Last Updated: 19th November, 2020
Data Footprint: We thrive on a data-driven ecosystem, with companies large and small gathering data for a variety of purposes, whether it be streamlining business processes, optimizing customer service, or preserving confidential information. This does not, however, come without challenges. Organizations dealing with complex data sets today are undeniably challenged to handle the data in a secure environment.
The threat from malware attacks, hackers and potential data breaches is also on the rise, especially in the last few months, where the global pandemic and ensuing lockdown forced businesses and their employees online.
Bad actors love this altered reality, with an increased attack surface to prey upon. The combined challenge of secure data management, regulatory compliance and protecting against data harm or unlawful data access is significant for any data owner or security professional.
One essential aspect of meeting this challenge is actively reducing your organization’s data footprint. There is a common mindset that all data collected is important and should be stored, but storing data beyond its intended end-of-life increases the risk of that data causing problems.
Just as important as having efficient processes to store and manage data, organizations need to codify their data retention policy, in turn actively reducing their data footprint. Data beyond retention periods, temporary copies, data processed in home offices and inadequately managed data sets are just some examples of why there needs to be an active analysis around data end-of-life.
These examples are exacerbated in our current working climate, with many organizations addressing novel issues with employees working from home and accessing sensitive data outside a core server or storage unit.
Data Footprint: Get Your Retention In Order
For any organization concerned about data security, an up-to-date data retention program should be baked into their overall data management policy. No longer are data retention programs the sole responsibility of IT departments or data specialists; they need to be understood and practiced as standard, companywide.
Regulatory compliance represents a collective goal, and best-practice data retention is an excellent route to achieving it. Of course, for organizations where the option is viable, hiring a data protection officer to handle your data management policy, including data retention, will ensure regulatory compliance. For many, however, this is not an option and the responsibility instead falls to all employees.
A comprehensive data retention program must be about more than just retention; it must cover the full data erasure process for Redundant, Obsolete, or Trivial (ROT) data to a regulatory-compliant standard, with auditable processes throughout. Of course, the crux of a data retention program is to categorize data sets into what must be retained and protected for specific periods and what must be erased.
Organizations also need to consider the legal implications of how data sets, or sensitive documents, should be categorized. What happens if sensitive data sets migrate across categories? As a file reaches the end of its required retention period, should it be reassessed or erased immediately?
These are issues which vary between organizations, and your retention policy should reflect your unique collection of data and your own data erasure process. If these issues are considered in the initial policy, they won’t cause problems in the future.
Data Footprint: Sanitize For Security
The business value of retaining data indefinitely must be weighed against the risk of losing control over it – the latter will frequently come up trumps. From a cybersecurity perspective, to state the matter plainly: information that has been appropriately and permanently erased cannot be stolen by bad actors.
Neither malware nor an attacker can recreate or retrieve properly erased data from an IT asset – even if a successful intrusion has occurred. Maintaining data security is an ongoing process and a mixture of many necessary components, but active data footprint erasure is one aspect that is essential.
Finally, it’s important to recognize that in this “new normal” remote working environment, employees’ habits will have changed, and employees working remotely may have relaxed their approach to data management. It is likely sensitive company data will be saved to a home desktop and employees will also likely be interfacing with cloud-based workspaces.
The split between local and remote storage can cause a headache for data management and security, but it’s important that organizations and employees know how to actively clean up this environment. For all data distributed between a remote workforce, comprehensive annual audits of company data, monitoring and accounting.
Education in best-practice data sanitization is key to ensuring these modern workspaces do not lead to a leak or breach. Modern tools like remote erasure solutions should be explored: you must adapt to the new environment, or risk leaving data exposed.
So, when looking to reduce your organization’s data footprint proactively and securely, first you must define your data retention policy. This involves deciding what information must be retained (for legal, regulatory, and business purposes) and for how long, and, conversely, what data should be erased.
Second, you must track all data from creation to end-of-life with a full audit trail. This is a continuous process that cannot be neglected.
Finally, upon end-of-life or at the end of the data retention period, all data should be subject to secure and auditable data erasure. Reduce your organization’s data footprint, and you subsequently reduce the risk of a data breach, improving your overall cybersecurity.