You've probably noticed that our website doesn't include a page full of shiny client logos or detailed case studies naming specific businesses we work with. If you've ever scrolled through competitor websites and seen that wall of recognisable brands, you might wonder why we're different. As we've been redesigning our own site recently, this question came up more than once, and the answer reveals something important about how we think about security.
Here's the thing: every piece of information you make public is a piece of information that can be used against you. In cybersecurity circles, this is called reconnaissance, and it's typically the first step in any targeted attack. When a managed service provider like us publishes a client list, we're not just showing off our credentials, we're also publishing a roadmap for attackers. They now know exactly which businesses use our services, what industries we specialise in, and might give them the illusion that compromising our systems could give them access to all of those organisations at once. The 2021 Kaseya attack demonstrated this perfectly: attackers targeted a single IT management platform and ended up deploying ransomware to over 1,500 businesses through their MSP connections. The ransom demand? $70 million USD. Supply chain attacks against IT service are documented, devastating, and increasingly common.
But there's another angle that's just as concerning: impersonation. According to the US Federal Trade Commission, impersonation scams resulted in $2.95 billion in losses in 2024 alone, making them one of the top reported fraud types. When criminals know that your business works with a particular IT provider, they can craft incredibly convincing phishing emails or phone calls. "Hi, this is Sarah from [your actual IT company]. We've detected suspicious activity on your network and need you to verify your credentials." If the attacker knows the real name of your IT provider, that email suddenly looks a lot more legitimate. The MITRE ATT&CK framework actually catalogues impersonation as a documented adversary technique (T1656), noting that attackers routinely pose as IT support personnel, executives, or trusted vendors to manipulate targets into handing over credentials or running malicious software.
After more than 20 years serving Sydney businesses, we have plenty of success stories we're genuinely proud of. But when we sat down to redesign our website, we had to ask ourselves a harder question: does publishing those stories benefit our clients, or does it primarily benefit us at their expense? We decided that protecting our clients' security was more important than adding a few impressive logos to our homepage. Instead, we describe the industries we work with and the types of problems we solve, giving you a genuine sense of our capabilities without painting a target on anyone's back.
This kind of thinking extends to everything we do. When we consider a new tool, a new process, or even how we talk about our work publicly, we're always asking: what information does this reveal, and who might use it? Sometimes the most security conscious decision is the most boring one. The decision not to share something, not to enable a feature, not to take a shortcut. It's not glamorous, but it's the foundation of genuine protection.
So when you're evaluating IT providers, consider this: the ones who splash client names everywhere might be prioritising their own marketing over their clients' security. The best security is often invisible. It's in the policies that prevent problems before they happen, the decisions that close doors attackers might walk through, and yes, sometimes it's in the things a company deliberately chooses not to publish.
If you'd like to learn more about how we approach security, or if you just want to chat about whether we're the right fit for your business, get in touch. We're always happy to have a conversation, even if we won't be putting your logo on our website afterwards.
WhatsApp 