Most MSPs are banking on their clients staying in business and hoping for a long, fruitful partnership based on delivered value and shared needs. But businesses do fail, and lurking within the ruins of a wrecked business are cybersecurity dangers that can leave the MSP on the hook for any damages. Yet, what to do with these dangers can also sometimes leave the MSP in a bind.
The pandemic has exerted a toll on businesses, causing 200,000 enterprises to permanently close in the United States from April 2020 to April 2021. Many of these were SMBs that relied on MSPs for their cybersecurity and network needs.
“When a business shuts down the MSP, like any other vendor or stakeholder, understandably wants to get paid and get out,” says Terry Berg, a cybersecurity analyst and former MSP owner in Tel Aviv, Israel. “But there are cybersecurity consequences to not having an orderly exit.”
Berg adds there are two types of business closures: very abrupt without warning and announced closures where there is some time to prepare.
“In a perfect world, a business realizes that it can no longer function and provides a month or so for an orderly wind-down. If that’s the case, then an MSP can negotiate their final payment and an orderly shut-down with the company that includes securing of data and destroying or decommissioning hardware,” Berg advises. “That is the best-case scenario.”
The worst-case scenario, Berg tells us, is one where a business owner realizes they no longer have the cash to function and they shutter without notice.
In this case, the risk for the MSP is that a business’s website that is not entirely disabled can be hijacked by bad actors, some code installed, and attacks launched from it. This can result in reputational damage on the shuttered business and the MSP, by association. Then, there are the physical assets of the business itself.
“I’ve seen offices abandoned as if the workers were fleeing a volcano. Everything is left in place and frozen in time. These abandoned physical assets can be a goldmine for hackers,” Berg says. These quick shut-downs provide the thorniest issues for MSPs who are caught between wanting to receive their final payment and not wanting to leave behind a cybersecurity mess.
Keep cybersecurity defenses up through the close
Once a business is closing down, the MSP’s obligation to their client winds down.
“But from an ethical standpoint, the MSP should do everything possible to ensure that a ‘hacker haven’ isn’t being left behind,” Berg advises. But there are also laws and regulations that must be followed. Just because a business doesn’t exist, an MSP could still be on the hook if data isn’t safeguarded. So it is crucial to handle any client data that is heavily regulated, appropriately.
“Some of this office equipment sitting around could have personally identifiable information (PII), credit card information, and other data that could fetch a good price on the dark web,” Berg states. “We’ve seen abandoned offices where employees have passwords written on notepads at their desk.”
Every MSP should take time to evaluate their client’s economic health and have a plan in place should their client goes out of business.
“The reality is that when a company is closing, the MSP’s role is limited by whatever the SMB’s owners are willing and able to do. All the MSP can really do is limit their own exposure and try to do the right thing by limiting risk to others,” Berg notes.
Even with these built-in limitations, there are some general guidelines for what and MSP should do when a client goes out of business.
Activate your closing cybersecurity checklist
MSPs should have an “exit plan” in place for every client. Few businesses think they are going to go out of business until they are going out of business.
“It can happen so suddenly,” Berg says. “Each situation is different, so you can’t really have a set plan. The best you can do is have some sort of plan in place and hope you can stick to it as much as possible.”
The MSP should, if appropriate, disable access to accounts, terminate IT vendor relationships, and ensure data is securely destroyed if the business is closing. The MSP should be coordinating with the company’s IT contact or a CISO throughout the process to prevent any breaches.
This includes coordinating with the hosting company the complete the shut-down of the business’s website. But, again, an MSP can be limited in what can be done by the business’s arrangement with their hosting company.
“You don’t want your client’s businesses inadvertently living on because their site wasn’t shut down properly,” Berg advises.
Securing the premises
This one is tougher because if the business is closing due to a lack of funds and they don’t have the money to pay for a proper shut-down, the MSP might not be able to do much.
“Do everything you can to avoid just letting an empty office with data-packed computers sitting around,” says Berg. “If the business is going under and they plan to just abandon hardware, see if you can buy it from them, or they may just let you take it.”
Watch For insider threats
Often if the ship is going down anyway, that is the time when insiders might act in a rogue way, salvaging passwords, data, or hardware, all of which can have cybersecurity ramifications. So MSPs need to immediately disable account access to anyone who doesn’t need it if a business is going under.
“Closing a business can be a messy process. The best thing for an MSP to do is have a plan in place and try to get out as quickly and cleanly as possible,” Berg concludes.
Photo: Stanley Fong / Shutterstock