Cyber Security Breaches and the Legal Ramifications for MSPs
In a podcast episode, Connor Swalm and guest Wes Spencer discuss a real cybersecurity breach where a midsize MSP, overwhelmed by onboarding its largest client without clear responsibility boundaries or backups, faced a ransomware attack that caused millions in losses, forensic data loss due to improper initial response, lack of cyber insurance, and significant financial and reputational damage, highlighting critical lessons for MSPs on managing complex client engagements and cybersecurity preparedness.
Podcast Conversation: Cyber Security Breaches and the Legal Ramifications for MSPs
Host: Connor Swalm
Guest: Wes Spencer (Fifthwall)
Introduction
Connor welcomes Wes Spencer back to the show to share a real-life cybersecurity breach story involving an MSP (Managed Service Provider) and a large client. The story highlights the financial and reputational damage caused by the breach and the lessons that can be learned from it.
The Breach Story
- The MSP, a midsize company, was onboarding its largest client ever—a large company with a local factory branch.
- The MSP was excited about the new revenue and hired additional staff to support the client, but they underestimated the complexity and scale of the engagement.
- Onboarding was slow due to coordination between the local branch and the distant headquarters.
- The MSP rolled out EDR (Endpoint Detection and Response) tools, which began alerting as expected.
The Incident
- During a major sports event on a Sunday, the client’s account manager received a call about systems being offline.
- Initial suspicion was an internet outage, but further investigation revealed that all systems were inaccessible.
- Local IT staff attempted to troubleshoot by restarting machines, which resulted in the loss of valuable forensic data.
- As staff in other regions came online, they discovered ransomware notes on every desktop: all files and machines had been encrypted.
- The client began losing millions of dollars due to downtime and demanded immediate resolution.
- The MSP’s team, including their security expert, panicked and struggled to respond effectively.
Aftermath
- The MSP and client did not have cyber insurance.
- A digital forensics firm was brought in at significant cost to both parties.
- The breach occurred during onboarding, so no backups had been established.
- The MSP had not clarified the full scope of their responsibilities or the client’s IT landscape, as other branches had separate IT providers.
- Poorly defined contracts and onboarding processes led to confusion about when the MSP’s responsibility began.
- The client paid the ransom, but the MSP lost the client, suffered public embarrassment, and expended massive resources on recovery.
- The incident set the MSP back by at least a year in revenue and reputation.
Lessons Learned
- Preparation is Key: Operate under the assumption that a breach will happen, not if, but when.
- Legal Readiness: Have a good attorney review your Master Service Agreements (MSAs) and ensure clear incident response protocols are in place.
- Communication: Ensure both MSP and client understand their roles and responsibilities in incident response.
- Insurance: Both parties should have appropriate cyber and tech insurance.
- Education: Continuously educate clients about cybersecurity risks and best practices.
- Thorough Onboarding: Ask comprehensive questions about the client’s IT environment and clarify all responsibilities before starting work.
- Incident Response: Have a well-practiced incident response plan and ensure all staff know their roles during a crisis.
Final Thoughts
- Stories like these are valuable for understanding what can go wrong and for educating clients and staff.
- Using real-world breach stories can help communicate the importance of cybersecurity in relatable terms.
- Wes Spencer encourages MSPs and clients to connect with him for further advice or assistance, particularly regarding cyber insurance.
Closing
Connor thanks Wes for sharing the story and encourages listeners to learn more about security awareness training and to connect with Phin Security for resources.
Note: Contact information and show notes are available for those interested in reaching out to Wes Spencer or learning more about Phin Security's offerings.