Data context drives better ransomware decisions in multi-cloud crises

At a glance

What this is: Cyera’s live ransomware simulation found that security leaders changed decisions materially once data context clarified what was actually at risk.

Why it matters: For IAM and NHI practitioners, the lesson is that access decisions, containment, and notification scope all depend on trustworthy identity and data context, not just alert volume.

By the numbers:

• 96% of respondents chose to isolate affected systems and disable cross-account access when attackers encrypted critical systems simultaneously.
• 94% chose to suspend outbound access and begin forensics when a suspicious outbound spike appeared.
• 84% chose to notify only the affected customers after Cyera identified that 24% had regulated PII, cutting projected costs by $17M-$25M.

👉 Read Cyera's analysis of the DataSecAI 2025 cyber crisis simulation

Context

Data context is the difference between reacting to noise and responding to a real exposure. In multi-cloud environments, security teams often see suspicious activity before they can tell whether the traffic, data, or identity involved is actually high risk. That gap becomes an NHI governance problem because service accounts, tokens, and cross-account permissions can expand the blast radius faster than a human responder can manually verify.

Cyera’s live exercise used 100 security leaders and seven crisis modules to show how decisions shift when teams get clearer data about encryption, exfiltration, and affected records. The starting assumption was not unusual. Most enterprises now face the same combination of cloud sprawl, hidden sensitive data, and overextended access paths that makes incident response slower and less precise than policy assumes.

Key questions

Q: How should security teams use data context during a ransomware incident?

A: Security teams should use data context to determine which identities, systems, and records are actually exposed before choosing broad containment or notification actions. That means linking classification, lineage, and access telemetry so responders can narrow scope with evidence instead of assumption. In NHI-heavy environments, this is the difference between disciplined containment and avoidable overreaction.

Q: Why does non-human identity governance matter in ransomware response?

A: Non-human identities often control the paths that let ransomware spread, encrypt, or exfiltrate data across cloud environments. If those identities are not inventoried and bounded, incident response can miss the real blast radius. NHI governance matters because access decisions, not just malware containment, determine how far the incident moves.

Q: What is the difference between containment and recovery in an incident response plan?

A: Containment stops the attack from spreading and preserves evidence, while recovery restores business operations after the environment has been stabilised. The two need different triggers, owners, and timelines. Teams that blur them often damage evidence or restart systems before they understand what was touched.

Q: When should organisations narrow customer notifications after a breach?

A: Organisations should narrow customer notifications when telemetry and classification show that only a defined subset of records was exposed and that the evidence is strong enough to support the decision. Precision matters because over-notification increases cost and confusion, while under-notification creates legal and reputational risk. The right answer depends on defensible scope, not speed alone.

Technical breakdown

Why data context changes ransomware response in multi-cloud environments

Ransomware response often fails at the point where incident data and access data meet. If responders cannot quickly determine which systems hold regulated data, which identities can reach them, and which paths are cross-account, they tend to over-isolate or under-react. Data context means linking classification, sensitivity, and location to the identities and workloads that can move or encrypt that data. In NHI-heavy environments, that also includes service accounts, API keys, and automation that may be invisible in standard user-centric access reviews. The practical result is faster containment with fewer false escalations.

Practical implication: Map sensitive data to NHI access paths before an incident so responders can scope actions without guessing.

How containment, forensics, and legal timelines intersect

The first technical decision in a crisis is usually containment, but containment is not the same as cleanup. Security leaders must decide when to isolate systems, preserve evidence, start legal clocks, and avoid destroying artefacts that support investigation. In cloud environments, disabling cross-account access can stop spread, but it also changes logging and recovery options. The simulation’s pattern shows that mature teams treat incident response as a coordinated control plane across security, legal, and communications rather than a pure IT recovery exercise. That is especially relevant where identities and data move across jurisdictions and cloud tenants.

Practical implication: Build incident runbooks that preserve evidence and trigger legal review before teams begin restoration.

Why precision notifications depend on identity and data lineage

Notification scope is a governance decision driven by what data was exposed, whose data it was, and whether the exposure is legally material. Data lineage and identity lineage matter because security teams need to know which customers, systems, and service accounts were truly involved before sending broad notices. Without that linkage, organisations either over-notify and create unnecessary cost or under-notify and create compliance risk. The exercise shows that good crisis outcomes depend on classification and access telemetry working together, not in separate reporting silos.

Practical implication: Tie identity telemetry to data classification so notification decisions can be narrowed with defensible evidence.

