The scale of the sleeping data security risk
• Sleeping data can prove a significant security risk.
• Most companies, one way or another, let their sleeping data lie.
• Around 40% of data breaches come from insider threats.
In Part 1 of this article, we spoke to Terry Ray, SVP of Imperva, about the corporate habit of retaining every piece of data for the rest of time, on the principle that it would either be a security risk or a value risk to let any of it go.
That attitude, though, is clearly the result of poor data management strategy. If you don’t know what data you have, can’t ascribe it any inherent level of value, or don’t know who in your organization is responsible for any given piece of data, you strip the data of its corporate value. It becomes the equivalent of data fluff – something you feel you have to keep, potentially several times over, without any hope of ever using it again to drive value for the business.
There’s a clear link between data kept beyond its limit of corporate usefulness and unjustifiable cost. Data storage is not, on the whole, a cheap proposition these days, and if you have no idea how important the data you’re storing is, the human temptation is to treat everything as though it’s of maximum importance and pay the fees for long-term storage.
But Terry went beyond the cost implications. By keeping unclassified, unexamined, and potentially valueless data for too long, he said, companies were effectively paying to create their own future security risk.
We needed to know more about the mechanics of that.
THQ:
So, storing all data, unexamined and uncategorized – sure, we can see the cost implication of that. But where’s the security risk? It may be valueless, but doesn’t that mean it’s just null, rather than negative?
TR:
No.
THQ:
Oh.
TR:
Value’s not a monolithic thing, in terms of the data. There are certain pieces of information that will live on and are still valuable – to someone. Maybe not to the organization that first harvested them, but that’s not the point. There are different data buckets involved here – organizations should be saving, and securing, things like regulated data.
THQ:
Because there’s every chance those who regulate the data will at some point come knocking and need to see it?
TR:
Right. And that’s the point. If it’s regulated data, it should be secured – that’s just best practice – and it lowers the organization’s security risk. If you’re paying for security, you’re at least doing “more than nothing” to make sure your duty is done by the data. But like top-level storage, there’s a cost implication to that. You do it because it’s best practice, and because you’re fairly sure someone will want to take a look at the data some day, so you have that duty of care to the data.
But who’s going to assume the same bottom-line expense for unregulated data? How would you explain that to your board? “We also paid out a hefty sum to secure data that noooooooobody’s going to want to see, and that nobody’s looked at in years?”
THQ:
Ah.
TR:
“Ah” is right. There’s still data that’s unregulated but is critical to the functioning of the business. But if it’s critical, the chances are someone’s looking at it on a regular basis, so it identifies itself as that kind of data.
But then there’s the third kind of data. Data that’s not – at least any longer – vital to the running of the business.
That could be anything, depending on the nature of the business. Say you’re a mining company, and you’ve exhausted the potential of a particular drill site. All the data relating to that drill site gets put on the back burner, and as the business moves forward, is unlikely to be looked at on any regular basis.
But then maybe you come back to it 15 or 20 years down the road, when there’s new technology that allows you to extract even more out of the site, and suddenly that data has organizational value again.
In the meantime though, it still has potential value to someone else – maybe government organizations, maybe higher-tech, smaller operations that can make use of it.
The security risk of “valueless” data
Now, it’s important to say that these are not organizations for which stealing your historic data would be worth the time and the expense.
But if they were offered the data for free, or for a consideration that saved them from having to do, for instance, their own deep geological surveys, they’d probably jump at the prospect.
And that’s the security risk. Data that’s not vital to the everyday running of an organization has significantly reduced value to the organization. That means the organization is unlikely to pay out for the kind of security systems that protect its regulated, or its daily-use business data.
Which makes it an easy target for those who might be able to monetize that data for themselves.
