By Nigel Tozer
In a previous blog, I talked about how data breaches – possibly the biggest fears in a General Data Protection Regulation (GDPR) regulated world – don’t always happen in the data centre. In this blog, I’m taking a look at what you can do if that’s where they do happen, and how to help to reduce the risk in the first place. At this point you’re probably thinking that reducing the risk of a breach is all about security, but that’s only part of the story.
In life, we generally think we know the value and corresponding risks associated with things we own and take reasonable precaution to protect them. Unfortunately, we don’t always get things right, which is much truer of data than it is with our possessions. It’s entirely possible to let your kids play with something that looks like a piece of junk, or leave it in a poorly secured-out building, when in reality it’s actually a valuable antique. This might not be a common occurrence in our lives, but with data you can be sure of a cast-iron guarantee that this is the case, and often at an unimaginable scale.
I’ve seen many instances where companies have no clue where sensitive data is held, and are aware they don’t know, yet take no action. I have also regularly seen the complete opposite, where a business is fully aware of how important a data set is, but it isn’t secured as it should be “because it’s always been done that way,” or because an individual demands to work in a certain way (I’m looking at you, Database Administrators). With this in mind, I’m going to look at two types of data in this blog and my next one: unstructured and structured data, with a focus on unstructured data in this blog.
Unstructured data – files, media and documents – typically account for 70-80 percent of an organisations data1, and just as I mentioned above, you don’t always know its value. Or as we’re looking at it here, the corresponding risk. The problems are numerous:
- The sheer volume of unstructured data
- Ease of copying and moving it
- The myriad locations in which it can be placed
- The large number of applications that interact with it
- Poor controls due to the historical acceptance of NOT managing it in a better way
- Lack of a mandate for IT to better manage it
All of these points combined add up to big risks and possibly even bigger costs. Under GDPR, retaining data forever is off the table, and so is a failure to understand uses and locations of unstructured data that contains personal information – which, let’s face it, could be any of it.
This is why it’s important to look inside ALL of your unstructured data, even on laptops and in the cloud. So that once it is profiled it can be secured, retained for use, or disposed of appropriately. With ever-increasing data volumes, policy is necessary, education is great, but automation is critical. Having risk-based dashboards and implementing automated policies based on content means that if you are breached in systems deemed to be low risk, the actual risk of important data being compromised is minimised. If it’s a more secure location that is affected, having sensitive data heat maps – plus a content index and search tools at hand – means you can then meet the seemingly impossible 72 hour breach notification period of GDPR.
This is where Commvault can really help, and it’s one of the areas of GDPR (and many other global data-breach laws) that is almost impossible to protect against manually or by applying new working practices alone. One-off assessments aren’t suitable either; you really need on-demand dashboards, risk-based alerts and the ability to automate processes to be effective.
When I mentioned the antique in the second paragraph, I talked about value. But data breaches are really about risk. I did that on purpose. The point I’m making is that risk and value are two sides of the same coin. If you understand your risk profile, you might just also be in better shape to effectively use or dispose of that data that’s been sucking your resources for all these years.
If you want to learn how Commvault can help you to profile your data to help with GDPR or other data-governance challenges, contact us today.
1 Datamation: Structured Versus Unstructured Data