Breaches seen in the wild

• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
• Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Data context is becoming a control surface, not just a reporting layer. The simulation shows that security leaders make materially better decisions when they can see which identities, systems, and records are actually implicated. That is an NHI governance issue because privileged service accounts and cross-account access are often what turn a contained event into a broad incident. Practitioners should treat data context as part of access control design, not an after-action luxury.

Identity sprawl weakens crisis response even when incident response maturity is high. Teams can have strong containment instincts and still lose time if they cannot rapidly determine which non-human identities touched the affected data. Multi-cloud environments multiply that problem because control boundaries differ across accounts and platforms. The practical conclusion is that NHI inventory, access review, and data classification must be joined operationally before the first alert arrives.

Precision beats blanket response when exposure is still unverified. The clearest pattern in the exercise is that leaders moved from broad defensive action to narrower decisions once they had better evidence. That is the right direction, but it requires prebuilt workflows for scope reduction, not ad hoc judgment under pressure. NHI programmes should therefore optimise for evidence quality, not just response speed.

Ephemeral access only helps if the underlying trust model is explicit. Short-lived credentials and restricted sessions can reduce blast radius, but they do not solve the problem of who or what is allowed to touch regulated data in the first place. The governance gap is not merely technical access duration. It is the absence of a consistent model linking identity, sensitivity, and response authority. Practitioners should design for identity blast radius, not credential age.

Data security and NHI governance are converging into the same operating problem. Crisis simulations increasingly show that access, classification, and notification cannot be managed in separate silos. Security teams that continue to treat data security as distinct from identity governance will keep discovering the same blind spots during real incidents. The field should expect more integrated control models, and practitioners should start there now.

From our research:

• Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
• 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials.
• Top 10 NHI Issues helps teams prioritise the visibility and lifecycle controls that reduce crisis-time uncertainty.

What this signals

Data context is becoming part of incident command. With 35.6% of organisations already naming consistent access across hybrid and multi-cloud environments as their top NHI security challenge, response programmes need to assume that identity scope will be unclear when the first alert fires. Security teams should plan for access decisions that can be re-scoped quickly as evidence improves.

Identity blast radius is now a measurable operating risk. When a crisis involves service accounts, cross-account permissions, and regulated data, the team’s real problem is not the alert itself but how far the impact can travel before controls interrupt it. Organisations should use telemetry, classification, and privileged access review together so containment decisions are evidence-led.

Forward planning should focus on making the first hour of an incident more deterministic. If responders can see which non-human identities touched regulated data and which systems those identities can reach, they can avoid broad disruption while still staying inside legal and forensic requirements.

For practitioners

• Link sensitive data to NHI inventory Build a live map of service accounts, tokens, and cross-account permissions that can reach regulated datasets, then update it continuously as cloud workloads change.
• Predefine containment thresholds for multi-cloud incidents Document when teams isolate systems, disable cross-account access, and preserve forensic evidence so responders do not debate basics while an attacker is still active.
• Separate legal notification triggers from restoration triggers Align incident runbooks so legal, privacy, and insurance review starts before cleanup, especially where cross-border data or regulated records may be involved.
• Use data classification to narrow customer notifications Set rules for when notifications can be limited to the affected subset of records, and require evidence from telemetry before sending broad notices to all customers.

Key takeaways

• Security leaders responded best when they could connect incident activity to real data context, not just technical alerts.
• Non-human identities and cross-account permissions are central to blast radius, containment, and notification scope in multi-cloud incidents.
• Crisis playbooks should join identity telemetry, data classification, and legal decision points before an incident starts.

Key terms

• Non-Human Identity: A non-human identity is any credentialed digital actor used by software, infrastructure, or automation rather than a person. It includes service accounts, API keys, tokens, certificates, and AI agents. These identities often move faster and reach wider than human users, which makes governance and review harder.
• Identity Blast Radius: Identity blast radius is the amount of data, systems, and business process a single identity can affect if it is abused or misused. In practice, the blast radius is shaped by privilege scope, cross-account reach, and whether access is persistent or time-bound. It is a useful way to prioritise NHI controls.
• Data Context: Data context is the operational understanding of what data exists, where it lives, how sensitive it is, and which identities can reach it. In incident response, data context turns alerts into decisions by showing whether a system holds regulated records, test copies, or low-risk content. It is essential for defensible containment and notification scope.

Deepen your knowledge

Data context and NHI blast radius are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect incident response, access scope, and data governance, it is worth exploring.

This post draws on content published by Cyera: Data in the Crosshairs: What 100 Security Leaders Revealed During a Live Cyber Crisis Simulation. Read the original.