Corporate data governance programs are difficult to establish and enforce. For the most part, these programs lack the necessary people, processes and technology to effectively fend off security threats, data breaches, regulatory fines and lawsuits.
The two weakest links in a company’s data governance program are uncontrolled user access to data (53 percent) and managing where data is stored (43 percent), according to a new research study released by Blancco Technology Group.
Data protection and regulatory compliance are further complicated by the fact that organizations are often too lenient in allowing employees to transfer data inside and outside their organizations. For instance, 69 percent of the surveyed IT professionals admitted they allow employees to transfer data onto their personal mobile devices with only minor limitations and 33 percent allow employees to move data to cloud providers, such as Dropbox, without any restrictions at all.
On top of this, 47 percent of organizations either have limited visibility or no visibility at all into how employees move data offsite.
Organizations are more concerned with protecting corporate reputations than passing audits and avoiding regulatory penalties. 48 percent of organizations said their biggest concern with data protection regulations is protecting their reputations, while only 38 percent are worried about passing audits and 40 percent are concerned with avoiding penalties.
Unstructured and dark data are growing liabilities for organizations. Despite IDG’s prediction that 93 percent of digital data will be unstructured by 2022, only 41 percent of organizations have a central repository for managing unstructured data. Meanwhile, 34 percent either don’t have any tools in place to manage unstructured data or are in the process of investigating the necessary tools.
Data classification is an important step in laying the foundation for data protection and regulatory compliance. 58 percent classify data according to legal requirements, while 56 percent classify data based on how sensitive it is to unauthorized disclosure/modification and 43 percent classify it according to its perceived value to their organization. However, 5 percent don’t know how data is classified inside their organization, while 13 percent either don’t classify data or don’t know if they do.
The absence and non-enforcement of data removal policies conflicts with EU GDPR’s ‘right to erasure.’ 13 percent of organizations don’t securely erase digital files and folders that are no longer needed or used. On top of this, 16 percent don’t have a data removal policy for when data is no longer needed and 22 percent don’t have written data disposal/destruction policies to handle data that’s no longer needed.
Overall, the study highlights a common, yet unfortunate reality in most enterprises today – what you don’t know can hurt you. One such unknown is the amount of time that data should be retained. In particular, 22 percent of the surveyed IT professionals admitted they keep data forever, while 18 percent said they keep data for a set amount of time regardless of data type.
“The reality is that many organizations adhere to a ‘storage is cheap, keep everything’ mentality,” said Richard Stiennon, Chief Strategy Officer, Blancco Technology Group. “Data hoarding as a practice can be dangerous, as we saw during the Yahoo hack last year when hacker ‘Peace’ leaked four-year-old data from 200 million Yahoo accounts onto the dark web. Organizations need to learn that, as data ages, its usefulness declines. In actual fact, all retained data is a liability for discovery, breach, theft or loss. When its value is less than the liability, when customers demand it (i.e. closing out accounts) and when regulations require it, organizations need to permanently erase the data so it can never be recovered and result in another situation like the Yahoo breach.”