Here at Saaslio, we are committed to helping our partners and customers understand what Shadow IT and SaaS security mean for their business. One area where we hear a lot of questions is what you should do when one of your SaaS vendors has a breach. Responding to these breaches is an area where most cyber teams are under-equipped. With 68% of business leaders feeling they are more at risk of cyber-breaches, we are here to help.
Internally, consider assembling a dedicated team to handle this scenario. It should include representatives from senior management, legal, IT, and PR. It is also critical to include the technical and business owners of the affected platform. This mix of people is crucial because each of them will play a role in the response.
Since the historic rise in SaaS offerings and SaaS data breaches, we have seen breach responses improve as well. Some of the information you need may be publicly available. However, as with any other security incident, knowing the whole picture is critical. Collect as much information from the vendor as possible. Ask the following questions:
Once you have a clear understanding of what happened and which data was exposed, you need to determine which team members were impacted. Reach out to your team and establish the following:
It is critical to rotate passwords for all impacted users in the organization. If you do not have an acceptable-use policy or a password management tool, you may also need to rotate credentials at additional third-party vendors, so that reused passwords do not open a new avenue of attack. If this was an unsanctioned piece of software or Shadow IT, educating team members on how shadow IT introduces risk to your organization is essential.
Use this as an opportunity to raise with executive leadership other security concerns that have been put off. For example, a third-party data breach puts you at greater risk of being part of a supply-chain attack: your credentials, your usernames, and confidential business information are now out there. Bad actors recognize this data as a great entry point for phishing or account attacks aimed at gaining entry into your organization.
Finally, communicate with the company. If the breached product was Shadow IT, this is the opportunity to educate your team on why Shadow IT and unsanctioned IT are not acceptable. Encourage team members to bring their shadow IT forward and educate them on best practices for using external software.
If client data is part of the breach, you may need to communicate externally. This communication can vary widely depending on the sensitivity of the exposed data. It is essential to share with your customers the details you collected earlier. You have a responsibility (potentially a legal one, depending on the data compromised) to let people know if their data has been exposed.
Communicate what was compromised, when it was compromised, and why it happened (this is why collecting the information earlier is essential). Then give them an opportunity to meet with someone on your team to learn more about the exposure.
If you have no visibility into an exposure until after the fact, it is likely worth introducing a SaaS Security and Shadow IT monitoring tool into your cyber-stack. These solutions can monitor and reduce shadow IT before such software becomes widespread in your organization. Less shadow IT in an organization lowers your footprint and your risk. Furthermore, these solutions can significantly shorten the response cycle when a third-party data breach happens.