Instead of Crying Over Spilled Data, Shore up Your Governance Practices

When you hear the word “spillage,” most likely, nothing good springs to mind. And when it comes to one of a company’s most valuable assets — the sensitive customer data it processes, collects and manages on a continuous basis — spillage is not a word you want to see flash across your screen.

A recent survey by Microsoft found that 73% of chief information security officers (CISOs) indicated that their organization encountered leaks of sensitive data and data spillage within the past year. And as we’ve come to appreciate, the cost of a data leak extends far beyond the bottom line — from the actual cost of dealing with the leak or fines resulting from compliance failures, to the untold reputational damage a data spill can wreak on your brand.

Unlike a data breach, which is typically the intentional result of a threat actor, a data spillage event is all too often the byproduct of a seemingly innocuous mishap — a misconfigured AWS cloud bucket or in the case of one of the largest data breaches in U.S. history, an expired Apache certificate.

The National Institute of Standards and Technology defines data spillage as a security incident that results in “the transfer of classified information onto an information system not authorized to store or process that information.” 

Research has shown that in the vast majority of cases, most data spills are the result of human error, be it an employee clicking on a phishing email, a keystroke error or a bug that causes an application to inadvertently retrieve more data than it was supposed to. Gartner estimates that through 2025, 99% of cloud security failures will be traced back to preventable misconfigurations or an employee’s mistake. They’re easy errors to make, especially as more employees are logging in from remote locations.

The risk of data spillage has only grown more acute (and the consequences more dire), as the way we work has fundamentally evolved due to the global pandemic and the broad adoption of the work from anywhere movement, which, while a boon for employee morale, continues to present a host of new challenges to resource-strapped IT departments.

As Benjamin Franklin once famously quipped, “an ounce of prevention is worth a pound of cure.” The more time you can invest upfront in keeping your sensitive data secure, the less likely you’ll be sitting for a lengthy deposition with your legal team down the road.

Create a data map to gain visibility

As the age-old business trope goes, you can’t manage what you can’t see. And perhaps nowhere is that more clear than when it comes to how companies go about managing their sprawling data estate. Because most enterprise organizations store data across operating environments — from their own on-premises data centers to a rotating mix of public and private cloud — they often don’t have any real idea as to where all their data resides at any single point in time. 

That’s why a good first step is to build a data map to get critical visibility into both your structured and unstructured data, whether you use the traditional route of spreadsheets and stakeholder meetings or opt for a technology-aided solution. 

Don’t be a data hoarder

Because the public cloud has made it so cheap and easy to store an unlimited amount of data, it’s created a dangerous hoarder mindset that data never needs to be erased because after all, who knows when we might need it? 

Instead take a cue from Marie Kondo, who tapped into the cultural zeitgeist by challenging people to consider the belongings in their home and to ask themselves whether a particular item sparks joy. In a similar fashion, good data governance begins by reducing your data stores to essentials and nothing more. For all the potential value that data holds, archived data also represents a minefield of potential risk and liability that can be best avoided by not putting it in the direct sights of a threat actor or a careless employee.

Whenever possible, encrypt your data

According to the 2021 Verizon Data Breach & Incident Report, 94% of all malware is delivered by email, demonstrating once again why humans will always be considered the weakest link in the security chain. Because most network incursions are the result of an authorized user willfully handing over their secure credentials — or worse still, an aggrieved employee with an ax to grind — ensuring that sensitive data repositories are being encrypted is an essential safeguard that should not be underestimated. 

Invest in data governance automation

Data volumes will continue to grow at exponential rates and are now measured in petabytes and zettabytes. Beyond the mass quantity of data being produced on a daily basis, we are now also creating new types of data that need to be monitored and protected, be they text messages, video files or collaboration messages. That’s why an automated data governance platform, which can proactively monitor the quality and compliance of your data, enforce retention policies and address legal and regulatory requirements, has become table stakes for high-performing data security teams. 

Plan for the best, prepare for the worst

As history has shown us time again, even the best-laid plans can go awry. That’s why even the most well-funded security teams have a vetted incident response action plan at the ready. But it’s not enough to just develop a playbook and wait for something to happen. As anyone who has lived through the experience of a leak knows, it’s essential that your team has dedicated time to running through all the procedures to ensure that everyone understands their roles and responsibilities inside and out. Tabletop exercises are another good way to make sure everyone’s on the same page and knows what to do.