
March 29, 2023


In today's digital age, data is one of a company's most valuable assets. However, while data is critical for business and innovation, it is also growing at an exponential rate—a challenge that is being exacerbated by cloud adoption—and is one of the most challenging threat vectors to address.

In fact, an organization’s data is a goldmine for cybercriminals, whether that data is customer data, financial data, regulated data or intellectual property. The more data a company has, the more attractive it is to hackers. If a breach does occur, the damage can be catastrophic. Not to mention, storing too much data can also make it difficult to comply with data protection and privacy regulations.

One of the biggest challenges organizations face when it comes to implementing data minimization is determining what data is necessary to keep and what can (or should) be disposed of. With the vast amount of data generated and collected every day, it can be overwhelming to know what data you have in the first place, what’s important (or critical or sensitive or regulated) and what data can—or should—be discarded.

By reducing the amount of data stored, organizations can decrease their risk of data breaches and improve regulatory compliance. Data minimization can also streamline data management processes, leading to increased efficiency and cost savings.

Where To Start With Data Minimization

So, how does one begin the process of data minimization? It all starts with knowing your data. Organizations need to have a clear understanding of what data they are collecting, how sensitive it is and how it is being used. This can help identify unnecessary data—often called redundant, obsolete or trivial (ROT) data—that can be safely disposed of.

Here are three steps to getting started with this process.

(1) Know your data.

Identify, classify and tag data by sensitivity, regulation, risk and context. By inventorying their data, organizations can uncover dark data, identify duplicate data and prioritize high-risk data.

Organizations need to be able to:

• Find and inventory data of all types, regardless of whether it lives in data centers or the cloud.

• Uncover dark, hidden or unknown data that they didn’t know they had.

• Identify duplicate and redundant data.

• Flag, tag and label data by type, meaning and sensitivity.

• Drill down and explore their data to understand what’s regulated, what’s at risk and what data can be minimized.

(2) Manage and derisk your data.

Once organizations know their data, they should assess the risk it carries: improving their data security posture management, understanding what data poses a risk and identifying where that risk can be minimized.

Organizations need to be able to:

• Manage data by policy and type: Secrets and keys in dev environments, for instance, represent one type of data risk, while PCI data (credit card data) may need to be handled differently.

• Report and map data risk by type, sensitivity and policy. It’s important to articulate, report and audit the findings.

• Investigate data risk to determine what’s critical and enable security teams to improve their security posture.

(3) Take action and minimize your data.

Now that you’ve got the scope of your data landscape under control, it’s time to take action and actually minimize your data footprint. Data lifecycle management is a key process here: understanding what data retention rules apply to what data, being able to remediate that data and consistently reporting on progress.

Organizations need to be able to:

• Manage and implement data retention policies for the data itself.

• Remediate and assign the right action to the data owner—whether that’s deleting, quarantining or tombstoning data.

• Delete the data that’s no longer necessary, including duplicate data, high-risk data that you no longer need and more.
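The three steps above can be sketched as a small classification and remediation planner. This is an added Python example, not code from the article or from any product; the retention periods, the mapping of data classes to delete, quarantine or tombstone, the detection patterns and the sample inventory are all constructed assumptions.

```python
import hashlib
import re
from datetime import date

# Assumed retention periods in days per data class (illustrative policy values).
RETENTION_DAYS = {"pci": 365, "general": 730}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SECRET_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|(?i:api[_-]?key)\s*[=:]")

def luhn_ok(candidate):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    doubled = [d * 2 - 9 if d * 2 > 9 else d * 2 for d in digits[1::2]]
    return len(digits) >= 13 and (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def classify(text):
    """Step 1: tag content as secret, pci or general."""
    if SECRET_RE.search(text):
        return "secret"
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        return "pci"
    return "general"

def plan(inventory, today):
    """Steps 2 and 3: map each path to (label, action); the newest duplicate is kept."""
    seen, result = set(), {}
    for item in sorted(inventory, key=lambda i: i["last_used"], reverse=True):
        digest = hashlib.sha256(item["content"].encode()).hexdigest()
        label = classify(item["content"])
        if digest in seen:
            action = "delete"          # redundant copy of data already inventoried
        elif label == "secret":
            action = "quarantine"      # assumed policy: isolate until the owner rotates it
        elif (today - item["last_used"]).days > RETENTION_DAYS[label]:
            action = "tombstone" if label == "pci" else "delete"
        else:
            action = "retain"
        seen.add(digest)
        result[item["path"]] = (label, action)
    return result

CARD_ROW = "name,card\nA. Test,4111 1111 1111 1111\n"  # well-known test card number
SAMPLE = [  # constructed inventory, not real data
    {"path": "crm/export_2020.csv", "content": CARD_ROW, "last_used": date(2020, 5, 1)},
    {"path": "backup/export_copy.csv", "content": CARD_ROW, "last_used": date(2020, 4, 1)},
    {"path": "dev/.env", "content": "API_KEY=placeholder\n", "last_used": date(2023, 3, 1)},
    {"path": "wiki/notes.txt", "content": "order 1234567890123\n", "last_used": date(2023, 2, 1)},
]
print(plan(SAMPLE, date(2023, 3, 29)))
```

The 13-digit order number in `wiki/notes.txt` fails the Luhn check and stays `general`, which shows why pattern matching alone over-reports regulated data.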

Data minimization is an ongoing process, not a one-time event. By understanding the risks of storing too much data alongside the benefits of data minimization, organizations can take proactive steps to improve cybersecurity, regulatory compliance and overall efficiency.
