An Argument for Exclusivity

MSPs, listen up: You should require exclusive control over your customers' managed networks.

If you read that and thought, "I'm not demanding exclusive control over anything—I’ll be blamed for everything that goes wrong," then you’re governed (and likely paralyzed) by fear, and fear isn’t a good business strategy.

Exclusive control over networks

I get it--maintaining exclusive control over a customer's network can be a double-edged sword. On the one hand, having exclusive control prevents your customer from installing things it shouldn't into the managed network, modifying configuration files that weaken or disable security protocols, or simply screwing things up. Exclusivity just makes life easier for you, right? On the other hand, having exclusive control means that all eyes are on you, and if things go awry you'll be a slow-moving target for your customer's emotional buckshot.

I’ve considered both sides of the argument and I’m convinced that, on balance, exclusive control over your customers’ managed networks is the way to go because it can lower your liability. (Wait, what? Lower it?) Yes, you read that correctly. If you do it right you’ll lower your liability—and that’s a good thing, right?

Establishing the Rules

If you don’t establish the rules about who controls your customer’s managed network, then your customer will write the rules when something bad happens and, I assure you, those rules will not be favorable to you.

For example, let's say you're operating in a co-managed environment and your agreement is silent about installing an endpoint detection and response (EDR) solution on BYOD devices. (For non-techs, BYOD stands for “bring your own device” and refers to personal devices that employees bring from home and connect to a managed network—like an iPad, notebook computer, etc.). One day, Employee Joe brings his personal notebook computer to work, connects the device to your customer’s managed network, and unintentionally uploads a cryptovirus into the system. The network goes down and the finger-pointing begins.

[Your Customer]: “I thought you provided us with EDR!"

[You] "We do--but BYOD devices are something that we don't monitor in real time, that's why you have an internal IT Department."

[Your Customer’s IT Director] "Hey, don’t blame me. If you were monitoring the Active Directory you would have spotted Joe’s device the moment it connected, you could have ported the EDR solution to Joe's device, and this incident wouldn’t have happened."

[You] "This is a co-managed situation so we couldn't lock down the network--that was your job!"

[Your Lawyer] “We’ll sort this out at $500/hour.”

Sound familiar? This kind of situation occurs and re-occurs all the time, and involves everything from BDR to RMM, from BYOD to EDR, from MDM to phishing incidents--sorry for slinging the lingo, but you get the picture, right?

Require exclusivity and implement processes and procedures to avoid "Employee Joe" situations. Nothing should happen without you knowing about it, monitoring it, and/or controlling it. Stop thinking that you're better off when responsibility is spread thin between your customer and you. You're not better off. When responsibility is spread thin, no one takes responsibility and, eventually, it will bite you in the wallet. Really, it will. Eliminate ambiguities and let clarity and consistency reign supreme.

Exceptions to exclusivity should be handled on a case-by-case basis. If they occur, then you need an agreement with your customer addressing the scope of the exceptions and how overlap situations will be handled. Of course, that agreement must have a proper waiver of liability in your favor. (That's the topic of a future newsletter, but if you can't wait, then message me.)

Will Exclusivity Expose my Company to Greater Liability?

Historically, MSPs have avoided exclusive control over networks they manage under the (misguided) theory that they’ll be blamed for anything that goes wrong in the network.

If you subscribe to that theory, permit me to offer you a very different theory: Regardless of whether you have exclusive control over your customers’ networks, you’re going to be blamed for anything that goes wrong—so why not reduce the chances of things going wrong by monitoring and controlling those networks in the way they need to be controlled?

Think about it this way: With exclusive control comes certain privileges, such as the privilege to implement services in the time, manner, and place dictated by your customer’s needs, free of delays caused by less-than-competent in-house IT directors. That lowers your liability. Exclusive control also gives you the privilege of being able to implement the five functions of the NIST Cybersecurity Framework (i.e., Identify, Protect, Detect, Respond, and Recover) if something does go wrong—again, without interference from in-house IT directors who are more interested in pointing fingers than fixing a situation. That also lowers your liability. Exclusive control gives you the opportunity to discuss newer and more effective solutions with your customer without facing the inevitable pushback offered by (you guessed it) in-house IT directors who see effective solutions as a direct threat to their continued employment. That also lowers your liability.

Non-exclusive relationships always include a high degree of ambiguity, and ambiguity leads to disputes which lead to attorneys’ fees. By exercising exclusive control over your customers’ managed networks (with exceptions made on a case-by-case basis and, of course, with an appropriate waiver) ambiguities fade away and, along with them, so do liability-incurring impediments and disputes.

Do you disagree? Let me know. Perhaps you can convince me of a different position—but I doubt it.

And if you haven't done so, take a visit to www.technologybradcast.com and subscribe to the most popular podcast that's devoted to issues impacting the MSP industry. #MSPEducation

Tim Golden

Helping your MSP have the risk conversation with your clients using ComplianceScorecard.com

2 years ago

Would a shared responsibility matrix help with this?

Nathan Work

Provider of secure IT services to small businesses in the DC metro

2 years ago

Ugh. We can't even get our clients to stop throwing boxes into the server room.