Two Cybersecurity Experts Were Just Sentenced for Ransomware Attacks. Here's Why Vetting Your IT Provider Matters.

Two former incident response professionals were sentenced for running ransomware attacks against U.S. companies. The case is a reminder that trust in IT partnerships should be earned, not assumed.

In April, two former cybersecurity professionals were sentenced to four years in federal prison for running ransomware attacks against U.S. companies. One was an incident response manager at Sygnia. The other was a ransomware negotiator at DigitalMint. Both companies are well-known in the cybersecurity industry.

Between May and November 2023, these two (along with a third accomplice sentenced separately) operated as affiliates of the BlackCat ransomware group. They breached networks, encrypted servers, and demanded ransoms ranging from $300,000 to $10 million. One victim, a Tampa medical device company, paid $1.27 million.

These weren’t outsiders who happened to have technical skills. They were insiders. They understood how companies defend themselves because their day jobs were helping companies defend themselves. They knew what incident response looks like from the inside, and they used that knowledge to attack.

Why this matters for firms

Every firm that outsources IT gives significant access to a third party. Admin credentials. Backup systems. Security tools. Client data. That’s not a problem. It’s how managed IT works, and it’s the right decision for firms that don’t have the resources to staff an internal IT department.

But that access is built on trust. And this case is a reminder that trust should be verified, not just assumed.

The question isn’t whether you should work with an IT provider. You should. The question is whether you’ve done enough diligence to know who you’re working with.

What “good” looks like

A trustworthy MSP should make it easy for you to verify them. If your provider gets defensive when you ask questions about their security practices, that tells you something. Here’s what’s reasonable to ask:

Background checks and hiring practices. Does your IT provider run background checks on the technicians who access your systems? Do they have a process for revoking access when someone leaves?

Access controls and least privilege. Does every technician at the company have full admin access to your environment, or is access scoped to what each person actually needs? A help desk tech troubleshooting Outlook shouldn’t have the same access as the engineer managing your backups.
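The two questions above (is access scoped to the job, and is access revoked when someone leaves) are things a firm can check from evidence rather than take on faith. The script below is an added example, not the article's or any provider's own tooling: it runs an access review over a constructed CSV export of the technician accounts an MSP holds in a client's environment. The column layout, the job roles, the privilege tiers and the role-to-privilege mapping are all assumptions; a real review would use whatever the provider's identity platform exports, but the checks are the same.

```python
"""Vendor technician access review (added example with constructed data).

Flags three conditions a client should ask its MSP to explain:
  * over-privileged: privilege exceeds what the technician's job role needs
  * admin-without-mfa: an admin-tier account that is not protected by MFA
  * offboarded-but-enabled: account still enabled for someone no longer employed
"""
import csv
import io

# Assumed privilege tiers, lowest to highest. "backup_admin" and above count as admin.
PRIV_RANK = {"read_only": 0, "user_support": 1, "backup_admin": 2, "global_admin": 3}
ADMIN_TIER = PRIV_RANK["backup_admin"]

# Assumed mapping: the highest privilege each job role legitimately needs.
ROLE_MAX_PRIV = {
    "helpdesk": "user_support",
    "backup_engineer": "backup_admin",
    "account_manager": "read_only",
}

# Constructed sample export. The "employed" column would normally be joined in
# from the provider's HR roster; here it is embedded to keep the example offline.
SAMPLE_EXPORT = """username,job_role,privilege,mfa_enabled,enabled,employed
alice,helpdesk,user_support,true,true,true
bob,helpdesk,global_admin,true,true,true
carol,backup_engineer,backup_admin,false,true,true
dave,helpdesk,user_support,true,true,false
erin,backup_engineer,backup_admin,true,false,false
"""


def _flag(value):
    """Parse the true/false strings a CSV export uses."""
    return value.strip().lower() in ("true", "1", "yes")


def parse_export(text):
    """Turn the CSV export into a list of account dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "job_role": row["job_role"].strip(),
            "privilege": row["privilege"].strip(),
            "mfa_enabled": _flag(row["mfa_enabled"]),
            "enabled": _flag(row["enabled"]),
            "employed": _flag(row["employed"]),
        })
    return rows


def review(accounts):
    """Return a sorted list of (username, finding) pairs for enabled accounts.

    Disabled accounts are skipped: a revoked account is the desired end state,
    so it raises no finding even if the person has left.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if not a["employed"]:
            findings.append((a["username"], "offboarded-but-enabled"))
        rank = PRIV_RANK.get(a["privilege"])
        if rank is None:
            findings.append((a["username"], "unknown-privilege"))
            continue
        if rank >= ADMIN_TIER and not a["mfa_enabled"]:
            findings.append((a["username"], "admin-without-mfa"))
        needed = ROLE_MAX_PRIV.get(a["job_role"])
        if needed is not None and rank > PRIV_RANK[needed]:
            findings.append((a["username"], "over-privileged"))
    return sorted(findings)


def review_export(text=SAMPLE_EXPORT):
    """Convenience wrapper: parse an export and review it in one call."""
    return review(parse_export(text))


if __name__ == "__main__":
    for username, finding in review_export():
        print(f"{username}: {finding}")
```

Run as-is it reports bob as over-privileged (a help desk role holding global admin), carol as an admin account without MFA, and dave as an offboarded technician whose account is still enabled; erin's disabled account is correctly silent. The point of the exercise is not the script but the conversation it starts: a provider that can produce this export, and explain each finding, is one that has answered the access-control and revocation questions with evidence.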

Their own security posture. Does your IT provider practice what they preach? Do they use MFA internally? Do they have a SOC 2 report or equivalent? Are their own systems monitored the same way they monitor yours?

Contractual protections. Your MSP agreement should spell out data handling, breach notification timelines, liability, and what happens if the relationship ends. If the contract is vague about these things, it probably wasn’t written with your protection in mind.

Transparency. A good provider will proactively share information about how they protect your data. They’ll tell you who has access, how that access is logged, and what their internal policies look like. Not because you demanded it, but because they’d want the same thing if the roles were reversed.

It may also be your professional obligation

If you’re an attorney, ABA Model Rule 5.3 requires you to supervise nonlawyer assistants, and that extends to outside vendors who handle client information. You don’t need to understand every technical detail, but you need to make reasonable efforts to ensure your IT provider is competent and that client data is protected. Iowa’s version carries the same expectation.

If you’re a CPA, the AICPA Code of Professional Conduct (ET Section 1.400.200) requires you to take steps to ensure that a third-party service provider has adequate safeguards for confidential client information. If your IT provider has access to client financial records, tax data, or workpapers, you have an obligation to evaluate how they protect it.

In both cases, “I assumed they were handling it” isn’t a defense if something goes wrong.

This case was unusual. The lesson isn’t.

The BlackCat case involved two people who deliberately abused positions of trust. That’s rare. The vast majority of IT professionals and MSPs operate ethically and take their responsibility to clients seriously.

But “most people are honest” has never been a security policy. The firms that are best protected are the ones that verified their IT provider’s practices before something went wrong. They asked the uncomfortable questions early, got clear answers, and documented the relationship properly.

If you’ve never asked your IT provider how they handle access controls, who on their team can see your data, or what happens to your backups if you part ways, that conversation is overdue.


Artech Solutions is a managed IT provider serving law firms, CPA firms, and professional services firms across Iowa. We’re happy to answer any of the questions in this article about our own practices. Get in touch.