Avoiding these five mistakes is crucial to building your business and reputation.
Operating a business is not easy. You devote significant energy and time working on the company. Given great focus and productivity, there are not enough hours in the day to address all of our obligations. We often look for more effective methods to improve our efficiency.
Executives rely upon technology to perform in their roles, but few are technically advanced to understand and solve their problems. That is understandable because technology may not be your area of expertise. This realization means finding a Managed Service Provider (MSP) or IT outsourcing provider to address your business technology needs.
As this delegation process occurs, the MSP makes several claims to provide you with a sense of security. They explain how they are experts at all things IT. They are proactive, responsive, and can handle your critical business IT services. Their stated service skills include cybersecurity, network management, and PC support. Some also promote cloud computing, data backup, business continuity, and disaster recovery planning.
You don’t know what you don’t know. You are eager to delegate all IT responsibilities to focus on your role within the business. This lack of understanding forces your hand to trust what the MSP tells you. Criminal enterprises are taking advantage of good people and their companies during this time of disruption and change. Many MSPs are also knowingly taking advantage of good people, and we view this as an injustice.
When your MSP states that you are safe and assures that your data is protected, do you believe them? MSPs provide needed helpdesk support, patch management, and system deployments. However, it is rare to find an MSP that is effective across the many facets of cybersecurity. We will highlight common mistakes we see executives making when trusting their MSP to secure their businesses from disruption, financial loss, and reputational damage.
Delegate Instead of Abdicate
Great leaders effectively delegate responsibilities to competent people as a critical driver to productivity and scale. There is a feedback loop, the parties check-in with each other to ensure the successful completion of the work.
Abdication is to relinquish responsibility or give up voluntarily. The act of assigning security responsibilities to someone and then avoiding efforts to ensure the completion of the work would be abdication. Paying your invoice each month is not a guarantee of completed work.
The act of delegating cybersecurity to your MSP is prone to problems that lead to disastrous results. As MSPs fail in their duty to protect their customers, this typically becomes apparent after business disruption events occur.
Hackers are targeting MSPs and IT outsourcing businesses to attack the service providers’ customers, according to a U.S. Secret Service alert issued June 12, 2020. Threat actors use compromised MSPs to launch cyberattacks against service provider customers. These attacks include point-of-sale (POS) system intrusions, business email compromise (BEC), and ransomware attacks. Insurance companies also validate this alarming trend.
Beazley outlined reported incidents of their policyholders in 2019. Beazley recorded an increasing number of ransomware incidents that resulted from attacks on IT managed service providers (MSPs) and other service companies providing organizations with infrastructure and support services. Criminals target MSPs because of weak security practices and unpatched networks.
Accept Duty and Responsibility
As an executive stakeholder, you likely have a high commitment to the business. You feel the obligation to lead and make effective decisions. Your team and customers rely upon you.
Duty of care refers to a fiduciary responsibility held by company directors, which requires them to live up to a certain standard of care. This duty, which is both ethical and legal, requires them to make decisions in good faith and reasonably prudent manner.
Whether an executive partner or employee, duty is a moral commitment to perform your role and support your team. Accepting personal responsibility is taking ownership of your behavior and decisions. These outcomes become the consequences, good or bad, that impact you and those around you.
We continue to see instances, where the moral duty to perform contracted responsibilities is absent within MSP organizations. This lack of integrity and commitment leads to a failure of duties by the MSP to perform the contracted services. This failure to fulfill obligations causes business disruption.
When tasks are complicated, and issues frequently occur, motivational and capability problems may exist. When problems arise, the key to resolution is determining if the core issue is whether that they can’t perform the work or they won’t perform the job. When tasks aren’t completed correctly or at all, you have missed deadlines, unhappy customers, and financial problems.
Negligence is the breach of the duty of care. An individual can only make negligence claims once the failure for duty of care happens. This reactivity means that you have to wait for an incident to transpire before making a claim. Because of this, if the accident is severe, it’s too late!
If you are careless at work, whether you are an employer or an employee, you could breach a duty of care. Negligence at work can lead to compensation claims on top of any criminal prosecutions. Many people are not aware of this exposure.
It will be interesting to see how the courts rule in lawsuits when MSPs and their customers point the finger. Will you be able to prove that your MSP incurred liability by knowingly accepting cyber security responsibilities without having the necessary qualifications. Will your MSP demonstrate that you abdicated responsibility and are negligent in your duty to care?
Inspectionem℠ Decreases Harm
The volume of businesses impacted by ransomware indicates pervasive integrity issues with MSPs and outsourced IT providers. The lack of oversight and documentation allows many service providers to operate unchecked. Your lack of verification means the exchange of value is mostly one-sided. You pay the MSP, and they do not consistently perform the services you contracted them to perform.
Don’t let it go unchecked. MSPs know you lack the skills to assess their performance. Services rendered in secret, without validation, are inherently suspicious.
There are three typical reasons for inspection and accountability services.
1. Your leadership team has never conducted an independent review of your MSP or IT outsourcing providers’ adherence to security standards and contractual obligations.
2. Your leadership team has concerns about data confidentiality and integrity.
3. Your leadership team acknowledges that they have concerns about their services provider, but lack the technical expertise to evaluate provider performance adequately.
Indirect responsibility involves moving beyond yourself and taking action to help people or situations around you that call for assistance. We provide inspection and oversight services to leadership teams that accept their duty and responsibility to protect the business from harm.
Getting Things Done
The more time that it takes you to consider investments that will improve how your employees remain safe and productive, the likelihood of avoidable business disruptions happen increases. We understand that you are feeling anxious because circumstances continue to change. You probably realize that there are better ways to measure and contain cyber risk as you invest in the areas that will have the most impact.
There is a large group of MSPs and IT outsourcing providers who are negligent in their contracted duties. Many executives, maybe even you, do not inspect what you expect.
- How do you know if you are reasonably secure?
- Do you cross your fingers and hope that today is not the day that your business is shutdown?
- Are you taking their word as validation?
Due to uncertainty, leadership feels compelled to reconsider information security changes to protect their business, employees, and customers from loss. Limited capital for investing in loss prevention requires a plan, aligned to your current priorities, in support of the future. These fundamental elements are where we can help you.
We will not assume that we know what you want or need. Based on collaborative feedback from your team, we guide you through a renewed awareness process to pinpoint key factors that can cause business disruption, financial loss, and reputational damage.
Will you be accountable for preventing harm to your business and customers?
As a proud supporter of American manufacturing, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturing businesses throughout the United States. If you are interested in learning about the empowerment services that Certitude Security® can offer, visit our website or coordinate a time to speak to a team member today.