Viewson

You can't firewall your way out of vendor risk. But you CAN contract your way into accountability. Full breakdown in this week's ƒCTO on Call newsletter: https://t.co/VUXT3hrY08

The fix isn't more tools. It's better contracts. Define liability caps that cover YOUR costs, not just their fees. Require audit rights so you can verify their security posture. One contract clause can save you $200K in breach response costs.

72% of SMBs hit by fraud/scams/ransomware in past year. Average per incident: $60K-$90K+. 76% involved AI. The gap isn't technical anymore. It's governance.

Your cyber insurance may not cover it (breach originated outside your network). Your vendor contract has a vague "reasonable security" clause with no timelines, no liability terms. Your DR plan assumes backups are accessible—which they're not if your MSP got hit.

Full story + what to do about it in this week's ƒCTO on Call: https://t.co/VUXT3hrY08

This is the nightmare scenario for businesses that outsource IT. Your MSP is your single point of failure. If your DR plan, backups, AND vendor escalation all route through the same MSP, you don't have redundancy. You have concentration risk.

The question every SMB should be able to answer: "If our MSP goes dark for 48 hours, do we have offline access to critical credentials, recovery docs, and the ability to restore operations independently?" If you can't answer "yes" right now, you have a problem.

Here's the part no one tells you: When YOUR VENDOR gets breached, the legal obligation to notify customers/employees falls on YOU. Not them. You.

A Maine MSP called Katahdin Technology got hit by ransomware last week. They provide IT services, DR, backups, and vendor management for dozens of SMBs across Maine. The attack disrupted ALL of it. Simultaneously.

For SMBs relying on Katahdin: • Lost IT support • Lost backup access • Lost DR plans • Lost vendor coordination

Last 30 days alone: • McGraw-Hill → breached via Salesforce • Adobe → BPO contractor phished • Vimeo → Anodot breach • ADT → vendor access • Adidas → licensing partner NOT ONE breached directly. All through vendors.

Your firewall is perfect. MFA is on. Backups tested. Then your payroll provider gets phished. Suddenly YOU'RE notifying customers. YOU'RE handling the regulatory response. Third-party breaches doubled in one year: 15% → 30%.