MSPs: Intentional Ignorance is Not a Defense; It's a Liability (Part 1)

Dear Diary,

Is being naïve an acceptable defense when someone fails to meet the expectations and expertise required in the services they provide? I mean, I would love for it to be, but, in my role, it is expected that I know whatever I need to do my job, or that I will get the answer, even if it is from my Magic 8 Ball (which has been giving me all kinds of unhelpful advice recently).

The direct answer is “NO” it is not an acceptable defense. I have been told and asked by many MSPs about this. I know, it is killing me too! So, I decided to write a response to this question and do it in the tone I talk in. (My wife would say, “They are in for a real treat,” and then roll her eyes.)

It seems that there is a theory in some circles that if you do not know about issues with your client’s cybersecurity, you cannot be held responsible for it. That it is OK to not to provide services and assistance to the best of your ability. WHAT?!!

As you know, I work for Nodeware, and we have a continuous vulnerability management solution. THIS IS NOT an advertisement for Nodeware; it is being used as an example ONLY. Sheesh, calm down … Once Nodeware is deployed, it creates a complete asset inventory and starts scanning for vulnerabilities immediately. It then shows all the discovered vulnerabilities on the assets.

More and more, I am hearing that it is bringing back too much information and then the MSP will have to do something about it. That an MSP does not have the time and resources to accomplish that. I understand that thought process, especially if they are a growing MSP… BUT I am confused.

Since when did a lack knowledge that you are being paid to know, become a defensible position? “Mom, you never said I could not take the car. I thought it would be fine!” “No, that is not a cop behind me, and the speed limit sign said 70, so I assumed that it meant all the way home …” Sorry, flashback.

Would it be ok for you to be sick and have a doctor state that they just do not have time to run all the appropriate tests and review the information to diagnose you? What about a lawyer you’ve hired telling you that there is no way that they could look at all the appropriate laws and that they will just pick one and hope it works?

Some of you reading this right now are shaking your head and thinking that that is ridiculous. You are correct. It is.

As a client (yourself included), there is a certain expectation that when paying for a particular service, the service provider will perform it to the best of their ability. If they fail to do so, and it causes the client harm, the client will naturally want to make sure that the service provider could never do that again to anyone else. Additionally, they may want damages.

So, do you have any reason to believe that your clients are not thinking the same thing? You are supposed to make sure that their IT infrastructure stays up and running 7x24 and that they are protected from anything that could disrupt their business and cause them harm. Unless you have specifically spelled out and they have agreed that you are NOT responsible for their cybersecurity (in writing), then you need to assume that they believe that is what they are paying you to do.

(Do not get me started on the question “What if they will not let me provide the proper security?” That is for a different blog post.)

Your clients are unlikely to view “I don’t know” as an acceptable response. Furthermore, they could take you to court and have a decent chance of winning if you must answer the question of whether you have done everything reasonably expected to protect them.

Moreover, insurance companies are starting to demand certain things like MFA, vulnerability scanning, email security, security awareness training, etc. I promise they are because my friend that has an insurance company drones about it over dinner every time we go out!!!

So far, insurance companies have done a couple of things to make sure they are protected:

• First, if the client is filling out their application and states that they do not know the answers to the IT security questions, insurance companies are sending out their OWN MSPs to check and help. I know, I know, that would never happen to you because your clients would never do that.
  
  When was the last time you talked to your client about cyber liability insurance? Who is their insuance provider? What are their requirements? What about if they are applying? Are you involved? This is great place for the other MSP to come back and provide a third-party report. Do you think the “I don’t know” defense works here?
  

• Secondly, insurance companies are starting to ask for quarterly assessments to make sure their clients are staying within their guidelines and, if not, are not paying out when standards are not maintained from application to incident. How would you explain that to your client? (The same way I explained to Dad that I was NOT taking the soccer scholarship because I wanted to be a ballerina…I meant drummer …I wanted to be a drummer!)

You see a lack of knowledge when you are supposed to be an expert is in no way a defense. Trust me, I have tried and got the beatings to prove it! Because you are supposed to be an expert in your field, it’s reasonable to believe that, if you were not sure of something, you would get the answer. That is what would be expected of any specialized professional providing services. Although, who I am to judge?

Well, Diary, I’m thinking about diving into this a bit more, but I have some things to take care of. I’ll be back.