Technology is vast; it means a lot of different things to different folks. IT Support is another giant world – folks think we should be able to fix the blinking 12:00 on the VCR and launch the space shuttle – and everything in between.
In a typical IT Service Provider contract, the “implied security” generally revolves around a duty of care to manage the IT environment with industry-standard, professional skill, diligence and technical tools. While rarely guaranteeing 100% security against breaches, the implied obligation is to proactively maintain, monitor, and protect the network infrastructure to a reasonable standard.
Here is a breakdown of the implied security in a typical IT contract:
1. The Core Implied Obligations
- Proactive Maintenance & Patching
- Fundamental Security Deployment
- Monitoring and Alerting
- Access Management
- Data Backups
2. Implied “Duty of Care”
Beyond the explicit list of services, MSPs are often held to a “standard of care” expected of IT professionals. This includes:
- Advising on Risk
- Confidentiality
- Incident Response
3. Critical Limitations (What is NOT Typically Implied)
It is crucial to distinguish between what is implied and what is explicitly covered, or not covered at all:
- Not a Guarantee against Breaches
- Advanced Security Requires Explicit Agreement
- Client Responsibility for Compliance
- No Liability for Ignored Advice
InControl, the Now IT Works cyber security solution, turns a “best effort” promise into a validated, defensible, and compliance-ready program. It converts abstract security promises into concrete, actionable evidence through third-party audits, risk reviews, and vCSO services. This reduces liability and validates security controls, proving they are actually working, not just installed.
Key impacts on implied security include:
- Defensible Security: Provides documented evidence of compliance and security controls (IRPs, AUPs, WISPs), which is essential for insurance claims and liability reduction.
- Independent Validation: Uses credential-free scanning and penetration testing to verify security effectiveness rather than just promising it.
- Ongoing Compliance: Transforms compliance from a one-time task into a recurring service (e.g., quarterly risk reviews).
- Reduced Liability: Shifts the focus to proactive risk management, reducing the chances of a breach and mitigating damage if one occurs.