What is Your Data Exposure Risk?

What would happen within your organization if it were faced with the unenviable process of e-discovery? Calm, quick assembly of relevant information, or pure chaos? My guess is that it would lean heavily towards the latter; in fact, many companies are opting to settle out of court rather than deal with the resourcing and financial hardships that come with the process of e-discovery.

Why? Because companies are sitting on huge piles of data; sure, much of it is relevant business information, but I’d wager that a large percentage is ROT (redundant, outdated, and trivial). This type of data comes from the many versions of files created but never deleted, documents left behind by employees who have long since left the company, and the myriad files which were once useful but have long since passed their shelf life (marketing campaigns from 6 years ago, anyone?).

E-discovery may be one of the larger liabilities associated with your data, but there are certainly other immediate realities to consider as well. First, while storage may be cheaper by the GB than it was in days gone by, we need far more of it than we ever did, which increases IT’s capital and operational costs. Additionally, if you have a mountain of data, it is easy for the sensitive information to get buried, increasing the potential exposure risk should your data be breached.

So how much are we really talking about? Well, Gartner estimates that about 70% of your unstructured data is ROT. This really creates two buckets of problems: the first is all the issues raised above, and the second is the real risk that you’re not able to apply appropriate focus to the other 30%, which may contain your most highly sensitive information.

Now, I can hear you musing “yeah, but we can’t get rid of that data – what if we need it one day?”. Chances are you won’t. I was recently at a Gartner Security Summit where one of the analysts presented a case study about data ROT. One organization he had come across had a few people extremely opposed to getting rid of data, so they came up with a compromise. All the data determined to be ROT was moved to a specific area on the network to which only a select few were granted access; anyone who wanted a file had to ask these people. This way, they could track the demand and use of these files. The result? In two years, one person asked for one file. That’s a lot of risk to carry for so little return.

What are your options then? Certainly you can’t go and blindly delete a bunch of files. What you can do though is apply the standard risk management approach and begin identifying your risk. You can achieve this by discovering and identifying your data – what data do you have, what is its business value, where is it, who has access to it, is it redundant, is it obsolete – and then classifying it based on these factors. For example, you might choose to mark anything that hasn’t been accessed or modified in over a year as obsolete and move it to a specific folder for further action; or classify files with PII, PCI, PHI or IP as highly sensitive (you may also choose to encrypt certain types of data). Once your data has been scanned, analyzed, and appropriately acted upon, you can then make decisions as to what to do with it, in essence putting into motion your defensible deletion or archiving and retention strategies.
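One way to implement the discovery and classification step described above, as an added example that is not part of the original post: it walks a directory tree, marks files whose access and modification times are both over a year old as obsolete, and labels content matching constructed PII (US SSN shape) and PCI (Luhn-valid 16-digit number) patterns. The patterns, the one-year threshold and all function names are assumptions for illustration; a real scan would use a vetted DLP ruleset and the organization’s own retention policy.

```python
import os
import re
import time

# Constructed detection rules (assumptions for this example, not a vetted DLP ruleset).
SENSITIVE_PATTERNS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # US SSN shape
    "PCI": re.compile(r"\b(?:\d[ -]?){15}\d\b"),  # 16-digit card number shape
}
OBSOLETE_AFTER_DAYS = 365  # the post's "not accessed or modified in over a year"

def luhn_valid(candidate):
    """Luhn checksum, so random 16-digit strings are not flagged as card numbers."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(candidate) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_text(text):
    """Sensitivity labels found in a file body; PCI hits must also pass Luhn."""
    labels = []
    for label, pattern in SENSITIVE_PATTERNS.items():
        hits = (m.group() for m in pattern.finditer(text))
        if any(label != "PCI" or luhn_valid(h) for h in hits):
            labels.append(label)
    return labels

def is_obsolete(last_used, now):
    # True when the file has neither been read nor changed in over a year.
    return (now - last_used) / 86400 > OBSOLETE_AFTER_DAYS

def classify_file(path, now):
    """Inventory record for one file: where it is, whether it is stale, what it holds."""
    st = os.stat(path)
    with open(path, "r", errors="ignore") as fh:
        labels = classify_text(fh.read())
    return {"path": path, "labels": labels,
            "obsolete": is_obsolete(max(st.st_atime, st.st_mtime), now)}

def scan_tree(root, now=None):
    """Walk a share and build the inventory the classification step needs."""
    now = time.time() if now is None else now
    return [classify_file(os.path.join(d, f), now)
            for d, _, files in os.walk(root) for f in files]

if __name__ == "__main__":
    for rec in scan_tree("."):
        if rec["obsolete"] or rec["labels"]:
            print(rec)
```

The records flagged obsolete are the candidates for the quarantine folder the post describes; the script itself moves and deletes nothing, so the decision stays with the data owner.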

It’s important to acknowledge that seizing control of your data footprint isn’t a one-time fix. Discovering, analyzing and taking action on your current data is a vital first step, but how do you make use of lessons learned? The big win comes from combining technology with corporate strategy to enable effective data management.
