Light Dark
December 15, 2015 By Neil Warburton 3 min read
Data Protection

My Employees Are in a Data Breach!

There have been many articles written on what organizations should do if someone connected to them is the source of a data breach, covering aspects from the costs associated with a breach and how to mitigate the effects to analyses of several of the more prominent attacks.

What is not so clear-cut, however, is what you as the CISO and the rest of the organization need to do when employees are caught up in these data breaches.

What Is the Scale of the Problem?

Employee involvement can take on several forms: perpetrator, innocent victim and participant. In the case of the perpetrator, the employee likely used privileged access to leak data in direct violation of security requirements.

At the other end of the scale is the employee who is the innocent victim. The employee may have had his or her work email address, personnel number or other data exposed. There have been many cases of this type of data breach, including governments, companies and charities. Breaches of this type can have many implications for the employee and the employer; both could be at increased risk of compromise because attackers could be using the leaked data to seed other attacks.

In the middle of this scale are two classes of users where there is some type of suspected, unintentional involvement by the employee. One such scenario is where the employee uses a work email account or other work-related assets to access something like dating, gambling, pornography or other nonwork-related websites. There have been recent examples of where this type of employee involvement could occur, including the use of dating apps that could leak or steal private information. The other case is when a user’s email has been used without his or her knowledge and ends up on a breached site.

CISO to the Rescue

As the CISO, how should you be helping to protect these individuals and your company?

From the IT security perspective, for example, if a company email address has been used on a compromised site, then it will be good practice to suspend that email account and issue a new one.

You should also be on the lookout for an increased number of attacks. For example, the leaked email address could be the target of spam emails and phishing attacks, and the more sophisticated cybercriminals could use the email address and any associated information as supporting data in social engineering attacks.

If employees have used their corporate email on an external site, have they also used the password associated with this account? A CISO should force a password reset on all affected accounts. Resetting the password will reduce the risk of attackers using the initial compromise as a springboard to get access to other accounts.

Another factor to consider is that the employee could be at risk of blackmail attempts. Does he or she have access to sensitive data within the enterprise? What additional precautions may be necessary around that data and the employee?

Download the Ponemon Institute 2016 Global Cost of Data Breach Study

Have Your Plan in Place

The CISO’s incident plans will, hopefully, cover the expected scenarios of an in-house data breach and also address social media guidelines. These plans should be regularly reviewed and updated.

The situation of an employee using corporate identifiers on third-party sites and then a breach revealing these identifiers is generally not a use-case many CISOs consider. However, with the increasing use of social media sites, cloud services and identity federation, a data breach in another company can easily become a headache for the CISO.

Discovering these third-party data breaches is also a challenge — many will be revealed in the media, giving little or no time to plan a response. Responses may need to be immediate and follow a predefined set of steps.

Some third-party breaches may not be made public, and a CISO’s internal controls and monitoring may discover unusual network traffic or a sudden increase in attacks. This might be the only clue a breach has happened somewhere.

A New Normal?

With data breaches coming thick and fast, the CISO should be positioned to respond quickly through a well-rehearsed process. Data breaches are becoming like virus and malware outbreaks and patching: just one more thing that the CISO has to be able to recognize and respond to. Your users will perpetrate, participate or be the unwitting victim of a data breach, and you have to be there to make sure the business can continue to operate despite the challenging environment.

The tools to help you address these issues are already available in the market: log collection and correlation to help identify unwanted behavior; identity management to reset or revoke accounts and reissue passwords; Web reputation databases to identify sites that are business-related and more. Tools that prevent reuse of corporate credentials on external sites can also help reduce the potential for a compromise spreading to corporate systems. There are also systems that allow access to approved cloud services and block access to unapproved cloud services. All these tools need to be supported by a robust set of IT and HR policies and user education.

Your employees will be involved in data breaches – you need to help address the threat to your organization and keep the business running.

 |  |  | 
Neil Warburton
Security Architect, IBM

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature