Ethical dilemmas for an IT consultant

“Ethics consist of knowing what not to do” Aristotle. 

There have been a number of times in my career in the managed services industry where I have been asked by a client about another client in the same business.   How they find out about them is probably through recommendations and testimonials which, at times, can be a double-edged sword.    These questions have to be handled delicately, but they have to be handled.

When working on client systems we always protect the data from scrutiny without compromising the security of the business.  Unless it is absolutely critical that we know what the data is, our business is to ensure that the data is protected at all times, and that includes protection not only from your own staff but also from our IT staff.

My philosophy
In our business you have to be exceedingly honest when it comes to protecting your clients' information.   In most cases a service level agreement (SLA) has the necessary protection in place for both your clients and yourself.   The SLA should include a confidentiality clause stating your understanding of the business requirements for protecting your client's network and data.

Staff involvement 
All of YOUR staff should also understand the SLA requirements, and if any information from a client site is revealed in the course of doing their job it is not to be disclosed to anyone outside the client's business.   In most cases we ensure that it is not revealed to anyone in our own business either.
Staff should understand their priorities within a business: loyalty is to the business owner or manager first at all times, followed by loyalty to our business, then to everyone else.   Mates and friendship are far down the list of approved disclosure routes.   Staff should always err on the side of management no matter what.    Technical controls can also be deployed, such as tighter than normal auditing of file and folder access, so that compliance with these principles can be verified rather than assumed.

How to ensure that the data is secure.
Critical client business data (intellectual property, financial records and banking details) should be considered highly classified and have a need-to-know system applied to it.   If you don't need to know the information, then you shouldn't have access to the information, and access should be denied by default rather than granted by default.  Pretty basic, but at times the lines can become blurred.
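The need-to-know rule above, together with the file and folder access auditing mentioned under staff involvement, can be made concrete. The following is an added example written for this page, not code from the original post or from any MSP's tooling. The client names, account names, paths and classification labels are all constructed for illustration. It denies access to highly classified client data unless the account is on that client's need-to-know list, records every decision in an audit trail, and then reviews that trail to surface the denied attempts a manager should look at first.

```python
"""Need-to-know enforcement with an audit trail over client data.

Added example, not from the original post. Client names, accounts,
paths and labels are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Classification of client data paths (constructed). Anything not listed
# falls back to "internal". Intellectual property, financial records and
# banking details are the "highly classified" categories from the post.
CLASSIFICATION = {
    "clients/acme/finance/*": "highly-classified",
    "clients/acme/banking/*": "highly-classified",
    "clients/acme/ip/*": "highly-classified",
    "clients/acme/tickets/*": "internal",
}

# Need-to-know lists per client (constructed). Deny by default: an account
# that is not listed here has no access to that client's classified data,
# and MSP support accounts are deliberately absent.
NEED_TO_KNOW = {
    "acme": {"acme\\cfo", "acme\\bookkeeper"},
}


@dataclass(frozen=True)
class AuditEvent:
    account: str
    path: str
    action: str
    allowed: bool
    reason: str


def classify(path: str) -> str:
    """Return the classification label for a path, defaulting to internal."""
    for pattern, label in CLASSIFICATION.items():
        if fnmatch(path, pattern):
            return label
    return "internal"


def client_of(path: str) -> Optional[str]:
    """Extract the client name from a clients/<client>/... path."""
    parts = path.split("/")
    if len(parts) > 2 and parts[0] == "clients":
        return parts[1]
    return None


def authorize(account: str, path: str, action: str,
              audit: List[AuditEvent]) -> bool:
    """Deny-by-default access decision; every decision is appended to audit."""
    client = client_of(path)
    tenant = account.split("\\", 1)[0]          # "acme\\cfo" -> "acme"
    if client is None:
        allowed, reason = False, "path outside the client data tree"
    elif classify(path) == "highly-classified":
        allowed = account in NEED_TO_KNOW.get(client, set())
        reason = ("on need-to-know list" if allowed
                  else "not on need-to-know list")
    else:
        # Internal data: the client's own accounts and MSP support accounts
        # may see it; accounts from another client's tenant may not.
        allowed = tenant in (client, "msp")
        reason = ("client or MSP support account" if allowed
                  else "account from another client")
    audit.append(AuditEvent(account, path, action, allowed, reason))
    return allowed


def review(audit: List[AuditEvent]) -> Dict[str, List[str]]:
    """Denied attempts on highly classified data, grouped by account.

    These are the entries to put in front of management first: they show
    who tried to reach data they had no need to know.
    """
    flagged: Dict[str, List[str]] = {}
    for ev in audit:
        if not ev.allowed and classify(ev.path) == "highly-classified":
            flagged.setdefault(ev.account, []).append(ev.path)
    return flagged


def demo():
    """Run a constructed sequence of accesses and return (audit, flagged)."""
    audit: List[AuditEvent] = []
    authorize("acme\\cfo", "clients/acme/finance/2023-ledger.xlsx", "read", audit)
    authorize("msp\\tech1", "clients/acme/tickets/1042.txt", "read", audit)
    authorize("msp\\tech1", "clients/acme/banking/accounts.csv", "read", audit)
    authorize("widgetco\\sales", "clients/acme/ip/roadmap.docx", "read", audit)
    authorize("widgetco\\sales", "clients/acme/tickets/1042.txt", "read", audit)
    return audit, review(audit)


if __name__ == "__main__":
    events, flagged = demo()
    for ev in events:
        print(f"{'ALLOW' if ev.allowed else 'DENY ':5} {ev.account:15} {ev.path} ({ev.reason})")
    print("for review:", flagged)
```

The two cases worth noticing are the MSP technician, who is allowed on the client's ticket data but denied on the banking export because the technician is not on the need-to-know list, and the account from another client, which is denied everything in the first client's tree. Both denials land in the review output, which is the kind of audit trail the post has in mind when it talks about auditing file and folder access.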

Ethics is an interesting principle when applied to business dealings at the MSP level, but it is definitely a driving principle for the client as well as the supplier.

Just in passing, what is the ethical position for an MSP when it discovers a client is doing something illegal?   Does disclosure of the information become an issue, or are you bound by your SLA?   What would you do?

Posted in IT Security.