A lack of proper data sanitization and appropriate methods to manage the entire information lifecycle, means those same organizations are providing bad actors with the opportunity to manufacture identity. This situation of storing as much data as possible is creating an Everest-like attack surface, riddled with vulnerabilities and entry points for bad actors. In Q1 2023, IT Governance discovered 310 security incidents between January and March, accounting for a total of 349 million breached records. That represented a 12.7% increase on the number of cybersecurity incidents seen in the previous quarter.
While falling foul to a data breach can have long term consequences for trust in an organization's security posture and its ability to appropriately safeguard information, the financial implications are just as eye watering. Businesses have been forced to pay out millions as a result of being penalized by regulators for failing to comply with data privacy regulations. Coupled with the cost of investigating and addressing the breach, as well as paying out for ransomware attacks, breaches are detrimental to a business’s bottom lines.
A situation out of hand
The current state of play paints an ugly picture for existing data management practices. And a Deloitte poll released earlier this year revealed that nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations' accounting and financial data to increase in the next 12 months.
That’s not to say businesses are resting on their laurels. In fact, security is a priority for almost all organisations. Gartner forecasts spending on information security and risk management products to increase by 11.3% in 2023 to reach more than $188.3 billion. But it’s not as simple as just buying a new tool or lock for sensitive information when it comes to properly protecting your organisations perimeters. Security is and never will be a one and done approach. Moving to the cloud and the evolution of technology means organisations are now collecting and storing too much data.
Fredrik Forslund is VP and GM International at Blancco.
A breach isn’t the only concern
A breach isn’t always the route cause of regulatory violation that incurs hefty fines. A Danish bank was fined $1.5 million (€ 1.3 million) in the second case for failing to comply with the European Union’s GDPR “right to erasure” guidelines. GDPR requires personal data be erased by service providers when services end or legal agreements expire. Yet key findings by the Danish Supervisory Authority showed that the bank “has not been able to document whether rules have been laid down for deletion and storage of personal data, or whether manual deletion of personal data has been carried out.”
While there was no breach, the bank held onto customer data longer than regulations allowed. The bank faced a challenge that many organizations encounter: A distributed network of technology systems that made it difficult to build the right functionality. The organization found itself incapable of keeping up with data destruction demands in its more than 400 individual banks.
To avoid these costs and minimize security risks, businesses need to think about the entire lifecycle of their data and IT equipment. This means developing a plan for how data will be collected, stored, processed, and disposed of, and ensuring that all equipment is properly managed throughout its lifecycle. Fundamentally, the approach must change. Proactive management of data across the information lifecycle is critical.
Why organizations store data
Companies hold on to sensitive data for too long for many reasons - despite the well documented consequences. For example, they may want to keep data for future use, even if they remain unsure what that use is. Some firms also lack the policies for employees to know that some data must be destroyed. And others simply believe that data will remain secure.
This too is costly for organisations, both from a financial and environmental perspective. A Blancco research report found that two in five enterprise IT decision-makers admitted to wasting upwards of $100,000 per year storing useless IT hardware that contains sensitive information, rather than sanitising the data and the device. There’s also the cost of storing unnecessary data in the cloud or on-prem. And that too has a negative impact on the environment with finite energy resources used to power the servers that the data sits on - contributing CO2 emissions.
Instead of taking these risks, organizations need a proactive, verifiable, and certified process to permanently destroy unnecessary data. Doing so can ensure this data is rendered inaccessible, reducing risk, maintaining customer trust, avoiding potential fines, and limiting breach exposure. Such data erasure also ensures that an organization complies with all national, regional, and market-specific regulations.
Moving towards best practices
Some steps businesses can take to improve their data management practices include:
Developing a data management plan that outlines how data will be collected, stored, processed, and disposed of. This plan should take into account any legal and regulatory requirements for data management and should be reviewed regularly to ensure it remains up-to-date.
Regularly auditing IT equipment to identify hardware that is no longer in use or nearing end-of-life. This hardware can then be repurposed, sold, or recycled in a responsible manner.
Implementing secure data destruction processes to ensure that all sensitive data is properly removed from end-of-life IT equipment. This can include physical destruction of hard drives or the use of software-based data destruction tools.
Developing policies and procedures for handling data breaches, including incident response plans and employee training programs.
By taking a proactive approach to data management and end-of-life IT equipment, businesses can reduce their financial costs and minimize security risks. It’s critical to foster an improved culture of cyber hygiene, and one that is sustainable and compliant. Constantly assessing the value of data from its creation through to its retirement is critical because it allows organizations to maintain control over their data and ensure that it is being used effectively, efficiently, and in compliance with legal and regulatory requirements. It’s vital that any organization that creates and stores data has a plan to safely dispose of it within a predefined, carefully-crafted company retention policy across all stages of the lifecycle.
The retention periods established through data classification also help to determine the suitable disposal dates. This can help organizations gain insights that would otherwise be difficult to obtain, leading to better decision-making and ultimately, better business outcomes.
And while it is best practice to follow standards and comply with data protection regulations; a standard is only a collection of guidelines laid down by a governing body, and it does not ensure regulatory compliance. This is even more important when working across borders as different countries adhere to different privacy regulations. Businesses will face severe repercussions without the proper data management practices in place across the information lifecycle.
