What should SMBs/MSPs learn from the Morgan Stanley Data Breach?
At the root of this issue were three main points of failure. While Morgan Stanley has not admitted fault in this matter, CyberHoot believes all businesses can learn three things from this breach.
1. Create, Develop, and Fund Your 3rd-Party Risk Management Program
Start by listing your critical 3rd parties and focus on them first. Assess their cybersecurity preparedness with a questionnaire and track the results through to a conclusion you find satisfactory.
2. Have Cybersecurity Review Your 3rd-Party Contract Language for Gaps
Morgan Stanley’s data destruction policy should have prohibited the sale of equipment to other recycling vendors without first proving the data destruction process had completed. That alone might have prevented this breach from occurring.
3. Document your Data Retention and Destruction Policy and Processes
Ensure your Information Handling Policy spells out retention and destruction requirements. Write process documents outlining the procedures your IT resources are to follow when backing up and destroying your data.
A vCISO can Help in All Three Areas
Cybersecurity professionals are in high demand. Even if you can find one, hiring them full-time is beyond the means of most companies, just as you would not hire a full-time physician, lawyer, plumber, or electrician for your business.
This is where a virtual Chief Information Security Officer can help you out at a fraction of the cost of a full-time professional. The vCISO profession has been growing and expanding rapidly over the last 5 years. CyberHoot provides vCISO consultants to SMBs and MSPs to help them build and mature their cybersecurity programs. Learn more about our program here.