Ransomware Wake‑Up Call: One MSP’s Blueprint for Non‑Negotiable Security And Crisis Communication

‘If you’re still letting clients skip security, you’re playing with fire. I walk into every room now and basically scare them to death. As for communication, one of the worst things you can do is crawl into a hole and stop talking. Call them. Sit down with them. Communicate constantly,’ says Zac Paulson, vice president of technology at ABM Technology Group.

The call came while Zac Paulson was on vacation near Mount Rushmore.

“The message said, ‘Zac, this is the CFO of your biggest customer. You need to call me. You need to figure this out,’” said Paulson, vice president of technology for Fargo, N.D.-based ABM Technology Group.

What followed would become one of the worst weeks of his career as an MSP owner. That largest customer, responsible for about 25 percent of his company’s revenue, had just been hit with ransomware. More than 500 machines were affected.

Paulson recalled his 2022 experience to a room full of MSPs at CRN parent company The Channel Company’s XChange March conference in Orlando this week. He said a decision he made before the attack still haunts him.

“They had about 400 computers, but they only wanted security on 40 of them,” he said. “Just the executives. Because they’re the only ones who matter, right?”

He had warned the client it was risky but ultimately agreed to their request.

“I told them, ‘If we do this, we’re bound to miss something,’” he said. “But that didn’t hold up later. They didn’t care what I had said.”

While still dealing with that client, another major client, his fourth largest, had also been hit with a cyberattack the same week.

“Two clients, same week, likely the same Russian hacking group,” he said. “That was a rough vacation.”

About a year later, one of the clients sent a letter accusing the MSP of negligence, outlining millions in damages. They didn’t ask for millions but a much smaller number. Paulson asked if the client would stay on if he wrote the check. They didn’t, and the second compromised client left too. Overnight, Paulson’s MSP lost 40 percent of its revenue.

For a moment, he considered shrinking the company back to a small shop. But after building the business for years, he couldn’t bring himself to do it.

“I thought I’d built a successful business,” he said. “Then suddenly I’m looking at cutting the company in half.”

Instead, he pushed forward with an acquisition that was already in the works. His MSP was eventually purchased by a larger organization that believed in the team, even if the valuation dropped.

“They told me, ‘We’re not just buying the clients. We’re buying the framework you built,’” he said.

Today, the company has recovered. Revenue has reached its highest level to date and profitability is back. But the experience reshaped how he runs the business as well as the advice he gives other MSPs.

The first lesson is security can’t be optional. The second lesson is communication during crises is paramount.

“If you’re still letting clients skip security, you’re playing with fire,” he said. “I walk into every room now and basically scare them to death. As for communication, one of the worst things you can do is crawl into a hole and stop talking. Call them. Sit down with them. Communicate constantly.”

And he encouraged the MSPs in the room to lean on the community when things get difficult.

“My biggest regret is that I didn’t ask other MSPs for help when I was going through it,” he said. “This industry is full of people who would show up for you. Don’t go through it alone.”

For Chelsea Skinner, Paulson’s story was a good reminder to not put all your eggs in one basket.

“And when it comes to security, MSPs shouldn’t be afraid to push back. If a client refuses proper protection, you have to be willing to tell them they’re wrong,” Skinner president, CEO at Lewisville, Texas-based Oversee My IT, told CRN.

A client of hers was hit with ransomware years ago because they only wanted the bare minimum for security services.

“Eventually, they were hit with ransomware,” she said. “They stayed with us afterward, though, and now they have full security services in place.”