Light Dark
December 15, 2015 By Neil Warburton 3 min read
Data Protection

My Employees Are in a Data Breach!

There have been many articles written on what organizations should do if someone connected to them is the source of a data breach, covering aspects from the costs associated with a breach and how to mitigate the effects to analyses of several of the more prominent attacks.

What is not so clear-cut, however, is what you as the CISO and the rest of the organization need to do when employees are caught up in these data breaches.

What Is the Scale of the Problem?

Employee involvement can take on several forms: perpetrator, innocent victim and participant. In the case of the perpetrator, the employee likely used privileged access to leak data in direct violation of security requirements.

At the other end of the scale is the employee who is the innocent victim. The employee may have had his or her work email address, personnel number or other data exposed. There have been many cases of this type of data breach, including governments, companies and charities. Breaches of this type can have many implications for the employee and the employer; both could be at increased risk of compromise because attackers could be using the leaked data to seed other attacks.

In the middle of this scale are two classes of users where there is some type of suspected, unintentional involvement by the employee. One such scenario is where the employee uses a work email account or other work-related assets to access something like dating, gambling, pornography or other nonwork-related websites. There have been recent examples of where this type of employee involvement could occur, including the use of dating apps that could leak or steal private information. The other case is when a user’s email has been used without his or her knowledge and ends up on a breached site.

CISO to the Rescue

As the CISO, how should you be helping to protect these individuals and your company?

From the IT security perspective, for example, if a company email address has been used on a compromised site, then it will be good practice to suspend that email account and issue a new one.

You should also be on the lookout for an increased number of attacks. For example, the leaked email address could be the target of spam emails and phishing attacks, and the more sophisticated cybercriminals could use the email address and any associated information as supporting data in social engineering attacks.

If employees have used their corporate email on an external site, have they also used the password associated with this account? A CISO should force a password reset on all affected accounts. Resetting the password will reduce the risk of attackers using the initial compromise as a springboard to get access to other accounts.

Another factor to consider is that the employee could be at risk of blackmail attempts. Does he or she have access to sensitive data within the enterprise? What additional precautions may be necessary around that data and the employee?

Download the Ponemon Institute 2016 Global Cost of Data Breach Study

Have Your Plan in Place

The CISO’s incident plans will, hopefully, cover the expected scenarios of an in-house data breach and also address social media guidelines. These plans should be regularly reviewed and updated.

The situation of an employee using corporate identifiers on third-party sites and then a breach revealing these identifiers is generally not a use-case many CISOs consider. However, with the increasing use of social media sites, cloud services and identity federation, a data breach in another company can easily become a headache for the CISO.

Discovering these third-party data breaches is also a challenge — many will be revealed in the media, giving little or no time to plan a response. Responses may need to be immediate and follow a predefined set of steps.

Some third-party breaches may not be made public, and a CISO’s internal controls and monitoring may discover unusual network traffic or a sudden increase in attacks. This might be the only clue a breach has happened somewhere.

A New Normal?

With data breaches coming thick and fast, the CISO should be positioned to respond quickly through a well-rehearsed process. Data breaches are becoming like virus and malware outbreaks and patching: just one more thing that the CISO has to be able to recognize and respond to. Your users will perpetrate, participate or be the unwitting victim of a data breach, and you have to be there to make sure the business can continue to operate despite the challenging environment.

The tools to help you address these issues are already available in the market: log collection and correlation to help identify unwanted behavior; identity management to reset or revoke accounts and reissue passwords; Web reputation databases to identify sites that are business-related and more. Tools that prevent reuse of corporate credentials on external sites can also help reduce the potential for a compromise spreading to corporate systems. There are also systems that allow access to approved cloud services and block access to unapproved cloud services. All these tools need to be supported by a robust set of IT and HR policies and user education.

Your employees will be involved in data breaches – you need to help address the threat to your organization and keep the business running.

 |  |  | 
Neil Warburton
Security Architect, IBM

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature