicitly outlining what your MSP will handle and what falls under their purview. Better yet, simulate breach scenarios with your clients so everyone knows their role.

5. Stay Ahead of Compliance

Compliance regulations like GDPR, HIPAA, and CMMC often serve as a benchmark for security practices. Stay informed about industry standards and ensure your services align with these requirements. When clients face audits or legal scrutiny, your compliance knowledge can be a significant value-add and a protective shield for your MSP.

6. Offer Security Awareness Training

Clients often underestimate the human element of cybersecurity risks. By offering regular training to your clients’ employees, you can reduce the likelihood of breaches stemming from phishing attacks or poor password hygiene. Plus, it’s another proactive service that adds value and reduces your liability.

Some Final Thoughts

Blame in a data breach is inevitable, just like disco in a 70’s movie or an avalanche in a movie that spends 45 minutes stating there’s going to be an avalanche, but it doesn’t have to land on you. By documenting your work, staying transparent, conducting regular assessments, and clearly defining responsibilities, you can prove that your MSP has done its due diligence.

Preparation isn’t just about protecting your clients.  It’s about safeguarding your business and reputation. If you take these steps, you’ll be ready to survive and thrive, no matter what challenges come your way.