Almost all data breaches have a single goal in the mind of attackers: getting access to critical company data. That is why it is called a data breach, rather than an identity or credentials breach. However, reaching company data directly requires attackers to first get through the other security layers, in which data access itself is treated as a secondary concern.
This is a wake-up call for security leaders: today's attackers overcome your device, network, and identity security layers to reach a non-protected data layer. Data Security has become a critical component in preventing data breaches, or at a minimum reducing the potential exposure in the event of a data breach.
Rightway Health is a healthcare coverage provider serving Okta - arguably the world’s leading Identity Provider company monitoring millions of corporate identities globally. I can only assume that Okta performed extensive 3rd party vendor security assessments on Rightway Health before partnering officially. I can also assume that Rightway Health is subject to strict HIPAA compliance requirements, which means an ocean of security solutions should be in place to protect Rightway Health environments, devices, identities, etc.
On September 23, 2023, Rightway Health suffered a network breach, resulting in a cybercriminal accessing an eligibility census file maintained for insurance provision and benefit plans. According to Okta's report, the breach impacted a total of 4,961 current and former Okta employees, exposing their full names, SSNs, Health/Medical Insurance plans, etc.
But wait, this ain’t Okta’s company data, so why are we so concerned?
Statistically, existing security tools will not be able to protect against account takeover attacks leveraging the stolen employee information above. It is safe to assume that when employee data breaches occur, a natural next step for attackers is to perform account takeover attacks through social engineering and phishing, which are, unfortunately, highly successful.
- Social Engineering ranks #1 as the top attack type in 2022 (ISACA).
- 84% of Organizations Fell Victim to a Phishing Attack in 2022 (Proofpoint).
- Social Engineering-Based Data Breaches Took 270 Days to Identify and Contain (IBM Cost of a Data Breach Report 2022).
- 82% of Data Breaches Involve the "Human Element" (Verizon Data Breach Investigations Report 2022).
With SaaS account access in hand, attackers have direct access to your company data stored in common SaaS applications, such as Google Drive, Microsoft SharePoint, Slack, Box, Salesforce, etc. From here, it comes down to how strong your Data Security layer is.
How can I protect our SaaS data if SaaS accounts are taken over?
In the event of an employee data breach, such as the one described above, you can assume SaaS account takeover attacks are going to happen, if they have not happened already. There are 5 main things you should focus on right now:
- SaaS Data Exposure Mapping
Discover, understand, and quantify SaaS data exposure levels (internal, external, public) across Shared Drives, Personal Drives, Slack channels, Zoom recordings, etc. Break down exposure levels across business units and data sets to identify the top exposed identities, departments, 3rd party vendors/collaborators, etc.
- Bulk Remediation to eliminate 70-80% of the exposure with zero business impact
With the quantified data in hand, perform bulk remediation to eliminate inactive sharing links, outdated permissions, former vendors' access, former employees' access, inactive OAuth tokens, non-approved OAuth tokens, and cross-team overexposures.
- Align on remediation plans across business units
Present quantified data reports to the executive team to align on remediation plans for each specific team, to ensure business continuity with minimal disruption to employees, customers, and partners. These remediation plans could be very strict for some teams dealing with highly sensitive data, or very loose for teams distant from your core business information.
- Set up automated workflows to eliminate data access regularly
Leverage the aligned remediation plans to set up automated security workflows that expire SaaS data access, OAuth tokens, 3rd party vendor access, etc. against agreed-upon business rules. For example, financial information should not be shared with @gmail accounts and, in general, should not be shared for more than 90 days.
- Automated workflows to mitigate suspicious activity
Identify insider threats and 3rd party suspicious activity using AI-based anomaly detection mechanisms. Define automated playbooks to mitigate potential findings, and leverage business context from multiple data points (HRIS, IdP, EDR) and stakeholders (end-users, IT, Security, Legal) to perform remediation with confidence.
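As an added worked example (not DoControl's product or code), the following Python script shows the exposure-mapping and rule-based remediation steps above running over a constructed inventory of sharing records. The record schema, the corporate domain example.com, the HRIS export of former employees, the data labels and the sample shares are all assumptions; a real run would read these from the SaaS application's sharing audit export and from the HRIS/IdP.

```python
"""Added example (not DoControl code): classify SaaS sharing records by
exposure level and apply the kind of business rules the post describes.
The record format and all sample data below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

INTERNAL_DOMAIN = "example.com"          # assumed corporate domain
MAX_SHARE_AGE_DAYS = 90                  # rule from the post: no sharing beyond 90 days
FORMER_EMPLOYEES = {"bob@example.com"}   # constructed HRIS export of offboarded users
RESTRICTED_LABELS = {"financial"}        # data sets that must never reach consumer mailboxes
CONSUMER_DOMAINS = {"gmail.com"}         # the post's @gmail example


@dataclass
class Share:
    path: str                    # file or folder that is shared
    owner: str                   # owning identity
    department: str              # owner's department (from HRIS, constructed)
    label: str                   # data classification label
    sharee: str                  # recipient email, or "anyone-with-link"
    created: date                # when the share was granted
    last_access: Optional[date]  # None means the link/permission was never used


def exposure_level(share: Share) -> str:
    """Map a share to the three exposure levels: internal, external, public."""
    if share.sharee == "anyone-with-link":
        return "public"
    domain = share.sharee.split("@")[-1]
    return "internal" if domain == INTERNAL_DOMAIN else "external"


def exposure_map(shares):
    """Step 1: quantify exposure overall and per department."""
    by_level = Counter(exposure_level(s) for s in shares)
    by_dept = Counter((s.department, exposure_level(s)) for s in shares)
    return by_level, by_dept


def remediation_actions(shares, today: date):
    """Steps 2 and 4: bulk-remediation candidates plus business-rule violations.
    Returns (path, sharee, reason) tuples; the first matching rule wins."""
    actions = []
    for s in shares:
        level = exposure_level(s)
        domain = s.sharee.split("@")[-1]
        age_days = (today - s.created).days
        if s.sharee in FORMER_EMPLOYEES:
            actions.append((s.path, s.sharee, "former employee"))
        elif level != "internal" and s.last_access is None:
            actions.append((s.path, s.sharee, "inactive external/public link"))
        elif s.label in RESTRICTED_LABELS and domain in CONSUMER_DOMAINS:
            actions.append((s.path, s.sharee, "restricted data shared with consumer mailbox"))
        elif s.label in RESTRICTED_LABELS and age_days > MAX_SHARE_AGE_DAYS:
            actions.append((s.path, s.sharee, f"restricted share older than {MAX_SHARE_AGE_DAYS} days"))
    return actions


# Constructed sample inventory, as a sharing audit export might look after parsing.
TODAY = date(2023, 12, 1)
SAMPLE_SHARES = [
    Share("Finance/Q3-forecast.xlsx", "alice@example.com", "Finance", "financial",
          "carol@example.com", date(2023, 11, 20), date(2023, 11, 28)),
    Share("Finance/Q3-forecast.xlsx", "alice@example.com", "Finance", "financial",
          "dave@gmail.com", date(2023, 11, 25), date(2023, 11, 26)),
    Share("Finance/payroll-2022.csv", "alice@example.com", "Finance", "financial",
          "vendor@partner-example.net", date(2023, 1, 10), date(2023, 3, 1)),
    Share("HR/onboarding.docx", "erin@example.com", "HR", "internal",
          "bob@example.com", date(2023, 2, 1), date(2023, 6, 1)),
    Share("Marketing/brand-kit.zip", "frank@example.com", "Marketing", "public-ok",
          "anyone-with-link", date(2022, 5, 1), None),
    Share("Marketing/brand-kit.zip", "frank@example.com", "Marketing", "public-ok",
          "gina@example.com", date(2023, 10, 1), date(2023, 11, 30)),
]

if __name__ == "__main__":
    by_level, by_dept = exposure_map(SAMPLE_SHARES)
    print("exposure by level:", dict(by_level))
    print("exposure by department:", dict(by_dept))
    for path, sharee, reason in remediation_actions(SAMPLE_SHARES, TODAY):
        print(f"remediate {path} -> {sharee}: {reason}")
```

The rules are ordered so that the cheapest, zero-business-impact removals (former employees, never-used links) are reported first, matching the post's suggestion to bulk-remediate those before negotiating stricter per-team rules; the per-team plans from step 3 would simply swap in different `RESTRICTED_LABELS` and age limits per department.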
How can DoControl help?
DoControl serves as the ultimate SaaS Data Security layer for your organization. With 24/7 monitoring of employees and 3rd party users, AI-powered threat detection, and fully granular, automated security workflows, DoControl can help reduce your SaaS data exposure to a bare minimum, so that even if SaaS accounts are taken over (for both internal and external users), the exposure of your data layer stays minimal and the potential financial impact on your business is reduced.