You've Been Breached: What Now?

Breaches are inevitable. Here are four steps to recovery and future-proofing your business.

Jackson Shaw, Chief Security Officer, Clear Skye

May 10, 2024

4 Min Read
Man runs away clutching 1s and 0s, over a field of 1s and 0s with some missing
Source: Brain light via Alamy Stock Photo


Prevention: It's the word we hear most when discussing cybersecurity. We read articles and hear experts speak about attack prevention or carelessness that leads to data compromises. In other words, we spend a lot of time building playbooks and harping on best practices so we don't have to face the inevitable. But the truth is, breaches are just that: inevitable. And there's far less talk about what to do in the aftermath than there is about not getting breached in the first place. 

The "IBM Cyber Security Intelligence Index" report found that human error was a major contributing cause in 95% of all breaches worldwide. And while your team is your biggest asset, it's also your biggest security risk. Whether intentional or, more likely, accidental, quickly identifying and mitigating security issues is critical for recovery. So, what do you do when you've been breached? Here are four steps security leaders can take to minimize the damage. 

How to Minimize Your Damage After a Breach 

1. Gather the Right Information  

First and foremost, determine the blast radius. In order to do this swiftly and effectively, you need access to identity data within your organization. Remember, employees are usually at the root of a breach, and to contain the compromised accounts, you need to be able to disable access quickly. Attackers typically get on a network through an account, many via phishing scams, and, once they're in, look around for other vulnerabilities. Being able to identify what access the person/persons who were breached have and amend that to protect those accounts is key. So, ask yourself, if you wanted to reset the compromised passwords or disable certain accounts at a moment's notice, could you? This is the key to containment. 

2. Go Beyond the Help Desk

In many cases, the tipoff for a breach isn't a smoking gun. It's when day-to-day activity becomes slow, you're locked out of certain applications, or software begins to act funny. The next logical step is to call the help desk. But what happens downstream to contain the issue? First, temporary accounts should be given to those compromised, so their work isn't disrupted entirely. Single sign-on (SSO) is used by many organizations to make it easier for employees to access what they need to get work done. But if intercepted by the wrong person, it also makes it easier for them to access more within an organization. Disabling SSO until the issue is mitigated will prevent access to other corporate data that's federated. This is where the alternate work credentials come in handy. 

3. Take Accountability

Accountability starts at the executive level. It would be tough to hold employees accountable beyond IT, security, and leadership. With the exception of SolarWinds, we've rarely seen employees be held personally accountable for a company breach. Although if this is the direction we're headed in, we need to do a better job not only protecting our businesses, but the people who run them. This starts with good communication. First, employees, customers, and partners should be notified of a breach as soon as possible. While this is mandatory in some states, transparency is important, whether bound by law or not. For next steps, security training should be implemented or rebooted for all employees, contractors, and individuals associated with your organization. 

4. Recover 

Lastly, the "right of boom," which refers to post-breach recovery strategies, should be implemented after the security incident has taken place. This involves incident response planning, data backup, and rebuilding a comprehensive cybersecurity strategy. This starts with visibility. Historically, IT has had to rely on spreadsheets and siloed SaaS solutions to view the entirety of an organization's user access. This is not sustainable as companies evolve and migrate to the cloud, and as applications multiply. The way to effectively manage identity and access in modern business is via a platform approach. This connects disparate information in one central repository so IT always has eyes on who has access to what. Not only does this improve security, it also makes it easier to identify and address issues as they arise. 

Let's end how we started: Breaches are inevitable. Although they will differ in financial, reputational, and legal consequences based on the size and scope of the incident, these four steps can help businesses recover and future-proof. The ability to investigate thoroughly and close incidents is critically important to bouncing back. Once these steps are put into action, then we can pick up our regularly scheduled programming on preventative measures to take.

About the Author(s)

Jackson Shaw

Chief Security Officer, Clear Skye

Jackson Shaw is the CSO at Clear Skye. He began his identity management career as an early employee at Toronto-based Zoomit Corp., a pioneer in the development of meta-directory products, which Microsoft acquired in 1999. While at Microsoft, he was responsible for product planning and marketing around Microsoft’s identity & access management products, including Active Directory and Microsoft Identity Manager. Jackson has held various senior product management and marketing roles since Microsoft, including Vintela, Quest Software, Dell, One Identity, and Forcepoint. He studied computer science at the University of Ottawa, Canada. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights