What Is a Data Breach?
A data breach is any incident in which any unauthorized party gains access to sensitive, protected, or confidential information. When data breach prevention fails, two types of data can be viewed and/or shared without permission:
- Personal data (e.g., Social Security Numbers, medical information, or credit card numbers)
- Corporate data (e.g., customer records, intellectual property, or legal documents)
When considering data breach prevention, it is important to understand that a data breach is not synonymous with a cyberattack. A data breach could be the result of a cyberattack or simply a mistake. Data breach prevention is predicated on understanding the threat actors, which include:
- Accidental insider—e.g., an employee loses their phone, which contains sensitive information, or accidentally emails confidential information to the wrong person.
- Malicious insiders—e.g., disgruntled employees or former employees who take advantage of authorized access to illegitimately expose data as retaliation or an employee who accepts a bribe and shares sensitive data.
- Cybercriminals—i.e., malicious outsiders (e.g., crime syndicates, hackers, or nation-state actors) launch cyberattacks to steal data.
Anatomy of a data breach
Data breach prevention should consider the three basic steps that most intentional data breaches caused by internal or external threat actors follow:
Taking into account how a data breach plan begins makes data breach protection more effective. Once a target has been selected, the attacker seeks out vulnerabilities that can be exploited to gain access.
Once an attacker has identified the attack vector based on weaknesses in data breach prevention, they launch a cyberattack. In some cases, attackers circumvent data breach prevention by acquiring stolen access credentials from the dark web. Exploited gaps or weaknesses are usually related to employees, systems, or networks and include the following.
Brute force attacks
To evade brute force attacks, data breach prevention should mandate the use of strong passwords and multi-factor authentication. Brute force attacks take advantage of weak passwords, using software to guess them. Leveraging artificial intelligence and machine learning, brute force attacks are increasingly effective at cracking weaker credentials.
Insiders misusing privileged access
Even the best data breach prevention can be thwarted by a privileged insider who goes rogue. Because of their broad access rights, an insider with privileged access can wreak havoc on an organization, using authorized access to move through systems to compromise sensitive information.
Malware and ransomware
Data breach prevention focuses a significant amount of attention on malware and ransomware as they are commonly exploited attack vectors. Although there are detection solutions, malware and ransomware continue to circumvent data breach protection when users accidentally unleash them, as well as when system vulnerabilities (e.g., unpatched software) are targeted and exploited.
Physical or site security breaches
Although data breach prevention tends to focus on digital protections, it is important not to overlook physical security. This can include unauthorized access to anything from filing cabinets to server rooms. Physical compromises also include the loss or theft of laptops, mobile devices, hard drives, and USB drives that contain sensitive information.
Social engineering attacks
Social engineering is one of the more difficult vectors from a data breach prevention perspective, as people are considered a very weak link. Cybercriminals use social engineering tactics to manipulate people into compromising security systems.
One of the most common types of social engineering is phishing. Data breach prevention is often overcome by these clever, but fraudulent emails, text messages, social media content, and websites that fool users into executing malware or sharing credentials.
Data breach prevention cannot protect passwords when users store them in obvious physical or digital locations. Some of the worst places where users continue to put passwords are on sticky notes, in notebooks or journals, in unencrypted files, in email or messaging applications, and saved in browsers. Cybercriminals will take advantage of users’ poor judgment to steal these easily accessible credentials.
Once data breach prevention has been eluded, cybercriminals move to compromise data. This can be exfiltrating, destroying, or executing a ransomware attack that encrypts the data until the ransom has been paid.
Data breach prevention
Many security solutions can be used for data breach prevention. Below are several of the most widely used:
- Artificial intelligence (AI) and automation for threat detection and response
- EDR (endpoint detection and response)
- SOAR (security orchestration, automation and response)
- UEBA (user and entity behavior analytics)
- XDR (extended detection and response)
- High-grade encryption to protect sensitive data
- AES-256 for data at rest
- TLS 1.2+ for data in transit
- Identity and access management (IAM)
In addition, standard security measures should be implemented and embedded into processes, including:
- Data protection procedures kept up to date
- Proper database, firewall, and network configurations
- Regular vulnerability assessments
- Scheduled backups
- Strong password policies
Additional components to data breach prevention include the following.
- Check applications and networks regularly to ensure that they have been updated.
- Create a process to identify vulnerabilities and address threats in your network proactively.
- Develop and conduct employee security training regularly with a focus on:
- Handling sensitive data according to the organization’s security protocols
- Identifying and avoiding social engineering attacks, specifically phishing
- Responding to a data breach according to processes set forth in incident response plans
- Enforce Bring Your Own Device (BYOD) security policies, such as requiring all devices to use a business-grade VPN service and antivirus protection.
- Enforce the use of strong credentials and multi-factor authentication.
- Patch systems and networks as soon as updates are available.
- Perform security audits on a regular basis (ensure that all of the systems connected to the organization’s network are included).
- Prevent data storage devices (e.g., hard drives and USB drives) from being stored in unsecured locations in offices.
- Upgrade devices when the software is no longer supported by the manufacturer.
