Responding to a SaaS vendor data breach in your organization.

Here at Saaslio, we are committed to helping our partners and customers understand what Shadow IT & SaaS Security mean for their business. One area where we hear a lot of questions is what you should do when one of your SaaS vendors has a breach. Responding to these breaches is one area most cyber-teams are under-equipped to respond to. With 68% of business leaders feeling they’re more at risk for cyber-breaches, we are here to help.

Form a response team.

Internally, it would be best to consider bringing together a special team to handle this scenario. You likely should include representatives from senior management, legal, IT, and PR. It is also critical to include the technical & business owner for the platform. Having this mix of folks is crucial as they all will play a role in the response.

Talk to the vendor.

Since there has been a historic rise in SaaS offerings and SaaS data breaches, we have seen that breach responses have also improved. Some of this information may be publicly available. However, as with any other security incident, knowing the whole picture is critical. Collect as much information from the vendor as possible. Ask the following questions:

• When did the breach occur? SaaS vendors are required to announce their data breaches within a specific time publicly. This period can range from state to state. Knowing when the breach occurred gives you an idea of which records may be part of the expose.
• Which data is part of the breach? The exposed information should come out with their announcement but determine if your business data is part of the exposure. Understand and map the criticality of this data to prepare an external response.
• Why did it happen? With any good security response, you should capture a root-cause analysis. Determine from the vendor why and how the breach occurred. Document this information. It’s essential to have a strong understanding of your vendor’s response.

Talk to your team.

After having a clear understanding of what happened and the data that was exposed, you need to understand which team members were part of the impact. Reach out to your team and understand the following:

• Who used the software platform? If you don’t have the enterprise version of the software, this may not be easy to determine. First, survey your company to see if there are any other Shadow IT users in the organization.
• What did they implement the software? Ask them what type of information they store in the software. Did it have client information, sensitive or confidential data, accounting or financial records? Get a breadth of what was potentially exposed, treating all data in the system as if it were part of the exposure.
• Determine the scope of this software. Determine the criticality of this software solution in your business. If it’s Shadow IT, update your business & technical owner, business purpose, your sanctioned state (approved, not approved, evaluating), and any contact details. 

Respond internally to the breach.

It is critical to rotate passwords for all users that were part of the impact in the organization. If you do not have an acceptable-use-policy or password management tool, you may need to rotate additional third-party vendors to ensure that duplicate passwords do not introduce a new attack. If this was an un-sanctioned piece of software or Shadow IT, educating the team members on how shadow IT can introduce risk to your organization is essential. 

Use this as an opportunity to push other security concerns that have been getting put off in executive leadership. For example, you are more at risk of being part of a supply-chain attack with third-party data breaches. You are more at risk because your credentials are out there, the usernames are out there, and confidential business information is there. Bad actors recognize this data as a great entry point for phishing or attacking accounts to gain entry into your organization. 

Finally, communicate with the company. If it’s a Shadow IT piece of software, this is the opportunity to educate your team on why Shadow IT and un-sanctioned IT are not acceptable. Encourage team members to bring their shadow IT forward and educate them on best practices for using external software. 

If necessary, respond externally to the breach.

If client data is part of the breach, you may need to communicate externally. This communication can vary widely depending on the sensitivity of the exposed data. It is essential to articulate the details you collected earlier with your customers. You have a responsibility (potentially a legal one, depending on the data compromised) to let people know if their data is exposed. 

It would be best to communicate what was compromised, when it was compromised and why it happened. (see why collecting the information is essential?) Then, provide them an opportunity to meet with someone on your team to understand more about the exposure. 

Establish a SaaS Security & Shadow IT monitoring tool moving forward.

If you have no visibility into an exposure until after the case, it is likely worth introducing a SaaS Security & Shadow IT Monitoring tool into your cyber-stack. These solutions can monitor and reduce shadow IT before this software become widespread in your organization. As a result, less shadow IT in an organization can lower your footprint and risk. Furthermore, these solutions can significantly shorten the cycle when a third-party data breach happens.