
Is Excessive Data Making Your Business Dangerously Overweight?

By Ben Bulpett | May 13, 2020 | Updated: December 30, 2021 | 5 Mins Read

Are you feeling gluttonous? Bloated? Overweight? We’re not talking about your diet in the Coronavirus shutdown period, but the data on your server. For years, you could have been accumulating information on customers, partners and clients that is now bursting from your data seams.

We’ve always held data as the key to our success and to gaining an advantage over the competition. The more data, the better (or so it seemed). But on its own, data is useless. It needs sophisticated data analysis tools to turn it into useful information that can really benefit the business.

New regulations, such as the General Data Protection Regulation (GDPR), also require organisations to collect and keep only data that is necessary (Article 25). Therefore, it’s no surprise that even with the second anniversary of GDPR’s implementation fast approaching, many companies still fall significantly short in their ability to meet Data Subject Access Requests (DSAR).

A DSAR is also commonly known as a ‘GDPR request’, and companies need to demonstrate a clear deletion policy. Simply put, the gluttonous data diet of these organisations is posing a risk to their overall health.

Security risks

Most senior executives believe that it is nearly impossible to identify old data, its ownership and what it contains. This exposes companies to serious security risks. Hackers are always looking for ways to penetrate company data. The more information companies hold, in a multitude of places, the more vectors there are for hackers to exploit.

Large volumes of unnecessary or stale data increase an organisation’s attack surface because hackers are not picky regarding which data they steal. Businesses are less likely to have good visibility or access monitoring capabilities set up for old data – meaning it can take much longer before IT teams identify vulnerabilities or non-compliant data management.

Breaches of the GDPR also place huge strain on compliance. The EU can levy huge penalties on companies that flout the regulations. A fine of more than €14m was recently issued to a German company for failing to abide by the principle of Privacy by Design. The fine was the largest in German history, where data policies are particularly strict. The company used an archive system that was not able to remove redundant or out-of-date data that was no longer required.

Most IT teams are over-stretched and focused on priorities other than security or data governance. They have a limited ability to apply proper policy enforcement, so many rely on end-users to manage their files correctly. But the reality is that most users do not spend any time sorting or managing their data and often keep documents or data “just in case” it will be useful at a later date. The problem is compounded when an employee changes role and no one is managing their data any more.

Therefore, when a GDPR request is submitted, the company responds with old data, hoping unstructured files are never exposed. It’s hardly a comprehensive approach to looking after partner and customer data.

Compliance and good practice

Most companies would like to improve the quality of their data diet, both as good business practice and to improve their compliance. However, this is easier said than done. How do you know who owns the data? When was data last accessed? What data do the files contain? Are there any “gems” of information that can benefit the company?

So much data access and ownership in businesses today revolves around personal credentials and digital profiles. One approach to consider is an identity-centric security model. This can be crucial in defining the ways an organisation collects data, the types of data it collects, and the retention time of any data. The organisation also needs controls to enable the IT team to monitor that the policy has been properly implemented.

It’s critical to have tools that support this approach. An organisation must have the ability to automatically and precisely discover various types of data, especially personally identifiable or sensitive data, as well as duplicates, and to manage or delete it according to the policy requirements.

Having an identity-based programme for managing data stored in applications and files or folders is critical, especially with the second anniversary of GDPR. Only with a comprehensive identity approach will an organisation be able to establish what data is stored in the files and folders, who is accessing those files, what people are doing with those files, who is the proper owner and when they were last accessed. This increased visibility and traceability means that requests can be checked against ALL data across an organisation, whether structured or unstructured. Data traceability will be able to complete the task in less than 20 minutes, achieving full compliance with GDPR.

An effective identity approach to managing data is no longer just for large enterprises. With all this excess data, much of which is either old, unnecessary, or duplicated, organisations need to face the fact that they are already in breach of the regulations. With some organisations’ spend on data storage growing exponentially, all they are doing is subjecting themselves to a breach or a large potential fine.

For many organisations, it’s time to go on a data diet, shed those excess documents and pledge to keep the data calories off in the future. With the second anniversary of the GDPR, all organisations from SMBs to multi-nationals need a thorough approach to managing ALL their data, whether it is personally identifiable or not.

Ben Bulpett

EMEA Director

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
