Today, I am the Director of Business Development at Myki. But this story is a recollection from my time running an MSP for over a decade.
The mentality of the client in question is, unfortunately, a reality that all of us in the MSP industry have encountered in some shape or fashion.
2014, 4:00 AM, Los Angeles.
Wide awake. Mindlessly browsing r/msp.
One stupid password. One stupid password was behind my sleeplessness.
The day before, one of my onboarding techs gave me a call and told me that I needed to talk to our new client, a law firm, about their password situation before we continued onboarding them to our MSP.
What was the issue? Management insisted on using the same password across all workstations, emails and WiFi. Both for admins and standard users. Yup yup, high five!
The “Experienced” Client
So I had a talk with Jeff, the head of the law firm. Here’s about how the conversation went:
Me: “Jeff, I am not sure how to say this, but for the love of God let us manage your firm’s passwords for you.
I am not making a sales pitch here, I am genuinely concerned because it blows my mind knowing that you and your entire staff use the same password which is simply your street address and street name.
I know you’ve seen the news about password breaches. It’s a really bad time in the tech world to use the same password, especially for all the company workstations, email, and WiFi.
It’s only a matter of time before someone swings a massive wrecking ball through your business with a simple but all-access password breach. It’s a real thing that can happen to you when you least expect it.”
I knew Jeff had heard this before by the look of his eyes and the long, drawn-out, slightly dramatic exhale of breath. His response was pretty much the common response of most anyone who’s never experienced a real breach.
Jeff: “Nothing has ever happened and it makes life easier for everyone. I’ve been doing this for 15 years. Never once have we had a problem internally or externally. If something were going to happen, then it would have already happened at some point.
Who’s gonna hack us? We don’t have nothing anyone would want. We are small compared to these huge enterprises. Plus, it’s much easier for our people to remember their passwords. All you tech guys say the same thing and want me to spend more money.”
Money or Reputation?
Here’s the thing: it wasn’t the one password across the whole company that was interrupting my sleep. It was the fact that I had no other choice but to take the unusual step of asking Jeff to sign a “Liability Waiver” the next day.
If they wouldn’t allow us to manage them properly, then we weren’t going to be held responsible for a breach over one password outside our own managed network devices. Problem is, this seemingly reasonable request would probably create an awkward moment, and it’s not the ideal way to start a business relationship.
I scheduled a meeting with him and explained why we needed him to sign the “Liability Waiver” before we could proceed with the onboarding. I explained that the password problem was a deal-breaker for us, and needed to be handled as soon as possible.
Of course, it got awkward real quick, and he refused to sign it. As hard as it was for me to turn down a good-sized business like his, I had to terminate our agreement, which luckily wasn’t too much trouble, as we were only a few days into our 30-day withdrawal period.
This is the kind of risk management decision you have to make all the time as an MSP, because your reputation is at stake. If you turn a blind eye to the weakness of your client’s passwords, and your client gets breached on your watch, you’ll find out real quick who the scapegoat is: dingdingding - it’s you, the MSP! Why? Because you know better.
Put Me In, Coach!
About two weeks later, I get a call from Jeff, who was frantic, explaining that someone, “somehow”, got into their company network, and that hundreds of client folders were missing from their server. They hadn’t found a new MSP at this point, so he asked us to come and do whatever we felt was necessary to protect his company.
I never found out what it cost them to report the breach and comply with the breach process. I think he was a bit embarrassed to tell me, but I do know it was large enough for them to file a substantial insurance claim.
As luck would have it, they had a file level backup that wasn’t deleted and they shockingly had insurance to cover the associated breach costs. However, they did take a big hit from clients taking their business elsewhere.
It wasn’t a catastrophic slow death for the business, but it was plenty of an eye-opener for the firm, and what was originally a lost client turned into one of the largest projects and contracts for us that year. They always trusted our advice moving forward and we had a great business relationship.
Keep It Simple
It’s not that clients don’t care about passwords; they just want things to work without them having to troubleshoot their own systems.
Any boss has important things to do like, oh I don’t know, keep the business running and growing? The last thing they want to hear from employees is complaints that a service or software they’ve just implemented is frustrating to use. In the immortal words of the lovely, no-nonsense Kimberly “Sweet Brown” Wilkins: ain’t nobody got time for that.
The key to convincing clients to use password managers is to use a password manager that is dead simple for end users, and one you can manage on the technical level you are comfortable with. That’s the bottom line.
An Inconvenient Truth
“OMG. It takes way too much time to figure out. Why are you making us use this? What did we ever do to you? My Post-Its were working just fine!”
As you may have guessed from the above, Jeff and his employees ultimately had no choice but to start remembering unique passwords and opening support tickets with us, and although they were more secure than ever, they were not too thrilled with this new system.
But imagine being able to tell Jeff that his employees wouldn’t need to remember any passwords, because he’d be able to deploy legitimately complex passwords to each user without them ever even seeing them. After all, the employees don’t really care; a few of the bandwidth hogs just want things to work so they can watch “Keeping Up With The Kardashians” a bit earlier before lunch.
What would have really delighted Jeff and his employees at the time would have been Myki.
Myki is a Password Manager for MSPs, which you can easily deploy to your end users via email or RMM.
There’s a lot to love about Myki, but some of the key features you should know are:
No master password: Myki relies on thumbprints to verify identity, allowing you to take out the risk of a guessable master password. You can use your pinky too, but have you ever seen anyone use their pinkyprint? I don’t know why but it’s weird to watch. I have questions.
Cloud-like features, cloudless storage: Yes, cloudless! With Myki, your data is securely stored locally and encrypted with 256-bit AES, with all the efficiency and convenience of a cloud-based system.
Easily manage all your companies and users: MSPs lend their services to a lot of companies, but keeping up with the needs of each can become a difficult task. Myki allows you to do everything from assigning members of your team as company admins, to managing the billing process, all through one easy-to-use platform.
So please, do all your clients a huge favor, read more about what Myki can offer MSPs, and let their employees keep up with Kim and Kylie in peace.