Mitigation and Recovery: An MSP Guide to Data Breaches

Ben Taylor

Most MSPs live in fear of a data breach at one of their customer sites. In early October 2013, Adobe experienced a breach that compromised the personal details of millions of customers, as well as some of their internal source code.

If it can happen to a firm the size of Adobe, it can happen to anyone, and the frightening reality is that there’s really nothing you can do to offer 100% protection against it.

So, keeping this in mind, what should your MSP business do to protect itself when the worst happens? In this article we discuss ways to mitigate some of the inherent risks of running an IT services business, and talk about how you should react if and when a breach does occur on one of your sites.


It’s not something that’s often discussed openly, but a significant reason many businesses outsource IT is to “shift the risk” to a third-party service provider. In effect, this means that if something goes badly wrong, they have someone to blame and someone to sue.

This all sounds rather unpleasant, and obviously isn’t the way most day-to-day client relationships work, but when it comes to contracts and limiting your exposure to future financial impacts, it’s wise to think in such a way.

We would suggest the following:

  1. Invest money in having your MSP’s standard terms and conditions properly drawn up by a legal expert. Don’t simply copy some standard terms from somewhere else. Most importantly, ensure there is a clause that limits your own liability. Obviously the legalities of this vary from country to country, and in some cases from market sector to market sector – hence the need for professional guidance.
  2. Ensure you have quality indemnity insurance in place in case you end up culpable for a security breach.
  3. Be honest with your clients about modern realities. Tell them that successful businesses of all kinds experience occasional breaches, and work as a partner to plan for them. Don’t be there merely as a party upon which to apportion blame.


The recovery stage of a security breach is no fun at all, but here are some tips to help deal with it:

  1. Avoid a “blame” culture. Finding a party to blame does nothing to help recover a company’s reputation. Also, the nature of IT security means that you won’t always be able to give a definitive answer as to what went wrong. Preventing the same thing happening again is far more important.
  2. Think about damage limitation. The blog post sent out by Adobe (following their breach) is a good example of how to keep customers informed and keep a lid on their anger.
  3. Use your insurance company if the need arises. If things “get nasty,” insurance companies would usually rather you allow them to deal with any claim negotiation.

Security breaches are a sad inevitability of the technical world we live in. It’s only a matter of time until you deal with one – so make sure you’re ready.

Do you have a mitigation and recovery plan in place to protect you from the risks of running an IT Services business? Tell us about it in a comment below!