Splitting up with your managed service provider (MSP) doesn't always go smoothly. In some cases, it can even turn ugly with your legal team getting involved. You've probably read or heard about similar horror stories before. Imagine this scenario: You get into a billing dispute with your IT company. The vendor then withholds your login credentials and takes them hostage so you will pay up, leaving you unable to access critical systems until you do.
That scenario raises the question: can MSPs even do that?
Intelligent Technical Solutions (ITS) is an IT support company that has been providing businesses with managed services for over a decade. So, it's safe to say we've had our fair share of breakups. In this article, we'll discuss whether an MSP can refuse to give you back your credentials. We'll also share what you can do if you find yourself in a similar scenario, as well as best practices to follow when transferring credentials back to your internal IT team.
After reading this article, you'll have a better understanding of who really owns your login credentials.
Let's get this out of the way: you and you alone have full ownership over your credentials. Even if your IT provider creates the accounts you use, the rights over them still fall under your umbrella. So, you should have access and control over the logins and passwords of all your programs and tools.
You granted your IT vendor access to your accounts so they can manage them; it's not the other way around. Your MSP should never withhold your login credentials, regardless of whether you're splitting up on bad terms. As a valued customer, you have the right to your information, and it should be provided when requested.
Most MSPs, especially well-established ones, will hand over your credentials with no hesitation. Though it's a bitter pill to let a client go, an MSP should never stoop to taking your logins hostage.
It's impossible to provide a single solution when a vendor takes your login credentials hostage. That's because there are so many variables to consider, and no scenario is ever the same. However, here are a few things that you need to keep in mind:
Just as with any dispute, it's easy for either party to lose their head. It's vital that you don't let that happen, especially since access to your systems is at risk. Try to de-escalate tensions whenever possible and engage in civil conversations with your vendor. Most of the time, cool heads can resolve the issue and help you move forward.
Maintain the lines of communication. That not only helps you address the issue with your vendor, but it also helps ensure that they don't do anything to your accounts. Failing to show up at the negotiation table might push them to try and drive a point home, regardless of whether it's ethical.
Of course, not all disputes can be solved amicably. When that happens, reach out to your legal team. They can help you parse through your service level agreements and guide you through your legal options.
Once you've resolved the issue with your vendor, it's time to think about transitioning your accounts to your internal IT team or new MSP. Your problem now is how to retrieve your credentials without the risk of compromising them.
ITS' Partner in Security, Edward Griffin, emphasized that the integrity of the client's credentials must prevail in this process.
According to Griffin, if ITS was transitioning client accounts to a different provider, "We definitely want to maintain the integrity of client credentials right up until our very last day and even beyond. We want to make sure that we're maintaining the security of all those proprietary data and systems access that we've been stewards of over the years."
In doing so, you and your MSP must work together to move the sensitive information from one side to the other. The following are some methods you can use when transferring credentials from your current MSP to your internal IT team or your new provider.
Only the recipient who holds the private key matching the public key used to encrypt the message can decrypt and read it. Any recipient without the corresponding private key sees only indecipherable text. This means that even if criminals intercept your email, they won't be able to decipher it, since they don't possess the key. This ensures that no one other than the intended recipient reads the data in the email.
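The public-key property described above, as an added example that is not part of the original article: a credential export is encrypted to the recipient's certificate with the `openssl` command line (CMS, the format behind S/MIME email), and only the matching private key can open it. It assumes `openssl` is installed; the identity names, file names and the credential line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: encrypt a credential export to the recipient's certificate
# (CMS, the format behind S/MIME email). All names and data are constructed.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Throwaway key pair + self-signed cert, standing in for a real S/MIME identity.
make_identity() {  # $1 = name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# SHA-256 fingerprint the recipient reads back over a second channel.
cert_fingerprint() {  # $1 = cert
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Sender: refuse to encrypt unless the cert matches the confirmed fingerprint.
encrypt_for() {  # $1 = plaintext  $2 = recipient cert  $3 = confirmed fp  $4 = output
  [ "$(cert_fingerprint "$2")" = "$3" ] || { echo "fingerprint mismatch" >&2; return 1; }
  openssl cms -encrypt -aes-256-cbc -binary -in "$1" -outform PEM -out "$4" "$2"
}

# Recipient: decryption succeeds only with the matching private key.
decrypt_with() {  # $1 = ciphertext  $2 = cert  $3 = private key
  openssl cms -decrypt -binary -in "$1" -inform PEM -recip "$2" -inkey "$3" 2>/dev/null
}

make_identity new-it-team
make_identity eavesdropper
printf 'firewall-admin,CONSTRUCTED-PASSWORD-1\n' > "$work/handover.csv"

fp=$(cert_fingerprint "$work/new-it-team.crt")   # in practice: confirmed by phone or Signal
encrypt_for "$work/handover.csv" "$work/new-it-team.crt" "$fp" "$work/handover.cms"

decrypt_with "$work/handover.cms" "$work/new-it-team.crt" "$work/new-it-team.key" >/dev/null \
  && echo "intended recipient: decrypted"
decrypt_with "$work/handover.cms" "$work/eavesdropper.crt" "$work/eavesdropper.key" \
  || echo "other key holder: cannot decrypt"
```

The fingerprint check matters as much as the encryption: a file encrypted to the wrong certificate is readable by whoever holds that certificate's key, so the recipient should confirm the fingerprint over a channel other than the one that delivered the certificate.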
To hand over your credentials, an MSP can save them in a secure repository, share it with you, and provide the key for recovery. However, the key must be delivered by a safe method. They can use an encrypted email or encrypted instant messaging services such as RedPhone or Signal.
Other than KeePass, you may also want to look into the following programs when sharing passwords:
Your credentials belong to you, and you have the right to have them when you request them, regardless of any dispute with your provider. A great IT company will support that and won't think twice when asked to do so.
Finally, once you're in the process of retrieving your credentials, ensure that the transition is done as safely as possible. One method you can use is sending them through encrypted email or sharing them through a secure repository. Both are viable ways to retrieve credentials, as they use encryption and keys that only the receiver can use.