A managed service provider is being sued by its law firm client because the firm had a ransomware attack. This costly lawsuit likely could have been avoided.
The Black Basta Ransomware Attack That Led to the Lawsuit
The 42-attorney Mastagni Holstedt firm in Sacramento claims that LanTech, a privately-owned MSP serving the Sacramento area, failed to properly protect the firm against cyber attacks.
A few days later the network was inaccessible, and the attackers demanded an undisclosed ransom payment. When the firm turned to its Acronis backup to avoid paying, it discovered there were no backups. This isn't uncommon. Attackers typically gain admin privileges and delete all backups, both local and in the cloud. That appears to be what happened here.
While there are many details unknown about the MSP's services leading up to the attack, there are failures on both sides that are worth mentioning.
Most notable -- there was no written service agreement. The MSP's website reads like the typical reactive, old-school IT provider:
"We specialize in network management and have extensive experience in analyzing, integrating, and maintaining crucial IT systems for our clients. We offer expert advice and high-quality solutions for a variety of IT matters, including cloud and local backups, spam filtering, cyber security, networking and domain administration, and web management."
These vague words can mean whatever the non-technical client chooses to hear.
This is an all too familiar example of a technology company that knows something about some aspects of technology and a business that doesn't understand the complexity of technology. The fact that the law firm treated these foundational services as unworthy of a written agreement highlights the need for greater tech savviness at the leadership level.
Technology Service Recommendations for Company Leaders and MSPs
1) Clarify Who's Responsible for What
While not every company outsources its day-to-day support to a traditional MSP, we all rely on third-party providers for more services than we at first realize.
Leaders have a responsibility to become informed about the scope of these services, the provider's legal obligations in the event your data is compromised, and what your responsibilities are.
Under the Shared Responsibility Model that most software-as-a-service providers have adopted, your responsibilities and risks are greater than you might think. Here's a quick summary from one of our past posts.
2) Implement Proper Cybersecurity Protection
Advanced security monitoring services are a must for every company.
It doesn't matter whether you are a company of one or have thousands of employees. While I don't know the details of the services provided by LanTech, it's quite possible that proper proactive security monitoring would have detected the attackers earlier.
When we implemented these monitoring tools on our internal network a few years ago, three breach attempts were stopped within the first hour.
3) Cyber Risk Expands Its Reach Beyond the First Victim
The law firm is at risk of lawsuits from its own clients if, as a result, those clients suffer a ransomware attack or have their data compromised. The risk exposure extends far beyond Mastagni Holstedt.
4) Business Leaders Underestimate the Complexity of Technology Services and Cybersecurity
There's a big difference between knowing how to deliver day-to-day IT support and knowing how to deliver in-depth cybersecurity services.
Business leaders need to accept that cyber risks are here to stay and integrate technology knowledge into their strategic planning. Knowing the questions to ask is a critical step in ensuring that your company has adequate protection from the right service providers.
5) MSPs Need to Think Like Business People
Technology providers need to clearly explain -- in business words -- and document the scope of their services.
This failure to communicate is one of the biggest shortcomings we've seen MSPs routinely practice for years. They've survived on assumption rather than clarity. The days of service by omission need to be over.
I once had an MSP tell me that we were the kind of client they dreaded because we knew too much. Since they were the kind of provider we avoided because they were unwilling to explain what they delivered, the relationship landed exactly where it should have.
Why MSPs Need to Follow the Outcome of This Lawsuit
It will be interesting to follow this case. Because the services and expectations were based on an oral agreement, how the outcome is determined can influence our future service contracts and handshake relationships.