It is imperative that a company knows what data it holds, why it is holding it, where it holds it, and who has access to it. The old adage that information is power leads many to believe that holding on to as much data as possible is a smart institutional practice, because you never know when you may need it. However, the opposite is true. The more data a company holds, especially data it has no use for, the more exposed it is to a future data breach. Data hoarding has increased in recent years because of the low cost of storage and the rise of remote work. In fact, many cloud-based data storage vendors encourage companies to keep all of their data indefinitely. Additionally, with remote work, employees may be storing company data on personal devices that are less secure than managed corporate systems.
Data hoarding puts a company at risk because it creates a larger attack surface that is difficult to protect. This is especially true if you have forgotten what data your company is actually holding: if you do not know that you have it, you may not know that you have lost it. There are several steps a company should take to cull the amount of data it is storing and lower its risk in the event of a breach. The first step is to catalogue all of the data the company is holding. Next, the company should review that data and determine which data it requires and which data it no longer needs and is simply holding onto. All data has a lifecycle, and data that has reached the end of that lifecycle should be discarded. The remaining data should then be categorized and segregated by sensitivity and importance. Finally, the company should determine who needs access to each category of data, and limit access to the most sensitive data accordingly.
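The catalogue, review, classify and limit-access steps above, together with the retention-policy review described in the next paragraph, can be turned into a repeatable check rather than a one-off exercise. The following Python script is an added example, not code from the original article or from any vendor: it runs over a small constructed data inventory (the asset names, locations, sensitivity levels, retention periods and access groups are all made up for illustration) and reports assets that have passed the end of their retention period, assets with no recorded business purpose, sensitive assets shared with more groups than the assumed policy allows, and assets stored outside approved locations. The per-sensitivity group limits and the approved location prefixes are assumptions that a real policy would define.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DataAsset:
    """One entry in the data catalogue."""
    name: str
    location: str
    purpose: str          # why the company holds it; empty string means no known use
    sensitivity: str      # "public", "internal", "confidential" or "restricted"
    created: date
    retention_days: int   # lifecycle length assigned by the retention policy
    access: set = field(default_factory=set)  # groups with access


# Assumed policy: how many groups may hold access at each sensitivity level.
# None means the policy sets no numeric limit for that level.
MAX_ACCESS_GROUPS = {
    "public": None,
    "internal": None,
    "confidential": 3,
    "restricted": 1,
}

# Assumed policy: storage locations that are approved for company data.
APPROVED_LOCATIONS = ("s3://corp-",)

# Constructed sample inventory (not real data) and the date of this review.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    DataAsset("customer_orders", "s3://corp-prod/orders", "order fulfilment",
              "confidential", date(2024, 1, 10), 730, {"sales", "finance"}),
    DataAsset("2019_marketing_export", "s3://corp-archive/mkt2019", "",
              "internal", date(2019, 3, 1), 365, {"marketing"}),
    DataAsset("payroll_2023", "C:/Users/jsmith/Desktop/payroll.xlsx", "payroll processing",
              "restricted", date(2023, 2, 1), 2555, {"hr", "finance", "it"}),
    DataAsset("press_releases", "s3://corp-public/press", "public relations",
              "public", date(2020, 1, 15), 3650, {"everyone"}),
]


def expired_assets(inventory, today):
    """Assets whose retention period ended on or before `today`; candidates for disposal."""
    return [a for a in inventory
            if a.created + timedelta(days=a.retention_days) <= today]


def unused_assets(inventory):
    """Assets with no documented purpose: the company cannot say why it holds them."""
    return [a for a in inventory if not a.purpose.strip()]


def over_shared_assets(inventory, limits=MAX_ACCESS_GROUPS):
    """Assets whose access list exceeds the group limit for their sensitivity."""
    flagged = []
    for a in inventory:
        limit = limits.get(a.sensitivity)
        if limit is not None and len(a.access) > limit:
            flagged.append(a)
    return flagged


def off_policy_assets(inventory, approved=APPROVED_LOCATIONS):
    """Assets stored somewhere other than an approved location (e.g. a personal device)."""
    return [a for a in inventory if not a.location.startswith(approved)]


def review_report(inventory, today, approved=APPROVED_LOCATIONS):
    """Build the annual-review findings as sorted lists of asset names per category."""
    return {
        "expired": sorted(a.name for a in expired_assets(inventory, today)),
        "no_purpose": sorted(a.name for a in unused_assets(inventory)),
        "over_shared": sorted(a.name for a in over_shared_assets(inventory)),
        "off_policy_location": sorted(a.name for a in off_policy_assets(inventory, approved)),
    }


if __name__ == "__main__":
    for finding, names in review_report(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{finding}: {names or 'none'}")
```

Run against the constructed inventory, the report flags the 2019 marketing export as both expired and purposeless (disposal candidate), and the payroll spreadsheet as both over-shared for a restricted asset and stored on a personal device. Feeding the same function a real catalogue, exported from whatever inventory tool the company uses, gives the annual review a concrete list to act on.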
Once the company has determined what data it is holding, it should institute a data retention policy that defines the lifecycle of all of the company’s data. A primary problem related to data retention is not necessarily how much data a company is holding, but how little visibility it has into that data. As part of the data retention policy, the company should conduct an annual review of the data it is holding, so that it knows exactly what data it has and whether it is complying with its own data retention policy. These data security practices are incorporated in CISA’s Cybersecurity Performance Goals to raise cross-sector cybersecurity. These cybersecurity goals include: