What is a Man-in-the-Middle (MiTM) attack: the risk that IT companies can no longer afford to ignore
Companies are totally dependent on their digital infrastructure, and Man-in-the-Middle attacks are one of the most insidious threats businesses face.
For an IT company or software agency, this vulnerability is not just a technical issue – it’s a time bomb for your reputation, legal liability, and your wallet.
- 🔐 A successful MiTM attack on your client’s network can make your company liable for fraud worth millions – even if you’re not directly responsible, they’ll be looking for you.
- 📡 Every corporate client in a commercial contract will ask for evidence of IT security and policies in this regard; if you don’t have them, you lose contracts before you sign them.
- 💼 A single breach you overlook in a security audit can lead to legal action from clients; the costs can exceed the company’s annual profit.
- 🔑 Intercepted customer personal data means GDPR fines; we’re talking about 4% of turnover, minimum 10,000 EUR, with no upper limit.
- 🛡️ IT professional liability insurance is not an expense; it’s a business necessity that protects your business against situations you may not control.
🔍 How does a MiTM attack work in practice?
📶 The classic scenario: the café, the public WiFi and the hidden attacker
You’re having coffee, connecting your phone or laptop to the free WiFi network. Everything seems normal. In reality, the attacker – maybe someone in the opposite corner with a laptop and some free tools downloaded from the internet – can see every data request your computer sends. If you log in to your email, he sees it. If you use your online banking credentials, he sees those too and stores the data on his terminal.
The mechanism is simple enough for anyone with minimal technical knowledge. The attacker intercepts communications through what is called “ARP spoofing” (a method by which he lures traffic destined for the router to his own device). He then reads your requests and forwards them on to the real server, creating the illusion that everything is normal.
Compromising the session through ARP Spoofing in a co-working space
On a shared local network, an attacker sends fake ARP (Address Resolution Protocol) packets to the local router and to a software developer’s laptop. The router is tricked into thinking that the developer’s IP identity belongs to the attacker, and the developer’s laptop associates the router’s IP with the attacker’s MAC address. From this point on, all data traffic passes through the compromised device, allowing the passwords transmitted in clear text to be read.
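The poisoning described above leaves a footprint a defender can watch for: the gateway’s IP suddenly answers from a different MAC address, and one MAC address starts answering for several IPs at once. The following is an added example, not code from the original article, showing a minimal monitor that applies those two rules to a stream of observed ARP replies. The replies, the addresses (192.168.1.1 as the gateway, 192.168.1.20 as the developer’s laptop, aa:bb:cc:00:00:99 as the attacker) and the `ArpMonitor` type are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ArpReply is one observed ARP reply ("IP is-at MAC"), as a sniffer or
// switch log would report it. The sample records below are constructed.
type ArpReply struct {
	Seq int    // observation order
	IP  string // sender protocol address claimed in the reply
	MAC string // sender hardware address
}

// Alert describes one suspicious ARP event.
type Alert struct {
	Seq    int
	Reason string
}

// ArpMonitor remembers the first MAC seen for each IP (the trusted baseline)
// and the set of IPs each MAC has claimed. A change of the MAC behind a known
// IP, or one MAC answering for several IPs, is the signature of ARP cache
// poisoning described in the text.
type ArpMonitor struct {
	ipToMAC   map[string]string
	macToIPs  map[string]map[string]bool
	protected map[string]bool // IPs (e.g. the default gateway) that must never move
}

// NewArpMonitor creates a monitor; protectedIPs are raised at higher severity.
func NewArpMonitor(protectedIPs ...string) *ArpMonitor {
	m := &ArpMonitor{
		ipToMAC:   map[string]string{},
		macToIPs:  map[string]map[string]bool{},
		protected: map[string]bool{},
	}
	for _, ip := range protectedIPs {
		m.protected[ip] = true
	}
	return m
}

// Observe processes one ARP reply and returns zero or more alerts.
func (m *ArpMonitor) Observe(r ArpReply) []Alert {
	var alerts []Alert
	mac := strings.ToLower(r.MAC)

	// Rule 1: a known IP is now answered by a different MAC.
	if prev, ok := m.ipToMAC[r.IP]; ok && prev != mac {
		kind := "IP-to-MAC change"
		if m.protected[r.IP] {
			kind = "GATEWAY MAC CHANGE"
		}
		alerts = append(alerts, Alert{r.Seq, fmt.Sprintf("%s: %s moved from %s to %s", kind, r.IP, prev, mac)})
	} else if !ok {
		m.ipToMAC[r.IP] = mac // first sighting becomes the baseline; later changes are flagged, not adopted
	}

	// Rule 2: the same MAC claims an additional IP it has not claimed before.
	ips := m.macToIPs[mac]
	if ips == nil {
		ips = map[string]bool{}
		m.macToIPs[mac] = ips
	}
	if !ips[r.IP] && len(ips) >= 1 {
		alerts = append(alerts, Alert{r.Seq, fmt.Sprintf("one MAC %s claims %d IPs", mac, len(ips)+1)})
	}
	ips[r.IP] = true
	return alerts
}

// SampleReplies is a constructed sequence: the gateway and the laptop answer
// normally, then a third device answers for both of them.
var SampleReplies = []ArpReply{
	{1, "192.168.1.1", "aa:bb:cc:00:00:01"},
	{2, "192.168.1.20", "aa:bb:cc:00:00:02"},
	{3, "192.168.1.1", "aa:bb:cc:00:00:01"},  // benign refresh, same binding
	{4, "192.168.1.1", "aa:bb:cc:00:00:99"},  // gateway suddenly moves
	{5, "192.168.1.20", "aa:bb:cc:00:00:99"}, // same MAC now also claims the laptop
}

// RunSample replays the constructed replies and collects every alert.
func RunSample() []Alert {
	m := NewArpMonitor("192.168.1.1")
	var all []Alert
	for _, r := range SampleReplies {
		all = append(all, m.Observe(r)...)
	}
	return all
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("seq %d: %s\n", a.Seq, a.Reason)
	}
}
```

On the sample the monitor raises three alerts: the gateway MAC change at observation 4, then at observation 5 both the laptop’s binding change and the single MAC claiming a second IP. The second rule alone is a weak signal (a router doing proxy ARP, or a host with several addresses, trips it legitimately); the gateway rule is the one worth paging on. Real deployments read the same fields from a packet capture or from the switch’s port-security logs rather than a constructed list.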
🔐 The more sophisticated version of a MiTM attack: fake HTTPS address and fake certificates
MiTM attacks don’t stop at WiFi networks. There are much more sophisticated variants. The attacker can intercept the HTTPS connection itself (yes, the one with the green padlock that is supposed to mean “secure”).
To do this, he presents a fake digital certificate that basically says to your browser: “I’m Google / I’m your bank, trust me!”. Older browsers or people who don’t carefully check digital certificates usually fall into the attacker’s trap.
There have been cases where attackers have injected fake certificates into corporate devices or even stolen real certificates from servers. Then, everyone on the targeted network had the impression that they were talking to the real entity, but in fact they were talking to the attacker.
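What decides whether a forged certificate works is the trust store on the victim’s device: a certificate for the bank’s hostname issued by a CA the browser does not trust is rejected, while the same certificate is accepted the moment the attacker’s CA has been injected into that store, which is the corporate-device case mentioned above. The following is an added example, not code from the original article. It builds a trusted CA and a separate attacker CA in memory, issues a server certificate for the constructed hostname `bank.example` from each, and runs standard X.509 chain verification against both a clean and a poisoned trust store; all names and the `Scenario` function are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is the hostname the client believes it is talking to (constructed).
const Host = "bank.example"

// newCA creates a self-signed CA certificate and its private key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a server certificate for Host, signed by the given CA.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: Host},
		DNSNames:     []string{Host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify performs the check a browser performs: chain to a trusted root,
// hostname match, and server-authentication usage.
func Verify(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   Host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario returns whether the genuine certificate verifies, whether the
// forged one verifies against the clean trust store, and whether the forged
// one verifies once the attacker's CA has been added to the trust store.
func Scenario() (genuineOK, forgedOK, forgedOKPoisoned bool, err error) {
	trustedCA, trustedKey, err := newCA("Trusted Root CA (constructed)")
	if err != nil {
		return false, false, false, err
	}
	attackerCA, attackerKey, err := newCA("Attacker CA (constructed)")
	if err != nil {
		return false, false, false, err
	}
	genuine, err := newLeaf(trustedCA, trustedKey)
	if err != nil {
		return false, false, false, err
	}
	forged, err := newLeaf(attackerCA, attackerKey)
	if err != nil {
		return false, false, false, err
	}

	clean := x509.NewCertPool()
	clean.AddCert(trustedCA)
	genuineOK = Verify(genuine, clean) == nil
	forgedOK = Verify(forged, clean) == nil // fails: chain ends in an unknown authority

	poisoned := x509.NewCertPool() // the "injected certificate" case from the text
	poisoned.AddCert(trustedCA)
	poisoned.AddCert(attackerCA)
	forgedOKPoisoned = Verify(forged, poisoned) == nil
	return genuineOK, forgedOK, forgedOKPoisoned, nil
}

func main() {
	g, f, p, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine cert accepted: %v\nforged cert accepted (clean store): %v\nforged cert accepted (poisoned store): %v\n", g, f, p)
}
```

The takeaway for the checklist later in the article: encryption alone is not the control, certificate validation against a trust store you actually manage is. An inventory of the root certificates installed on managed devices, alerting on any addition, and certificate pinning in the applications you ship to the client are the defences this demonstration points at.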
🎯 The scenario that creates real problems for IT companies
💼 You develop software, your client is a bank
Your company has developed an account management application for a financial institution. The application is robust, tested, secure. But the attacker doesn’t attack it directly; he attacks over the WiFi network at the client’s premises. He interposes himself between the bank’s employees and your servers. He takes over the credentials, sees transactions in real time, maybe even modifies data.
Now – and this is the part that should worry you – the bank won’t say: “The attacker was very clever!”. The bank will say: “The IT company that developed the system didn’t ensure secure data transmission. It didn’t educate any of the critical employees. It didn’t provide security recommendations.”
Then, if there is a standard liability clause in the contract (which appears in about 99% of contracts), you are liable.
🏢 Large companies do due diligence and require insurance
Any serious company, before hiring an IT company, will require:
- Security evidence and certifications;
- Penetration testing audits;
- Compliance documentation;
- And a worldwide IT professional liability insurance.
If you don’t have IT&C professional liability insurance, the client company simply won’t hire you. It’s like wanting to buy a car and the seller doesn’t have the papers. You don’t feel like buying it, right?
🚨 The consequences of a MiTM attack on your customers
📊 Calculating the real costs for an IT company
A MiTM attack in which sensitive customer data is intercepted is not just a security issue. It’s a cascade of costs:
- Recovery and investigation: €50,000-200,000 for digital forensics, security consultants, full audit.
- Legal notices and communications: Every individual whose data has been compromised must be notified. For a financial institution with 100,000 clients, this means massive legal correspondence.
- GDPR fines: 4% of global turnover, with no upper limit. For a company with €5 million in turnover, this would mean a minimum of €200,000.
- Civil damages: Your client will most likely sue you for direct and indirect losses. Legal costs and damages can easily reach exorbitant amounts.
- Loss of reputation and other contracts: After a public incident, other companies will be reluctant. You may regain some of the trust, but only after 2-3 years and with great PR efforts.
🏛️ Legal and contractual liability
Contracts with large companies contain liability clauses regarding IT security. If you (as the IT company) have not implemented minimum security standards and a MiTM attack compromises data, you are most often at fault.
Corporate lawyers are ready to argue that: “The IT company should have implemented end-to-end encryption, should have educated the customer about WiFi risks, should have monitored the application against attacks, etc.”
🔐 Why MiTM attacks are particularly dangerous for the IT industry
🎭 The attacker is invisible
Unlike ransomware that encrypts your system and demands money to regain access, MiTM is silent. No one knows it’s there. Data leaks, passwords are captured, and things seem normal until something serious happens – a major fraud, an unauthorized transfer of funds.
For an IT company serving corporate clients, this means you can’t just say, “I installed a firewall.” You have to demonstrate that you have continuously monitored, that you can detect abnormal behavior, that you have an incident response plan.
🌐 The attackers are well-organized and funded
We’re not talking about teenage hackers here. We’re talking about organized groups, sometimes supported by states, that aim to access sensitive corporate data. They specifically target IT companies because they know they have access to wealthy customers, where the effort of the attack is worth it.
🛡️ What should an IT company do now?
📋 Checklist for implementing protection measures
- Monitoring and detection: A system that sees when data is accessed abnormally. This is not optional.
- Customer education: Every customer you take on must be educated on the risks. Public WiFi, phishing, social engineering. Document the educational program and course.
- End-to-end encryption: If sensitive data is transmitted, the information flow must be encrypted from the client’s end to you.
- Regular security audit: At least once a year, an external auditor should check the systems. This protects both you and the client.
- Incident reporting: You should have a clear plan for when something happens, who calls whom, how you communicate with the client, how you notify the authorities.
💼 Insurance: last resort protection
But none of the above actions eliminates the risk completely. That’s why there is IT professional liability insurance for both PFAs/microenterprises and SRLs/SAs.
A good policy covers:
- Investigation and recovery costs after an attack;
- Legal costs and compensation to the client;
- Compliance fines (including GDPR);
- Notification and communication costs.
When you think of insurance as just an “administrative expense”, you are wrong. It is an investment in business continuity. If something were to happen, the difference between having insurance and not having it is the difference between surviving the incident or closing the company.
📊 Market reality and customer expectations
Large companies no longer accept risks. That much is already clear. If there is a tender for a major contract and you do not have Cyber insurance and IT&C professional liability insurance documented, you can consider yourself already eliminated from the competition. You simply will not enter the negotiation stage.
Even SMEs that were careless with security until relatively recently are starting to realize that an attack of this type can destroy them. When they see an IT company that has taken all the insurance measures, that inspires confidence.
Man-in-the-Middle attacks are not something from the future or science fiction scenarios. They are already being used against your customers and your company could be the very next target. The only questions are: When it happens, will you be prepared? Will you have the necessary protection? Will you call on insurance, an external consultant, a crisis plan?
The answer to these questions should be “yes” before the first attack occurs. Not after.