There’s a good chance that someone in your organization is hoarding data.
More likely, everyone in the company is holding on to files, emails and other bits of information they don’t need now, but think they might need someday.
Data hoarding presents a huge security risk because it creates a large attack surface that is difficult to protect. Making things even more complicated, and riskier, is the fact that most hoarded data is forgotten data.
There is so much information tucked into folders across multiple devices that the average user has no idea what is stored.
When an organization has little visibility into the data in its possession, it becomes even more vulnerable to data leaks, breaches, and both insider and external threats.
There are two primary reasons why data hoarding is a growing security risk: the low cost of storing data in the cloud and the hybrid/remote workforce.
Cloud computing makes data storage scalable and readily accessible. More than 85% of companies store some or all of their data in the cloud, according to a Blancco study. The research is based on a survey of more than 1,800 data retention and disposal decision makers.
And it is a lot of data they are keeping. Many organizations have long-standing policies to keep their data forever, said Russ Ernst, CTO with Blancco. It’s a move that many cloud providers encourage, and because cloud storage is cheap, it is easier than ever to store everything indefinitely.
In hybrid workplaces, employees depend on having data available to them wherever they are working and on whatever device they are using. Not only is more data being kept in the cloud for those purposes, but now corporate data is being stored on personal computers, phones and tablets, commingling with personal data.
This is causing an uptick in duplicate data stored on premises and in the cloud.
Policy changes
This move to a hybrid workforce has brought new attention to the need for updated policies around data security. The majority of organizations, 4 in 5, say the hybrid workforce increased the need for security training around the storage and use of data, according to a study by Code42.
“In the normal course of business, people are collecting and keeping more data,” said Joe Payne, president and CEO of Code42.
However, when people are working remotely, they aren’t following normal security protocols, and that includes keeping data that should be taken to the end of its lifecycle.
Having a lot of data isn’t the problem as much as not having visibility into what the data is. The reason companies tend to keep everything is that they don’t know what value that data will hold in the future, said Ernst.
“But there’s only a small portion of that data that has value,” said Ernst. The rest is redundant, obsolete, or trivial, but it's all kept because one day, someone might need something from one of those files.
Keeping data that lacks value isn’t necessarily a bad thing, as long as you have full visibility into everything: critical data, active data, and data in long-term storage. Organizations should have policies in place to define critical data, how to determine what data to store and for how long, and what data should be disposed of.
The greatest risk to data, however, is the employees. Many workers find destroying data abhorrent, said Payne, so they will hoard data outside the company perimeters.
“Most organizations don’t have good visibility to watch how data moves outside the company,” said Payne.
Managing data hoarding
The vast majority of data in any company is forgotten data, said Ernst. You might think you know what you have on hand, but as soon as you wade into the data lake, you discover it is a swamp filled with unknown holes of information.
To make sense of what you have, Ernst suggested starting fresh. “Enforce policies on new data; it is easier.”
Compliance regulations should also guide your policies on how to protect the data you should have on hand and how best to discover and dispose of forgotten and obsolete data.
What you keep and what you dispose of tends to be a mix of business policy, regulatory requirements, and best practices. To do this right, you need the right data lifecycle management strategy, according to Dimitri Sirota, CEO with BigID.
This is often easily managed with data retention strategies that will define what you should keep and what you should get rid of.
“Data hoarding makes it more difficult to protect your data, maintain compliance, and can exponentially increase risk,” said Sirota.
If you don’t have a way of identifying and finding the data that you have, you may have dark data, forgotten data, or shadow data, and you are adding risks that can lead to costly data breaches and other cyber incidents.