Data Deletion in a World with Endless Storage
Storing data has become so easy and inexpensive that for many organizations there’s effectively no limit to the amount of data they’ll keep. Adding more space in the data center or, increasingly, taking advantage of dirt-cheap storage in the cloud means that data is growing faster than many companies can deal with it. It’s turning many companies into digital hoarders.
Most enterprises have retention and disposition policies for how and when data should be deleted, but too many companies don’t enforce them and the data continues to grow. Data means risk, though, since anything stored that’s sensitive or valuable can be lost, or stolen and misused in the wrong hands.
Here are five ways your extra information places your business at risk.
Like the EU GDPR, the upcoming California Consumer Data Privacy Act gives consumers the “right to be forgotten” and tell companies to delete their information. The more data you retain, the harder it will be to fulfill these requests. Companies that have let their data get out of hand are more likely to overlook a Word document or an email containing personal data like PII – a simple oversight that could put your company at risk under regulations including GDPR, HIPAA, SOX, and PCI-DSS.
Ransomware — like 2017’s WannaCry that brought organizations like the UK’s National Healthcare Service to their knees – can be devastating because they work swiftly to encrypt every electronic file they can find. This could amount to thousands or even millions of files if, like many organizations, you have a lot of files exposed to any user on the network.
If an attack starts and your security measures don’t catch it quickly, you could find yourself losing years’ worth of data if just one employee clicks on a well-designed phishing email.
External Attack Risk
When outside attackers land on your network, their goal is to remain hidden, escalate privileges and hunt for information. The more old data you retain the more you have more to protect—and the higher the risk of a breach. When North Korean threat actors hacked Sony Pictures in 2014, some of the breached files containing embarrassing information were 13 years old. Your files are as valuable as money in the wrong hands. Minimize your risk by removing information that no longer holds value to your business.
Hybrid storage models that leverage both cloud and on-premises data storage are the new normal for enterprises. Storing data both on-premises and in the cloud can make it harder to secure sensitive information on a need-to-know basis. Cloud storage is convenient but often lacks the security controls organizations have grown to expect in their on-premises data stores, and once data is exposed in the cloud it’s potentially open to everyone in the world, not just your employees.
Insider Threat Risk
Extra unsecured files on your network are an invitation for disgruntled employees to snoop around and scoop up documents to a personal cloud or thumb drive.
Unstructured data, such as Microsoft Office documents, tend to multiply as employees copy and resave information where it can be open to everyone. Older files that do not seem important to you might be valuable to a company insider who is looking for information to leverage for personal, political or monetary gain.
While many companies have policies for archiving or deleting unneeded data, enforcing those policies can be a major challenge.
Here are 6 tips to enforce a data deletion policy:
- Know your risk. Many organizations don’t know the extent to which their own data is putting them at risk. Ignorance is not bliss and will not protect you in the event of a security incident or audit. Take an inventory of your data to learn what’s sensitive, what’s overexposed, and who has access. That knowledge will create a foundation for your risk mitigation moving forward.
- Get to know your company’s data. Many companies have lost track of what data they have and where it is. Map out your data stores, monitor what’s being used, and archive what you no longer need. In the event of a breach, attackers will zero-in on this content and regulators will demand answers – you must be one step ahead.
- Focus on your sensitive data. Some of your data contains PII and sensitive businesses plans. Other information holds little value. Focus on protecting the crown jewels – information that is covered by regulations and proprietary information that could put your company at risk. Delete or archive information that’s outlived its business value.
- Secure your hybrid data storage. As companies embrace the cloud they will continue to store information on physical servers. Regardless of where your information is stored, ensure your security policies and controls cover all of your data. Understand the capabilities and limitations of both environments.
- Let AI and automation work for you. You must be able to apply your data deletion policies to files across your organization. Companies that automate retention and disposition policies for their files–automatically archiving and deleting what they don’t need–will be better protected from insider threats and cyberattacks. Continuously what’s sensitive, where that data is, and what’s being used and what not gives you the ability to automatically delete what you no longer need.
- Work to a least-privilege model. You must lock down the data you do keep to a least-privilege model, ensuring that only the right people have access to just what they need to do their jobs. In a recent report we found that 41% of companies had at least 1,000 sensitive files open to all employees, which can include personal employee information, customer account information, executive emails, and more. Exposed data is what’s most likely to get lost to ransomware, stolen by an outside attacker, or misused by an insider. Lock things down and prevent disaster before it happens.
Unused data does not always get the attention it needs by IT and cybersecurity. Many companies don’t know where to begin and what they should delete because it can be difficult to know what’s important and what data is still in use. Knowing what you have, where it is, and how it’s used will go a long way toward improving your security stance and helping you get rid of what you no longer need.
About the author: Brian Vecci is a 19-year veteran of information technology and data security, including holding a CISSP certification. He has served in applications development, system architecture, project management, and business analyst roles in financial services, legal technology, and data security software organizations. Brian currently serves as a technical evangelist for Varonis Systems and works passionately to help organizations of all sizes get the most value from their data with the least amount of risk.