And if data from within an organization gets out onto the web, then we’re off to the races. Funnily enough, the data that’s not important to an organization on a daily basis becomes much more important the moment there’s a data breach. That’s when the breach notification arrives, and suddenly there’s a world of headache and hurt, because breach notification rules don’t say “Only notify us about data that’s important to me or to you or to somebody else” – they require notification about all the data the company holds. And that becomes a problem for the organization in a very big hurry.
Unless you’ve applied consistent controls to all your data, that’s a big security risk.
THQ:
We were going to ask what the levels of risk were in terms of having valueless data hanging around, potentially for decades, but that makes sense – if you don’t know its potential value to others, you don’t have the justification to take to the board for spending the money on securing it.
TR:
Right. Also, of course, plenty of organizations out there are still working in large networks with all these sub-networks and data silos. There can’t be many organizations that would say “This network over here, it’s in the old building, and it’s just the IT department, we hide them away from everybody. Anyway, we’re a financial services organization, we’ve got the suits over here in the big, pretty building, but the old ugly building over here, let’s not put a firewall on that network. Let’s not worry about it because it’s the old network, so it doesn’t matter…”
But that’s what we’re talking about here. It’s an absurd idea on a human level, you’d never do it. But plenty of organizations do it on a data level. And that right there is your security risk.
The other thing we see is that sometimes, data’s stored in an old application, or behind an old application or an old database. It’s there for a purpose, because there’s still a part of the organization that needs access to the new data being put into that system – but it’s just a few people, or a small department, that uses it.
And all the old data is still sitting there in that system, maybe with older controls. But not many people know the security that protects it. So when new people come in, they have new ideas, and technology’s moved on, and so things get changed – and nobody bothers about the old data, because there’s no reason to disturb it.
But it’s still there.
It’s a security risk that they deem to be acceptable.
We did a study from 2019 to 2022, and we looked at 99,000 security breaches. Now, a breach can be a really small loss – a couple of records, an email sent to the wrong person. The ICO in the UK said “Hey, these are all the breaches that happened.” We went in and studied them, and the number of records that were taken in that three-year period… care to take a guess?
THQ:
Let’s not be unnecessarily silly.
TR:
Around 200 million records, taken. In the UK.
What’s the population of the UK?
THQ:
67.8 million in 2023.
TR:
So that’s at least twice the population – almost three times, in fact, since three times 67.8 million is just over 203 million. Give or take three million records.
THQ:
Ach, what are 3 million data records lost between friends…
The data threat is inside the building…
TR:
The point being that the number of records breached is almost three times the population of the UK. Now, not all of those breaches are big and meaningful, and probably, as we’ve said, not all of them were deliberate.
But they don’t need to be.
Do you want to know the top industries for data breaches?
THQ:
With a certain amount of bracing for impact, sure, hit us.
TR:
Education tops the list. Right below that is healthcare, and then you get to government. Finance is pretty low – which makes some sense, because it’s an industry that has the latest, most up-to-date data security.
THQ:
Meanwhile, chunks of the country’s critical national infrastructure are subject to this level of security risk.
TR:
And most people think the threat comes from outside – that’s the model we have in our heads, the attacker from without.
THQ:
We’re human beings, we love a good narrative of persecution from The Other. You may have noticed…
TR:
Ha. Yeah. But in this study, 40% of the breaches were insider threats. Insider threat does not mean Edward Snowden is inside your systems. It’s probably Terry from Accounts, who wasn’t really thinking and sent an email with an Excel spreadsheet to somebody he wasn’t supposed to. Or maybe Terry clicked on the wrong link that said “Free Oracle Training”… and it was ransomware.
There are a thousand different ways these breaches could happen. But the fact is, your firewall’s out front and a lot of the controls that organizations really rely on for the security of the infrastructure and the endpoints are pointing in the wrong direction.
And, more importantly, they’re not the right technology when it comes to protecting your data.
The real cost of data breaches
In Part 3 of this article, we’ll take a look at what the right technology might be to protect your company from becoming one among the hundreds of millions of data breach statistics.