How to combat the security risk of sleeping data

So, sleeping data's a security issue. What can you actually do about it?
29 December 2023

• Keeping unnecessary data can be a security risk for companies.
• A data security platform allows you to keep your eyes on your data.
• Not knowing what’s happened to any of your data is unlikely to be acceptable much longer.

We’ve been looking into the security risk of hoarding “sleeping data” – data that no longer has value for an organization – with Terry Ray, SVP at Imperva. It’s a chronically underexplored and misunderstood phenomenon, because it stems from a logical-sounding presumption: that keeping everything is inherently safer than letting it go and then, maybe, down the line, needing it again.

In Part 1, Terry outlined the thinking behind organizations holding on to data they think they might need one day, but which then no one looks at for years or even decades, likening it to the junk drawer we all have in our homes.

In Part 2, we took a look at the scale of the problem, with a UK Imperva study that showed organizations losing close to one record for every human being in the country, each year, over three years (2019-22).

As the scale of the security risk of sleeping data was becoming clear, we challenged Terry with the obvious question every business would want answered: now that we understand the problem, what can we actually do about it?

The two-thirds issue.


I think of cybersecurity in general and security risk in particular as a kind of soccer pitch.


*Braces for sportsball talk.*


In soccer, your goalie is your last line of defence, the last security before (if you will) the attacker gets to the goal.

That is your data security.

But your goalie only has the ability to access one-third of the goal. The other two-thirds, they can’t go there. Result?


*Blinks in techie.*


The result is you’re not going to win the game unless you tackle your security risk.

And that’s what we’re talking about here. When we say we’re only going to protect data that’s regulated or data that’s important to the business, that’s great. That’s one-third of the job. We ignore the other two-thirds of the job at our peril, that’s really what it comes down to.


So, picking ourselves up from the sportsball references, how do we protect the other two-thirds of our data?


Well, I’m not going to be the one that sits here and says that applying data security controls is inexpensive. It’s not. But if a business has said “it’s really important that I collect all of this data,” then part of the cost of that decision is the need to protect that data. There’s a cost associated with protecting that data, and I think, unfortunately, for a lot of organizations, when they began collecting this data, that might not have been part of the equation.

But where we are today, that data is in demand by somebody. And that becomes part of the cost of storing that data and certainly part of the cost of collecting any additional data.

The point of a data security platform.


So – show me the money?


Pretty much. Organizations need to readjust their cost model of holding on to this data, because they now have to de-risk having that data in their organization.

Now you could just say, “I’m going to de-risk it by deleting everything more than five years old. And going forward, I’m going to put controls on everything.” Great, that’s fine, go and do that.

If you’re not going to do that, then you need to reassess your security strategy, because right now, you have a goalie that can only reach a third of the way across the goal.


So how do they get a better goalie?


They need a data security platform. What that entails will depend on the organization itself. The savvy organizations that have gotten this over the last 10 to 20 years have said, “I need to be able to determine where that data is. And what type of data I have out there.”

And if they don’t want to ask those two questions – and it’s totally fine not to – they at least need to be able to say “If anybody accesses that data, I want the ability to actively watch them do it.”

You need to know what data’s been touched, by whom, and to understand whether, say, Terry has ever touched that data before. Is it right that Terry’s touching that data, suddenly, after however long? Is that restricted data or sensitive data? And is that data that usually only apps touch, or does it make sense that Terry’s touching that data right now?

If you’re not actively watching the data, you cannot protect or classify anything.
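The questions in that answer (has this principal ever touched the table before, is it a table that only applications normally touch, is this read out of proportion to what the principal usually pulls) are exactly what a monitoring rule over a database access audit log has to encode. The Python below is an example added to this page, not Imperva’s code or Terry’s. The audit record fields, the 10x volume threshold, the table names and the sample records are all assumptions constructed for illustration, not a vendor schema or real data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One row from a database access audit log (fields are assumed, not a vendor schema)."""
    ts: str          # ISO timestamp
    principal: str   # human user or service account name
    kind: str        # "human" or "app"
    table: str       # schema.table that was read
    rows: int        # rows returned


# Constructed 30-day audit history used to build the baseline. Not real data.
HISTORY = [
    AccessEvent("2023-11-02T03:10", "billing-svc", "app", "crm.customers", 120),
    AccessEvent("2023-11-09T03:10", "billing-svc", "app", "crm.customers", 140),
    AccessEvent("2023-11-16T03:10", "billing-svc", "app", "crm.customers", 135),
    AccessEvent("2023-11-03T10:00", "analytics-svc", "app", "ops.metrics", 5000),
    AccessEvent("2023-11-05T11:20", "alice", "human", "ops.metrics", 50),
    AccessEvent("2023-11-19T14:05", "alice", "human", "ops.metrics", 80),
]

# Classification labels, where the organization has got round to assigning them (assumed).
SENSITIVITY = {"crm.customers": "restricted", "ops.metrics": "internal"}

# Events arriving after the baseline was built (constructed).
NEW_EVENTS = [
    AccessEvent("2023-12-01T22:41", "terry", "human", "crm.customers", 250000),
    AccessEvent("2023-12-02T03:10", "billing-svc", "app", "crm.customers", 130),
    AccessEvent("2023-12-02T09:15", "alice", "human", "ops.metrics", 60),
    AccessEvent("2023-12-02T09:30", "alice", "human", "archive.loyalty_2011", 1),
    AccessEvent("2023-12-02T16:00", "alice", "human", "ops.metrics", 5000),
]

# Flag a read larger than this multiple of the principal's previous largest read (arbitrary threshold).
VOLUME_FACTOR = 10


def build_baseline(events):
    """Per table: which principals touched it, what kind they were, and each principal's largest read."""
    baseline = {}
    for e in events:
        tb = baseline.setdefault(
            e.table, {"principals": set(), "kinds": set(), "max_rows": defaultdict(int)}
        )
        tb["principals"].add(e.principal)
        tb["kinds"].add(e.kind)
        tb["max_rows"][e.principal] = max(tb["max_rows"][e.principal], e.rows)
    return baseline


def evaluate(event, baseline, sensitivity):
    """Return the reasons this access deserves a look; an empty list means it fits the baseline."""
    reasons = []
    label = sensitivity.get(event.table, "unclassified")
    tb = baseline.get(event.table)
    if tb is None:
        # Nobody touched this table in the baseline window: sleeping data with no history to compare against.
        reasons.append(f"{event.table} has no access history ({label}); sleeping data woken up")
        return reasons
    if event.principal not in tb["principals"]:
        reasons.append(f"first access by {event.principal} to {event.table} ({label})")
    if event.kind == "human" and tb["kinds"] == {"app"}:
        reasons.append(f"human access to {event.table}, which only applications normally touch")
    prior = tb["max_rows"].get(event.principal, 0)
    if prior and event.rows > VOLUME_FACTOR * prior:
        reasons.append(f"{event.principal} read {event.rows} rows from {event.table}, previous max {prior}")
    return reasons


def triage(events, baseline, sensitivity):
    """Pair each flagged event with its reasons, keeping audit order."""
    return [(e, r) for e in events if (r := evaluate(e, baseline, sensitivity))]


if __name__ == "__main__":
    for e, reasons in triage(NEW_EVENTS, build_baseline(HISTORY), SENSITIVITY):
        print(f"{e.ts} {e.principal:>12} -> {e.table}")
        for r in reasons:
            print(f"    {r}")
```

On the constructed input, terry’s read of crm.customers is flagged twice (first-ever access to a restricted table, and a human touching a table only the billing service has touched), the read of the archive table is flagged because it has no history at all, and alice’s 5,000-row pull of ops.metrics is flagged on volume against her previous maximum of 80. The routine service-account read and alice’s ordinary read pass. A real deployment would key the baseline on a longer window and a per-table sensitivity label from a classification scan, but the shape of the logic is the same.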

Old ideas done new.

Data security platforms have the ability to monitor all data in the cloud, if the organization has gone that way, or all data in their Oracle, MSSQL, on-prem or mainframe environments if they have them.

The goal of this strategy is to do the same thing for data security that organizations have already done for endpoint security – watch all of the endpoints. It’s already been done for network security – watch all of the networks.

A data security platform is a repetition of best practice cybersecurity – you have to have eyes on something to protect it. So put your eyes on your data.

Organizations know very well how to do this for their regulated data, because they’ve been doing it for regulators for a long time. They simply need to duplicate that effort for all of the rest of their data and stop thinking that if they’ve covered all their regulated data that they’re done with data security.

Data visibility is key – and it means being able to answer all those questions about what’s happening to your data, and whether that feels right.

Beyond that, mitigation is a whole other ball game.

But at least if you can answer those questions about what’s happening to your data, you have the intelligence to start making informed decisions. Who’s accessing the data? Are they allowed to do so? If yes, fine, if not, how are they doing it? Does that indicate a weakness in the system somewhere – and so on.

If you can answer all those questions about all your data, not only can you meet all of your regulatory requirements, you have that data for analytics, machine learning or whatever tool you have – meaning you might be able to get uses from it with new technology and analytics that you didn’t have back when you started storing it.

“I don’t know” is unacceptable.

We’re coming to a point where “I don’t know” shouldn’t be an acceptable answer when it comes to a company’s stored data.

I run regular CISO roundtables, I get a group of ten CISOs together, and the first question I ask is “Raise your hand if you know who is responsible for data security in your organization.”

Half of the room doesn’t raise their hand.

And then we go around the room, finding out why they didn’t raise their hand. There’s always the diplomatic answer, which is “It’s everybody’s job. Data security is everybody’s job.” Fine. It is. Yes, it’s everybody’s job. But what I’m asking is whose phone rings when someone says we lost a million records because a bug bounty came in? Whose phone rings, and who says “What did they take? When did they take it? What controls do we have to make sure that we monitored them or it’s not going to happen again?”

And then they all raise their hand – because it’s their phone. “So now let’s talk about the controls and the strategy that you have in place…”

Everybody put your hands up.

That’s what organizations have to deal with every single day – knowing that there’ll be someone responsible for the security risk when the call comes, but not often having the factored-in budget or teams to respond with a pre-emptive data strategy.

If you have that strategy, that budget, and those teams in place to take data security seriously, you get CISOs who aren’t forced to make up their responses to crises when the crisis hits. Hopefully, they’ll have a data privacy officer to help protect their data, and respond in the event of that call coming in.

Whose head is on the line when the phone rings?