While most enterprises have made ongoing investments in their tech infrastructure and processes to wring out vulnerabilities, many organisations are unknowingly clinging to a habit that’s quietly undermining their security posture: hoarding redundant, obsolete, and trivial (ROT) data.
This forgotten clutter, scattered across servers, cloud drives, and legacy systems, serves no business purpose. It does, however, do some other things exceptionally well: it expands the attack surface available to cybercriminals and creates governance problems. Stockpiling data with no regard to whether it is actually needed also balloons storage costs.
If enterprises want to avoid a sprawling digital footprint that increases risk on multiple fronts, they need to understand the psychological and operational barriers that make organisations reluctant to dispose of ROT data, and then address those barriers head-on with a robust data governance strategy.
Why We Keep What We Don’t Need
The persistence of ROT isn’t just a technical oversight—it’s a behavioural one. Across industries, employees resist deleting files, even when they have long outlived their usefulness. The rationale is familiar: “I might need this someday.” While understandable on an individual level, that mindset becomes a liability when scaled across an enterprise.
Consider the legal sector. After a case is closed, lawyers often retain drafts, templates, and notes, not because they are required to, but because it is easier than starting from scratch next time. This instinct to preserve "just in case" is universal. Marketing teams hold onto outdated campaign assets. Finance departments archive spreadsheets from long-closed quarters. HR teams keep onboarding documents for employees who left years ago. And it is not only outdated documents that linger, but duplicate copies of them, often with newer timestamps that disguise how old the content really is.
The cumulative effect is staggering: ROT data multiplies, often containing sensitive information that should have been purged years ago.
Outdated perceptions of storage further reinforce this behaviour. In the days of on-prem infrastructure, IT teams had to monitor capacity closely. But with the rise of cloud services, many users now assume storage is infinite. It’s not. Enterprises routinely pay per gigabyte, month after month, for data that’s decades old and entirely irrelevant.
And unlike physical clutter, digital ROT is invisible. There’s no overflowing cabinet or dusty archive to signal excess. It accumulates quietly, tucked away in nested folders and forgotten drives – until it becomes a problem.
ROT As a Security Liability
Beyond cost and clutter, ROT data poses a serious risk from a cybersecurity and governance standpoint. Every unnecessary file is a potential liability, especially if it contains personal or regulated information: it has to be protected, access-controlled and monitored like any other data, and if it is breached it triggers the same notification duties and regulatory exposure as live data. The more data you retain, the more attractive your systems become to attackers and the more likely you are to run afoul of data privacy regulations or mandates, including the storage-limitation requirements of regimes such as GDPR.
It’s a stark reminder: what you keep can hurt you. Even smaller incidents – like phishing attacks that exploit outdated employee records or ransomware targeting legacy systems – can trace their success to ROT. In many cases, attackers aren’t breaching your newest systems or most recent files; they’re exploiting the forgotten corners of your digital estate.
From Policy to Practice
Solving the ROT problem starts with understanding what data the enterprise possesses and establishing clear, enforceable retention policies. Organisations must classify the data they hold, define how long each class should be kept, and specify when and how it should be securely disposed of. These policies should not be buried in the depths of the company intranet; they should be visible, actionable, and reinforced through training and communication.
But policy alone isn’t enough. For many users, the idea of manually reviewing years of accumulated files is overwhelming. That’s where technology steps in.
Artificial intelligence can dramatically streamline the process of identifying and classifying ROT data. In centralised environments like document management systems (DMS), AI can scan repositories and flag documents that exceed retention thresholds, say, anything older than 7 or 10 years. Note that the age should be taken from the document's own metadata or content wherever possible: file-system timestamps are routinely reset by migrations and copies, so a 2012 spreadsheet copied to a new share in 2019 will look seven years younger than it is.
More importantly, AI can distinguish between document types. Is it a vendor contract? A real estate lease? A will? That last example matters: in many jurisdictions, wills must be retained for up to 99 years, whereas other documents might be safe to dispose of once they are older than 10 years. Blanket deletion policies will not cut it: context matters, and so do exceptions such as litigation holds, which must override any age-based rule.
AI can also detect personal or regulated data that is being kept longer than its legal basis or retention schedule allows, for example under GDPR's storage-limitation principle, HIPAA, or FINRA record-keeping rules. By surfacing these risks proactively, organisations can avoid costly fines and reputational damage.
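As an added illustration (not code from the article or from iManage), here is a small Python retention-triage routine run over a constructed set of document records. It assumes the document type has already been assigned by an upstream classifier (AI or human), uses an illustrative retention table (the 7-, 10- and 99-year figures echo the text above; the shorter periods are placeholders, not a real schedule), adds a hypothetical legal-hold flag that overrides age-based disposal, and also catches byte-identical duplicates by hashing content, since a redundant copy is ROT whatever its timestamp says.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Illustrative retention schedule in years. The 7-, 10- and 99-year figures
# echo the article; the others are placeholders, not legal advice.
RETENTION_YEARS: Dict[str, int] = {
    "vendor_contract": 10,
    "lease": 10,
    "will": 99,
    "campaign_asset": 3,
    "onboarding_form": 7,
}
DEFAULT_RETENTION_YEARS = 7  # used when the classifier returned an unknown type


@dataclass
class Document:
    path: str
    doc_type: str        # assumed to come from an upstream (AI or manual) classifier
    last_modified: date  # should come from document metadata, not filesystem mtime
    content: bytes
    legal_hold: bool = False  # hypothetical flag: never dispose while True


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 February clamps to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(doc: Document) -> date:
    """Earliest date on which the document may be disposed of, by type."""
    years = RETENTION_YEARS.get(doc.doc_type, DEFAULT_RETENTION_YEARS)
    return add_years(doc.last_modified, years)


def content_fingerprint(content: bytes) -> str:
    """SHA-256 of the bytes: identical copies match regardless of path or name."""
    return hashlib.sha256(content).hexdigest()


def triage(docs: List[Document], today: date) -> Tuple[List[str], List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split a corpus into (disposable, duplicates, retained).

    disposable: past the retention deadline for their type and not on hold
    duplicates: (copy, canonical) pairs with byte-identical content
    retained:   (path, reason) pairs kept because of a hold or unexpired retention
    """
    seen: Dict[str, str] = {}
    disposable: List[str] = []
    duplicates: List[Tuple[str, str]] = []
    retained: List[Tuple[str, str]] = []
    for doc in docs:
        fp = content_fingerprint(doc.content)
        if fp in seen:
            # Redundant copies are ROT regardless of age; the first seen is canonical.
            duplicates.append((doc.path, seen[fp]))
            continue
        seen[fp] = doc.path
        if doc.legal_hold:
            retained.append((doc.path, "legal hold"))
        elif retention_deadline(doc) <= today:
            disposable.append(doc.path)
        else:
            retained.append((doc.path, f"retain until {retention_deadline(doc).isoformat()}"))
    return disposable, duplicates, retained


# Constructed sample corpus (paths and contents are invented).
SAMPLE_DOCS: List[Document] = [
    Document("/finance/q3-2012.xlsx", "spreadsheet", date(2012, 10, 5), b"Q3 2012 revenue figures"),
    # Same bytes copied to a share in 2019: the newer mtime hides its real age.
    Document("/shared/copy of q3-2012.xlsx", "spreadsheet", date(2019, 4, 1), b"Q3 2012 revenue figures"),
    Document("/legal/smith-will.pdf", "will", date(2001, 3, 12), b"last will and testament"),
    Document("/legal/acme-lease.pdf", "lease", date(2013, 1, 20), b"office lease", legal_hold=True),
    Document("/hr/onboarding-jdoe.docx", "onboarding_form", date(2016, 2, 29), b"onboarding checklist"),
    Document("/marketing/spring-campaign.psd", "campaign_asset", date(2024, 1, 10), b"campaign artwork"),
    Document("/legal/acme-contract.pdf", "vendor_contract", date(2015, 6, 1), b"master services agreement"),
]
AS_OF = date(2025, 6, 1)  # fixed "today" so the run is reproducible


def triage_sample() -> Tuple[List[str], List[Tuple[str, str]], List[Tuple[str, str]]]:
    return triage(SAMPLE_DOCS, AS_OF)


if __name__ == "__main__":
    disposable, duplicates, retained = triage_sample()
    print("dispose:", disposable)
    print("duplicates:", duplicates)
    print("retain:", retained)
```

The output of a tool like this should feed a review queue, not a delete command: the disposal step itself belongs under change control, with the classification and the deadline recorded alongside each purge so the decision can be defended later.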
Keep ROT From Taking Root
Managing ROT isn’t just about minimising risk but maximising operational efficiency. Strategic data governance helps organisations reduce risk, improve compliance, and focus resources on the data that actually matters to the company.
Getting to this stage is relatively straightforward: understand what data exists within the organisation, classify data by document type, define retention policies, communicate them effectively, and deploy intelligent tools to automate enforcement. Once organisations shift away from a hoarding mindset towards an intentional stewardship approach, they will position themselves for ongoing, sustainable success in today’s fast-evolving business landscape.
ROT will always try to creep back in – but with effective data governance practices, it doesn’t have to take root.
Manuel Sanchez is Information Security & Compliance Specialist at iManage with extensive professional experience in information security, governance, and compliance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.