Data breaches are growing more common, and more damaging. While they are often seen as a data security problem, I would argue that this lets organisations off the hook for their poor data management practices. We always ask, “how did they get in?”, but never questions like, “why does this organisation still have this sensitive data from former customers?” or “why didn’t the company know they had all of this data?” By focusing on the breach, we’re missing a much larger problem.
If organisations want to withstand a major data breach with minimal impact to their customers or stakeholders, they don’t need higher walls, they need to ensure they have control over the data they do have. The solution to surviving damaging data breaches happens before the breach occurs.
High profile data breaches continue to make headlines
We are all growing familiar with the steady drumbeat of major data breaches appearing in the news. It is no longer particularly surprising to read a news report detailing a new hack, or to receive an email from a product or service informing you that your data may have been compromised.
According to the Office of the Australian Information Commissioner (OAIC), in the period of July to December 2022, there were 497 breaches notified, a 26% increase in the number of breaches in the previous six months. Five of these were classified as major breaches affecting more than one million Australians, including the infamous Medibank and Optus hacks. The pace of these hacks shows no sign of slowing down. The recent Latitude Financial breach was the largest so far, affecting 14 million customers, many former customers or “indirect customers”, whose data was added to the company’s collection during an acquisition.
These attacks are costly for organisations, with IBM’s annual Cost of a Data Breach Report putting the average total cost of a data breach at US $4.35 million, or $164/record, an all-time high. This is to say nothing of the impact a data breach has on an organisation’s reputation and, in the case of the private sector, share price.
Why do data breaches continue to happen at scale?
According to the OAIC report, 45% of breaches resulted from cyber security incidents, a mixture of ransomware, stolen credentials, phishing and brute-force attacks.
The natural response from organisations and the media has been to suggest this is a data security problem, as if better malware protection and training employees to spot phishing attacks were the only steps needed to fully protect all your data from these attacks.
Indeed, the federal government is working on an overhaul of a cyber security plan, with plans to establish a national cyber office to lead the strategy. This is in addition to the long-awaited revamp of the Privacy Act.
To make good privacy decisions, you need to understand the data you are responsible for governing first: what data you have, where it is, and the risk it poses if it is exposed.
In my view, while these cyber security measures are important, they address only a small aspect of the problem, the core problem here is that of data management. Data security is only one way to ensure individuals’ privacy is protected. Data privacy must be addressed in the context of the entire data lifecycle, as part of a broader information management program. Higher walls are not the answer, and neither is putting the problem in the hands of the IT security team.
Large-scale data breaches continue because organisations fail to manage their data correctly and are poorly prepared to weather a breach. They collect too much data from customers and stakeholders, they fail to secure and restrict access to the most sensitive data, and they hold onto it for too long. When they conduct a merger or an acquisition, or there is a Machinery of Government (MoG) change, this data is forgotten about or ignored. When the inevitable breach happens, a far greater volume of data is exposed than necessary.
To illustrate this, let’s circle back to the Latitude Financial incident. Once the dust settled following the breach, it emerged that some of the data had been in the company’s hands for 18 years, having been added to the company’s collection following the acquisition of GE Money.
A lot of these recent examples of data breaches are based in the private sector, but I know from deep experience consulting in the public sector that similar caches of data exist across the public sector. You can’t stop a data breach, but you can minimise its impact.
Understanding your data is the first step
When companies are hit by a data breach, there is often a lag between when the initial breach is reported and when affected customers are notified. In many cases, this lag is a sign the organisation does not know the scope of the breach, including what data was accessed, and who it belongs to.
To make good privacy decisions, you need to understand the data you are responsible for governing first: what data you have, where it is, and the risk it poses if it is exposed.
You need to identify where all your data is, whether in an on-premises file share or application, or a cloud-native SaaS like Salesforce. According to one report, about 55% of the average organisation’s data is “dark data”, data that is unknown, undiscovered, unquantified, underutilised or completely untapped.
Once you have a clear idea of the systems that contain customer or stakeholder data, you need to know the sensitivity of the data they contain, and whether it contains personally identifiable information (PII), or payment card information (PCI). Armed with this knowledge, you can then secure the most critical data ahead of time, putting it in the most secure storage and restricting access.
A side-effect of doing this: you’ll be able to remove a lot of garbage data: the redundant, obsolete and trivial data clogging up your servers and applications, increasing storage costs and lowering productivity.
Then, when a breach occurs, you will be able to quickly assess the scope of the attack, and ready to target your response to those areas with the most sensitive information. This will feed into your incident response plan, and communications strategy, so you can better notify those affected of the breach and what you will do in response.
Remove what you don’t need
Let’s take a step back. Why are these breaches so impactful? Arguably, it’s because organisations are collecting too much data from individuals and keeping it for too long.
Remember, there is no exposure risk for data you don’t have. The best way to prepare for a data breach is to collect only the data you need, and to remove the data you don’t need, and aren’t legally obligated to retain, as soon as you can. A common thread running through many recent data breaches is that organisations hang on to data much longer than they should. When the breach occurs, individuals whose data should have been removed, like former customers, find themselves impacted.
It is vital organisations have proper retention schedules and disposal processes so they are removing data as soon as they are permitted, so the impact of the data breach is as small as possible. Such an approach also minimises storage costs.
Data modernisation is the key to controlling a data breach in 2023
In order to follow these steps, organisations need to establish control over their data, wherever it is kept. They need to invest in solutions that provide consistent data management and classification across their entire data estate.
Yes, by doing so they can be more prepared for a data breach but they can also gain something else: control. They can treat their data as an asset, not merely a liability.
Interested in learning more about this subject from those who have experience managing data breaches? Watch my discussion with my colleague, RecordPoint VP of engineering Josh Mason.
