You've Been Breached: What Now?

COMMENTARY

Prevention: It's the word we hear most when discussing cybersecurity. We read articles and hear experts speak about attack prevention or carelessness that leads to data compromises. In other words, we spend a lot of time building playbooks and harping on best practices so we don't have to face the inevitable. But the truth is, breaches are just that: inevitable. And there's far less talk about what to do in the aftermath than there is about not getting breached in the first place. 

The "IBM Cyber Security Intelligence Index" report found that human error was a major contributing cause in 95% of all breaches worldwide. And while your team is your biggest asset, it's also your biggest security risk. Whether intentional or, more likely, accidental, quickly identifying and mitigating security issues is critical for recovery. So, what do you do when you've been breached? Here are four steps security leaders can take to minimize the damage. 

How to Minimize Your Damage After a Breach 

1. Gather the Right Information  

First and foremost, determine the blast radius. In order to do this swiftly and effectively, you need access to identity data within your organization. Remember, employees are usually at the root of a breach, and to contain the compromised accounts, you need to be able to disable access quickly. Attackers typically get on a network through an account, many via phishing scams, and, once they're in, look around for other vulnerabilities. Being able to identify what access the person/persons who were breached have and amend that to protect those accounts is key. So, ask yourself, if you wanted to reset the compromised passwords or disable certain accounts at a moment's notice, could you? This is the key to containment. 

2. Go Beyond the Help Desk

In many cases, the tipoff for a breach isn't a smoking gun. It's when day-to-day activity becomes slow, you're locked out of certain applications, or software begins to act funny. The next logical step is to call the help desk. But what happens downstream to contain the issue? First, temporary accounts should be given to those compromised, so their work isn't disrupted entirely. Single sign-on (SSO) is used by many organizations to make it easier for employees to access what they need to get work done. But if intercepted by the wrong person, it also makes it easier for them to access more within an organization. Disabling SSO until the issue is mitigated will prevent access to other corporate data that's federated. This is where the alternate work credentials come in handy. 

3. Take Accountability

Accountability starts at the executive level. It would be tough to hold employees accountable beyond IT, security, and leadership. With the exception of SolarWinds, we've rarely seen employees be held personally accountable for a company breach. Although if this is the direction we're headed in, we need to do a better job not only protecting our businesses, but the people who run them. This starts with good communication. First, employees, customers, and partners should be notified of a breach as soon as possible. While this is mandatory in some states, transparency is important, whether bound by law or not. For next steps, security training should be implemented or rebooted for all employees, contractors, and individuals associated with your organization. 

4. Recover 

Lastly, the "right of boom," which refers to post-breach recovery strategies, should be implemented after the security incident has taken place. This involves incident response planning, data backup, and rebuilding a comprehensive cybersecurity strategy. This starts with visibility. Historically, IT has had to rely on spreadsheets and siloed SaaS solutions to view the entirety of an organization's user access. This is not sustainable as companies evolve and migrate to the cloud, and as applications multiply. The way to effectively manage identity and access in modern business is via a platform approach. This connects disparate information in one central repository so IT always has eyes on who has access to what. Not only does this improve security, it also makes it easier to identify and address issues as they arise. 

Let's end how we started: Breaches are inevitable. Although they will differ in financial, reputational, and legal consequences based on the size and scope of the incident, these four steps can help businesses recover and future-proof. The ability to investigate thoroughly and close incidents is critically important to bouncing back. Once these steps are put into action, then we can pick up our regularly scheduled programming on preventative measures to take.