Toxic Data - How US Organizations can Lower Risk

Security
The 2014 Global Economic Crime Survey conducted by PwC shares a startling statistic about cyberattacks: “seven percent of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013, compared with three percent of global organizations; furthermore, 19 percent of U.S. entities reported financial losses of $50,000 to $1 million, compared with eight percent of worldwide respondents.”

Toxic Data

In other words, when attackers succeed against U.S. organizations, the losses are larger than those their peers elsewhere report. And if attackers are succeeding, there is no reason to think they will stop any time soon, especially given how much data a typical U.S. organization keeps. To an attacker, that data is money. To blunt these attacks, U.S. organizations need to reduce the “toxic” data they retain and protect what remains.

Handling Toxic Data

Toxic data is sensitive, private information that causes harm to the organization or its customers if it is stolen; payment card numbers are the classic example. Keeping this kind of data means you must protect it, and firewalls, data-loss-prevention products and the other standard controls are not preventing leaks on their own. There are, however, additional ways to handle toxic data, starting with keeping less of it.

Reducing Toxic Data

We dispose of anything “toxic” for safety reasons in the physical world. Shouldn’t it be the same for toxic data? Organizations should reduce the retention of toxic data because the more they have, the harder it is to protect. Fortunately, there are methods to reduce the amount of data held.

For example, some credit card processors offer end-to-end (point-to-point) encryption together with tokenization. The card number is encrypted at the payment terminal or in the processor’s checkout component and the merchant’s own systems receive only a token in its place, so the merchant never stores, processes or transmits cleartext cardholder data. A merchant using such a processor holds tokens that are meaningless outside the processor’s vault; an attacker who breaches the merchant’s systems finds no card numbers to steal. (The token must still be protected as a payment credential if it can be replayed for charges at that merchant, but it cannot be sold or used elsewhere.)

What about Hidden Toxic Data?

Retention controls only help with toxic data you know about, which in practice means the structured data in databases and applications. Users also generate unstructured data at a rapid pace, such as spreadsheets, documents and presentations, and those files can contain the same sensitive information. Worse, users share this unstructured, and sometimes toxic, data through cloud services outside the control (or awareness) of IT.
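The two points above, tokenization at the payment edge and discovery of card numbers that have leaked into unstructured files, can be seen together in one small program. The following is an added example written for this article; it is not code from the original post or from any payment processor. The vault, the merchant records, the spreadsheet text and the “settlement” role name are all constructed for illustration, and the card numbers are the well-known test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts.

```python
"""Tokenization vault plus a Luhn-validated PAN scanner (added example, constructed data)."""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the processor's vault: the only place a cleartext PAN is kept."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Format-preserving token: same length and last four digits as the PAN, so
        # receipts and customer lookups keep working; random leading digits; and the
        # token is rejected unless it FAILS Luhn, so it can never be mistaken for a
        # real card number and a PAN scanner will not flag it.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token: str, caller: str) -> str:
        # Assumed policy: only the processor's settlement role may recover a PAN.
        if caller != "settlement":
            raise PermissionError("detokenization denied for role %r" % caller)
        return self._pan_by_token[token]


def charge(vault: TokenVault, pan: str, amount_cents: int, merchant_db: list) -> str:
    """Merchant flow: the PAN is swapped for a token at the edge; only the token is stored."""
    token = vault.tokenize(pan)
    merchant_db.append({"token": token, "last4": pan[-4:], "amount_cents": amount_cents})
    return token


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text (a DLP-style discovery check)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def pans_in_records(records: list) -> list:
    """Scan every stored field as text: what an attacker dumping the merchant DB would find."""
    return find_pans("\n".join(str(v) for r in records for v in r.values()))


# Constructed export of a user's spreadsheet: a card number typed into a free-text note.
SPREADSHEET_EXPORT = """customer,note
Acme Ltd,"called re refund, card 4111 1111 1111 1111 exp 12/27"
Globex,"order INV-2024-000123 shipped"
Initech,"contact +1 555 0100"
"""


def demo() -> dict:
    vault, merchant_db = TokenVault(), []
    for pan, cents in (("4111111111111111", 1999), ("5555555555554444", 4250)):
        charge(vault, pan, cents, merchant_db)
    return {
        "pans_in_merchant_db": pans_in_records(merchant_db),   # [] : tokens only
        "pans_in_spreadsheet": find_pans(SPREADSHEET_EXPORT),  # the leaked card number
    }


if __name__ == "__main__":
    print(demo())
```

The scanner is the piece that addresses hidden toxic data: run it over file-share exports, mailbox dumps or cloud-storage sync folders and it finds card numbers that no retention policy on the payment database would ever see, while tokenized records come back clean because the tokens fail the Luhn check by construction.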

Because unstructured data grows so quickly, no set of access controls over it will be foolproof. Security teams can still reduce the risk of loss substantially by enforcing the least-privilege principle and applying access governance to the places where that data lives.

Using Data Access Governance

Organizations typically use access governance to annually certify access for users and their applications. Although these certifications are necessary to demonstrate compliance with least-privilege requirements, organizations should also use access governance to secure toxic data.

Access governance must expand to include certifications of access to both structured and unstructured data. The least-privilege principle should apply to data or information, regardless of how users access it.

To deliver least-privilege access to data, access governance technologies must extend to identifying entitlements to data stores, file shares and even data stored locally on laptops or personal devices.
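What an access certification for unstructured data looks like in practice, as an added example written for this article rather than code from the original post or from any governance product: expand the groups granted on each file share into individual users, flag grants to catch-all principals on shares that a discovery scan has marked as holding toxic data, and flag users whose entitlement has gone unused past a review window so the owner can revoke it. The group membership, share ACLs, list of toxic shares and last-access dates are all constructed inputs; the set of broad principals and the 90-day window are assumptions.

```python
"""Entitlement review for file shares holding toxic data (added example, constructed data)."""
from collections import defaultdict

# Constructed directory data: group -> direct members (users or nested groups).
GROUP_MEMBERS = {
    "Finance": {"alice", "bob", "Finance-Contractors"},
    "Finance-Contractors": {"dave"},
    "Domain Users": {"alice", "bob", "carol", "dave"},
}
# Principals that amount to "everyone"; a grant to one of these is never least privilege (assumed set).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed share ACLs: (share path, principal, right).
ACLS = [
    (r"\\fs01\Finance\PayrollExports", "Finance", "modify"),
    (r"\\fs01\Finance\PayrollExports", "Domain Users", "read"),
    (r"\\fs01\Marketing\Assets", "Domain Users", "read"),
]
# Shares a discovery scan has flagged as holding toxic data (constructed input).
TOXIC_SHARES = {r"\\fs01\Finance\PayrollExports"}
# Constructed access audit: (user, share) -> days since last access; absent means never seen.
LAST_ACCESS = {
    ("alice", r"\\fs01\Finance\PayrollExports"): 2,
    ("bob", r"\\fs01\Finance\PayrollExports"): 41,
    ("dave", r"\\fs01\Finance\PayrollExports"): 180,
}


def resolve_members(principal, groups, _seen=None):
    """Expand a principal to the users it contains, following nested groups."""
    if principal not in groups:
        return {principal}  # a user, or a built-in principal whose members are not enumerated
    seen = _seen if _seen is not None else set()
    if principal in seen:  # guard against membership cycles
        return set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= resolve_members(member, groups, seen)
    return users


def effective_access(acls, groups):
    """share -> user -> set of rights, after group expansion."""
    access = defaultdict(lambda: defaultdict(set))
    for share, principal, right in acls:
        for user in resolve_members(principal, groups):
            access[share][user].add(right)
    return access


def review(acls, groups, toxic_shares, last_access, stale_days=90):
    """Certification findings for toxic shares: broad grants, then stale per-user entitlements."""
    findings = []
    for share, principal, right in acls:
        if share in toxic_shares and principal in BROAD_PRINCIPALS:
            findings.append(("broad-grant", share, principal, right))
    access = effective_access(acls, groups)
    for share in sorted(toxic_shares):
        for user, rights in sorted(access[share].items()):
            days = last_access.get((user, share))
            if days is None or days > stale_days:
                findings.append(("stale-entitlement", share, user, ",".join(sorted(rights))))
    return findings


def drop_broad_grants(acls, toxic_shares):
    """Remediation step: remove grants to broad principals on toxic shares."""
    return [a for a in acls if not (a[0] in toxic_shares and a[1] in BROAD_PRINCIPALS)]


if __name__ == "__main__":
    for finding in review(ACLS, GROUP_MEMBERS, TOXIC_SHARES, LAST_ACCESS):
        print(*finding)
    print("after remediation:")
    for finding in review(drop_broad_grants(ACLS, TOXIC_SHARES), GROUP_MEMBERS, TOXIC_SHARES, LAST_ACCESS):
        print(*finding)
```

Running the review on the constructed data reports the catch-all read grant on the payroll share, a user (carol) who has access only through that grant and has never used it, and a contractor (dave) whose modify right has been idle for half a year. Removing the broad grant and re-running leaves only the idle contractor for the share owner to certify or revoke, which is the loop a governance program should run on file shares just as it already does on applications.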

While compliance motivates governance in general, compliance should not be considered security. Toxic data is a problem, but if organizations decrease the amount of toxic data they retain and guard access to both structured and unstructured toxic data, they will be less attractive targets, and attackers who do breach security will do less damage.

