Business Data Hoarding Creates Cybersecurity Vulnerabilities

Businesses' habit of storing excessive, unneeded data, known as "data hoarding," is ripe for exploitation by cybercriminals, according to cybersecurity expert Tim Ayling, Vice President of Cybersecurity for Europe, Middle East, and Africa at Imperva. Ayling highlights that approximately two-thirds of the data stored by businesses is unnecessary and should be deleted. Data hoarding not only exposes businesses to cyberattacks but also leads to higher storage costs. Companies tend to prioritize sensitive data while neglecting non-sensitive information on their systems, such as old emails. Ayling emphasizes that disregarding this data can be a costly mistake: data that may seem irrelevant to a company can be valuable to malicious actors.

One significant consequence of data hoarding is that the more data a business retains, the broader its attack surface becomes, providing hackers with multiple avenues to infiltrate an organization's computer systems. In essence, "it's like having a bigger (soccer) goal to attack," Ayling explains. This larger attack surface increases the likelihood that hackers can find an entry point, potentially leading to more extensive data breaches.

Ayling underscores the importance of tackling this issue, stating, "It's a little bit like clearing out the loft. If you can't see what's there, you don't know what you're keeping, and that can be a risk."

Therefore, it's essential for organizations to adopt a more vigilant approach to data management.

Addressing this issue requires a multi-faceted approach. Companies must start by identifying data protection and storage regulations applicable to their operations based on location, size, and the types of data collected. Ayling emphasizes the significance of adhering to these regulations, stating, "Regulators are taking a dim view of companies that hoard data."

The next step is locating data throughout a company's systems, a task that can be challenging due to the distributed nature of data storage. The COVID-19 pandemic exacerbated this challenge as remote work became more common. Messaging apps and cloud storage contributed to this data sprawl, and many businesses mistakenly assume that cloud providers handle security comprehensively, which is often not the case. Additionally, during the pandemic, security concerns were often sidelined as companies focused on crisis management.

Once data discovery is complete, the next step is classifying data by risk and determining the level of protection required. Organizations should prioritize securing their most critical data assets, adding enhanced protection to their "crown jewels." Employees across the organization must receive training on how to handle data securely.

However, the work doesn't end there. Companies must establish policies for regular data review and deletion to avoid falling back into the cycle of data hoarding. The commitment to these policies, including practices like deleting emails every three to six months, requires support from the C-suite and senior management. This level of commitment is essential, as regulators may not be lenient with companies that face data breaches and can't account for their data management practices.

In summary, data hoarding is a significant cybersecurity risk for businesses. Tackling this issue requires comprehensive efforts, including regulatory compliance, data discovery, classification by risk, enhanced security for critical data, employee training, and regular data review and deletion policies, all of which should have strong support from senior leadership.


