Three steps to identifying and mitigating data retention risk

AvePoint AU pty Ltd

By Max McNamara, Director of Solution Engineering, AvePoint
Thursday, 08 December, 2022


Millions of Australians have had their privacy breached in the recent cyber attacks against Optus and Medibank, creating significant financial and reputational risk for these household brands. While these and subsequent incidents were instigated by external malicious actors, it is important to take a step back and recognise that a key reason the impact and media coverage were so large is that these trusted organisations had limited visibility into both the type of data and the associated sensitive information they have stored, in some cases, for generations.

It is now obvious that these high-profile cyber incidents have been a much-needed wake-up call for Australian executives and company boards. Unfortunately, they are just the tip of the iceberg, as petabytes of hacked data are traded online every day. No business or industry is exempt from cyber risk. However, there are simple actions every business or government agency should take to understand the data it stores and mitigate the associated risk of data retention.

Step 1 — Discovery: Understand your data and where your greatest risks lie

The seemingly obvious Discovery stage is often overlooked and undervalued by executives. As recent high-profile breaches have proven, it’s still common for organisations to lack even a basic understanding of their own data: both where it is and what it is. Without this knowledge, organisations can’t even start to appropriately govern or control their data (which is really our data). Instead, most organisations take the path of least resistance and hold onto everything.

An effective Discovery phase involves asking questions that help establish where data resides, what data is being retained, how sensitive it is, whether it needs to be retained at all, whether only parts of a record need to be retained and, importantly, what does not need to be retained and should be disposed of or redacted. This can be a very challenging process, particularly for companies using legacy systems and holding customer data that may have been collected decades ago without any context.

Take the example of an application to a government agency to illustrate the complexity of the Discovery stage. When applying for a government service, such as a Medicare card, an international driver’s licence or a JobSeeker Payment, applicants are required to share personal, sensitive information. This would include passport number, bank account details, bank records, headshot photos, current and past residential addresses, and more.

For both the applicant and the government agency, it is likely this information is only required for the application process, and perhaps for a few months post-application for verification purposes. However, without a thorough information management strategy, personal data will likely be stored for far longer than necessary, if not in perpetuity. That means data that can identify an individual is sitting with a third party that must be relied on to protect that individual’s anonymity.

Step 2 — Classification: Classify your data accurately to take proportionate action

Once the organisation understands where its data is located and what data exists, it then needs to classify it and determine what information does and does not need to be retained. It is impossible to identify and tag content manually at scale. Automation tools ensure data is classified and tagged accurately, allowing for easy reviews and updates over time. Importantly, the classification of data is the input that determines what action an organisation takes on that data as the output.

Classification tags should be applied based on legislation, sensitivity risk and business rules. Actions triggered based on classification will be proportionate to the level of risk associated with the data. For example, an organisation may deem that passport numbers required from customers be reviewed every three months and disposed of (or redacted) six months after capture, compared to names and dates of birth, which may be reviewed annually, but retained while an individual remains a customer.

Every business and customer data set is unique. The classification and associated actions should be tailored to the nature of the data and the requirements of the organisation. However, best practice is to conduct reviews of your classifications and the associated actions triggered at least annually.

Step 3 — Proceed with confidence: Enforce automated actions to stay compliant with information management policy and regulations

Once an organisation understands its data, accurately classifies it and takes action proportionately, data retention decisions are managed automatically. No organisation likes deleting data, so it is important to recognise that automated actions are not limited to ‘automatic deletion’. Organisations must build business process workflows that include human intervention, encrypted archiving, redaction and/or deletion, as necessary.
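The rule-driven retention described in Steps 2 and 3 can be expressed as a small policy engine. The example below is added here and is not AvePoint’s code; it encodes the article’s own illustration (passport numbers reviewed every three months and redacted six months after capture; names and dates of birth reviewed annually and kept while the person remains a customer) and adds two assumed actions, ‘archive’ for data of former customers and ‘escalate’ for untagged data, so that nothing is deleted silently.

```python
from dataclasses import dataclass
from datetime import date

# Constructed rule table mirroring the article's example. Periods are in days;
# a dispose_days of None means "keep while the person remains a customer".
RULES = {
    "passport_number": dict(review_days=90, dispose_days=180, dispose_action="redact"),
    "name":            dict(review_days=365, dispose_days=None, dispose_action=None),
    "date_of_birth":   dict(review_days=365, dispose_days=None, dispose_action=None),
}

@dataclass
class Field:
    record_id: str
    classification: str   # tag applied by the classification step
    captured: date
    last_reviewed: date
    active_customer: bool = True

def decide(field: Field, today: date) -> str:
    """Return the retention action the classification tag triggers."""
    rule = RULES.get(field.classification)
    if rule is None:
        # Untagged or unknown data goes to a human: never silently deleted.
        return "escalate"
    age_days = (today - field.captured).days
    if rule["dispose_days"] is not None and age_days >= rule["dispose_days"]:
        return rule["dispose_action"]
    if rule["dispose_days"] is None and not field.active_customer:
        # Assumed action: move to encrypted archive once the relationship ends.
        return "archive"
    if (today - field.last_reviewed).days >= rule["review_days"]:
        return "review"
    return "retain"

def plan(fields, today: date) -> dict:
    """Map each record id to its action so the workflow can queue it."""
    return {f.record_id: decide(f, today) for f in fields}

# Constructed sample inventory, as the discovery step might produce it.
TODAY = date(2022, 12, 8)
SAMPLE = [
    Field("app-1001", "passport_number", date(2022, 5, 1), date(2022, 5, 1)),
    Field("app-1002", "passport_number", date(2022, 8, 1), date(2022, 8, 1)),
    Field("cust-77", "name", date(2015, 3, 1), date(2022, 6, 1)),
    Field("cust-78", "date_of_birth", date(2019, 1, 9), date(2022, 1, 9), active_customer=False),
    Field("cust-79", "bank_statement", date(2020, 2, 2), date(2020, 2, 2)),
]
```

Running `plan(SAMPLE, TODAY)` yields one action per record; the unknown `bank_statement` tag is escalated rather than acted on, which is the human-intervention path the article calls for.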

Organisations need to start somewhere. Often this is with the ‘lowest hanging fruit’. Regardless of the significance of the executed actions, retaining less consumer data, particularly data classified as sensitive, is a step in the right direction. With less data comes less risk. Less risk for the organisation, and less risk for customers.

In recent years, the narrative of “data is the new currency” has become pervasive. However, if recent cyber incidents have taught executives and boards anything, it is that the wrong data can be a liability on their company balance sheet.

The more proactive organisations are in understanding, classifying, managing and actioning their data appropriately, the better chance they have of also managing their ongoing data liability.

Technology continues to change our lives, but with change comes risk. New business systems and communication channels are introduced into organisations every day. Whether data is captured and stored in legacy on-premises systems or into modern cloud-based platforms, executives and boards are now realising that visibility and control over data is non-negotiable. Start with this three-step process and ensure it is adjusted and updated to meet your organisation’s specific needs to stay a step ahead.
