My Employees Are in a Data Breach!

There have been many articles written on what organizations should do if someone connected to them is the source of a data breach, covering aspects from the costs associated with a breach and how to mitigate the effects to analyses of several of the more prominent attacks.

What is not so clear-cut, however, is what you as the CISO and the rest of the organization need to do when employees are caught up in these data breaches.

What Is the Scale of the Problem?

Employee involvement can take on several forms: perpetrator, innocent victim and participant. In the case of the perpetrator, the employee likely used privileged access to leak data in direct violation of security requirements.

At the other end of the scale is the employee who is the innocent victim. The employee may have had his or her work email address, personnel number or other data exposed. There have been many cases of this type of data breach, including governments, companies and charities. Breaches of this type can have many implications for the employee and the employer; both could be at increased risk of compromise because attackers could be using the leaked data to seed other attacks.

In the middle of this scale are two classes of users where there is some type of suspected, unintentional involvement by the employee. One such scenario is where the employee uses a work email account or other work-related assets to access something like dating, gambling, pornography or other nonwork-related websites. There have been recent examples of where this type of employee involvement could occur, including the use of dating apps that could leak or steal private information. The other case is when a user’s email has been used without his or her knowledge and ends up on a breached site.

CISO to the Rescue

As the CISO, how should you be helping to protect these individuals and your company?

From the IT security perspective, if a company email address has been used on a compromised site, it is good practice to suspend that email account and issue a new one.

You should also be on the lookout for an increased number of attacks. For example, the leaked email address could be the target of spam emails and phishing attacks, and the more sophisticated cybercriminals could use the email address and any associated information as supporting data in social engineering attacks.

If employees have used their corporate email on an external site, have they also used the password associated with this account? A CISO should force a password reset on all affected accounts. Resetting the password will reduce the risk of attackers using the initial compromise as a springboard to get access to other accounts.
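The steps above (identify which leaked addresses are corporate, reset those accounts, replace the mailbox, watch for follow-on phishing) can be turned into a repeatable triage routine. The following is an added example, not code from the original article: it takes a constructed third-party breach list and a constructed slice of a corporate directory, normalises the addresses so case and plus-tag variants map to one mailbox, and returns the actions per affected account. The domain, employee ids and privileged-access flag are assumptions.

```python
# Constructed sample data (not from the article): addresses named in a
# third-party breach notice, and a slice of the corporate directory.
CORP_DOMAIN = "example.com"  # hypothetical corporate domain
LEAKED_ADDRESSES = [
    "Alice.Smith@Example.com",       # corporate address, mixed case
    "bob.jones+dating@example.com",  # corporate address with a +tag
    "carol@personal-mail.invalid",   # personal address: out of scope
    "dave.lee@example.com",          # corporate domain, not in directory
    "alice.smith@example.com",       # duplicate once normalised
]
# normalised address -> (employee id, has access to sensitive data)
DIRECTORY = {
    "alice.smith@example.com": ("E1001", False),
    "bob.jones@example.com": ("E1002", True),
}


def normalise(addr):
    """Lower-case the address and strip any +tag from the local part."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def triage(leaked, directory, corp_domain):
    """Map corporate addresses found in a breach list to response actions."""
    actions = {}
    for raw in leaked:
        addr = normalise(raw)
        if not addr.endswith("@" + corp_domain):
            continue  # not a corporate identifier: nothing for the CISO to do
        if addr in actions:
            continue  # already handled (duplicate or variant of same mailbox)
        entry = directory.get(addr)
        if entry is None:
            # Address uses our domain but is unknown: stale account or a
            # never-issued alias. Worth a look before anyone can abuse it.
            actions[addr] = {"employee": None,
                             "actions": ["investigate: address not in directory"]}
            continue
        emp_id, sensitive_access = entry
        steps = ["force password reset",
                 "suspend mailbox and issue new address",
                 "add to phishing/social-engineering watchlist"]
        if sensitive_access:
            steps.append("review access to sensitive data")
        actions[addr] = {"employee": emp_id, "actions": steps}
    return actions
```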

Another factor to consider is that the employee could be at risk of blackmail attempts. Does he or she have access to sensitive data within the enterprise? What additional precautions may be necessary around that data and the employee?

Have Your Plan in Place

The CISO’s incident plans will, hopefully, cover the expected scenarios of an in-house data breach and also address social media guidelines. These plans should be regularly reviewed and updated.

The situation of an employee using corporate identifiers on third-party sites and then a breach revealing these identifiers is generally not a use-case many CISOs consider. However, with the increasing use of social media sites, cloud services and identity federation, a data breach in another company can easily become a headache for the CISO.

Discovering these third-party data breaches is also a challenge — many will be revealed in the media, giving little or no time to plan a response. Responses may need to be immediate and follow a predefined set of steps.

Some third-party breaches may not be made public, and a CISO’s internal controls and monitoring may discover unusual network traffic or a sudden increase in attacks. This might be the only clue a breach has happened somewhere.

A New Normal?

With data breaches coming thick and fast, the CISO should be positioned to respond quickly through a well-rehearsed process. Data breaches are becoming like virus and malware outbreaks and patching: just one more thing that the CISO has to be able to recognize and respond to. Your users will perpetrate, participate or be the unwitting victim of a data breach, and you have to be there to make sure the business can continue to operate despite the challenging environment.

The tools to help you address these issues are already available in the market: log collection and correlation to help identify unwanted behavior; identity management to reset or revoke accounts and reissue passwords; Web reputation databases to identify which sites are business-related; and more. Tools that prevent reuse of corporate credentials on external sites can also help reduce the potential for a compromise spreading to corporate systems. There are also systems that allow access to approved cloud services and block access to unapproved ones. All these tools need to be supported by a robust set of IT and HR policies and user education.

Your employees will be involved in data breaches – you need to help address the threat to your organization and keep the business running.
