Do You Know Your Data? The Dangers of Too Much Data and Not Cleaning House

By: Alexander L. Turner, CIPP/US

It is imperative that a company knows what data it holds, why it holds it, where it holds it, and who has access to it. The old adage that information is power leads many to believe that holding on to as much data as possible is smart institutional practice, because you never know when you may need it. The opposite is true: the more data a company holds, especially data it has no use for, the greater its exposure in a future data breach. Data hoarding has increased in recent years because of the low cost of storage and the shift to remote work. Many cloud-based storage vendors encourage companies to keep all of their data indefinitely, and with remote work, employees may be storing company data on personal devices that are less secure.

Data hoarding puts a company at risk because it creates a larger attack surface that is difficult to protect. This is especially true if you have forgotten what data your company actually holds: if you do not know you have it, you may not know that you lost it. There are several steps a company should take to cull the data it stores and lower its risk in the event of a breach. First, catalogue all of the data the company holds. Then review that data and determine what the company requires and what it no longer needs and is merely holding onto. All data has a lifecycle, and data that has reached the end of that lifecycle should be discarded. The remaining data should then be categorized and segregated by sensitivity and importance. Finally, determine who needs access to each category of data, and limit access to the most sensitive data accordingly.
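The inventory, lifecycle and access-limiting steps above can be checked mechanically once the catalogue exists. The script below is an added illustration, not from the article or from CISA: it runs a constructed data inventory against an assumed retention schedule and assumed sensitivity-to-role rules, reporting what should be discarded and which access grants exceed a category's sensitivity tier.

```python
"""Added example: review a data inventory against a retention policy and
sensitivity-based access rules (constructed sample policy, not a real one)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per data category, in days (assumed sample policy).
RETENTION_DAYS = {"hr": 7 * 365, "customer": 3 * 365, "marketing": 365, "scratch": 90}
# Roles permitted to access each sensitivity tier (assumed sample rules).
ALLOWED_ROLES = {
    "restricted": {"security", "hr-admin"},
    "confidential": {"security", "hr-admin", "analyst"},
    "internal": {"security", "hr-admin", "analyst", "staff"},
}

@dataclass
class Asset:
    name: str
    category: str
    sensitivity: str
    location: str            # where the data lives: share, bucket, laptop ...
    last_used: date
    roles: set = field(default_factory=set)   # roles currently granted access

def expired(asset: Asset, today: date) -> bool:
    """True when the asset has passed the retention lifecycle for its category."""
    limit = RETENTION_DAYS.get(asset.category)
    if limit is None:
        return True          # uncatalogued category: no documented reason to keep it
    return today - asset.last_used > timedelta(days=limit)

def over_broad_access(asset: Asset) -> set:
    """Roles holding access that the asset's sensitivity tier does not permit."""
    return asset.roles - ALLOWED_ROLES.get(asset.sensitivity, set())

def review(inventory, today):
    """Return (names to discard, {name: roles to revoke}) for the inventory."""
    discard = [a.name for a in inventory if expired(a, today)]
    revoke = {a.name: over_broad_access(a) for a in inventory
              if not expired(a, today) and over_broad_access(a)}
    return discard, revoke

SAMPLE = [   # constructed inventory for illustration only
    Asset("payroll-2015", "hr", "restricted", "fileshare", date(2016, 1, 1), {"hr-admin"}),
    Asset("crm-export", "customer", "confidential", "s3", date(2023, 6, 1), {"analyst", "staff"}),
    Asset("q3-campaign", "marketing", "internal", "laptop", date(2023, 9, 1), {"staff"}),
    Asset("old-dump", "unknown", "internal", "laptop", date(2023, 9, 1), {"staff"}),
]

def review_sample():
    """Run the review on the constructed inventory as of 2024-01-01."""
    return review(SAMPLE, date(2024, 1, 1))

if __name__ == "__main__":
    print(review_sample())
```

In practice the inventory would be exported from a data catalogue or storage scanner, and the policy tables would come from the company's own retention policy; the annual review then becomes a re-run of this check.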

Once the company has determined what data it holds, it should institute a data retention policy that defines the lifecycle for all of the company’s data. A primary problem with data retention is not necessarily how much a company holds, but how much visibility it has into that data. As part of the retention policy, the company should conduct an annual review of the data it holds to confirm exactly what it has and whether it is complying with its own policy. These data security practices are incorporated in CISA’s Cybersecurity Performance Goals, which aim to raise cybersecurity across sectors. The goals include:

| Security Benchmark | Cost | Complexity | Impact |
|---|---|---|---|
| Detection of unsuccessful (automated) login attempts | Low | Low | High |
| Changing default passwords | Low | Medium | High |
| Multifactor authentication (MFA) | Medium | Medium | High |
| Minimum password strength | Low | Low | High |
| Separating user and privileged accounts | Low | Low | High |
| Unique credentials | Medium | Medium | Medium |
| Revoking credentials for departing employees | Low | Low | Medium |
| Hardware and software approval process | Medium | Medium | High |
| Disable macros by default | Low | Low | Medium |
| Asset inventory | Medium | Medium | High |
| Prohibit connection of unauthorized devices | High | High | High |
| Document device configurations | Medium | Medium | High |
| Log collection | Medium | Medium | High |
| Secure log storage | High | Low | High |
| Secure sensitive data | Medium | Medium | High |
| Organizational cybersecurity leadership | Low | Low | High |
| OT cybersecurity leadership | Low | Low | High |
| Basic cybersecurity training | Low | Low | High |
| OT cybersecurity training | Low | Low | High |
| Improving IT and OT cybersecurity relationships | Low | Low | Medium |
| Mitigating known vulnerabilities | Low | Medium | High |
| Vulnerability disclosure/reporting | High | High | Low |
| Deploy security.txt files | Low | Low | High |
| No exploitable services on the internet | Low | Low | High |
| Limit OT connections to public internet | High | Medium | Medium |
| Third-party validation of cybersecurity control effectiveness | High | High | High |
| Vendor/supplier cybersecurity requirements | Low | Low | High |
| Supply chain incident reporting | Low | Low | High |
| Supply chain vulnerability disclosure | Low | Low | High |
| Incident reporting | Low | Low | High |
| Incident response plans | Low | Low | High |
| System backups | Medium | Medium | High |
| Document network topology | Medium | Medium | Medium |
| Network segmentation | High | High | High |
| Detecting relevant threats and TTPs | High | High | Medium |
| Email security | Low | Low | Medium |

If you need assistance in implementing CISA’s Cybersecurity Performance Goals, or developing cybersecurity policies and procedures for your company, please contact one of Spilman’s Cybersecurity Practice Group members for assistance.