Advance Notice: Staying Alert and Aware of a Security Breach


Locking your digital doors is the most important thing your organization can do—a cybersecurity system is crucial in today's hack-happy world.

Recognizing what a picked lock looks like is the second thing. Cyberattacks do come with warning signs, and your team needs to know those signs so that you can stop a security breach before it's too late.

We hear stories all the time about how a proactive approach to cybersecurity makes a breach less catastrophic. The business and the names below are hypothetical, but the scenario has played out many times.

Jay Duncan and his team learned this the hard way. Jay is the IT director for Sew Clean, a chain of alterations and dry cleaning stores. He pushed his senior management to move to a completely digital point of sale system, so their customers' information is stored on their network. Jay installed an intrusion detection system (IDS) on the network when the new POS software went in, reasoning that with all that customer data they needed bigger firewalls. The IDS he chose works like antivirus software for the network, monitoring incoming traffic.

So far, it's worked out well. Not only are customers' starch choices in the system, but so are their measurements, so they can simply drop off basic alterations like hemming. During the pandemic, this full curbside service has boosted Sew Clean's business while their competitors are struggling.

Sew Clean has several branches in the metropolitan area, and Jay oversees a team of six administrators. Together, they keep customer data secure and manage the business operations. 

A Series of Peculiar Events

One day, a branch manager, Susan, mentioned that she had been locked out of her account when she tried to log in. She hadn't said anything about it sooner because she assumed she had missed a capital letter in her password. Jay didn't think much about it; Susan was new, and he figured she had simply forgotten the sequence. He had also added email encryption to the system for an added layer of security. That afternoon, the operations manager said that the network seemed slow and some of the computers were inexplicably crashing. Jay immediately tried to shut down his computer, only it would not cooperate and kept running. His suspicions of a security breach were confirmed when a ton of pop-ups started doing just that—popping up exponentially.

Jay realized that a data breach was in progress. He had been discussing plans for an emergency recovery with his IT admins since his first day, so he called his lead engineer and told her "we're hacked, get everyone on site and start working through the plan." Then he called the CEO with the news.

While Jay was having an uncomfortable discussion with the CEO, his lead engineer Jane had shut down all company routers to limit the spread of the hack, and had begun shutting down all servers. Her staff were calling branch managers to tell them to run through the instructions in the red 3-ring binder labeled "Emergency Recovery Plan."

By the time Jay got to the data room, Jane and her staff were almost finished rebuilding the desktop computers in the office. "Jay, I'm glad you made us practice this last month. I've put all the main servers in quarantine, and Tom's signed off on the checks. I'm sending the guys out to the branches to make sure they're all clean. Once that's done, we'll be back in business within an hour."

How Jay Prepared for a Data Breach

Jay and his team knew the signs of a security threat, but the initial signal—a new employee couldn't log in right away—was so subtle that he and Jane dismissed it at the outset. His CEO was grateful that Jay had insisted on additional email security as well as security audit software, although he had grumbled a bit about the cost at the time.

Fortunately, he and Jane both had that emergency plan in place, so they had minimal downtime and no loss of data.

Major Signs a Data Breach is Underway

Jay and Jane knew the warning signals for a data breach and had trained their staff to look out for these signs.

  • Users locked out of accounts—Susan couldn't log in because a phisher was interfering with her account
  • Slow hardware and software performance—systems freeze and crash for no apparent reason
  • Abnormal system behavior—a flood of pop-ups and virus-detection messages is a sure sign that malware is worming its way into your network

An attack can even take the form of a targeted campaign whose messages are customized to spoof legitimate notifications.

More subtle changes to the system are sudden file changes and unusual activity on an administrative account. When Jay realized a cyberattack was underway, he was able to confirm through his security audit software that his admin account was secure and that the malware had not infected the company files.
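The two signals the story turns on, a lockout that looks like a mistyped password and an administrative account acting from somewhere it never has, are visible in authentication logs before a user ever reports them. The script below is an added example, not code from the article or from any product it mentions: it runs over a handful of constructed log lines (the format, host names and account names are invented for illustration) and flags a lockout preceded by a rapid burst of failed logins, plus admin-account activity from an unfamiliar host.

```python
"""Triage of constructed authentication log lines for two early warning signs:
a lockout preceded by a burst of failed logins, and an administrative account
active from a host it has never used before.

Added example, not part of the original article. The log format, host names
and account names are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<timestamp> <event> user=<name> host=<host>"
SAMPLE_LOG = """\
2024-03-04T08:01:10 LOGIN_OK user=susan host=branch3-pos1
2024-03-04T08:02:30 LOGIN_FAIL user=susan host=branch3-pos1
2024-03-04T08:02:41 LOGIN_FAIL user=susan host=branch3-pos1
2024-03-04T08:02:55 LOGIN_FAIL user=susan host=branch3-pos1
2024-03-04T08:03:02 LOGIN_FAIL user=susan host=branch3-pos1
2024-03-04T08:03:05 LOCKOUT user=susan host=branch3-pos1
2024-03-04T08:15:00 LOGIN_OK user=jay-admin host=it-workstation
2024-03-04T08:40:12 LOGIN_OK user=jay-admin host=it-workstation
2024-03-04T13:22:09 LOGIN_OK user=jay-admin host=branch3-pos1
2024-03-04T13:22:30 FILE_MODIFY user=jay-admin host=branch3-pos1
"""

# Tunable thresholds (assumptions chosen for this example)
FAIL_THRESHOLD = 3          # failures before a lockout that we treat as suspicious
FAIL_WINDOW_SECONDS = 300   # failures must fall within this window before the lockout


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "host" not in fields:
        return None
    return {"ts": ts, "event": parts[1], "user": fields["user"], "host": fields["host"]}


def find_suspicious_lockouts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW_SECONDS):
    """Return (user, failure_count) for lockouts preceded by >= threshold failures in the window.

    To the user a lockout from a mistyped password looks the same; the rapid burst
    of failures before it is the signal a defender can act on.
    """
    fails = defaultdict(list)
    flagged = []
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
        elif e["event"] == "LOCKOUT":
            recent = [t for t in fails[e["user"]] if (e["ts"] - t).total_seconds() <= window]
            if len(recent) >= threshold:
                flagged.append((e["user"], len(recent)))
    return flagged


def find_admin_new_hosts(events, admin_users, known_hosts):
    """Return (user, host) pairs where an admin account acted from an unfamiliar host."""
    findings = []
    for e in events:
        if e["user"] in admin_users and e["host"] not in known_hosts.get(e["user"], set()):
            pair = (e["user"], e["host"])
            if pair not in findings:
                findings.append(pair)
    return findings


def triage(log_text, admin_users, known_hosts):
    """Run both checks over raw log text and return the findings as a dict."""
    events = [ev for ev in (parse_line(line) for line in log_text.splitlines()) if ev]
    return {
        "lockouts": find_suspicious_lockouts(events),
        "admin_new_hosts": find_admin_new_hosts(events, admin_users, known_hosts),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, {"jay-admin"}, {"jay-admin": {"it-workstation"}})
    for user, n in result["lockouts"]:
        print(f"lockout for {user} after {n} rapid failures: investigate before resetting")
    for user, host in result["admin_new_hosts"]:
        print(f"admin account {user} active from unfamiliar host {host}")
```

The point of the failure window is that a help-desk reset is the wrong first response: a lockout that follows four failures in under a minute from a point-of-sale terminal deserves a look at who was typing, not just a password reset.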

Your data security should have built-in updates

Data security tools are constantly evolving to keep up with the bad actors in cyberspace. Jay had already installed Microsoft 365 Security Audit software that continuously monitors his email system for vulnerabilities. Hackers are always looking for a way in, and emails are a popular delivery vehicle for testing the waters. Phishing attacks are typically the first breach in a network. The security audit analyzes all network mailboxes for permissions, passwords, MFA, and forwarding settings so that any attempt at breaking in is automatically rebuffed.

Phishing is a highly profitable attack vector

According to an IBM study on the overall costs of a data breach, a successful phishing attempt is the second costliest type of attack. Phishing accounts for 17% of all data breaches and costs companies an average of $4.65 million. Compromised email credentials—when malware fools Active Directory into treating a request as valid—are responsible for 20% of security breaches. These incidents, however, are less expensive to clean up than a phishing hack.

Phishing that wormed its way into business email, however, cost an average of $5.01 million to recover from. What's worse, IBM found that this type of phishing breach accounts for only 4% of data breaches yet takes almost a year—317 days—to identify.

Modern IDS Keeps Up with the Bad Actors

The days when Jay and Sew Clean could keep their data secure with antivirus software alone are long gone. Because businesses are networked, security has to match that risk by safeguarding the entire system. An IDS acts as that gatekeeper, with adaptable technologies that keep all your systems secure against ever more sophisticated cyber threats.

Signature-based IDS builds on the antivirus approach: it searches traffic for known byte sequences (signatures) or known malware instruction sequences. The limitation of signature-based IDS is that it cannot identify new attacks, because there is no prior pattern to match against.

Anomaly-based IDS goes a step further and uses AI to identify odd patterns of behavior against a predefined trust model. The downside to this kind of IDS is that false positives are possible; in some instances new but legitimate activity gets flagged as malicious.
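To make the two approaches above concrete, here is an added example (not the article's code and not any vendor's product) that runs a signature scanner and a baseline-driven anomaly scanner side by side over constructed data. The signatures, payloads, host names and traffic counts are all invented for illustration. It shows the two failure modes the text describes: the signature scanner misses a variant it has no pattern for, and the anomaly scanner flags a brand-new host that simply has no baseline yet.

```python
"""Signature-based vs anomaly-based detection over constructed traffic records.

Added example, not the article's code and not any IDS product. Signatures,
payloads, host names and connection counts are invented for illustration.
"""
import statistics

# --- Signature-based: match known byte patterns in payloads ------------------
# Constructed signatures: pattern bytes -> label (not real malware signatures).
SIGNATURES = {
    b"EVIL_LOADER_V1": "known-loader",
    b"BEACON-CHECKIN-1": "constructed-beacon",
}


def signature_scan(payload, signatures=SIGNATURES):
    """Return the labels of every known signature found in payload (empty if none)."""
    return [label for pattern, label in signatures.items() if pattern in payload]


# --- Anomaly-based: compare against a learned per-host baseline ---------------
def build_baseline(training_counts):
    """Learn (mean, population stdev) of connections per minute for each host.

    Requires at least two observations per host so that a spread is defined.
    """
    baseline = {}
    for host, counts in training_counts.items():
        if len(counts) < 2:
            raise ValueError(f"need >= 2 observations for {host}")
        baseline[host] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline


def anomaly_scan(observed_counts, baseline, z_threshold=3.0):
    """Flag hosts whose observed count deviates from baseline by more than z_threshold stdevs.

    A host with no baseline is flagged as 'unknown-host': there is no trust model
    to compare it against, which is exactly how legitimate new activity becomes
    a false positive.
    """
    findings = []
    for host, count in observed_counts.items():
        if host not in baseline:
            findings.append((host, "unknown-host"))
            continue
        mean, sd = baseline[host]
        sd = sd or 1.0  # perfectly steady host: avoid division by zero
        z = (count - mean) / sd
        if abs(z) > z_threshold:
            findings.append((host, f"z={z:.1f}"))
    return findings


# --- Constructed sample data ---------------------------------------------------
PAYLOADS = {
    "known-bad": b"GET /x HTTP/1.1\r\nEVIL_LOADER_V1\r\n",
    "novel-bad": b"GET /y HTTP/1.1\r\nEVIL_LOADER_V2\r\n",   # new variant, no signature yet
    "benign": b"GET /index.html HTTP/1.1\r\n",
}
TRAINING = {  # connections per minute over five quiet minutes
    "branch1-pos": [4, 5, 5, 6, 5],
    "it-workstation": [10, 12, 11, 9, 10],
}
OBSERVED = {"branch1-pos": 60, "it-workstation": 11, "new-kiosk": 8}


def demo():
    """Run both scanners over the sample data and return their findings."""
    sig = {name: signature_scan(p) for name, p in PAYLOADS.items()}
    anomalies = anomaly_scan(OBSERVED, build_baseline(TRAINING))
    return sig, anomalies


if __name__ == "__main__":
    sig, anomalies = demo()
    for name, hits in sig.items():
        print(f"signature scan of {name!r}: {hits or 'no match'}")
    for host, why in anomalies:
        print(f"anomaly on {host}: {why}")
```

In the sample run the signature scanner catches `EVIL_LOADER_V1` and misses `EVIL_LOADER_V2`, while the anomaly scanner catches the point-of-sale host jumping from about five connections a minute to sixty and also flags `new-kiosk`, which is harmless but has no baseline. In practice the two are layered, and new hosts are enrolled into the baseline rather than left to generate alerts.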

Until this attempted data breach, Jay and Jane were having a hard time convincing their team and CEO that modern security software was critical to keeping company and customer information safe and secure. Once the crisis had passed, the team and the CEO were fully on board with learning and staying up to date on security protocols.