- Take a zero trust approach to security that:
- Continuously verifies users, applications, or infrastructure components, even those already inside the network, with contextual authentication, authorization, and validation
- Enforces the principle of least privilege, where users, applications, or infrastructure components are granted the minimum access and permissions required to complete their tasks or fulfill their role
- Identifies sensitive data and applies classification and protection, such as data loss protection (DLP)
- Implements comprehensive, continuous monitoring of all network activity
- Never trusts users, applications, or infrastructure components, regardless of whether they are inside or external
- Provides complete visibility into the organization’s entire network ecosystem, including how users and entities access and use sensitive information based on their roles and responsibilities
- Segments networks to prevent lateral movement
Creating an incident response plan
A well-developed and tested incident response plan is a critical part of data breach prevention. While it is applied in the wake of a data breach, it supports data breach prevention by mitigating the damage done and the blast radius of an incident.
An incident response plan is a written set of guidelines that instructs teams on how to prepare for, identify, respond to, and recover from a cyberattack that succeeds in bypassing data breach protection systems.
It should also provide details about what constitutes a data breach.
An effective data breach incident response plan is heavily focused on IT teams. However, it should also include instructions for other departments that will be affected and involved after a data breach, such as:
- Customer service
- Human resources
- Legal and compliance
- Marketing and public relations
- Executive representatives
There are many benefits that come from having a data breach incident response plan, including the following.
- Expedites incident response
A formal plan helps organizations focus their risk assessment and response activities to catch an incident or attack quickly.
- Limits deployment of costly disaster recovery (DR) plans
Rapid incident response after a data breach can often save an organization the time and expense of executing full disaster recovery and business continuity (BC) plans. Even when data breach prevention systems are compromised, a fast response can result in fast containment and resolution without DR or BC being engaged.
- Mitigates damage from threats by facilitating early intervention
When an organization has an incident response plan in place, the team responsible for responding is in place and knows what to do. This not only mitigates the potential damage and loss, but also minimizes the duration of the incident. In addition, it expedites forensic analysis, which reduces recovery time.
- Regulatory compliance
Most regulatory organizations and many legislatures (e.g., Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI-DSS)) mandate that organizations not only take measures to protect sensitive information with data breach prevention measures but also have an incident response plan. Failure to have an incident response plan can result in noncompliance penalties.
Steps for preparing an incident response plan to respond to data breach prevention failures
Before writing a data breach incident response plan, leverage data breach prevention; valuable risk assessment information can be garnered from it regarding sensitive information. The following should be included in the preplanning step. Note that much of this can be drawn from risk assessment reports and data breach prevention plans.
- Categorize sensitive information
- Record where sensitive information resides and who has access to it
- Define what constitutes a data breach
- Outline potential cyber attack scenarios (e.g., ransomware, credential compromise, phishing)
- Determine when the incident response plan should be activated
Define the data breach incident response team members.
A data breach incident response team will be heavily weighted with IT team members involved in data breach prevention, as they have a deep understanding of the people, systems, and processes that will be affected by an incident. In addition to the IT team, representatives from other parts of the organization should be included as noted above. The incident response plan should include each team member’s contact information and details about their role.
The largest and most likely vulnerability to be targeted is employees. Take time to develop and implement mandatory cybersecurity training to reduce this risk. Use risk assessment information to identify additional vulnerabilities that could be used to evade data breach prevention.
Specify critical assets.
Information that can be pulled from risk assessment reports includes a categorized inventory of assets. This should be used to prioritize efforts after a data breach by focusing on the systems where critical assets and sensitive information reside.
Ensure that automated data backup systems are in place.
Data backups should be automated, with data stored offsite and not connected to the organization’s networks. In addition, there should be at least one person in charge of data backups with experience in recovery.
Identify external data breach recovery experts.
All organizations should research cybersecurity and data recovery experts and have their contact info ready. These resources provide valuable expertise for data breach prevention and incident response.
Develop a data breach incident response plan checklist.
A widely used incident response framework is one developed by the SANS Institute.
- Develop data breach prevention security policies.
- Perform a risk assessment.
- Identify sensitive assets.
- Define a data breach.
- Monitor IT systems to detect unusual activities and determine if they are security incidents.
- Collect additional evidence, determine incident type and severity, and document all findings.
- Initiate immediate and targeted containment, such as isolating the network segment that is under attack.
- Move on to temporary containment, which includes short-term fixes to bring systems back online while clean systems are rebuilt.
- Remove malware from all affected systems.
- Identify the root cause of the attack.
- Implement remediation steps to prevent similar attacks from occurring again.
- Carefully bring affected production systems back online to prevent additional attacks or the spread of malware.
- Test, validate, and monitor affected systems to ensure they are functioning normally.
- Lessons learned
- Perform an audit of the incident.
- Prepare complete documentation of the incident.
- Determine whether anything in the incident response process could be improved.
- Update data breach incident response plan with lessons learned.
Create a communications plan.
Crisp, clear communications are critical after a data breach. Having prepared statements to share with law enforcement, regulatory bodies, staff, customers, and the media drafted will allow teams to quickly adapt them to reflect the details of the incident and distribute them promptly.
The draft statements should include a timeline of when they should be released and include contact information. Since each state has its own data breach notification law and rules dictated by other governing bodies, it is important to do this research up front and know exactly who needs to be notified and when.
Regularly evaluate and update the data breach incident response plan.
Data breach incident response plans should be regularly updated to accommodate any changes to the data, users, and IT infrastructure. Reviews of the plan should take regulatory changes into account.
Prepare, plan, and revise data breach prevention for success
Successful responses to a data breach start with preparation and planning. Experts agree that most organizations will face a data breach incident. Organizations with a data breach prevention plan recover more quickly and with less impact than those without invested time in developing and maintaining a robust plan.
You might also be interested in:
Smart, scalable, seamless identity security
Trusted by 48% of the Fortune 500