According to a Cisco study, enterprises hold an average of nearly 350 terabytes of data in storage, and analysis from Statista shows that the volume of stored data requiring protection grew 20 percent over a recent three-year span. Now more than ever, given this year's significant rise in high-profile data breaches and ransomware attacks, companies need to ensure their data is properly protected.
Financial services companies are uniquely affected, both by the volume of data they hold (transactions, statements, communications, and so on) and by industry regulation. As these risk-averse companies accelerate their move to the cloud, an interesting contradiction is playing out. With the cost of storing large amounts of data in the cloud falling, it would seem companies could keep all their files . . . forever. However, storing and maintaining those files carries inherent business risk, especially for files that have sat dormant for years.
Organizations in general keep data just in case they need it later, and cheap storage perpetuates the problem: with no cost deterrent, keeping everything is the path of least resistance. Over time, though, aging data comes to represent more risk than benefit. A file that contains personally identifiable information (PII) nobody has ever identified can draw fines if it is breached; old document drafts can damage the organization if disclosed; and every retained file is one more thing an internal user can access inappropriately or an attacker can exfiltrate.
To mitigate that risk, forward-thinking financial services teams are taking an unusual step: automatically deleting files that have not been opened, viewed or edited in seven years or more, on the grounds that such files represent more risk to the corporation than value. Just as most of us keep only the last seven years of tax returns, the same principle can apply to a company. Some organizations, however, are not comfortable with auto-deletion, or must keep certain data indefinitely to comply with regulation, so what best practices should they follow?
Here are the top three tips that can help financial services companies mitigate the potential risks associated with their data:
- Data retention policies should be guided by compliance – Retention periods are set by regulation and differ by record type. The Sarbanes-Oxley Act of 2002 and the SEC rules that implement it, for example, require certain financial and audit records to be kept for seven years, while other record types carry shorter periods and some must be retained indefinitely. A single rule of thumb therefore does not work: companies need a written retention schedule that maps each record type to its required period, so they know what can be deleted, what must be kept on file indefinitely, and when, to ensure compliance and avoid fines. Records in the "keep indefinitely" class must be explicitly exempt from any automated deletion.
- Know the type of information in all documents – Companies should have tools for sensitive data discovery, because that process identifies the data most at risk, such as PII and protected health information. It can also remediate compliance breaches as they happen, and quarantine, delete or revoke access to any data that may be exposed. Classification is also a must-have: it tags sensitive information and helps companies track and organize their data. Companies should not rely on users to enforce retention, because that leads to inconsistencies and errors; an automated process is both more efficient and more consistent.
- Combine classification with other file attributes – Companies should combine classification with file attributes such as creation, modification and last-access time so they can re-classify or "tombstone" data as needed. The most helpful capabilities are visual indicators or alerts that tell users data is old or about to be deleted. Companies should quarantine data as a first step before permanent deletion, with a review window in which a mistaken decision can be reversed, because once data is gone it cannot be retrieved.
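To make the second and third tips concrete, here is an added example written for this article (it is not the article's own code, nor any vendor's product). It combines a per-file retention class with the file's last-activity timestamp, moves stale files into quarantine while leaving a tombstone marker in place, purges quarantined files only after a grace period, and never touches files in a legal-hold class. The directory layout, the JSON manifest format, the class names, the periods and the sample files are all assumptions made for the example.

```python
"""Retention sweep for a file share: quarantine stale files, then purge them.

Example added to this article; not the article's or any vendor's code.
Assumptions: a JSON manifest maps relative paths to a retention class (unlisted
files get "default"); age is the newer of atime and mtime; the quarantine
directory sits outside the scanned tree.
"""
from __future__ import annotations

import json
import os
import shutil
import tempfile
import time
from pathlib import Path

DAY = 86_400
YEAR = 365 * DAY

# Assumed classes; real periods come from the regulatory retention schedule.
RETENTION_SECONDS = {"default": 7 * YEAR, "invoice": 5 * YEAR, "legal_hold": None}
QUARANTINE_GRACE = 30 * DAY  # how long a quarantined file waits before purge
TOMBSTONE = ".tombstone"


def retention_class(rel_path: str, manifest: dict) -> str:
    """Unclassified files fall back to the default period, never to 'keep'."""
    return manifest.get(rel_path, "default")


def last_activity(path: Path) -> float:
    """Newest of access and modification time.  ctime is deliberately ignored:
    it tracks metadata changes, so the sweep's own move would reset it."""
    st = path.stat()
    return max(st.st_atime, st.st_mtime)


def quarantine_stale(root: Path, quarantine: Path, manifest: dict, now: float) -> dict:
    """Move files past their retention period into quarantine and leave a
    tombstone at the original location.  Returns the actions for review."""
    done = {"quarantined": [], "retained": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix == TOMBSTONE:
            continue
        rel = path.relative_to(root).as_posix()
        cls = retention_class(rel, manifest)
        limit = RETENTION_SECONDS[cls]
        if limit is None or now - last_activity(path) < limit:
            done["retained"].append(rel)
            continue
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        record = {"original": rel, "class": cls, "quarantined_at": now,
                  "purge_after": now + QUARANTINE_GRACE}
        # Tombstone = visible "about to be deleted" marker; sidecar = purge record.
        path.with_name(path.name + TOMBSTONE).write_text(json.dumps(record))
        dest.with_name(dest.name + ".meta.json").write_text(json.dumps(record))
        done["quarantined"].append(rel)
    return done


def purge_expired(root: Path, quarantine: Path, now: float) -> list[str]:
    """Permanently delete quarantined files whose grace period has elapsed."""
    purged = []
    for meta in sorted(quarantine.rglob("*.meta.json")):
        record = json.loads(meta.read_text())
        if now < record["purge_after"]:
            continue  # still inside the review window
        meta.with_name(meta.name[: -len(".meta.json")]).unlink(missing_ok=True)
        meta.unlink()
        (root / (record["original"] + TOMBSTONE)).unlink(missing_ok=True)
        purged.append(record["original"])
    return purged


def demo() -> dict:
    """Run the sweep over a constructed sample share (not real data)."""
    base = Path(tempfile.mkdtemp())
    root, quarantine = base / "share", base / "quarantine"
    now = time.time()
    ages = {"drafts/old_memo.docx": 9, "ar/invoice_2017.pdf": 6,  # constructed:
            "holds/litigation_2010.pdf": 12, "reports/q3.xlsx": 1}  # years idle
    for rel, years in ages.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        stamp = now - years * YEAR
        os.utime(p, (stamp, stamp))  # backdate atime and mtime
    manifest = {"ar/invoice_2017.pdf": "invoice",
                "holds/litigation_2010.pdf": "legal_hold"}
    sweep = quarantine_stale(root, quarantine, manifest, now)
    too_soon = purge_expired(root, quarantine, now + DAY)
    purged = purge_expired(root, quarantine, now + QUARANTINE_GRACE + 1)
    remaining = sorted(p.relative_to(root).as_posix()
                       for p in root.rglob("*") if p.is_file())
    return {"sweep": sweep, "too_soon": too_soon, "purged": purged,
            "remaining": remaining}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should carry into a real deployment. First, last-access time is only as good as the filesystem: volumes mounted with noatime or relatime do not update atime on every read, so "not opened in seven years" may in practice collapse to "not modified in seven years"; if access history matters, take it from file-access audit logs rather than from the inode. Second, the sweep report returned by `quarantine_stale` is the review artifact; the purge step should only run after someone has looked at it, and the manifest should be populated from the classification tool, not maintained by hand.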
These tips apply to live data, the area companies focus on most. But retention requirements must also be enforced on backups: discovery and classification tools scan live data, not backup media, so a file deleted from a share can survive in backup sets for years unless backup retention is aligned with the same schedule. This area is often overlooked, yet it deserves just as much attention. Organizations that follow these three tips will be well on their way to limiting the amount of sensitive data they hold and protecting what remains, and can rest easier knowing they are doing what is in their power to safeguard the business.