Do You Know Your Data? The Dangers of Too Much Data and Not Cleaning House 

April, 2023 - Alexander L. Turner, CIPP/US

It is imperative that a company knows what data it holds, why it is holding it, where it holds it, and who has access to it. The old adage that information is power leads many to believe that holding on to as much data as possible is a smart institutional practice because you never know when you may need it. However, the opposite is true. The more data a company holds, especially data that it has no use for, the more at risk it is for a future data breach. Data hoarding has increased in recent years because of the low cost of storage and employees working remotely. In fact, many cloud-based data storage vendors encourage companies to keep all of their data indefinitely. Additionally, with remote work, employees may be storing company data on personal devices that are less secure.  

Data hoarding puts a company at risk because it creates a larger attack vector that is difficult to protect. This is especially true if you have forgotten what data your company is actually holding because if you do not know if you have it, then you may not know that you lost it. There are several steps a company should take to cull the amount of data it is storing and lower its risk in the event of a breach. The first thing that should be done is to catalogue all of the data that the company is holding. Then, the company should review that data and determine what data it requires and what data it no longer needs and is just holding onto. All data has a lifecycle, and data that has reached the end of that lifecycle should be discarded. The remaining data should then be categorized and segregated by sensitivity and importance. Then, the company should determine who needs to have access to each category of data, and ultimately limit access to the most sensitive data.

Once the data the company is holding is determined, the company should institute a data retention policy that outlines the lifecycle for all of the company’s data. A primary problem related to the retention of data is not necessarily how much a company is holding, but the visibility of that data. As part of the data retention policy, the company should conduct an annual review of the data it is holding in order to know exactly what data it has, and whether it is complying with its own data retention policy. These practices of data security are incorporated in CISA’s Cybersecurity Performance Goals to raise cross-sector cybersecurity. These cybersecurity goals include:


Security Benchmark




Detection of unsuccessful (automated) login attempts Low Low High
Changing default passwords Low Medium High
Mutlifactor authentication (MFA) Medium Medium High
Minimum password strength Low Low High
Separating user and privileged accounts Low Low High
Unique credentials Medium Medium Medium
Revoking credentials for departing employees Low Low Medium
Hardware and software approval process Medium Medium High
Disable macros by default Low Low Medium
Asset inventory Medium Medium High
Prohibit connection of unauthorized devices High High High
Document device configurations Medium Medium High
Log collection Medium Medium High
Secure log storage High Low High
Asset inventory Medium Medium High
Secure sensitive data Medium Medium High
Organizational cybersecurity leadership Low Low High
OT cybersecurity leadership Low Low High
Basic cybersecurity training Low Low High
OT cybersecurity training Low Low High
Improving IT and OT cybersecurity relationships Low Low Medium
Mitigating known vulnerabilities Low Medium High
Vulnerability disclosure/reporting High High Low
Deploy security.txt files Low Low High
No exploitable services on the internet Low Low High
Limit OT connections to public internet High Medium Medium
Third party validation of cybersecurity control effectiveness High High High
Vendor/supplier cybersecurity requirements Low Low High
Supply chain incident reporting Low Low High
Supply chain vulnerability disclosure Low Low High
Incident reporting Low Low High
Incident response plans Low Low High
System back ups Medium Medium High
Document network topology Medium Medium Medium
Network segmentation High High High
Detecting relevant threats and TTPs High High Medium
Email security Low Low Medium

If you need assistance in implementing CISA’s Cybersecurity Performance Goals, or developing cybersecurity policies and procedures for your company, please contact one of Spilman’s Cybersecurity Practice Group members for assistance.



Link to article


WSG Member: Please login to add your comment.