
Op-Ed: Why businesses should embrace ‘data minimalism’ amid ongoing cyber attacks

In an age where data is often hailed as the new oil, many businesses rush to amass vast troves of information about their customers.

Tim Holden
Wed, 27 Sep 2023

However, recent high-profile cyber attacks have served to highlight a troubling reality. Data that was once considered an asset may now actually be a liability. Client records held for longer than required can be misappropriated, causing anything from embarrassment to costly losses.

During the past few years, there has been a range of incidents in which financial and personal customer data was stolen during a cyber attack. In Australia, cyber criminals successfully gained entry to the IT infrastructures of companies such as Optus, Latitude, and Medibank.

Incidents such as these have raised a critical question: is the large volume of data businesses accumulate worth the risk? The answer, increasingly, appears to be no. Rather than viewing this data as a valuable asset, businesses must now see it as a potential liability and a treasure chest that malicious actors are constantly trying to crack open.


Taking a ‘minimalist’ approach

The idea of data minimalism – holding only data that is necessary for immediate business functions – is gaining traction as a pragmatic approach to addressing this growing concern. The benefits that data minimalism can provide include:

  • A smaller attack surface:
    Every piece of data held by a business is like a window into its operations. The more data that is held, the larger the attack surface for cyber criminals to exploit. By retaining only essential data, companies can significantly reduce their exposure to such risks.

  • Simpler data management:
    Managing data is a costly and time-consuming process. Businesses must ensure data is held securely and is only made available to those with the authority to view and use it. By adopting data minimalism, businesses can streamline their data management processes, which, in turn, reduces costs and frees up resources for more strategic initiatives.

  • More easily meet regulatory requirements:
    With the increase in data breaches, governments around the world are tightening data protection regulations. Failing to comply with these regulations can result in hefty fines and damage to a company’s reputation. Holding only necessary data simplifies compliance efforts and ensures businesses can meet their legal obligations without unnecessary risk.

  • Enhanced customer trust:
    At a time when data breaches are becoming more common, consumers are increasingly concerned about the safety of their personal information. Businesses that adopt data minimalism can demonstrate a commitment to data security and earn the trust of their customers. Trust is a valuable commodity that can set a company apart from competitors.

  • The mitigation of insider threats:
    Insider threats, where employees or contractors misuse or steal data, are a significant concern for businesses. The more data a company holds, the greater the potential for insider threats. Adopting data minimalism reduces the opportunities for such threats to occur, as there is less sensitive data available to exploit.

  • A reduction in costs:
    The cost of data storage has declined in recent years; however, it is far from free. Businesses often invest substantial resources in building and maintaining data infrastructure. By holding only necessary data, companies can reduce their storage costs and reallocate those resources to areas that drive growth and innovation.

Making the journey

To achieve effective data minimisation, a company should begin by undertaking a process of discovery. A thorough audit of all stored data should be conducted to determine exactly what is being held and where.

During this stage, an index of the data can also be created that provides metadata, which can aid in future management. This metadata can be used to quickly determine data types and whether they remain of use to the company.

The second step is to develop comprehensive data retention policies. The company should determine precisely how long different types of data should be retained and when they should be securely deleted.

The next step is to review all data security measures currently in place and determine whether any weaknesses exist. Additional measures can then be deployed to ensure all retained data is as secure as possible.

Finally, it is important for an organisation to regularly review and update its data retention policies. The threat landscape is constantly evolving, and what works today may not be the best practice in the future.

The recent surge in cyber attacks has underscored the need for businesses to rethink their approach to data. While it has long been considered an asset, data should now also be viewed as a potential liability.

Embracing data minimalism, holding only what is necessary and promptly deleting data when it is no longer needed, is a prudent strategy for mitigating these risks.

Tim Holden is a technical expert, APAC content and data intelligence, at Hitachi Vantara.
