How to protect your data through its lifecycle – part one
Data is crucial to an organisation's success. But the more information an organisation manages, the more risk it carries. An organisation may hoard corporate data assuming that it's better to keep it for litigation purposes or that it's cheaper and easier to store it than destroy it. More often than not, this is not the case. Most corporate data outlives its use quickly. Only a few industries need to retain data indefinitely. Once data is no longer deemed valuable, it becomes a liability, one that could expose an organisation to extreme risks.
The Radicati Group estimates that in 2021, we will be sending 320 billion emails a day, an incomprehensible amount of data. We are producing more big data than ever before and at an increasingly fast rate. Organisations should, therefore, be more aware than ever of the risks of managing data.
Digital transformation is taking hold. According to New Vantage's 2019 Big Data and AI Executive Survey, 91.6% of organisations are investing in big data and AI. Businesses today not only have tape backups and hard drives to contend with, but they also have mobile devices, memory cards and now, more than ever, virtual environments. No matter what data a company produces, managing data through its entire lifecycle is vital to ensure an organisation's security and compliance.
Below are a few recent examples of organisations failing to manage their data effectively:
In 2019, a significant privacy breach occurred in Japan where 18 hard drives used by the Kanagawa Prefectural Government to store taxpayers' data were auctioned online instead of being destroyed. Sold online by an employee of a Tokyo-based recycling company, the hard drives were meant to be securely destroyed. The data on the sold devices totalled 27 terabytes and included individuals' names, addresses, and tax payment records.
Credit card company Capital One was also hit in 2019. In this case, a hacker exposed more than 106 million credit card applications and customer accounts. The perpetrator was quickly arrested, but not before the damage was done, with investigations revealing that some of the records dated back as far as 14 years.
A study commissioned by Ontrack in partnership with data erasure specialist Blancco analysed 159 second-hand drives bought from eBay. The results were staggering: sensitive residual data was found on 42% of the drives, with 15% containing personally identifiable information including passport information, birth certificates, university papers, financial records, and photos.
The dangers of data
There are three main types of data that an organisation may store:
Customer data – This will include personally identifiable information (PII) that could help to identify a specific person, e.g. name, address, bank details, health records.
Employee data – This includes personally identifiable information regarding employees but also includes information regarding salary, performance reviews and any disciplinary records.
Corporate data – This may include sensitive information such as research and development data, merger and acquisition communications, customer lists, financial records, supply chain deals and trade secrets.
As already mentioned, the more data an organisation manages, the more risk it carries. The last few years have seen a substantial increase in cyber attacks, with the main purpose of stealing corporate data and setting a ransom for its "safe" return. In fact, the latest report by McAfee states that in the first quarter of 2019, ransomware attacks grew by 118%. And not only was there a significant rise in the number of attacks, but there were also several new ransomware families appearing – showing that cybercriminals are using more innovative techniques to cause chaos.
Organisations should consider not only the risks of data exposure but also the cost of protecting the data in the first place. The more data you have on servers, backup tapes, and mobile devices, the more investment you need to make to ensure it's secure. Cybersecurity needs to be a top priority for businesses of any size to protect themselves against the ever-evolving threat network. According to ISACA, CMMI and Infosecurity Group's "State of Enterprise Risk Management 2020" study, 53% of respondents stated that they had seen increased risk to their organisation over the last 12 months. Additionally, 29% of respondents found that cybersecurity is the most critical risk category facing enterprises today and 33% believe that information/cybersecurity risk will be the most crucial category of risk facing their organisation in the next 18-24 months.
It’s not just data security that costs
An organisation should not only be wary of the cost of cybersecurity and the potential risk of data breaches. There are also less measurable elements an organisation should consider. These include:
- The cost of procuring and maintaining data storage and backup equipment
- The cost of preserving personnel processes and software to manage short-term data storage, near-term onsite backup and long-term offsite data archiving
- The time and resources of workers who have to sift through unnecessary data to find relevant information – reduction in productivity of a workforce can cost organisations hundreds of thousands of pounds each year.
In part two of ‘How to protect your data through its lifecycle’, we’ll discuss how and why your organisation needs to put a lifecycle strategy in place.