Ransomware is a costly threat to consumers, enterprises, and SMBs alike. According to data from Emsisoft, 2019 saw a 41 percent increase in ransomware compared to the year prior. Security firm Coveware reports that the average ransomware payment climbed to $190,946 in December of 2019. Of course, nobody understands these threats quite like managed service providers (MSPs). With their clients all facing ransomware threats, MSPs are on the front lines. But, with critical data and cash at stake, MSPs could find themselves liable if their efforts to prevent or remediate ransomware fail. Luckily, there’s a lot MSPs can do to reduce their risk. Note that while this post offers suggestions, it’s not legal advice. MSPs should always consult with an attorney for that. Let’s dive in.
Take Proactive Measures
You can’t be held liable for related damages if you prevent ransomware attacks in the first place. Proactive ransomware prevention falls into two categories: defense and education. Since email is the most common way for ransomware to infect a network, first use tools like firewalls and spam filters to quarantine emails that might contain ransomware. And don’t forget to keep these tools patched and up to date. Next, help your clients educate end-users about ransomware. Be clear about what they can do to stop nefarious emails that sneak past your defenses. This might include creating a presentation to show examples of ransomware emails, or even sending fake phishing emails to test users. Whatever you do, make sure clients and their end-users understand how ruinous ransomware threats can be to their companies, and what their role is in stopping them.
Put a Backup and Disaster Recovery Plan in Place
Despite proactive efforts to educate users, they’ll still make mistakes. What’s your plan if ransomware ends up on a client’s network? There’s no need to panic if you’ve built and implemented their backup and disaster recovery strategy. Take backups often, and remember that backing up client data doesn’t mean those backups are always safe. Backups are useless if ransomware locks you out of the volume where they’re stored. Create redundant backups to prevent this from occurring. Store backups locally and replicate them off-site to a dedicated recovery cloud like StorageCraft Cloud Services™ or to your own data center or colocation facility. Next, consider your retention policies. Make sure you retain backups dating back as far as makes sense given the storage you have available. A backup taken after the data was already infected with ransomware is too late to help.
Set Clear Expectations in Your SLAs
Your Service-Level Agreements (SLAs) are contracts that set expectations for you and your clients. They may already include recovery objectives and business continuity-related clauses, but do they specifically address ransomware? Your attorney can help you develop customized service agreements that outline where your responsibilities lie. Be sure to help clients understand who is responsible for what. You’ll need to take action to prevent ransomware, but your clients and their users also share the responsibility.
Get Cyber Liability Insurance
In the unlikely event that all the measures above don’t work, it’s wise to protect yourself financially. If you don’t already have one, consider getting a cyber liability policy from your insurance carrier. In most cases, these policies offer coverage for financial losses resulting from a data breach or ransomware. In at least one case, cyber security insurance actually paid the $600,000 ransom for a Florida city that was infected with ransomware. When you consider that ransoms can cost hundreds of thousands of dollars, a liability policy is a smart choice. Chat with your carrier about your options. While proactive approaches may stop ransomware, no plan is perfect and liability insurance can protect you. If your carrier doesn’t offer cyber-security policies, take a look at Travelers or Nationwide.
Protect Yourself from Ransomware Liabilities
Find a qualified legal professional to offer you guidance as you put together service agreements or any other legally binding agreements. Working with an attorney can help you reduce your liability if the worst happens. But remember, the best protection starts with education and ends with rock-solid backups. As you evaluate your client’s ransomware needs, consider data protection solutions from StorageCraft to keep your data safe, no matter what.