MSPs: Intentional Ignorance is Not a Defense; It's a Liability (Part 2) — Nodeware

Written by Matthew K. Koenig | Dec 27, 2023 5:00:00 AM

Dear Diary,

Remember when I was talking about how naivete (or willful ignorance) isn’t an acceptable defense and, as the IT provider for an organization, MSPs are expected to be the expert in their field? Well, about that …

As an MSP, you are not expected to be perfect. No one is perfect and no one ever will be. The real question others will ask is whether you did everything that was reasonable to help, based on your expertise.

So, let’s say you do a vulnerability scan or a penetration test for the first time and you find out that maybe you have not been doing as well as you thought. What now? YOU MAKE A PLAN OF ACTION.

When a doctor finds something wrong that cannot be addressed immediately, they create a plan of action. Maybe it’s resting and drinking a lot of fluids, or taking some medicine for two weeks along with changing your diet, or doing x-rays and some lab work to further see what is going on. Eat more vegetables, drink more water, take a vitamin, you cannot have steak every night, blah blah blah… My point is that they cannot always solve the issue right then and there, but because they have a plan of action that they believe will give you answers and a solution, you accept that.

The same is true of you! Things are going to happen, issues are going to pop up, you may make mistakes. (Like the time I pretended that my grandmother’s hearing aids were having an issue by talking and leaving out sounds…oh that was funny…until she realized, and then it wasn’t funny.)

The real question is what your plan of action is to fix it. Think of it like a repair to a car. The job may just take some time to get handled no matter what you do. You cannot reasonably make that any faster. The same is true for issues you discover. Inherently, the only thing a client wants to know is that you know what is going on and that you are handling it. There is no expectation from any human that you can fix everything immediately.

Also, do you think letting the problem get worse is going to help you? What if a third-party pen test needs to be done and they come back showing all the issues that the network has? Do you tell your client, “I did not know about any of that,” and, if so, how do you answer the “Why not?”

OR do you say, “I’m aware of those things. However, there were a lot of things that needed to be addressed, so we made a plan of action to address the most critical items first and then work our way down the list. Here is a document showing what we have done so far.” Kind of like therapy, you cannot fix yourself after one session, even if your ex-wife is complaining that the psychologist is not working on you fast enough!

Which response would make you feel better about the service provider?

You are an expert in your field and expected to act like such. If you truly think the defense of “I did not know” is going to somehow let you off the hook with your client and possibly legally, you are completely delusional. You get paid to know.

So, at the end of the day, naivete is NOT a defensible position. Not with your significant other, not with your clients. You take it step by step and do the best you can, and that is all you can do and be reasonably expected to do.

For those of you still thinking, “This is a ton of work and I do not have the time or manpower to accomplish it,” I do not mean to be harsh (yes, I do, as I have no filter), but then maybe it might be time for you to look at another career.

Finally, if you think that I'm too blunt (and you would not be the first), have no idea what I am talking about, or think I am another vendor throwing around FUD to get you to buy my product, that is not my point. I mean, I do want you to buy my product, but this is about you and not me.

There are four things you can do:

  1. Ignore me and take your chances.

  2. Heed my advice and move forward by obtaining information on what is going on with your clients’ networks and create a plan of action.

  3. Consult your own attorney or cyber liability insurance company and ask them!

  4. Or, you can read this for yourself…

Here is an explanation on willful ignorance from a legal standpoint, which is what this is about in the first place …

“In law, willful ignorance is when a person seeks to avoid civil or criminal liability for a wrongful act by intentionally keeping themselves unaware of facts that would render them liable or implicated.” (Source)

THIS IS NOT IN ANY WAY MEANT TO BE LEGAL ADVICE OR GUIDANCE. THIS IS FOR INFORMATIONAL PURPOSES ONLY. PLEASE CONSULT YOUR OWN LAWYER FOR SPECIFICS AND PROFESSIONAL GUIDANCE.

So, Diary, what do you think? You think this will make them angry or make them think? Yeah, I think so also, but I am going to publish it anyway.