If a cybercriminal breaks into your network, what will they find? Will they find medical information, credit card data, or other forms of personally identifiable information (PII) that will create a problem for your customers and employees, or do you only keep the data that you truly need? Are there decades worth of collected data, or just what you use currently to run your business?
Keeping cyberthieves out of your system is 1 part of cybersecurity, minimizing what they’ll find if they do get in is another. To paraphrase Marie Kondo, if your data doesn’t give you a tangible business benefit, get rid of it. However, if you truly do need it, make sure you’re protecting it adequately and in-line with any applicable compliance standards. This mitigates the breadth of information cybercriminals can get their hands on when they compromise your system.
This installment of the cybersecurity best practice series focuses on strategies for assessing the information within your environment and making sure you only store customer data your company absolutely needs. We’ll provide best practices for evaluating the data you do and don’t need effectively, and for securely removing unnecessary information from your environment.
Understand the Data You’re Storing
Many companies acquire data by piecemeal and without thinking about it, as a byproduct of business operations, marketing, or customer service. It’s important to step back periodically to assess the data your company is storing—either physically or virtually. Ask yourself: Do you need it? Do you use it? How much trouble would it cause for you or your customers, employees, vendors, or other stakeholders if that data were to be hacked?
Once you understand the data you store, you’ll need to evaluate the safeguards in-place to maintain its confidentiality and integrity. In today’s era of privacy and data security due diligence requirements, understanding the current state of your stored data is a critical starting point to protecting customers, partners, and employees.
Find Out if You’re Storing Unnecessary Customer Data
Technology has made it easy and inexpensive to collect all kinds of data. It’s tempting to gather as much as possible to understand your business and your customers better. However, every piece of retained data also creates a potential risk. Retaining data you no longer need, or storing data unrequired for your business or regulatory reporting, is especially dangerous. Of course, retaining obsolete or outdated data has no benefits whatsoever.
Companies that delete unnecessary data can, in general, reduce their cybersecurity risk immediately and materially. It’s important to do this right, however, because a poorly executed data purge can increase your risk.
Conducting an Assessment
The first step toward assessing data storage involves thinking broadly about the way your company collects and uses data. The National Security Agency (NSA) provides guidelines for data assessment in its “Information Assurance Technical Framework” (IATF), recommending that your team ask the following questions:
- What kind of data do we keep? What are its characteristics?
- Who uses the data and why?
- How does the data flow within our organization? Does it flow outside the company, too?
- Where does the data reside when you’re not using it? Is it on-premises or off, or a combination?
- What are the threats to this data?
- What would happen if this data were breached? What harm would it cause?
- What security services, controls, or mitigations can counter these threats?
After answering these questions, your company can create an information/data management plan, which includes data collection and retention policies.
This plan should describe in detail what kind of data should be collected for business, legal, and compliance requirements, as well as how long and where that data should be stored. Not all data needs to be kept for the same amount of time. An organization-specific data lifecycle can outline distinct phases for managing specific categories of information.
The plan should also establish a review process for identifying and removing unnecessary and/or obsolete data. It should also create a framework for inventorying and reviewing unstructured or Dark Data. Finally, recordkeeping and monitoring procedures need to be established so your company can be assured it is addressing data assessment issues regularly.
The type of data you collect and use may change over time, so it’s critical to re-assess your vulnerabilities periodically. You can set a timeline for policy review in the information/data management plan.
Paring Back to Essentials
Storing data is critical to your business, required for tax and regulatory reporting, and provides insight into what your customers want and need. However, a lot of it may be useless or outdated. A data assessment will help you separate out the good from the bad—and get rid of what you don’t need.
When you store only necessary data, you protect customers, employees, and partners from potential regulatory, civil, and criminal penalties and lawsuits. Nearly all organizations either have or will be breached, but cybercriminals can’t steal what isn’t there. By creating and maintaining an up-to-date data collection and retention policy, your company demonstrates a material level of due diligence and due care in data security.
Getting rid of unnecessary data requires some care. Physical documents and other media must be shredded or otherwise rendered unrecoverable. Digital media must be wiped or destroyed. You may need to certify and document with witness signatures the disposal of certain categories of very sensitive data, and you’ll need to ensure all virtual and backup copies of disposed data have also been destroyed.
You’ll also need to take steps to protect and preserve the data your company is keeping. Make sure data is stored securely on storage media that is appropriate for the characteristics and sensitivity of the data. Make backup copies and ensure all data and backups are encrypted (including Dark Data). Maintain storage media in environmentally and physically secure locations and limit access to these sites to only authorized personnel. You can also implement usage and modification auditing to detect and mitigate threats to data security.
Outsourcing can simplify a complex task
Many companies simply don’t have the staff, resources, and expertise to assess and manage their data effectively, even though these procedures are critical to protecting customers, employees, partners and your company itself. If that’s your company’s situation, offsite/cloud storage provides an all-in-one solution to data protection and security needs. For more information about how Armor® can help you outsource your data security and protection obligations with custom strategies for secure data management in the cloud, get in touch with us today.
Stay tuned as we continue our cybersecurity best practice series to guide you through building a top-notch cybersecurity program.