With the emergence of the ‘data is the new uranium’ paradigm, there are some serious downsides to hoarding it.

We have all passed those houses in our neighbourhoods. Yards stacked to the fence line with old rusting bicycles, white goods in various states of disrepair, and other junk carefully collected, stacked, and secured over a long time.

A veritable ‘just in case’ treasure trove in the eyes of its owner, but a potential safety concern to everyone else.

In the physical world, evidence of a level 5 hoarder is clear to everyone except the hoarder themselves.

Conversely, in the world of data, the opposite can be true: an organisation hoarding data in this manner can be completely invisible to everyone on the outside.

In the aftermath of every data breach comes the inevitable soul-searching questions.

  • What went wrong?
  • What could we have done better?
  • Why did this happen to us?

But it’s the question that’s often being asked by those actually impacted by the breach that is most interesting.

“Why the hell do you have my data after all this time anyway?”

In the aftermath of the recent Latitude Financial breach, the company was heavily criticised when it was revealed that some of the data was old enough to purchase alcohol!

There are of course cases where data must be retained for a long time, for example to meet regulatory requirements relating to the storage of financial records. It’s a different story when it comes to personal data however, where the Privacy Act relies on a far more subjective concept of what is “reasonable”, so our thinking really needs to be recalibrated.

Quite frankly, it’s high time that much of the data being stored by organisations is purged, and as such it’s increasingly crucial for organisations to understand what level of data hoarder they are.

The downside of holding onto data

To many organisations, data deletion can feel like throwing golden customer or market insights down the drain – you never know when you might need it!

Regardless of the reason, many companies tend to hoard data without considering the long-term consequences. This practice creates a massive security problem, often manifested through the creation of data lakes.

Data lakes, although initially perceived as valuable assets akin to oil reserves, pose inherent risks when not adequately managed. Even anonymised data can become identifiable if enough information is available, making data aggregation problematic.

Furthermore, as individuals increasingly realise that their data has already been exposed, it becomes apparent that retaining outdated information is not only undesirable, but also poses a reputational risk.

The “data is the new uranium” paradigm

Renowned cybersecurity expert Mikko Hyppönen eloquently reframed the old adage that ‘data is the new oil’, by instead comparing it to uranium – still incredibly potent and useful, but without careful handling and disposal, the consequences can be disastrous.

Organisations must proactively address this data challenge by first effectively archiving the data they are truly obligated to keep. What follows is a structured purging of the data that does not need to be retained, in order to reduce the impact of potential cybersecurity breaches.

The process of data purging can become quite complex: it means setting up systems so you know which data is now old enough to delete and where that data is stored, and finally validating that the data has truly been purged.

However, companies should aim to establish a defensible position from a regulatory perspective and adopt comprehensive data management strategies, where the real risk of data loss and regulatory noncompliance is balanced against the amorphous reward of endless data retention.

For example, certain websites may request a user’s date of birth to ensure that they are of sufficient age to meet a regulatory requirement, but does that information truly need to be stored?

Could it be safely anonymised or disposed of immediately after verification?

As companies consider collecting personal data, they must establish a clear plan and retention policy, and this should be enshrined in a public privacy policy.

Identifying and securing data: A multi-faceted approach

Before implementing robust security measures, it is imperative to identify the locations where data resides. Data can be scattered across various platforms, including cloud services, backup tapes, email accounts, and shared drives.

For businesses concerned about data sovereignty (i.e., a requirement to store particular data types, typically government information, within a specific jurisdiction), understanding the geographic location of their data storage is vital.

While cloud services like Office365 offer convenience, it is essential to ensure that sensitive data is not inadvertently stored in jurisdictions with higher security risks or contrary to data sovereignty requirements.

Implementing access control mechanisms, conducting background checks, and prioritising secure data management practices are also vital steps in safeguarding valuable assets destined for long-term storage.

Transitioning from the notion of data as the “new oil” to “uranium” can help clarify the risks unnecessary retention can pose.

Purging unnecessary data, re-evaluating collection practices, and implementing robust security measures are essential steps toward mitigating cybersecurity risks.

By embracing the idea that “data is the new uranium,” companies can proactively address the challenges associated with data accumulation while still making the most of their data where it is appropriate to do so.

Additionally, fostering an ongoing internal dialogue between data scientists and security professionals is key. While data scientists may advocate for retaining all data for future analysis, security experts must emphasise the importance of data deletion to minimise risk.

A balance of risk and reward must be achieved, and data anonymisation techniques can play an important role here.

By collectively reviewing and discussing which data attributes provide the business greatest value, it is typically possible to purge those data attributes that pose unnecessary risk (such as personally identifiable information) while retaining those that will continue to provide value (such as demographics, spending behaviours, seasonality, or other trends).
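The archive, purge and validate sequence described earlier, the date-of-birth case, and the idea of stripping identifiers while keeping valuable attributes, as an added Python example that is not code from the article or from Phronesis Security; the retention windows, field names and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Constructed retention windows (days) per category and the direct identifiers to strip.
RETENTION_DAYS = {"financial_record": 7 * 365, "personal": 2 * 365, "analytics": 10 * 365}
PII_FIELDS = {"name", "email", "phone", "address", "date_of_birth"}

@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    fields: dict

def age_verified(dob: date, today: date, min_age: int = 18) -> bool:
    """Check the age requirement and keep only the outcome, never the birth date."""
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return years >= min_age

def minimise(rec: Record, today: date) -> Record:
    """Drop direct identifiers; keep attributes that still carry value (postcode, spend)."""
    kept = {k: v for k, v in rec.fields.items() if k not in PII_FIELDS}
    if "date_of_birth" in rec.fields:  # the verification result replaces the DOB itself
        kept["age_verified"] = age_verified(rec.fields["date_of_birth"], today)
    return Record(rec.record_id, "analytics", rec.collected_on, kept)

def apply_retention(records, today):
    """Purge expired records; minimise what stays unless it must be kept verbatim."""
    retained, purged = [], []
    for r in records:
        if (today - r.collected_on).days > RETENTION_DAYS[r.category]:
            purged.append(r.record_id)
        elif r.category == "financial_record":
            retained.append(r)  # regulatory obligation: archive as-is
        else:
            retained.append(minimise(r, today))
    return retained, purged

def verify_purged(retained, purged_ids) -> bool:
    """Validate: no purged id remains and no non-obligated record still carries PII."""
    still_present = {r.record_id for r in retained} & set(purged_ids)
    leaked = [r for r in retained if r.category != "financial_record" and PII_FIELDS & set(r.fields)]
    return not still_present and not leaked

# Constructed sample data: three records as they might sit in a data lake.
TODAY = date(2023, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "financial_record", date(2018, 1, 1), {"name": "A. Person", "invoice": 42}),
    Record("r2", "personal", date(2019, 3, 1), {"name": "B. Person", "email": "b@example.com"}),
    Record("r3", "personal", date(2023, 5, 20), {"name": "C. Person", "date_of_birth": date(2004, 7, 15), "postcode": "2000", "spend": 120.0}),
]
```

Running `apply_retention(SAMPLE_RECORDS, TODAY)` purges the stale personal record, keeps the financial record verbatim, and reduces the recent personal record to postcode, spend and an age-verified flag; `verify_purged` then confirms the result.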

As with most business and security challenges, clarity around business objectives and open communication is key!

As businesses grapple with the mounting pressure to anticipate and prevent data breaches, a proactive approach to data management is paramount.

By adopting a mindset of purging unnecessary data, revisiting collection and storage practices, and implementing robust security measures, businesses can safeguard their valuable assets and protect their stakeholders’ trust.

Ultimately, fewer Level 5 Hoarders will lead to a more resilient Australian digital landscape.

Eric Pinkerton is a cyber security consultant and Director of NSW at Phronesis Security.

This article was developed in collaboration with Phronesis Security, a Stockhead advertiser at the time of publishing.

This article does not constitute financial product advice. You should consider obtaining independent advice before making any financial decisions.