By Mike Semel
Are you protecting your clients from… you?
As a managed service provider your company has the highest level access to your clients’ networks. You pride yourself on your honesty and integrity, and think that your employees would never do something to hurt you or a client. Besides, even if someone left your company and logged into a client’s account, nothing would ever happen, right?
Wrong.
Mark W. left his job as a systems engineer for a managed services provider and moved to another technology company. His parting was not entirely amicable, and within a few days he logged into a client of his previous employer, and messed with the executives’ user accounts.
You can imagine the uproar. The client was angry. So was Mark’s previous employer. They contacted the police, whose cybercrime team confiscated Mark’s computer, verified what took place, and filed charges against Mark for “Attempted Unlawful Acts Regarding Computers,” which can be prosecuted either as a Felony or Gross Misdemeanor.
Mark pled guilty to the charge as a Gross Misdemeanor and was sentenced to spend one year in jail, pay $8,000 restitution, complete impulse control counseling, and have his DNA registered. The jail sentence was suspended and he is on 3 years' probation. Any missteps and he will go to prison. All for a few minutes of revenge.
The real issue is why the previous employer did not protect his clients against Mark or anyone else that left his company. Was it too much work to go into each client site and disable Mark’s access? Was Mark sharing a login and password that everyone in the company used to access client sites? Had Mark worked with the client for so long that he knew one of their employees’ passwords?
Did Mark sign a Security Policy Agreement when he joined the MSP? Did it include a non-disclosure agreement covering confidential information both at the MSP as well as its clients? Or was Mark’s manager just asleep at the switch when Mark left the company?
What are you doing to protect your clients against your employees?
- Do you know who you are hiring? Do you check references and conduct background checks? If this seems too difficult, just look at the limitations of your Errors and Omissions insurance, and the criminal penalties tied to HIPAA and other regulations.
- Have you educated your staff about the improper access to a client network, or divulging confidential information they see in the course of their work?
- When you are terminating an employee, or someone resigns, is a security reminder part of their exit interview?
We have implemented the following steps to ensure our clients are protected.
- Our security policy forbids unauthorized access to client networks and the release of confidential information.
- Each of our employees has a unique login and password at our client sites.
- We purchased an authentication system where our employees carry fobs that give them one-time codes to access our client sites. Just knowing a password is not enough. Even knowing the password and having the one-time code is not enough, because our system also requires a PIN to be entered as part of the code. Best of all, when an employee leaves we get the token back, or we can disable it immediately and render it useless.
Both Mark and his former employer give our industry a black eye. There is nothing more important than maintaining our trust and integrity. We make security a prime focus of every proposal we deliver. We always promote our security certifications. We know what our prospects are thinking and get the ugly questions out of the way. And we get angry whenever we find out about a security breach caused by someone in our industry.
Mike Semel is one of the Resident Experts of The ASCII Group, which provides partnering to its MSP/VAR community to expand their businesses. Business Continuity Technologies is a Las Vegas-based MSP that helps other MSPs and VARs with business continuity planning.