A common marketing avenue for service providers is to publicly disclose their clients’ names on their websites – regardless of any non-disclosure agreement that is put in place. From a cybersecurity perspective, it’s not a good idea. Clients’ identities, the technology they use, and the platforms and networks they run their business on must remain private. Let’s discuss why.
There are a few critical reasons why a client and company should never allow their IT Service to publicly disclose that they are actively providing technology services to that client. It’s exactly the kind of information that bad actors use to target a specific client. It’s a terrible idea.
Non-disclosure Agreements are designed with and for Privacy
These agreements are specifically put in place, a contract between the client and a service, to ensure that all discussions and transactions (informational and technological) are kept private. It’s how both the business and the service protect themselves. Intellectual Property is important to both parties, that’s why most IT Services deal with this upfront.
The NDA should also protect you, the client. Ideally, you should have a clause in the agreement stating that they are not allowed, without permission, to disclose your company name, or the services you use, in any of their marketing material.
Why name disclosures can be a target for bad actors
For a bad actor, investigation and reconnaissance are a key part of the first steps in targeting a specific business. If you’re a high-value target, knowing exactly what IT services you’re using and where those specific networks are located makes your acquisition a lot easier.
Often IT Services are situated on their own fiber networks, which have their own owned fiber connections with third-party providers. These owned fiber connections are licensed by those third parties with their own company name attached to them. So, attackers can query those fiber connections, and not exactly where you are.
Public IP addresses can be traced to their current owner. You don’t want your business to be located that easily. That does not mean that you are definitely on the provider’s network, but it’s a start that you don’t want to give them.
The steps taken to target your company are as easy as 1, 2, and 3. Take ABC corp as an example.
- An attacker looks at the service provider’s website and notices ABC corp is their client.
- An attacker then queries or knows the existing public IP Addresses that the service provider uses.
- The attacker now knows where you live and what services you might use.
Protect yourself and your company by being anonymous.
How can a business use a client’s name but still protect the NDA agreement?
This is not a difficult policy to manage when it makes sense.
Allow the service provider to use your business as a private reference, when the time comes and they would like to offer your name and service as a reference.
That’s how Selenium Technology utilizes its existing clients for references, without publicly disclosing such information to bad actors. It never ceases to amaze that Managed IT Service Providers that are also Managed Security Service Providers publicly disclose who their clients are.
As a business, don’t allow this when it can be avoided.
If you would like more information on how your company can protect itself against cybersecurity threats or would like to have an independent review of your IT Services, please contact us for more details.