How to Recover from a Data Breach
This guest blog was contributed by Jackson Shaw, CSO, Clear Skye
When it comes to cybersecurity, the conversation often revolves around prevention. We’re constantly inundated with expert advice and articles detailing how to avert attacks or avoid the lapses that lead to data breaches. The emphasis is on building robust defenses and perfecting best practices to avoid the worst-case scenario. But despite our best efforts, breaches happen. And there’s considerably less discussion on how to respond when they do.
Whether breaches are the result of intentional actions or, more commonly, oversights and human error, swift action is crucial for a successful recovery. Fortunately, there are several steps organizations can take to get to the root of the problem, address it effectively, and rebuild to strengthen defenses for the future. Below are 4 steps that security leaders can use as a guide:
- Determine the Blast Radius
First and foremost, gather the right information. In order to do this swiftly and effectively, you need access to identity data within your organization. Remember, employees are usually at the root of a breach, and to contain the compromised accounts, you need to be able to disable access quickly. Attackers typically get onto a network through an account, many via phishing scams, and once they’re in, they look around for other vulnerabilities. Being able to identify what access the compromised person or persons have, and to amend that access to protect those accounts, is key. So ask yourself: if you wanted to reset the compromised passwords or disable certain accounts at a moment’s notice, could you? This is the key to containment.
- Know the Signs—and Appropriate Responses
In many cases, the tip-off for a breach isn’t a smoking gun. It’s when day-to-day activity becomes slow, you’re locked out of certain applications, or software begins to act funny. The next logical step is to call the HelpDesk. But what happens downstream to contain the issue? First, temporary accounts should be given to those whose accounts were compromised, so their work isn’t disrupted entirely. Single sign-on (SSO) is used by many organizations to make it easier for employees to access what they need to get work done. But if intercepted by the wrong person, it also makes it easier for them to access more within an organization. Disabling SSO until the issue is mitigated will prevent access to other corporate data that’s federated. This is where the alternate work credentials come in handy.
Accountability starts at the executive level. It would be tough to hold employees accountable beyond IT, security, and leadership. With the exception of SolarWinds, we’ve rarely seen employees be held personally accountable for a company breach. Although if this is the direction we’re headed in, we need to do a better job not only protecting our businesses but also the people who run them. This starts with good communication. First, employees, customers, and partners should be notified of a breach as soon as possible. While this is mandatory in some states, transparency is important, whether bound by the law or not. For next steps, security training should be implemented or rebooted for all employees, contractors, and individuals associated with your organization.
Post-breach recovery strategies should be implemented after the security incident has taken place. This involves incident response planning, data backup, and rebuilding a comprehensive cybersecurity strategy. This starts with visibility. Historically, IT has had to rely on spreadsheets and siloed SaaS solutions to view the entirety of an organization’s user access. This is not sustainable as companies evolve, migrate to the cloud, and applications multiply. The only way to effectively manage identity and access in modern business is via a platform approach. This connects disparate information in one central repository so IT always has eyes on who has access to what. Not only does this improve security, but it also makes it easier to identify and address issues as they arise.
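The following is an added example, not code from the author or from Clear Skye, that ties the "who has access to what" repository described above to the containment questions in "Determine the Blast Radius". It merges access records exported from several silos (a spreadsheet, an HR system, a SaaS admin console) into one index, computes a compromised account's transitive reach through nested groups, and produces the containment actions the post calls for: disable and reset the account, revoke sessions on federated (SSO) applications, and force re-authentication for other accounts that share the same access. Every account, group and application name, and the set of federated applications, is constructed sample data.

```python
"""Consolidated identity inventory, blast radius and containment plan.

Added illustration for this post, not the author's or Clear Skye's code.
All account, group and application names below are constructed samples.
"""
from collections import deque

# Each siloed source is exported as (subject, relation, object) triples.
# Relations: "member_of" (user or group -> group), "grants" (group -> app),
# "direct" (user -> app). Constructed sample data, not real exports.
SPREADSHEET = [
    ("alice", "member_of", "finance-users"),
    ("bob", "member_of", "finance-users"),
    ("bob", "member_of", "it-admins"),
    ("finance-users", "member_of", "all-staff"),   # nested group
]
HR_SYSTEM = [
    ("carol", "member_of", "all-staff"),
    ("carol", "direct", "hr-portal"),
]
SAAS_ADMIN_EXPORT = [
    ("finance-users", "grants", "erp"),
    ("all-staff", "grants", "email"),
    ("it-admins", "grants", "directory-admin"),
    ("alice", "direct", "crm"),
]
USERS = {"alice", "bob", "carol"}
# Applications reached through the SSO federation (constructed).
FEDERATED_APPS = {"erp", "email", "crm"}


def consolidate(*sources):
    """Merge triples from every silo into one forward/backward index."""
    forward, backward, apps = {}, {}, set()
    for rows in sources:
        for subject, relation, obj in rows:
            forward.setdefault(subject, set()).add(obj)
            backward.setdefault(obj, set()).add(subject)
            if relation in ("grants", "direct"):
                apps.add(obj)   # objects of these relations are applications
    return forward, backward, apps


def _reachable(index, start):
    """Breadth-first walk over one direction of the index."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in index.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(forward, account):
    """Every group and application the account reaches, through nesting."""
    return _reachable(forward, account)


def who_can_reach(backward, target, users):
    """Reverse query: which user accounts can reach this group or app."""
    return {n for n in _reachable(backward, target) if n in users}


def containment_plan(forward, backward, apps, users, compromised, federated):
    """Ordered actions to take at a moment's notice for compromised accounts."""
    reached = set()
    for acct in compromised:
        reached |= blast_radius(forward, acct)
    apps_hit, groups_hit = reached & apps, reached - apps
    plan = [f"disable account and reset password: {a}" for a in sorted(compromised)]
    plan += [f"revoke SSO sessions for federated app: {a}" for a in sorted(apps_hit & federated)]
    plan += [f"review direct access and logs: {a}" for a in sorted(apps_hit - federated)]
    plan += [f"review group membership for drift: {g}" for g in sorted(groups_hit)]
    # Other accounts sharing the same applications get forced re-authentication.
    neighbours = set()
    for app in apps_hit:
        neighbours |= who_can_reach(backward, app, users)
    neighbours -= set(compromised)
    plan += [f"force re-authentication (shared access): {u}" for u in sorted(neighbours)]
    return plan


if __name__ == "__main__":
    fwd, bwd, app_set = consolidate(SPREADSHEET, HR_SYSTEM, SAAS_ADMIN_EXPORT)
    for step in containment_plan(fwd, bwd, app_set, USERS, ["bob"], FEDERATED_APPS):
        print(step)
```

The forward index answers the first question in the post (what can this compromised account reach), the backward index answers the second (who else can reach what it touched), and both come from the same consolidated records rather than from three separate spreadsheets. In a real environment the triples would be pulled from the directory, HR system and each application's API, and the actions would be executed through those systems' own account-disable and session-revocation calls.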
Although the financial, reputational, and legal consequences will differ based on the size and scope of the incident, recovering from a breach can be quite straightforward. The ability to investigate thoroughly and close incidents is critically important to bouncing back. While preventative practices remain important, having a plan in place for when the inevitable happens is key to a speedy recovery.