Lessons to learn
3rd Party Risk Management Programs
Many SMBs and MSPs rely on 3rd parties for services and products. Last year, thousands of businesses were impacted enormously by a software vendor's poor security and the widescale breach of its product (SolarWinds). This put thousands of enterprises at risk and led to many additional breaches. The lesson learned here is that you may trust your vendors, but you must verify their security measures and controls.
Breaches Happen to MSP/SMB Vendors Too
Before you dismiss this advice because SolarWinds was largely an enterprise software event, CyberHoot reminds you that Kaseya had a nasty ransomware breach last year which led to the encryption of many of its customers' data. How many MSPs or SMBs have any sort of 3rd party risk management program? Let's simplify that question to the reality on the ground. How many SMBs and MSPs even know or track all the 3rd party vendors they rely on to run their business? Given that CyberHoot has rarely been asked about our security, even though we supply Awareness Training, Phish Testing, and Governance Policy services to tens of thousands of users globally, we are confident that 3rd party vendor management is severely lacking.
Contract Language Matters a Good Deal
In this instance, the fine print did not prevent 3rd Party vendor A from reselling the equipment purchased from Morgan Stanley to vendor B. This transfer of equipment played a role in the contractual obligations surrounding data destruction not being followed, and made Morgan Stanley's job of following up on the data destruction requirements very difficult.
vCISO Tip 1: When companies you support are dealing with critical data, make sure you review their contract language. Ensure the contract language prevents your 3rd parties from subcontracting the work without your explicit permission.
vCISO Tip 2: Some security professionals may suggest you encrypt the data and destroy the keys instead of destroying the data. This is a short-sighted method that CyberHoot argues against doing. Quantum computers are around the corner and will open up a vast array of methods to break current encryption standards. What is encrypted today could be cracked tomorrow. It is always better to destroy the data rather than encrypt to protect its Confidentiality.
You do have a Data Retention and Destruction Policy, right?
Many SMBs struggle to get rudimentary cybersecurity policies in place. Every SMB should have the following policies in place:
- Written Information Security Policy (WISP)
- Password Policy
- Acceptable Use Policy
- Information Handling Policy
Once an SMB or MSP has these basic policies in place, their maturity has risen to a point where they need to consider developing other policies including:
- 3rd Party Risk Management
- Software-as-a-Service Management Policy
- Data Retention and Destruction Policy
The data retention and destruction policy is an adjunct to the Information Handling Policy. It describes in minute detail the types of data a company controls, how long each type of data is to be kept, and how to securely destroy the data after its useful life. This is of vital importance when dealing with critical or sensitive company data. Make sure you have a retention and destruction policy in place at your SMB or MSP.
What should SMB/MSPs learn from the Morgan Stanley data Breach?
At the root of this issue were three main points of failure. While Morgan Stanley has not admitted fault in this matter, CyberHoot believes all businesses could learn three things from this breach.
1. Create, develop, and fund your 3rd party Risk Management program.
Start by creating a list of critical 3rd parties and focus on them to begin with. Assess their cybersecurity preparedness with a questionnaire and track results through to your satisfactory conclusion.
2. Have Cybersecurity Review your 3rd Party Contract language for Gaps.
Morgan Stanley’s data destruction policy should have prohibited the sale of equipment to other recycling vendors without first proving the data destruction process had completed. That alone might have prevented this breach from occurring.
3. Document your Data Retention and Destruction Policy and Processes
Ensure you have prescriptions in your Information Handling Policy that call out retention and destruction requirements. Write process documents outlining the procedures your IT resources are to follow when backing up and destroying your data.
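The three steps above are policy, but two of them can be backed by a simple control that IT can actually run: a retention schedule check that flags records past their useful life, and a disposal chain-of-custody check that refuses to close out an asset until the contracted vendor has supplied destruction evidence and no custody transfer to an unapproved vendor has occurred. The following Python is an added example written for this article, not CyberHoot's code or any product of the vendors named on the page; the data classes, retention periods, vendor names and asset records are all constructed placeholders.

```python
"""Retention-schedule and disposal chain-of-custody checks.

Added example (not CyberHoot's code). Every retention period, vendor name
and record below is a constructed placeholder; real values come from your
Information Handling / Retention policy and your vendor contracts.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed retention schedule: data class -> retention period in days.
RETENTION_DAYS = {
    "customer_pii": 7 * 365,
    "transaction_log": 5 * 365,
    "marketing_list": 365,
}


@dataclass
class Record:
    record_id: str
    data_class: str
    created: date


def retention_status(record: Record, today: date) -> str:
    """Classify a record as 'retain', 'destroy' or 'unclassified'.

    A record with no entry in the schedule is NOT deleted: it needs to be
    classified first, which is the Information Handling Policy's job.
    """
    days = RETENTION_DAYS.get(record.data_class)
    if days is None:
        return "unclassified"
    expiry = record.created + timedelta(days=days)
    return "destroy" if today >= expiry else "retain"


def records_due_for_destruction(records: List[Record], today: date) -> List[str]:
    """Return the ids of records whose retention period has elapsed."""
    return [r.record_id for r in records if retention_status(r, today) == "destroy"]


@dataclass
class DisposalAsset:
    asset_id: str
    contracted_vendor: str
    # Every vendor that has held the asset, in order of custody.
    custody: List[str] = field(default_factory=list)
    # Vendor that issued the certificate of destruction, if any.
    destruction_certificate_from: Optional[str] = None


def disposal_findings(asset: DisposalAsset, approved_vendors: Set[str]) -> List[str]:
    """Return policy violations for one disposal asset (empty list means clean)."""
    findings = []
    for vendor in asset.custody:
        if vendor not in approved_vendors:
            findings.append(f"{asset.asset_id}: custody passed to unapproved vendor {vendor}")
    if asset.destruction_certificate_from is None:
        findings.append(f"{asset.asset_id}: no certificate of destruction on file")
    elif asset.destruction_certificate_from != asset.contracted_vendor:
        findings.append(
            f"{asset.asset_id}: certificate issued by {asset.destruction_certificate_from}, "
            f"not by contracted vendor {asset.contracted_vendor}"
        )
    return findings


def can_close_asset(asset: DisposalAsset, approved_vendors: Set[str]) -> bool:
    """An asset may only be marked destroyed when no findings remain."""
    return not disposal_findings(asset, approved_vendors)


if __name__ == "__main__":
    # Constructed sample data.
    today = date(2022, 1, 1)
    records = [
        Record("rec-1", "customer_pii", date(2014, 1, 1)),     # past 7 years
        Record("rec-2", "transaction_log", date(2020, 1, 1)),  # still within 5 years
        Record("rec-3", "unknown_export", date(2010, 1, 1)),   # never classified
    ]
    print("due for destruction:", records_due_for_destruction(records, today))
    for r in records:
        print(r.record_id, retention_status(r, today))

    approved = {"Vendor A"}
    clean = DisposalAsset("srv-001", "Vendor A", ["Vendor A"], "Vendor A")
    resold = DisposalAsset("srv-002", "Vendor A", ["Vendor A", "Vendor B"], None)
    for a in (clean, resold):
        print(a.asset_id, "closeable:", can_close_asset(a, approved))
        for f in disposal_findings(a, approved):
            print("  ", f)
```

The two checks are deliberately conservative: an unclassified record is reported rather than destroyed, and an asset with any custody gap stays open even if a certificate eventually arrives from a different vendor, which is exactly the situation the contract language in Tip 1 is meant to prevent.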
A vCISO can Help in All Three Areas
Cybersecurity professionals are in high demand. Even if you can find one, hiring them full-time is beyond the means of most companies, for the same reason you don't hire a full-time physician, lawyer, plumber, or electrician to assist your business.
This is where a virtual Chief Information Security Officer can help you out at a fraction of the cost of a full-time professional. The vCISO profession has been growing and expanding rapidly over the last 5 years. CyberHoot provides vCISO consultants to SMBs and MSPs to help them build and mature their cybersecurity programs. Learn more about our program here.