Lessons for employers following major data breach
A recent data breach at several major firms has left tens of thousands of employees’ personal data exposed to hackers, including contact and bank details.
The breach occurred, in basic terms, via a third-party software vulnerability—which can also be referred to as a supply chain attack.
The software produced by Progress Software (MoveIT) had a ‘Zero Day Vulnerability’ (a vulnerability that has no current mitigation or fix available from the vendor) which was exploited by a suspected Russian-speaking malicious threat actor; Clop. They used the vulnerability to deploy ransomware on several organisations including the BBC, British Airways, Aer Lingus, and Boots.
Alastair Brown, Chief Technical Officer at BrightHR, explains how businesses can limit the risk of such breaches occurring within their workplaces.
“Defending against Zero Day threats can be a challenge. Knowledge is usually scarce given the ever-changing nature of hacker attacks, however, that doesn’t mean that they are impossible to defend against.
“Detection technologies are adaptable, self-learning, and consistently able to detect anomalies and odd behaviour within an environment, which can offer protection against Zero Days. Security vendors react extremely quickly to analyse threat information and release detection and mitigation steps to their customers. But in some cases, this could take 24-48 hours. So, businesses need to have some mitigating steps in place too.
“Employers should ensure they have a good knowledge of the Data Protection Act 2018 and what it means when handling personal data. Train employees on all aspects of data handling, how to identify the risk of a breach and ways to prevent data breaches from happening. Have processes in place requiring employees to notify of any possible data breaches so they can be addressed properly.
“Where a breach occurs, you will probably need to notify the data subjects as well as the ICO. This will be dependent upon the extent of risk caused to the data that has been breached.
“All businesses should have a robust and tested business continuity plan/disaster recovery plan in place, along with a proven and validated endpoint protection solution.
“The take-home message from this most recent attack is that whenever outsourcing any function, employers must ensure that the contracted company meets all their legal obligations and can evidence the robust measures they have in place to protect data.
“Carry out due diligence processes as part of the contracting process to ensure that the provider you choose is the best option. Ask to see the processes in practice. Ultimately, each employer is responsible for ensuring data compliance, so you need to be confident that suppliers are not compromising your business and putting your data at risk.”