The number 1 asset is…
The number 1 asset is not gold, oil or silver; it’s data. No data, no business. It really is that simple in today’s world. People generally think of electronic data, but this also includes data on paper. There is nothing wrong with piles of paper per se, but do not forget about them.
I remember being asked to review the security of a major global coffee chain (yes, you would likely have heard of it). It is cloudy and grey over a major train station hub in the UK. I meet the manager and review their security procedures. It turns out their merchant copy receipts (the receipt the merchant keeps) carried the full card number and the full expiry date. Once their basement storage is full, they put the receipts into bin bags and leave them in the communal merchant area of the train station for disposal. When asked who actually disposes of the receipts, the response was that they do not know, but ‘somebody’ takes all the waste away.
Another example: reviewing a major UK hotel chain. They said they place their receipts in a metal container in the back, secured with a solid lock. When I went to visit, there was no lock. By the way, standard padlocks can be picked relatively quickly and easily if you know how.
Why do I tell you these stories? Because these businesses share some underlying issues. Not surprisingly, based on my experience, most businesses I come across have the same issues.
First, many businesses just keep storing data indefinitely. If this is you, then stop 🛑. When I ask businesses why they keep all their data until the storage areas are bursting, the answer is “just in case”. This is not good enough. Not only are you filling up space you could reuse, but from a security perspective you are increasing risk unnecessarily. It also suggests the organisation does not understand the regulatory, legal or legitimate business reasons for storing data.
Secondly, without understanding why data is stored, it is hard to develop a data retention standard, and therefore retention schedules for the different types of data. This leaves ambiguity, and the ‘just in case’ mentality persists among staff because they have no guidelines. Nobody wants to be accountable for removing data the business may need later.
Furthermore, by not ensuring you keep only what is necessary, you are breaching industry standards such as PCI DSS and obligations such as GDPR (note that there are some exceptional circumstances under which personal data may be archived for longer).
What can we do about it?
✅ Develop and maintain a storage limitation policy to retain only what is needed for business, legal or regulatory obligations, so that you can collect and use personal data fairly and lawfully.
✅ Develop and maintain data retention schedules. It is likely that different types of data or articles can be destroyed at different times.
If you don’t need it…
✅ Based on your retention schedules, remove unnecessary data. If you don’t need it, don’t store it. Check all sources, including electronic storage and paper storage. Removing means the data cannot be put back together. Depending on the sensitivity, this could mean destruction, redaction (be careful, as sometimes you can still read the data through black marker pen) or anonymisation (a form that does not reveal the identity of the data subjects).
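As an added example (not part of the original post), here is a small retention-schedule check in Python: a constructed schedule maps each data type to a retention period and a disposal action, an inventory is swept for items past their date, anything with no schedule is flagged rather than silently kept, and a helper masks a card number so a receipt copy no longer carries the full PAN. The retention periods are placeholders for illustration, not legal advice.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: data type -> (days to keep, disposal action).
# The periods are illustrative placeholders; real values come from your own
# legal, regulatory (e.g. PCI DSS, GDPR) and business analysis.
SCHEDULE = {
    "merchant_receipt": (90, "destroy"),        # paper card receipts
    "customer_invoice": (6 * 365, "destroy"),   # financial records
    "marketing_consent": (2 * 365, "anonymise"),  # personal data, keep stats only
}


@dataclass
class Record:
    ref: str
    kind: str
    created: date
    location: str  # "paper" or "electronic": both stores are checked


def due_actions(records, schedule, today):
    """Return [(record, action)] for every item needing attention.
    Items past their retention period get the schedule's disposal action;
    items of a kind with no schedule are flagged 'no_schedule' so the
    'just in case' pile becomes visible instead of staying indefinitely."""
    out = []
    for r in records:
        if r.kind not in schedule:
            out.append((r, "no_schedule"))
            continue
        days, action = schedule[r.kind]
        if today - r.created > timedelta(days=days):
            out.append((r, action))
    return out


def mask_pan(pan):
    """Redact a card number to its last four digits (separators dropped)."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


# Constructed sample inventory mixing paper and electronic sources.
INVENTORY = [
    Record("R-001", "merchant_receipt", date(2023, 1, 5), "paper"),
    Record("R-002", "merchant_receipt", date(2024, 5, 20), "paper"),
    Record("I-100", "customer_invoice", date(2018, 3, 1), "electronic"),
    Record("X-7", "old_spreadsheet", date(2015, 6, 1), "electronic"),
]

if __name__ == "__main__":
    for rec, action in due_actions(INVENTORY, SCHEDULE, date(2024, 6, 1)):
        print(f"{rec.ref} ({rec.location}, {rec.kind}): {action}")
```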
👉 Want More Tips/Hacks To Improve Security and Compliance Faster? Then take 10 more seconds to click on my profile, connect and follow me: https://www.linkedin.com/in/mqhopewell/