Post a comment
Print articleDo You Know Your Data? The Dangers of Too Much Data and Not Cleaning House
April, 2023 - Alexander L. Turner, CIPP/US
It is imperative that a company knows what data it holds, why it is holding it, where it holds it, and who has access to it. The old adage that information is power leads many to believe that holding on to as much data as possible is a smart institutional practice because you never know when you may need it. However, the opposite is true. The more data a company holds, especially data that it has no use for, the more at risk it is for a future data breach. Data hoarding has increased in recent years because of the low cost of storage and employees working remotely. In fact, many cloud-based data storage vendors encourage companies to keep all of their data indefinitely. Additionally, with remote work, employees may be storing company data on personal devices that are less secure.
Data hoarding puts a company at risk because it creates a larger attack vector that is difficult to protect. This is especially true if you have forgotten what data your company is actually holding because if you do not know if you have it, then you may not know that you lost it. There are several steps a company should take to cull the amount of data it is storing and lower its risk in the event of a breach. The first thing that should be done is to catalogue all of the data that the company is holding. Then, the company should review that data and determine what data it requires and what data it no longer needs and is just holding onto. All data has a lifecycle, and data that has reached the end of that lifecycle should be discarded. The remaining data should then be categorized and segregated by sensitivity and importance. Then, the company should determine who needs to have access to each category of data, and ultimately limit access to the most sensitive data.
Once the data the company is holding is determined, the company should institute a data retention policy that outlines the lifecycle for all of the company’s data. A primary problem related to the retention of data is not necessarily how much a company is holding, but the visibility of that data. As part of the data retention policy, the company should conduct an annual review of the data it is holding in order to know exactly what data it has, and whether it is complying with its own data retention policy. These practices of data security are incorporated in CISA’s Cybersecurity Performance Goals to raise cross-sector cybersecurity. These cybersecurity goals include:
Security Benchmark |
Cost |
Complexity |
Impact |
| Detection of unsuccessful (automated) login attempts | Low | Low | High |
| Changing default passwords | Low | Medium | High |
| Mutlifactor authentication (MFA) | Medium | Medium | High |
| Minimum password strength | Low | Low | High |
| Separating user and privileged accounts | Low | Low | High |
| Unique credentials | Medium | Medium | Medium |
| Revoking credentials for departing employees | Low | Low | Medium |
| Hardware and software approval process | Medium | Medium | High |
| Disable macros by default | Low | Low | Medium |
| Asset inventory | Medium | Medium | High |
| Prohibit connection of unauthorized devices | High | High | High |
| Document device configurations | Medium | Medium | High |
| Log collection | Medium | Medium | High |
| Secure log storage | High | Low | High |
| Asset inventory | Medium | Medium | High |
| Secure sensitive data | Medium | Medium | High |
| Organizational cybersecurity leadership | Low | Low | High |
| OT cybersecurity leadership | Low | Low | High |
| Basic cybersecurity training | Low | Low | High |
| OT cybersecurity training | Low | Low | High |
| Improving IT and OT cybersecurity relationships | Low | Low | Medium |
| Mitigating known vulnerabilities | Low | Medium | High |
| Vulnerability disclosure/reporting | High | High | Low |
| Deploy security.txt files | Low | Low | High |
| No exploitable services on the internet | Low | Low | High |
| Limit OT connections to public internet | High | Medium | Medium |
| Third party validation of cybersecurity control effectiveness | High | High | High |
| Vendor/supplier cybersecurity requirements | Low | Low | High |
| Supply chain incident reporting | Low | Low | High |
| Supply chain vulnerability disclosure | Low | Low | High |
| Incident reporting | Low | Low | High |
| Incident response plans | Low | Low | High |
| System back ups | Medium | Medium | High |
| Document network topology | Medium | Medium | Medium |
| Network segmentation | High | High | High |
| Detecting relevant threats and TTPs | High | High | Medium |
| Email security | Low | Low | Medium |
If you need assistance in implementing CISA’s Cybersecurity Performance Goals, or developing cybersecurity policies and procedures for your company, please contact one of Spilman’s Cybersecurity Practice Group members for assistance.
Link to article
