4 steps to protect your dark data from theft and misuse
By Linda Rosencrance

Over half of the data that companies collect is for single-use purposes. We give companies Social Security and credit card numbers, addresses and phone numbers, emails, and health data. That information, called “dark data” in internet circles, generally sits stored away, long forgotten by users. Dark data comes from many different sources: when a company declines to delete a former employee’s information, for example, or when a company is acquired but declines to wipe its existing user base.
“It’s like packing away some clothing or jewelry in the attic for future use and forgetting that it was there,” says Todd Moore, vice president of encryption products at Thales Group.

Unfortunately, though, sometimes cybercriminals get to the data first.

Dark data that contains personally identifiable information (PII) is a problem that grows by the day in many enterprises, so it is vital that companies identify the PII elements stored across the entire business, says Sharad Varshney, CEO of the data governance consultancy OvalEdge.

Half the battle in dark data vulnerabilities is an enterprise’s inability to perform complete data discovery, he says.

“You can’t protect what you don’t know about, but as we’ve seen in the countless data breach headlines, you can certainly count on cybercriminals to find and exploit every shred of PII if they are able to gain access to your company’s data stores,” Varshney says.

Here are four steps you can take to prevent the theft and misuse of your dark data.
Don’t store everything

First and foremost, don’t store all your information online, says John Hendley, head of strategy at IBM X-Force. For a while now, proponents of the “collect everything” mindset have said that data is as valuable as oil. While this viewpoint considers the value and benefits data can bring, it misses the risks of collecting, handling, and storing that data.

“A more accurate mindset would equate data to radioactive material: In the right hands, it can be extremely valuable, but if it falls into the wrong hands, it can be disastrous,” Hendley says.

And not all data is considered equal. IBM Security’s 2023 X-Force Threat Intelligence Index report found that criminals are going after personally identifiable information more than ever. “Names, email addresses, physical addresses, phone numbers, and passwords are increasingly valuable,” Hendley says. “You must also employ aggressive monitoring to secure your collection of high-value data.”
In general, companies must take extra care to collect and handle only the information required for functionality or regulation and nothing more, says Jamie Boote, associate principal security consultant at Synopsys Software Integrity Group.

“When building applications that collect, access, and store the data, traditional application security principles should be followed to ensure that it’s not subject to vulnerabilities like those listed in the OWASP Top 10, which can disclose dark data,” Boote says.

Identify/classify all the data

The hardest part of protecting dark data is finding it all, says Ryan LaSalle, North America security lead at Accenture.
Organizations need to figure out the type of data that they’re storing (Social Security numbers versus customers’ personally identifiable information versus health information), where it is, and who needs access to it. That data could live in business systems, in the cloud, in employees’ workstations, LaSalle says. “Then they need to figure out what data they really need and the way to do that is by labeling it. And then they have to get rid of the stuff that they don’t think they’re going to need,” he adds. “And that’s typically a judgment call. For one of our clients, we found billions of customer records inside their environment—multiple copies of the same data all over the place.”

Understanding where your dark data is stored is crucial to protecting it, says Kayla Williams, chief information security officer at Devo, a cloud-native security analytics platform.

According to Williams, internal audit and compliance teams that have access to employee-sensitive data should document and maintain an inventory of their data flows, which is also required by many privacy laws. “These data flows need to be reviewed periodically as ingress and egress points for data flows and in-scope data types can change,” she says.
Companies should put policies in place to ensure that data they no longer need can be destroyed, ensuring that they only retain necessary data, according to Andrew Pierce, founder of Real Estate Holding Company. Pierce is responsible for his company’s cybersecurity.

Implement access management controls

Often the copies of the same data that exist aren’t masked or encrypted and there aren’t proper controls around the data. Consequently, every one of those copies presents a risk to the organization, says Accenture’s LaSalle. To limit who has access to what data, companies need to put the right levels of control around those different data sets.

LaSalle says it’s up to the people who understand the real risk (i.e., the general counsel, the chief privacy officer, and the chief information security officer) to reduce the organization’s exposure, reduce the risk, and control the data appropriately as well as figure out how to enable the business to use that data effectively.
Access management controls, based on roles and responsibilities, are great tools for protecting dark data from theft, misuse, unauthorized access, and modification, according to Williams.

“For example, internal auditors who have access to evidence submitted to them, such as HR files [onboarding letters, background check results, W4s, 1099s for contractors, etc.] that contain highly sensitive personal information, should store that data in a secure file/drive location with strong access controls, i.e., deny access by default, multifactor authentication,” she adds.

Permanently delete dark data

It’s also critical to establish a mechanism that will regularly delete data that is no longer needed, unusable, or out of date, according to an organization’s data retention policy.

“Ideally, you have a policy—approved by your legal team—that specifies the type of information and how long the company must retain it in order to comply with in-scope laws, regulations, or other contractual obligations,” Williams says.

Not only does this free up space on an organization’s servers, it reduces the surface area that is vulnerable to attack, which in turn protects the remaining data from attack, says Corey Donovan, president of Alta Technologies, a buyer and seller of IT hardware.

“Dark data mustn’t collect dust; it must be subject to the same rigorous security policies, best practices, and monitoring as the data that is being actively used,” he says. “At the end of the day, any time you cut corners with data security you are leaving all of your systems more vulnerable, not just your unused dark data.”
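As an added illustration of the discovery/labeling and retention steps above (this is example code, not from the article or any company quoted in it), the following Python triage scans constructed sample records for the PII types the article names, labels them, and applies a hypothetical retention table; the regexes, the Luhn filter and the retention figures are all assumptions standing in for a real policy approved by legal.

```python
import re
from datetime import date

# Constructed sample records standing in for a forgotten data store.
SAMPLE_STORE = [
    {"id": "r1", "last_used": date(2019, 3, 1),
     "text": "Jane Doe, SSN 123-45-6789, jane@example.com"},
    {"id": "r2", "last_used": date(2024, 11, 10),
     "text": "Card on file 4111 1111 1111 1111, exp 09/27"},
    {"id": "r3", "last_used": date(2024, 6, 1),
     "text": "Team lunch notes, nothing personal"},
]

# Assumed detection patterns for the PII types the article mentions.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Hypothetical retention policy in days per label; a real one comes from legal.
RETENTION_DAYS = {"ssn": 7 * 365, "email": 2 * 365, "card": 90, "none": 3 * 365}

def luhn_ok(digits: str) -> bool:
    """Reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Label a record with the PII types found in it."""
    labels = set()
    for name, pat in PII_PATTERNS.items():
        for m in pat.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            labels.add(name)
    return labels

def triage(store, today: date) -> dict:
    """Map record id -> 'delete' (past retention), 'restrict' (live PII) or 'keep'."""
    actions = {}
    for rec in store:
        labels = classify(rec["text"])
        limit = min(RETENTION_DAYS[lab] for lab in labels) if labels else RETENTION_DAYS["none"]
        age = (today - rec["last_used"]).days
        actions[rec["id"]] = "delete" if age > limit else ("restrict" if labels else "keep")
    return actions
```

Records flagged "restrict" are the ones that the access-control step should place behind deny-by-default permissions; "delete" records are what the retention mechanism should purge.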