
I was chatting with the owner of an MSP the other day when I noticed something weird. He seemed… relaxed. You know, like someone not carrying the weight of 2,500 endpoints and a 10-year liability tail on his back. So I asked him straight: “What’s up? You don’t seem too worried about cyber liability.”
His answer? “Nah, my ops team says we’re good.”
Ops team?
Let’s hit pause. Because that right there is the root of the problem.
“Trust the Ops Team” is Not a Defense Strategy.
Look, I love a solid operations team. They keep the tickets flowing and the alerts blinking. But if you’re an MSP owner and you’re outsourcing your risk decisions to ops, you’ve got a blind spot bigger than the one in your EDR config.
Why? Because when the breach hits—and it will—your ops guy can just walk. He’ll get a new job in two weeks. You, on the other hand, will be the one sitting across from the lawyer, the regulator, and possibly a jury asking, “What were you thinking?” You are the one who invested your retirement in the MSP you are running. You are the one who has everything on the line.
And if your answer is “I trusted my ops team,” congratulations—you just became Exhibit A.
The Green(e) Vertical Is a Trap.
So I asked this guy what kind of clients he had.
He said: “Whoever has money.”
Ah, yes. The famous Greene vertical—those with greenbacks, not necessarily compliance needs. The ones who want to throw cash at IT but have no idea how exposed they are. And guess what? Those clients? They absolutely have liability.
I started wondering: Is there any business that doesn’t have cyber liability?
Trash company? Surely they’re safe, right? After all, it’s just garbage.
Turns Out, Even Trash Can Get You Sued.
Enter GreenWaste, a waste management company. They got popped. Between November 22 and 27, 2023, their network was compromised. The haul? Full names, Social Security numbers, driver’s licenses, even medical records like COVID results.
If trash companies are being sued for data leaks, what makes you think your client—the one holding medical files, tax returns, or financial data—is safe?
Spoiler alert: they’re not. And neither are you.
The Real Threat Isn’t the Hacker. It’s the Lawsuit.
It took a year and a half for GreenWaste’s legal nightmare to even start. That’s right—18 months after the breach, the lawsuits came rolling in. So here’s your homework:
- Think back 12 months. Any breaches in your client environments?
- Think back 10 years. Any issues that could now be reclassified as a breach of contract?
Cyber liability doesn’t respect time limits. The statute of limitations on these cases is ridiculously long by IT standards. Like, “we were still using BlackBerry servers” long.
If You Don’t Have Documentation, You Don’t Have Defense.
The biggest threat to your MSP isn’t ransomware. It’s the lack of evidence that you did your job. Because when the lawsuit hits, it won’t be about whether you meant well. It’ll be about whether you can prove it.
“What were you thinking?”
“Why did you do it that way?”
“Can you prove it wasn’t negligent?”
If your answers involve “I think…” or “My ops guy told me…”, you’re already losing.
Here’s What To Do Next (Before It’s Too Late)
- Start collecting evidence. Documentation, policies, screenshots, patch logs—everything.
- Assume the breach has already happened. Your job is to prove you weren’t negligent.
- Understand your client’s risk profile. If they have cash, they have liability. If they have data, they’re a lawsuit waiting to happen.
And if you’re still not convinced? Just remember the trash company. If their business can lead to cyber lawsuits, yours definitely can.
Want help analyzing your exposure before it becomes Exhibit A?
Because nothing smells worse than a breach you could’ve prevented.