It is imperative that a company knows what data it holds, why it is holding it, where it holds it, and who has access to it. The old adage that information is power leads many to believe that holding on to as much data as possible is a smart institutional practice because you never know when you may need it. However, the opposite is true. The more data a company holds, especially data that it has no use for, the more at risk it is for a future data breach. Data hoarding has increased in recent years because of the low cost of storage and employees working remotely. In fact, many cloud-based data storage vendors encourage companies to keep all of their data indefinitely. Additionally, with remote work, employees may be storing company data on personal devices that are less secure.  

Data hoarding puts a company at risk because it creates a larger attack vector that is difficult to protect. This is especially true if you have forgotten what data your company is actually holding because if you do not know if you have it, then you may not know that you lost it. There are several steps a company should take to cull the amount of data it is storing and lower its risk in the event of a breach. The first thing that should be done is to catalogue all of the data that the company is holding. Then, the company should review that data and determine what data it requires and what data it no longer needs and is just holding onto. All data has a lifecycle, and data that has reached the end of that lifecycle should be discarded. The remaining data should then be categorized and segregated by sensitivity and importance. Then, the company should determine who needs to have access to each category of data, and ultimately limit access to the most sensitive data.

Once the data the company is holding is determined, the company should institute a data retention policy that outlines the lifecycle for all of the company’s data. A primary problem related to the retention of data is not necessarily how much a company is holding, but the visibility of that data. As part of the data retention policy, the company should conduct an annual review of the data it is holding in order to know exactly what data it has, and whether it is complying with its own data retention policy. These practices of data security are incorporated in CISA’s Cybersecurity Performance Goals to raise cross-sector cybersecurity. These cybersecurity goals include:

Security Benchmark	Cost	Complexity	Impact
Detection of unsuccessful (automated) login attempts	Low	Low	High
Changing default passwords	Low	Medium	High
Mutlifactor authentication (MFA)	Medium	Medium	High
Minimum password strength	Low	Low	High
Separating user and privileged accounts	Low	Low	High
Unique credentials	Medium	Medium	Medium
Revoking credentials for departing employees	Low	Low	Medium
Hardware and software approval process	Medium	Medium	High
Disable macros by default	Low	Low	Medium
Asset inventory	Medium	Medium	High
Prohibit connection of unauthorized devices	High	High	High
Document device configurations	Medium	Medium	High
Log collection	Medium	Medium	High
Secure log storage	High	Low	High
Asset inventory	Medium	Medium	High
Secure sensitive data	Medium	Medium	High
Organizational cybersecurity leadership	Low	Low	High
OT cybersecurity leadership	Low	Low	High
Basic cybersecurity training	Low	Low	High
OT cybersecurity training	Low	Low	High
Improving IT and OT cybersecurity relationships	Low	Low	Medium
Mitigating known vulnerabilities	Low	Medium	High
Vulnerability disclosure/reporting	High	High	Low
Deploy security.txt files	Low	Low	High
No exploitable services on the internet	Low	Low	High
Limit OT connections to public internet	High	Medium	Medium
Third party validation of cybersecurity control effectiveness	High	High	High
Vendor/supplier cybersecurity requirements	Low	Low	High
Supply chain incident reporting	Low	Low	High
Supply chain vulnerability disclosure	Low	Low	High
Incident reporting	Low	Low	High
Incident response plans	Low	Low	High
System back ups	Medium	Medium	High
Document network topology	Medium	Medium	Medium
Network segmentation	High	High	High
Detecting relevant threats and TTPs	High	High	Medium
Email security	Low	Low	Medium

If you need assistance in implementing CISA’s Cybersecurity Performance Goals, or developing cybersecurity policies and procedures for your company, please contact one of Spilman’s Cybersecurity Practice Group members for assistance.