Meet Steve.

Steve is that guy.

He’s the one who clicks every email. If a Nigerian prince asks for bank details? Steve’s got it covered. If there’s a flashing pop-up that says “YOUR COMPUTER IS INFECTED! CLICK HERE!”—Steve’s already on his way.

And when Steve inevitably opens the wrong email and lets hackers waltz into your client’s network? Who do you think gets blamed?

Steve?

Nope.

You.

User Attestation and Policy Acceptance—It’s Not an HR Problem, It’s YOUR Problem

If you think user policy attestation is some boring HR checkbox, think again.

Here’s the reality: Hackers don’t attack firewalls. They don’t spend days brute-forcing passwords or reverse-engineering your antivirus. That’s too much work.

Instead, they attack Steve.

And when Steve inevitably falls for it, your client isn’t going to say:

“Well, Steve was careless. We should really train him better.”

No. They’re going to say:

“YOU were supposed to protect us. WHY did this happen?!”

And if you don’t have proof that Steve was trained—if you don’t have evidence that he acknowledged your security policies—then guess what?

You own the problem.

Without Evidence, You Have No Defense

Let’s rewind.

Imagine this same scenario, but this time, Steve:

  • Signed off on security policies that explicitly warned about phishing scams.
  • Completed cybersecurity training (with timestamps and proof).
  • Attested that he read and understood the policies.

Now, when Steve clicks on that “free iPad giveaway” and ransomware locks down your client’s entire network, you have evidence.

You can show:

  • The exact training Steve completed.
  • The policy he agreed to follow (and ignored).
  • Proof that your MSP did everything right—and Steve just screwed up.

At that point, it’s not your negligence—it’s Steve’s failure to follow the rules.

Without Policies, There Are No Rules

Without user policy attestation, you can’t officially say Steve made a mistake.

Because if there were no rules in place, how could he have broken them?

Without documentation, it’s just your word versus your client’s lawyer. Guess whose side the court is going to take?

How to Fix This Before You Get Burned

  1. Deploy user policies that actually get read and signed. (Not buried in some forgotten onboarding packet from three years ago.)
  2. Set up a real attestation process. (Your clients need to prove they’ve seen and understood the policies—before disaster strikes.)
  3. Tie training to controls. (Security awareness isn’t optional. Make users prove they know the risks and agree to the rules.)
  4. Collect evidence. (If you don’t have proof, it didn’t happen. If you can’t show it in court, it won’t save you.)

The MSPs Who Do This Will Survive. The Ones Who Don’t? Well…

Let’s be honest: Some MSPs are going to keep taking the blame for Steve’s screw-ups because they never put a system in place.

Those MSPs? They’re one breach away from a nasty lawsuit.

The smart MSPs are locking this down NOW—before Steve clicks another phishing link.

Which one do you want to be?

If you’re serious about protecting yourself, your business, and your clients, get your policy attestation process in place today.

Steve is out there. And he’s going to click that link.