The federal government recently announced it will form a new agency, the National Office of Cyber Security, which will be led by a new cyber co-ordinator to manage major incidents across government and to liaise with affected companies during the emergency phase. In the past few months, the industry has witnessed the dire need Australian businesses have for this increased focus and collaboration to ensure businesses recovering from a cyber attack and businesses in the middle of managing an attack get the support they need.
However, while these intentions by the government are welcome, businesses cannot lose sight of the end goal, which should be to prevent attacks from happening in the first place. The only way to do this effectively is by proactively taking measures to keep only necessary data, and to keep that data safe and secure.
In many cases, businesses will resort to hiring cybersecurity experts, or investing heavily in preventative technology. But one of the most critical steps businesses need to take to stay secure is one that is too often overlooked or not understood: a mindset shift to managing the end-to-end lifecycle of data.
Less data means less risk
For years, businesses have created and stored as much data from customers, partners, and their target audience as possible. Marketing campaigns rely on demographic and buyer behavioural data to enable future campaigns to be more personalised, finance systems try to collate purchasing and payment data to offer automated payment options at the next visit, and sales teams gather intel in any way possible to build a thorough picture of how best to close a deal. These day-to-day activities have become normalised in today’s workplaces, with little thought to what happens to the data long-term.
When assessing some of the most significant data breaches and cyber attacks of the last 12 months, the data involved was often data that was not critical or legally required for the business to keep, but was highly personal and potentially damaging to the consumers involved if that data got into the wrong hands. Looking ahead, future attacks are likely to take a similar approach, targeting businesses that are becoming complacent about their data management; those organisations that in some cases are holding data for decades longer than necessary, often for individuals who are no longer customers.
This is why a dramatic yet simple shift to ‘less is more’ is urgently required for businesses, and consumers are already rapidly adjusting their expectations. Every piece of data that an organisation holds about a customer should be considered a liability. When gathering, managing, and analysing data, there needs to be recognition, from the point of collection, that the data will serve a certain purpose, and once that purpose is served it needs to be managed through a disposition process.
Managing data’s end-to-end lifecycle
Businesses should not be endlessly holding onto customer data, despite the fact this has unfortunately become common practice. The longer a business holds onto data, particularly personally identifiable information (PII), the greater the risk that business is carrying. All businesses should have a process for systematically and securely storing, recycling or destroying data. While no single action could eradicate all risk of cyber attacks and threats, this simple mindset shift from gathering and hoarding data to managing data throughout its lifecycle could not only save a business millions of dollars, but also (arguably more importantly) protect the sensitive data of millions of current and former customers, real people, around Australia.
For example, looking at recent high-profile attacks in Australia, in many cases they have become high-profile because of the scale of the impact. This scale was reached because the companies involved were holding onto millions of records unnecessarily, sometimes of customers from over two decades ago who had not interacted with them since. If, in these cases, all data had been managed so that only critical data was stored securely, and automatic processes were in place to destroy unnecessary or irrelevant data, the attacks may still have occurred, but even where they succeeded the impact would have been drastically reduced.
Furthermore, World Backup Day is just around the corner, yet many businesses still do not understand the simple difference between retention, e-discovery and backup. So that the aforementioned systematic and automated processes can take place when managing the lifecycle of data, businesses need to understand what data they have in the first place, assess whether they still need to hold onto it, and be able to quickly make decisions to mitigate the risk of that data to the business. Not all data found in e-discovery needs to be retained, and not all data being retained needs to be backed up. This is part of the critical mindset shift Australian businesses can no longer afford to ignore. Unfortunately, ignorance is no longer bliss!
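As an added illustration (not part of the original article), here is a small Python retention-policy evaluator that implements the lifecycle decisions described above: each category of customer data has a retention period measured from the customer's last interaction, an e-discovery hold overrides disposal, categories with no policy are flagged for review rather than silently kept, and only data that is retained or held enters the backup set. The retention periods, data categories and customer records are all constructed assumptions, not figures from the article.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed retention policy: days a category may be kept after the last interaction.
RETENTION_DAYS = {
    "transaction": 7 * 365,  # e.g. a financial record-keeping obligation
    "contact": 2 * 365,      # contact and marketing details
    "id_document": 90,       # identity documents: verify, then delete
}

@dataclass
class CustomerRecord:
    customer_id: str
    last_interaction: date
    categories: frozenset
    legal_hold: bool = False  # preserved for e-discovery; must not be destroyed

def evaluate(record: CustomerRecord, today: date) -> dict:
    """Decide a disposition for each data category held on one customer."""
    age_days = (today - record.last_interaction).days
    decisions = {}
    for cat in sorted(record.categories):
        if cat not in RETENTION_DAYS:
            decisions[cat] = "review"   # no policy covers it: escalate, do not guess
        elif record.legal_hold:
            decisions[cat] = "hold"     # e-discovery hold overrides normal disposal
        elif age_days > RETENTION_DAYS[cat]:
            decisions[cat] = "dispose"  # purpose served: destroy securely
        else:
            decisions[cat] = "retain"
    return decisions

def disposition_report(records, today: date) -> Counter:
    """Count decisions across all records, as a scheduled job would log them."""
    return Counter(d for r in records for d in evaluate(r, today).values())

def backup_set(records, today: date) -> set:
    """Only data that is retained or held belongs in the backup set."""
    return {r.customer_id for r in records
            if set(evaluate(r, today).values()) & {"retain", "hold"}}

# Constructed sample records (not real customers), evaluated as of a fixed date.
AS_OF = date(2023, 3, 31)
SAMPLE = [
    CustomerRecord("c-001", date(2001, 6, 15), frozenset({"contact", "transaction"})),
    CustomerRecord("c-002", date(2022, 11, 1), frozenset({"contact", "id_document"})),
    CustomerRecord("c-003", date(2010, 1, 1), frozenset({"transaction"}), legal_hold=True),
    CustomerRecord("c-004", date(2022, 1, 1), frozenset({"biometric"})),
]
```

Running `evaluate` over `SAMPLE` shows the twenty-year-old record disposed of entirely, the identity document disposed of while the recent contact details are kept, the held record preserved, and the uncatalogued category sent for review.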
As the Australian government and businesses continue to collaborate to keep Australians and our data safe, we need to ensure that both preventative and reactive measures are in place to address the relentless and multi-faceted nature of today’s cyber attacks. This should start with encouraging and educating businesses around the necessary mindset shift to treating data as a liability with a lifecycle, rather than a trophy to store.