Cloud-based data storage offers accessibility across devices and locations, an all-in-one data hub, greater mobility, and much more. As work becomes more remote and cloud-based SaaS models become central to enterprise IT infrastructure, data is more convenient to reach than ever, which makes protecting it imperative.
But when that convenience is offset by a data breach, things can get ugly. Here’s what to do when your cloud data is compromised.
The SingHealth incident affected 1.5 million people in Singapore in July 2018. Personal data was exposed, including that of high-profile individuals, and the cleanup was extensive and costly. As seen throughout 2018, it doesn’t matter how secure you believe your systems are – everyone’s at risk of attack.
There are ways to protect your digital assets, but what happens when the defenses fail? How does an organization pick up the pieces after a data breach? Your company should have a plan in place specific to your IT infrastructure, and it should include these measures.
1. Freeze All Functions
According to Benoit TA KIM, deputy managing director APAC at EVA Group, an IT consulting and technical expertise firm, there are two key actions a company must take following a breach.
“Identify the intrusion vector [the path taken to gain access] and what data was breached or may have been breached. Then quarantine the systems and users that may have been at the origin of it,” he says.
The quarantine phase involves taking all compromised systems offline so the infiltrating party can’t continue to access them. This includes all hardware, both on-site and off-site, bring-your-own devices (BYOD), and systems managed by third-party vendors. Contact the cloud system vendor immediately and disclose the breach, as they’ll have their own protocol to follow in such events.
The shutdown may impact productivity for a short while, but it’s essential to prevent further damage. It will also prevent the attackers from tampering with the evidence; cyber experts and even law enforcement can later use this to determine the specifics of the attack.
2. Assess the Damage and Inform All Stakeholders
Now determine the full extent of the damage. What information was accessed? Were funds stolen? Was data targeted with the intent to leak it? Which systems were compromised and which accounts were exploited?
Once the damage has been assessed, it’s time to face the music by informing all affected parties. While Singapore’s Personal Data Protection Act (PDPA) doesn’t enforce any strict deadlines by which you must inform stakeholders about a data breach, Kim says there are certain corporate responsibilities.
“The company must be able to demonstrate its PDPA compliancy and facilitate the work of authorized PDPA officers,” he says. “Failure to do so opens up the company and/or person in charge to fines and even imprisonment.”
Speak to your organization’s legal and compliance teams, and have them vet any outgoing memos or press releases to ensure the organization doesn’t invite litigation. This gatekeeping process also helps maintain a single voice across all communications. This lets outsiders see a united effort from the organization rather than different departments working in silos.
Email is the standard method of communication for alerting stakeholders. But phone calls and in-person meetings may be necessary for higher-ranking clients and those whom the breach may have greatly affected. Apologize sincerely and explain what steps the company is taking to protect itself – and the stakeholders – against future threats.
The next step is to speak to internal stakeholders – from employees to the C-suite, especially the PR and HR departments, because they may be tasked with delivering a public message and handling responses.
Finally, it’s time to make public announcements and brace for the responses. But Kim says companies don’t have to dread this part.
“Some companies turn this into a positive experience,” he says. “They come up with fixes that show a strengthened internal approach to better secure their users.”
3. Change Passwords
When you inform your staff, clients, and other stakeholders, change all system passwords and guide others on the best way to do so. Use this as a chance to emphasize the need to use more complex, stronger combinations of characters.
In organizations that juggle multiple systems, employees may have to create and remember several passwords – a problem that could mean staff end up using the same password across all accounts.
Get employees to use a password manager or password vault to consolidate them. These can also bypass the standard password-autofill function, which a recent Princeton University study found was easily exploited by insidious ‘tracker’ programs.
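Two of the points in this section lend themselves to a small tool: generating strong, high-entropy replacement passwords for the rotation, and finding the cross-system password reuse the section warns about. The following is an added example, not code from the original article; the account inventory is constructed sample data, and the reuse check assumes you are working from a password-manager or vault export taken during the rotation, since reuse cannot be detected from salted hashes alone.

```python
"""Post-breach credential hygiene helpers (added example, not from the article).

- entropy_bits / generate_password: CSPRNG-backed password generation with an
  entropy estimate, so "more complex, stronger combinations" can be quantified.
- find_reused_passwords: groups accounts that share a password, which is what
  you want to know before deciding which credentials to rotate first.
"""
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Printable ASCII without whitespace: 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password with the CSPRNG-backed `secrets` module (never `random`).

    Rejection-sample until every character class that the alphabet contains is
    represented, so the result passes typical complexity rules without biasing
    individual positions the way "one forced symbol at the end" schemes do.
    """
    required = [cls for cls in _CLASSES if cls & set(alphabet)]
    if length < len(required):
        raise ValueError("length too short to cover all character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(cls & set(candidate) for cls in required):
            return candidate


def find_reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Return {sha256(password): [accounts sharing it]} for passwords used more than once.

    Keying by digest keeps plaintext out of the report that gets circulated;
    the input itself must be plaintext (e.g. a vault export during the audit).
    """
    by_digest: dict[str, list[str]] = defaultdict(list)
    for account, password in accounts.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(account)
    return {d: sorted(accts) for d, accts in by_digest.items() if len(accts) > 1}


# Constructed sample inventory: hypothetical users and systems, not real credentials.
SAMPLE_ACCOUNTS = {
    "alice@crm": "Winter2018!",
    "alice@hr-portal": "Winter2018!",
    "alice@vpn": "correct-horse-battery",
    "bob@crm": "Winter2018!",
    "bob@vpn": "tr0ub4dor&3",
}


def rotation_report(accounts: dict[str, str]) -> dict[str, object]:
    """Summarise what the rotation has to fix: how many accounts, how many share
    a password, and the entropy a 20-character replacement would carry."""
    reused = find_reused_passwords(accounts)
    return {
        "accounts": len(accounts),
        "reuse_groups": len(reused),
        "accounts_sharing_a_password": sum(len(v) for v in reused.values()),
        "replacement_entropy_bits": round(entropy_bits(20, len(FULL_ALPHABET)), 1),
    }


if __name__ == "__main__":
    for digest, accts in find_reused_passwords(SAMPLE_ACCOUNTS).items():
        print(f"shared password {digest[:12]}... used by: {', '.join(accts)}")
    print(rotation_report(SAMPLE_ACCOUNTS))
    print("example replacement:", generate_password())
```

The entropy figure is the honest way to compare policies: eight lowercase letters give under 38 bits, while 16 characters from the full printable set give roughly 105 bits, which is why length matters more than any single forced symbol.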
4. Determine How the Breach Happened and Future-Proof Your Organization
After systems are back online and security is restored, the entire data breach should be reviewed to understand how it occurred. Human error is often the cause; it’s no surprise 44% of executives believe their employees are the greatest threat to their organization’s cybersecurity.
However, in many cases, a service provider is at fault. Whether that’s an in-house IT team or a third-party vendor, they are bound to protect your company’s data. It’s their job.
An attack is a clear signal they may not be up to the task. They may be behind on critical patching, or perhaps your organization is running old software not protected by the provider’s systems.
If your third-party vendor was at fault and the breach was serious, you should usually end the partnership and seek a better provider. Unless there are very strong signs of improvement and apology, you cannot afford the continuing risk. Kim suggests companies searching for a new vendor should do their due diligence and ensure they are appropriately certified.
“The ISO27k framework helps, and each industry has its own certifications to abide by,” he says. “However, the first step when conducting due diligence is usually to request that the external party provide its company’s security policy [CSP] and ensure all of the vendor’s employees who service your organization sign your own CSP.”
Your provider should not only offer rock-solid protection against potential data breaches but should also limit the ways in which breaches can occur.
Sansan, for instance, is a cloud-based contact database management solution that doesn’t sell its clients’ data to third parties. All employees are tested on data-protection measures, and its in-house team continually tests the rigor of its systems and makes adjustments where necessary.
Also consider having your IT team audit your vendor’s system. This process will show whether the vendor has the competence to protect your systems moving forward. It will also reveal any security gaps that need plugging.
If your IT department is at fault for the breach, you need to invest in up-to-date hardware and software to ensure the company is protected against future attacks. If it’s necessary to get external consultants to provide this recommendation, don’t hesitate to engage them; it’s a one-off cost that will save the company a whole lot of trouble in the future. Investing in staff training to upgrade skills is also money well spent.
Finally, maintain a risk registry and keep it up-to-date. A risk registry is a vital component of any risk-management strategy. It acts as a central hub for all identified risks, the nature of those risks, details about how they can be managed and averted, as well as the level of risk and the potential cost to the company. With an up-to-date risk registry, organizations have a one-stop repository to use for future-proofing the company against potential attacks.
It also works as a staff-training mechanism, as it details how everyone should respond before, during and after a breach.
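The fields the last two paragraphs list (the risk, its nature, how it is managed and averted, the level of risk and the potential cost, and whether the entry is current) map directly onto a data structure. Below is an added example, not code from the article or from EVA Group, of a minimal risk register that scores each entry on a standard likelihood-times-impact scale, computes the annualised loss expectancy (ALE, the single loss expectancy multiplied by the annual rate of occurrence), ranks entries, and flags those that have not been reviewed recently. The four risks are constructed sample entries.

```python
"""Minimal risk register with quantitative scoring (added example, not from the article)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str                      # nature of the risk: "third-party", "people", ...
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    impact: int                        # 1 (negligible) .. 5 (severe)
    single_loss_expectancy: float      # estimated cost of one occurrence
    annual_rate_of_occurrence: float   # expected occurrences per year
    owner: str
    controls: list[str] = field(default_factory=list)   # how it is managed/averted
    last_reviewed: date = field(default_factory=date.today)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Conventional 5x5 heat-map score."""
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        """Band the score the way most 5x5 matrices do."""
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"

    @property
    def annual_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: the expected yearly cost of leaving the risk as is."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def get(self, risk_id: str) -> Risk:
        return self._risks[risk_id]

    def prioritised(self) -> list[Risk]:
        """Highest score first; ALE breaks ties so costlier risks surface."""
        return sorted(self._risks.values(),
                      key=lambda r: (r.score, r.annual_loss_expectancy), reverse=True)

    def total_annual_loss_expectancy(self) -> float:
        return sum(r.annual_loss_expectancy for r in self._risks.values())

    def stale(self, as_of, max_age_days: int = 90) -> list[Risk]:
        """Entries not reviewed within max_age_days of as_of (date or ISO string),
        which is the check that keeps the register 'up-to-date' in practice."""
        if isinstance(as_of, str):
            as_of = date.fromisoformat(as_of)
        return [r for r in self._risks.values()
                if (as_of - r.last_reviewed).days > max_age_days]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries; owners, figures and dates are illustrative."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "Cloud vendor compromise exposes customer data", "third-party",
                 3, 5, 500_000.0, 0.2, "CISO",
                 ["vendor security policy signed", "ISO 27001 evidence reviewed annually"],
                 date(2018, 9, 1)))
    reg.add(Risk("R-002", "Staff reuse passwords across systems", "people",
                 4, 3, 50_000.0, 1.0, "IT manager",
                 ["password manager rolled out", "MFA on all SaaS logins"],
                 date(2018, 11, 15)))
    reg.add(Risk("R-003", "Unpatched legacy server in production", "technology",
                 2, 4, 200_000.0, 0.5, "Infrastructure lead",
                 ["monthly patch window", "network segmentation"],
                 date(2018, 3, 1)))
    reg.add(Risk("R-004", "Lost unencrypted laptop", "people",
                 2, 2, 20_000.0, 0.5, "HR",
                 ["full-disk encryption enforced by policy"],
                 date(2018, 10, 20)))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.prioritised():
        print(f"{r.risk_id} {r.level:6} score={r.score:2} ALE={r.annual_loss_expectancy:>10,.0f} {r.title}")
    print("total ALE:", register.total_annual_loss_expectancy())
    print("overdue for review:", [r.risk_id for r in register.stale("2018-12-01")])
```

Ranking by score keeps the board-level conversation simple, while the ALE column is what justifies spending on a control: a mitigation that costs less per year than the ALE it removes pays for itself.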
We hope you’re never hit by a data breach, but with these measures you can bounce back if you are.