When you have the results back from your uBreach assessment, it might be time to speak to your user base about what this means. So, what does it mean?
Firstly, what is uBreach?
uBreach is the usecure integration with the https://haveibeenpwned.com/ service, which was created by Troy Hunt. Have I Been Pwned is a collection of data from breaches that have made their way onto the internet. usecure leverages this data and displays the information in an easy-to-consume format.
What type of data can be found in uBreach?
This can be any data that was present in the breach information. Typical examples include "username", "password", "date of birth" and others. Essentially, any data that was collected during the sign-up process or held on the account page can make its way into a data breach.
What are the implications of data being found in a known breach?
If data is available online and is included in uBreach, this means that anyone can get access to it. It is also common that if an employee has used their work email to sign up for an account, they will have reused the password associated with that work email address, essentially giving anybody the credentials to access work systems and data.
The other implication is that if someone were looking to launch a phishing attack on the business, the available data would give the attacker the intelligence to impersonate a service from which the staff member would be expecting to receive communication. This would make the attack much more likely to succeed.
What should I do if my employees' data is caught in uBreach?
When this happens, it is important to see it as an opportunity to strengthen your security profile and help your employees understand what the implications are. Most businesses and employees will have been totally unaware that this information was available on the internet to begin with. Many people also use their work email address to sign up to services (think Netflix: using a different email account can get you a free month of TV).
The first step is to notify your employees that company data has been found in known breaches. You can reference the breach but should not include the user information; this can be done one-to-one.
Following this, you should reference the company policy on email use, which should prohibit employees from using their work email address for anything outside of work purposes. It may be a good time to revisit the policy, harden it if necessary and then distribute it, asking your staff to read and sign it. You can use uPolicy for this, and our template policy includes wording aligned with the above.
If the data breach is recent and falls within your password change policy time-frame, you should request that users update their passwords immediately. This will limit the potential impact of an incident should someone get hold of the breach information.
Finally, you should communicate to staff what the company policy is should they fall foul of this in the future. This is something that usecure cannot provide guidance on, as it depends on the company culture and tolerance for security risk.