How to prevent and deal with big data breaches
On average, every data breach affects about 25,000 records and costs the affected organization almost $4 million. This cost comes in the form of brand damage, loss of customer trust, and regulatory fines. As data increases, so does your liability should a breach occur. More data also means that your systems become more valuable and appealing to potential attackers.
Since no system is 100% secure you should prepare yourself for the inevitable attempted or successful breach. In this article, you’ll learn how big data is vulnerable. This should help you keep your data safe. You’ll also learn some best practices for handling any breach that does occur and how to minimize the damage caused.
How is big data vulnerable?
Generally, big data is as vulnerable as the system it’s stored in. It is also vulnerable due to the ways it is collected, stored and accessed, and also because of the personal information it often contains.
Poor data validation
Big data is collected from many sources, some of which may be insecure. The speed and quantity of data ingestion present many opportunities for attackers to tamper with data or introduce malicious data or files. When collecting data, you open yourself to risk if you do not verify where your data is coming from or ensure that it is safe and reliable. This includes verifying that it is transferred securely.
Big data tools, particularly open-source tools, often don’t have native or comprehensive security features. So, you must extend security from your existing tools and services. This 'bolted on' security may not interface well with your tooling and can leave gaps that you’re unaware of.
Lack of data masking or encryption
You often need to manipulate big data to use it in analyses. The access required for this manipulation creates times when data may not be masked or encrypted. Data masking is when you obscure identifying details from users and interfaces. During access times, data is vulnerable to breach, tampering, or corruption.
Big data may be accessed from a variety of interfaces, including web consoles, cloud portals, and third-party integrations. These interfaces enable potential attackers to view, manipulate, and manage data. Vulnerabilities in these interfaces can provide direct access to your data and your systems.
Big data is often stored in multiple locations, such as across distributed databases. While this creates redundancy and availability, storing data in multiple locations also makes it difficult to monitor and secure. Multiple storage locations provide a broader attack surface and increase the chance that attackers can access data through other parts of your system.
Best practices for dealing with a big data breach
Big data breaches often involve both data loss and compromised privacy. Both present a significant risk to you and your customers. The following best practices can help you deal with breaches appropriately and, hopefully, reduce these harms.
Be transparent and notify all relevant parties
When you discover a breach, it is important to be transparent and timely with your disclosure. This includes informing stakeholders, authorities, regulatory boards, and customers. You should also keep in mind that many regulatory agencies require notification within a specific period. In general, try to notify within 24 to 48 hours.
In your notifications, you should include known facts about the breach and the steps you are currently taking. It is better to prepare your shareholders and customers for the worst case than to understate the situation. This will improve your thrustworthiness. On top of that, if you discover that the breach is less serious, it will be a relief for stakeholders and customers.
After the breach is contained and recovered from, you should share what steps were taken and what will be changed to prevent future breaches. You should not provide the specifics of actions taken throughout the response and recovery processes. Doing so can undermine your efforts by sharing information with attackers. Rather, provide clear, general statements about what is known and how you are taking action.
Follow your Incident Response Plan
You should already have an Incident Response Plan (IRP) in place. This plan outlines the responsibilities of your responders and how procedures should be followed and provides information on response priorities. An IRP ensures that your security team can carry out an efficient and effective response.
Make sure to follow this plan and the procedures it outlines. If you deviate from the plan you are likely to overlook steps or contaminate evidence. Following the processes that you have already created and practiced can help reduce stress on responders and prevent them from making mistakes. Following your IRP also can ensure that responses are comprehensive and that actions are documented appropriately.
Maintain privileged documentation
Maintaining consistent documentation of your response measures is often necessary for regulatory compliance, and auditing after a breach. Document all actions you take, including who is performing the action and the tools and methods they are using. Include any approval of processes and the time and date of all related communications.
As part of this documentation, make sure to keep a secure chain of custody of any breach evidence found. A chain of custody helps ensure that you can prosecute the responsible parties if they’re found. If you fail to document evidence or who has handled it, you risk losing valuable threat information and proof of the attacker’s actions.
Learn from your mistakes
While you cannot undo a breach, you can learn from your mistakes. It is vital to analyze data from the breach itself as well as your response to the breach. Refine your IRP and security policies and procedures based on your evaluation.
Your first priority should be addressing vulnerabilities that were uncovered in the breach. This includes vulnerabilities that an attacker discovered but did not successfully exploit. Often attackers will return and attempt to infiltrate systems again and there is no excuse for their being able to reuse the same exploits.
If you uncovered vulnerabilities during your response that were not associated with the breach, you should address these as well. Likewise, you should use the breach as an opportunity to discuss security with your teams, shareholders, and customers. Reinforce proper security measures and practices with training and information that they all can apply.
Despite your best efforts, at some point or another an attacker is likely to infiltrate your systems and data. When this happens, you need to respond quickly and efficiently. The sooner you can detect and contain an attack, the less data an attacker can steal.
Hopefully, this article helped you understand how big data is vulnerable and the steps you can take to ensure an effective response. To reduce your chances of having to deal with a breach in the first place, take the time to properly secure your system. You can start by performing a vulnerability assessment to identify where your weaknesses are.
Author: Gilad David Maayan