December 15, 2015 By Neil Warburton 3 min read

My Employees Are in a Data Breach!

There have been many articles written on what organizations should do if someone connected to them is the source of a data breach, covering aspects from the costs associated with a breach and how to mitigate the effects to analyses of several of the more prominent attacks.

What is not so clear-cut, however, is what you as the CISO and the rest of the organization need to do when employees are caught up in these data breaches.

What Is the Scale of the Problem?

Employee involvement can take on several forms: perpetrator, innocent victim and participant. In the case of the perpetrator, the employee likely used privileged access to leak data in direct violation of security requirements.

At the other end of the scale is the employee who is the innocent victim. The employee may have had his or her work email address, personnel number or other data exposed. There have been many cases of this type of data breach, including governments, companies and charities. Breaches of this type can have many implications for the employee and the employer; both could be at increased risk of compromise because attackers could be using the leaked data to seed other attacks.

In the middle of this scale are two classes of users where there is some type of suspected, unintentional involvement by the employee. One such scenario is where the employee uses a work email account or other work-related assets to access something like dating, gambling, pornography or other nonwork-related websites. There have been recent examples of where this type of employee involvement could occur, including the use of dating apps that could leak or steal private information. The other case is when a user’s email has been used without his or her knowledge and ends up on a breached site.

CISO to the Rescue

As the CISO, how should you be helping to protect these individuals and your company?

From the IT security perspective, for example, if a company email address has been used on a compromised site, then it will be good practice to suspend that email account and issue a new one.

You should also be on the lookout for an increased number of attacks. For example, the leaked email address could be the target of spam emails and phishing attacks, and the more sophisticated cybercriminals could use the email address and any associated information as supporting data in social engineering attacks.

If employees have used their corporate email on an external site, have they also used the password associated with this account? A CISO should force a password reset on all affected accounts. Resetting the password will reduce the risk of attackers using the initial compromise as a springboard to get access to other accounts.

Another factor to consider is that the employee could be at risk of blackmail attempts. Does he or she have access to sensitive data within the enterprise? What additional precautions may be necessary around that data and the employee?

Download the Ponemon Institute 2016 Global Cost of Data Breach Study

Have Your Plan in Place

The CISO’s incident plans will, hopefully, cover the expected scenarios of an in-house data breach and also address social media guidelines. These plans should be regularly reviewed and updated.

The situation of an employee using corporate identifiers on third-party sites and then a breach revealing these identifiers is generally not a use-case many CISOs consider. However, with the increasing use of social media sites, cloud services and identity federation, a data breach in another company can easily become a headache for the CISO.

Discovering these third-party data breaches is also a challenge — many will be revealed in the media, giving little or no time to plan a response. Responses may need to be immediate and follow a predefined set of steps.

Some third-party breaches may not be made public, and a CISO’s internal controls and monitoring may discover unusual network traffic or a sudden increase in attacks. This might be the only clue a breach has happened somewhere.

A New Normal?

With data breaches coming thick and fast, the CISO should be positioned to respond quickly through a well-rehearsed process. Data breaches are becoming like virus and malware outbreaks and patching: just one more thing that the CISO has to be able to recognize and respond to. Your users will perpetrate, participate or be the unwitting victim of a data breach, and you have to be there to make sure the business can continue to operate despite the challenging environment.

The tools to help you address these issues are already available in the market: log collection and correlation to help identify unwanted behavior; identity management to reset or revoke accounts and reissue passwords; Web reputation databases to identify sites that are business-related and more. Tools that prevent reuse of corporate credentials on external sites can also help reduce the potential for a compromise spreading to corporate systems. There are also systems that allow access to approved cloud services and block access to unapproved cloud services. All these tools need to be supported by a robust set of IT and HR policies and user education.

Your employees will be involved in data breaches – you need to help address the threat to your organization and keep the business running.

More from Data Protection

Why safeguarding sensitive data is so crucial

4 min read - A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other.The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction recovery help and mental health treatment in Connecticut, Florida, Texas and other states.The breach, first reported by WIRED, involved PII, such as patient names and addresses,…

Addressing growing concerns about cybersecurity in manufacturing

4 min read - Manufacturing has become increasingly reliant on modern technology, including industrial control systems (ICS), Internet of Things (IoT) devices and operational technology (OT). While these innovations boost productivity and streamline operations, they’ve vastly expanded the cyberattack surface.According to the 2024 IBM Cost of a Data Breach report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.Apparently, the data being stored in industrial control systems is…

3 proven use cases for AI in preventative cybersecurity

3 min read - IBM’s Cost of a Data Breach Report 2024 highlights a ground-breaking finding: The application of AI-powered automation in prevention has saved organizations an average of $2.2 million.Enterprises have been using AI for years in detection, investigation and response. However, as attack surfaces expand, security leaders must adopt a more proactive stance.Here are three ways how AI is helping to make that possible:1. Attack surface management: Proactive defense with AIIncreased complexity and interconnectedness are a growing headache for security teams, and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today