Why businesses should care about unstructured data risks
Small- and medium-sized businesses are facing a big challenge: managing sensitive data stored in unsecured files, aka unstructured data. Typically stored in individual files such as documents, spreadsheets, presentations and reports, unstructured data can be as much as 80 percent of the data created by businesses. So, why should you care? Terry Burgess explains.
Controlling access to unstructured data has become a chronic challenge for businesses of all sizes and a key cause of data breaches. Professional hackers are increasingly targeting unstructured data because it’s typically easier to steal and, in addition, yields a treasure trove of valuable information.
Failure to secure unstructured data can also increase regulatory risk and result in severe fines and legal penalties. This should be top of mind for New Zealand’s business owners, partners, directors and general managers, following the news that mandatory data breach reporting will begin in New Zealand from 1 December 2020, making the management of cybersecurity risks high stakes for all Kiwi businesses. Under the Privacy Act 2020, businesses will be required to report data breaches that pose a risk of harm, loss or damage to affected individuals to the New Zealand Privacy Commissioner and those affected. The new legislation also increases penalties for non-compliance from $2,000 to $10,000.
Finally, this problem isn’t going away—it’s getting bigger. On the positive side, COVID-19 has made workforces more dynamic; however, it has also made cybersecurity risks like shadow IT more prevalent. Remote employees are much more likely to circumvent IT processes and policies—for example, by using their preferred cloud storage service over the business’s server—making unstructured data a greater risk. What’s more, this data is growing at a rapid rate and, unfortunately, for most SMBs, infrastructure and information management are not keeping pace.
How to manage the seemingly unmanageable
To thoroughly safeguard the information assets and sensitive data stored in unstructured files—while also lowering the risk of data breaches and compliance penalties—SMBs should follow these three steps:
- Know where unstructured data is: More SMBs are getting better at securing access to applications, databases and other platforms, but, without visibility, it’s easy to forget about the data stored in files outside systems. As such, the first step to securing unstructured data is identifying the data strewn about the company, in file shares, SharePoint, certain cloud services, email, etc.
- Take control of unstructured data: While data is the focal point of unstructured data management, it can’t be managed effectively without access controls. According to CERT NZ’s 2019 Report Summary, unauthorised access was among the top three cyber incident categories last year, with reports up 48 per cent from 2018. With COVID-19, many businesses opened up access, forgetting that this meant opening a whole bunch of doors without the right security measures in place to ensure people didn’t get access to the wrong doors and, in some cases, wrongly walk through them. Fortunately, businesses can take back control of access, and hence minimise the risk of a cyber incident, by asking the following simple questions: Who has access to what? Who should have access to what? How are they using that access?
- Say no to management silos: While it’s tempting to implement a tactical tool for managing unstructured data, it’s critical to never lose sight of the need to govern and control data access across the entire organisation. Of course, investing in tools will help, but the next essential step is to assign data owners. Assigning stewards of business data is critical to whether or not an SMB can actually control who has access to it. This is because, at the end of the day, when somebody is being granted access, or their access needs to be revoked, employees have to know who to go to. Nominating a data owner can help to reduce risk as this person will have the visibility required to be able to see the big picture.
Unstructured data is a big issue that SMBs can no longer ignore. By following the above three steps, SMBs will be able to better address security threats, ensure compliance and focus on accelerating business goals with the confidence that the right people have the right access to the right information at all times.
Terry Burgess is Vice President, Asia Pacific and Japan, at identity management company SailPoint.