My Employees Are in a Data Breach! What Now?

My Employees Are in a Data Breach!

There have been many articles written on what organizations should do if someone connected to them is the source of a data breach, covering aspects from the costs associated with a breach and how to mitigate the effects to analyses of several of the more prominent attacks.

What is not so clear-cut, however, is what you as the CISO and the rest of the organization need to do when employees are caught up in these data breaches.

What Is the Scale of the Problem?

Employee involvement can take on several forms: perpetrator, innocent victim and participant. In the case of the perpetrator, the employee likely used privileged access to leak data in direct violation of security requirements.

At the other end of the scale is the employee who is the innocent victim. The employee may have had his or her work email address, personnel number or other data exposed. There have been many cases of this type of data breach, including governments, companies and charities. Breaches of this type can have many implications for the employee and the employer; both could be at increased risk of compromise because attackers could be using the leaked data to seed other attacks.

In the middle of this scale are two classes of users where there is some type of suspected, unintentional involvement by the employee. One such scenario is where the employee uses a work email account or other work-related assets to access something like dating, gambling, pornography or other nonwork-related websites. There have been recent examples of where this type of employee involvement could occur, including the use of dating apps that could leak or steal private information. The other case is when a user’s email has been used without his or her knowledge and ends up on a breached site.

CISO to the Rescue

As the CISO, how should you be helping to protect these individuals and your company?

From the IT security perspective, for example, if a company email address has been used on a compromised site, then it will be good practice to suspend that email account and issue a new one.

You should also be on the lookout for an increased number of attacks. For example, the leaked email address could be the target of spam emails and phishing attacks, and the more sophisticated cybercriminals could use the email address and any associated information as supporting data in social engineering attacks.

If employees have used their corporate email on an external site, have they also used the password associated with this account? A CISO should force a password reset on all affected accounts. Resetting the password will reduce the risk of attackers using the initial compromise as a springboard to get access to other accounts.

Another factor to consider is that the employee could be at risk of blackmail attempts. Does he or she have access to sensitive data within the enterprise? What additional precautions may be necessary around that data and the employee?

Download the Ponemon Institute 2016 Global Cost of Data Breach Study

Have Your Plan in Place

The CISO’s incident plans will, hopefully, cover the expected scenarios of an in-house data breach and also address social media guidelines. These plans should be regularly reviewed and updated.

The situation of an employee using corporate identifiers on third-party sites and then a breach revealing these identifiers is generally not a use-case many CISOs consider. However, with the increasing use of social media sites, cloud services and identity federation, a data breach in another company can easily become a headache for the CISO.

Discovering these third-party data breaches is also a challenge — many will be revealed in the media, giving little or no time to plan a response. Responses may need to be immediate and follow a predefined set of steps.

Some third-party breaches may not be made public, and a CISO’s internal controls and monitoring may discover unusual network traffic or a sudden increase in attacks. This might be the only clue a breach has happened somewhere.

A New Normal?

With data breaches coming thick and fast, the CISO should be positioned to respond quickly through a well-rehearsed process. Data breaches are becoming like virus and malware outbreaks and patching: just one more thing that the CISO has to be able to recognize and respond to. Your users will perpetrate, participate or be the unwitting victim of a data breach, and you have to be there to make sure the business can continue to operate despite the challenging environment.

The tools to help you address these issues are already available in the market: log collection and correlation to help identify unwanted behavior; identity management to reset or revoke accounts and reissue passwords; Web reputation databases to identify sites that are business-related and more. Tools that prevent reuse of corporate credentials on external sites can also help reduce the potential for a compromise spreading to corporate systems. There are also systems that allow access to approved cloud services and block access to unapproved cloud services. All these tools need to be supported by a robust set of IT and HR policies and user education.

Your employees will be involved in data breaches – you need to help address the threat to your organization and keep the business running.

Share this Article:
Neil Warburton

Security Architect, IBM

Neil Warburton is an IBM Security Architect within the IBM Security division. He has over 15 years experience in security, helping customers solve their security challenges. Neil has been involved in developing, deploying and testing applications for over 20 years. Neil has a Degree in Applied Computing and has worked on a wide range of systems: mainframe; midrange; PC and mobile and has an interest in IoT devices.