You’ve got your biggest clients sealed up tighter than Fort Knox. SIEM? Deployed. SOC? Active. MFA? Mandatory. Policies signed, training delivered, logs timestamped—every piece of evidence tucked away like it’s going to court. Because one day, it might.

Gold star. Seriously.

But while you’re busy building digital fortresses for your top-tier clients… who’s watching the ones in the weeds?

Let’s talk about your smaller clients—the ones who make up 80% of your ticket volume and 100% of your stress. Are they getting the same love? Or are you hoping no one notices that they’re still running Exchange 2013 and storing payroll spreadsheets in a shared Dropbox folder?

Because guess what? The lawyers are noticing. Let me introduce you to a little cautionary tale: Cohen Cleary, P.C.

An 11-attorney law firm. Not a tech giant. Not a big target. Just a regular small business.

12,000 records exposed in a breach. Names. SSNs. Medical records. The kind of stuff you swear your clients never email…until they do.

The result? A $150,000 lawsuit settlement. “But that’s not bad,” you say, sipping your coffee.

Add in three years of credit monitoring. Legal fees. PR damage control. Internal cleanup. Suddenly, that $150K turns into a seven-figure dent in someone’s profitability.

Now imagine that’s your client. And you’re the MSP on record. Do you think they’re going to say, “It’s okay, we like you, it’s too bad the hackers got in”?

Or are they going to print out every email, every contract, every proposal you ever sent and hand it to their lawyer?

Yeah. That second option.

Here’s where it gets really fun:

If you don’t have documentation proving you warned them about risks…

If you can’t show evidence of security training…

If you’re missing a single risk acceptance form…

You’re not a vendor anymore. You’re the defendant.

Let’s fix that.

Your Survival Checklist:

  1. Evaluate Every Client Like They’re MGM. Small clients don’t mean small liability. Everyone gets a real security stack.
  2. Document Like Crazy. If it’s not written down, it didn’t happen. Proposals. Recommendations. Training. Risk acceptance. All of it. (We can help you here with Cyber Liability Manager.)
  3. Train Their Users and Get the Proof. Send them videos. Send them tests. Send them phish. Just get the receipts.
  4. Build Your Stack With Purpose. Don’t just pile on tools. Map controls back to standards. Prove your why.
  5. Get a Third Party to Check Your Work. Because when you’re the only one grading your paper, the F comes as a surprise.

Don’t wait until your smallest client becomes your biggest lawsuit. Get the evidence. Get the program. Get it documented.

Start with a Cyber Liability Assessment—before some hungry lawyer does it for you. Your future self (and your E&O carrier) will thank you.