Written by: Charles Weaver – CEO, MSPAlliance
For years MSPAlliance has been advocating for MSPs to become more diligent in their enforcement of proactive and secure IT management policies. I have even gone as far as to suggest that legal liability could begin to attach itself to bad IT management practices. Well, the theoretical is now a reality.
Shareholders of Equifax have sued the company for substandard IT management practices, which are alleged to have caused the massive data breach announced in 2017.
The Equifax breach has already prompted a $425 million fine from the FTC.
What Went Wrong?
Besides the data breach itself, which was the visible manifestation of the problem, there was an underlying technical problem that, had it been addressed, could have prevented the breach in the first place.
When hackers take extraordinary actions to circumvent IT security, there is not a lot that can be done to stop these types of breaches from happening. However, when the cause is a glaring hole in the company's security or IT processes, scrutiny will follow. And that is precisely what is happening here.
“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.
“Equifax’s cybersecurity was dangerously deficient,” the court said. “The company relied on a single individual to manually implement its patching process across its entire network.”
So, what does all this mean for MSPs? Well, if you happen to be an MSP Verified company, you probably don’t have much to worry about. You are already addressing the critical issues Equifax missed:
1) Effective password management
2) Limited use of administrator access accounts
3) Oversight of internal patch management processes
What this means for everyday MSPs is to be on your guard! Equifax is getting attention because of the size and breadth of the data breach. But make no mistake: shareholders suing for harm to their stock values is going to resonate. Do not be surprised if we start to see lawsuits challenging end-user IT policies.
This raises several issues related to the precise role of the MSP, whether they offered a service that was declined, whether best practices were followed, etc. My point in writing this article is twofold. First, here is a major lawsuit involving a large company dealing with what is an IT service process. Second, I hope MSPs take this to heart and begin talking with their customers about how to avoid being involved in lawsuits, especially lawsuits that could have been prevented had the customers only listened to their MSP!