Unstructured data is a risk – are your controls fit for purpose?
The short and, dare I say, most truthful answer is probably no! The long answer probably includes soothing(?) words like, “we have a data protection and retention policy, we’re fine”. Really? It’s like throwing a dice to determine whether you have a data breach every day. Will your business accept the fine and reputational damage that will surely follow?
The data on your company’s shared drives (cloud and on-site), desktop and mobile devices is rich with personal and confidential business information, much of which is in the form of unstructured data. If it fell into the wrong hands, it could quickly be classified as a serious data breach, reportable to the regulator with potential fines and reputational damage to the company’s brand to follow! The first GDPR fine in the UK, announced just last month, was £275,000 for the high-street pharmacy chain Dispensaree. A considerable sum of money, but small in comparison to the reputational damage they’re now suffering.
The most significant sources of unstructured data are emails, spreadsheets and documents that get created and saved to network shared drives. But that’s not all. What about the work-in-progress spreadsheet of clients you are going to visit next month, the staff salary download from HR, the emergency contact details for on-call staff, the zip file of customer contracts to send to a potential buyer, and so on?
Official records and collections of information for regulatory reporting or other purposes are often in the form of unstructured data. This includes documents like business plans, board papers, product designs, commercial information, complaints and on occasion, customer data.
This type of data is hard to control and manage, which is why it quickly adds up and makes securing it challenging. Most data that employees create has a short lifespan of usefulness, but files can remain on shared drives and devices for years without being deleted. This clutters file servers and requires more and more resources to support (let alone the cost of storing it!). It’s an everyday struggle for organisations when it comes to managing and securing this data.
IDC revealed that “90% of unstructured data is never analysed, organisations are in uncharted waters when it comes to managing risk, fulfilling personal information requests under GDPR or gaining intelligence from their information.”
According to the research, 51% of respondents said that unstructured data was a security risk and 49% said it put them in danger of non-compliance.
The “my stuff” folder…
We’ve all browsed a shared drive looking for a marketing brochure that we know is in there, because “Fred” said it was. Ten layers down, you find a folder called “My Stuff”. “Eureka! That’s it!” However, you discover it contains a collection of downloads from the HR system and draft board papers advising of a corporate re-structure!
Fred created that folder 8 years ago as a work-in-progress and forgot to remove it!
But I hear you muttering… “we have trained our staff and we have a shiny new data retention policy, that wouldn’t happen here – (smug face)”.
Wake up and smell the coffee!!
Your staff create lots of unique documents, they decide who to share them with, when to share them, and where to store them. They then forget about them and, as months and then years pass, fail to track or secure them. Just like Fred!
Is it possible to remember all the documents we’ve created, who has access to them, and where they’re stored? The truthful answer is a resounding no. A lack of enforcement in how files are named, classified and kept, or more likely the lack of a document management and retention policy altogether, further compounds the issue.
It would never happen here…
I recently analysed a 2TB shared drive for a client. They have a retention policy and take great care in the management of their data. I found a large number of duplicate files, CSV downloads of client and employee data sets, 1800 ZIP files containing a mixed bag of goodies for a potential hacker and 1.1TB of JPG files! Interestingly, 800 or so of these had a created date in the future. Did they employ ‘Doctor Who’ as the photographer? But the best was the discovery that there were almost 5000 files dating back to the beginning of PC time (the computing epoch date on MS-DOS of 1/1/1980). It was like discovering the tomb of King Tut!
It’s hard to secure something if you don’t know you have it. Worse still is relying on the existence of a data protection or retention policy that has no means of being monitored or enforced. Neither your customers, your board, nor the regulator are likely to look favourably on you when they come to visit.
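One way to build the kind of inventory described above, as an added example that is not the author's own tooling: a read-only Python script that walks a share and buckets files into the same finding types (CSV exports, ZIP archives, future-dated files, DOS-epoch timestamps, duplicates). The names `audit_share` and `sha256_of` and the category labels are hypothetical, and modification time is assumed as a stand-in for the "created date".

```python
import hashlib
import os
import time
from collections import defaultdict
from datetime import datetime, timezone

# Before 2 Jan 1980 UTC = DOS epoch (1/1/1980) or older; one day of time-zone slack.
DOS_EPOCH_CUTOFF = datetime(1980, 1, 2, tzinfo=timezone.utc).timestamp()
BY_EXTENSION = {".csv": "exports", ".zip": "archives"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_share(root, now=None):
    """Walk root and return {category: [paths]} plus duplicate groups."""
    now = time.time() if now is None else now
    found, by_size, by_hash = defaultdict(list), defaultdict(list), defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                found["unreadable"].append(path)
                continue
            category = BY_EXTENSION.get(os.path.splitext(name)[1].lower())
            if category:
                found[category].append(path)
            # Assumption: mtime stands in for the non-portable "created date".
            if st.st_mtime > now:
                found["future_dated"].append(path)
            elif st.st_mtime < DOS_EPOCH_CUTOFF:
                found["dos_epoch"].append(path)
            by_size[st.st_size].append(path)
    # Only files that share a size can be duplicates, so hash just those.
    for path in (p for grp in by_size.values() if len(grp) > 1 for p in grp):
        try:
            by_hash[sha256_of(path)].append(path)
        except OSError:
            found["unreadable"].append(path)
    found["duplicates"] = [sorted(g) for g in by_hash.values() if len(g) > 1]
    return found
```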
If you’d like to do something different to rolling a dice every day, then why not get in touch and ask about our unstructured data assessment on your own data and we’ll start to get you the assurance you seek around your data management and protection policies.