Bluffing IT: Five secrets of an IT vendor
As a general rule, IT vendors are knowledgeable, reputable, and valuable to business owners. After all, operating your company's IT environment is a complex task, and outside vendors bring supplemental expertise that you may not have internally. It's often a wise business decision to engage outside help as needed.
However, there are exceptions to every rule, and this is increasingly evident in the IT industry. With regularity, many business owners are discovering after the fact that their IT vendor is deficient in several basic and fundamental ways. This is especially true with smaller IT vendors who may not have the resources or sophistication of a larger shop.
Oftentimes, an outside IT vendor is given access to the most critical and sensitive assets of a company. These assets include your corporate IT networks that support the entire enterprise. They also include databases that contain customer financial information and personally identifiable employee information (i.e., HR records).
Before engaging an IT vendor and granting them access to your critical assets, you should conduct enough due diligence to ensure that the vendor is of sufficient quality. Your due diligence review should include assessment of five areas in which IT vendors sometimes “bluff it” and claim to be competent, but often fall short. These are the five secrets of disreputable IT vendors:
- They don’t carry adequate insurance. A vendor accessing your most critical networks and data should carry cyber risk insurance, technology errors and omissions insurance, and crime insurance policies, all with minimum coverage amounts of $2 million in aggregate per policy. This coverage is readily available at a reasonable cost, yet many IT vendors are unaware of the coverage or unwilling to incur the expense. Be wary of any IT vendor who does not carry these types of insurance.
- They can’t comply with your non-disclosure agreement (NDA). As a condition to granting access to your IT environment, you will want to make sure that the vendor has signed an NDA or confidentiality agreement in which they agree to maintain your information in confidence. While most vendors will sign such an agreement, they simply don’t have the policies and procedures in place to monitor and track how their employees and contractors are using your information. Odds are your vendor does not have the proper controls in place to comply with your NDA.
- They are using intellectual property they don’t own. Most IT vendors will reuse work product from a prior engagement when providing services to you. It’s a common practice to repurpose the material. Yet, it is often the case that a prior customer owns portions of the work product that is now being delivered to you. This, of course, positions you directly in the crosshairs for a claim that you are infringing upon another company’s intellectual property rights. Your contract with the vendor will need to address this possibility and include sufficient representations, warranties, and indemnities from the vendor.
- They don’t know where your data is physically located. If you’ve engaged an IT vendor to host any of your data, odds are that they are using a third-party host provider. That third-party host provider uses multiple other providers to store, manage, and maintain your data. So, if you’ve engaged an IT vendor in Dallas, they may have subcontracted storage to a vendor in India who uses support teams in Vietnam and Brazil. The end result: your data is strewn to the four corners of the world and your vendor couldn’t give you a full and transparent answer as to its physical location.
- They use subcontractors, not employees. When you hire an IT vendor, you presume that their employees will do the work. Increasingly, most IT shops are staffed very lean and will hire contractors on a project basis as supplemental help when needed. While the contractors may be highly qualified, they are not subject to the same control and oversight as employees. Furthermore, if the contractor makes an error, your vendor may have limited recourse in its agreement with the contractor to recover damages or pursue other remedies. The act of subcontracting by its nature limits remedies, reduces oversight and control, and increases the likelihood of finger pointing.
None of these secrets is particularly fatal or a sufficient reason to avoid using an IT consultant. To the contrary, exposing them to the light of day and addressing them openly will make for a stronger working relationship. Good consultants will be happy to demonstrate how they have properly covered these concerns. Less reputable consultants will continue to bluff their way through, until they meet you.
Andrew Schlidt (firstname.lastname@example.org) is an attorney with Whyte Hirschboeck Dudek S.C. practicing corporate and technology law.