To keep or not to keep, that is the question, whether you celebrate National Spring Cleaning Week (UK: March 4 to March 10), or National Pack Rat Day (US: May 17), or National Cleaning Day (Sierra Leone: monthly). Whether a day, a week, a month . . . the point is to start changing behavior so that making choices about what we stow and what we throw becomes easier, more autonomic, like riding a bike or buckling your seatbelt before starting the car engine.
The Japanese-inspired Kata technique for making incremental changes to learn a new skill or mindset can be applied to our data practices. The objective is to find the balance between change that is meaningful and sustainable—and change to address a compliance need or auditing critique but that is only superficially adopted (and quickly abandoned). One expectation of Kata is to “fail early/fail cheap”: Try a fix, learn from the results, and then continue to adapt that fix so that it truly fits the business culture, business model, and operating environment. Another expectation is that the four steps (articulate the challenge, define the current condition, launch experiments, identify next target) guide the behavioral change process. The questions posed below outline—no real spoiler alert—an adaptation of Kata to promote “cyber spring cleaning.”
What—and where—are your data objects?
During a recent cyber workshop with a client company, staff members wrote down the data objects that were specific to their job role that they use regularly on individual sticky notes (one data object to a sticky note). They then classified those objects as to where they were stored: email, shared drive, ERP, CRM, SolidWorks, hard copies, and so forth. We captured the information on the sticky notes into a spreadsheet along with the classification. Just like dust bunnies that seem to multiply furtively under the bed, we could see how the storage repositories replicated content—especially when we started to discuss backup, copying, and printing practices. The good news about such replication is that you will likely never permanently lose one of those data objects; however, you might not be able to find it when needed—or might not be able to find the most recent version.
What are your data boundaries?
The next step in the exercise would be to identify the “expiration date” for a given data object; who has access to it; its classification (client proprietary—including CUI/CDI; company proprietary—including employee PII, NDAs, intellectual property, customer/pricing lists); its distribution; impact of its loss, compromise, or inaccessibility on business operations and/or legal liability; and appropriate destruction or “decommissioning.” These data boundaries help define a company’s data governance strategy and respond to the following questions:
• What data objects must we protect?
• How long should they be retained?
• Who should be given access to them and with what limitations?
• How can we control risk and detect change in their condition (i.e., loss, compromise, or inaccessibility)?
• How do we manage data object “end of useful life” (e.g., destruction, disposal, archival)?
How do you prioritize resource investment?
Developing the action plan for bridging data boundary gaps is highly dependent on your company’s risk profile and appetite (paranoid, prudent, permissive, promiscuous—and even perplexed or paranoid). Your target condition should be realistic, and your approach to achieving it, defensible. One useful approach is a quadrant exercise: position the data object sticky notes along the X-axis denoting the effort required to implement protection (low, medium, high) and along the Y-axis denoting the business impact of the protected data object (low, medium, high). Consider the people/process/technology resources needed to protect various data objects. The biggest returns for effort expended, based on results in the 2019 Data Breach Investigations Report (released 8 May 2019), are enforcing robust password and credential protection practices—and user training. The report showed that 93% of malware is delivered via email, and that for manufacturing industry breaches, 71% involve privilege misuse and web apps.
How do you sustain your cyber spring cleaning habits?
• Maintain evidence that you are selective about what you keep and choose to protect.
• Revise your system security and incident response plans as well as your employee policies and handbooks.
• Accept that “risk-free” is a marketing concept, but that “risk-averse” is a state of mind and habit, observation and detection.
Happy spring cyber cleaning!
[1] Thank you to Doug Kimball and his excellent article in Company Week for inspiration and National Pack Rat Day information. Who knew? The article contains many good ideas. <https://companyweek.com/articles/industry-voice-why-companies-become-data-pack-rats-and-how-to-declutter-your-business>
[2] Also, it appeared that, among manufacturing sector breaches investigated, financial motivation for hacks outpaced those for intellectual property theft by 68% to 27%. <https://enterprise.verizon.com/resources/reports/dbir/>