In a year full of data breaches, ransomware, and phishing, now is a good time to put things into perspective and perhaps rethink data security for the coming year. The fact is, all cybersecurity is created equal, and not all breaches equally impact a business.

Consider a warehouse full of sparkling jewels and stacks of money in bundles in plain sight. Suddenly, that single lock on the front door becomes as easy to cut as cooked spaghetti. If the warehouse were empty, that lock is probably sufficient. And if someone does breach the lock on an empty warehouse, well, they’ve got an empty warehouse to roam. Little harm done.

Cybersecurity is the same

It’s not always about building a fortress – sometimes it is about minimizing what there is to protect in the first place.

For hackers, data is the same as bundles of money stacked in a warehouse. Data is currency. Keeping too much in plain sight and stored incorrectly is called “data toxicity,” Erick Dahan, a cybersecurity specialist in Montreal, told Smarter MSP. Personally identifiable information (PII) is the Holy Grail for hackers.

“Keeping too much PII in the wrong places is putting your organization at risk when there is a breach,” Dahan advises. “This is stuff that should not have been kept in the first place,” he says of the copious amounts of PII many businesses collect.

Dahan warns that privacy regulations and fines will only get more strict, so this will be an area of cybersecurity that falls under increased scrutiny.

Technologist Bruce Schneier addressed data toxicity in a prescient article from 2016 in the wake of some high profile data breaches:

And because the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever. Figuring out what isn’t worth saving is hard. And because someday the companies might figure out how to turn the data into money, until recently there was absolutely no downside to saving everything. That changed this past year.

What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous.

What MSPs must consider

Saving data is cheap until it becomes such a target that it transforms into an expensive liability. Deciding what to retain and what to get rid of is increasingly complicated. Here are five things MSPs should be considering when it comes to clients and PII as we close out the year:

    • Conduct annual PII inventories and audits: The beginning of a new year is a great time to do this. How much of it do you need? Do you have to save the insurance data from a one-time customer for 12 years ago? Probably not. Data hoarding isn’t much different hoarding other items. If you haven’t used an old lampshade in three years, you will probably be safely getting rid of it. Data is a little different because health, home, and tax information does need to be saved for a long time, but some data doesn’t, and that is what an audit will determine.
    • Harvest data into air-gapped or off-site silos: This doesn’t solve all the problems because, after all, you are still the custodian of the data, and storing it in any capacity is an inherent liability. However, data that is not connected to the world’s cyber ecosystem is inherently safer than data that is. Still, data that is not in electronic format at all, but in physical paper format is, obviously, safe from hackers (but not burglars). So you have to evaluate the threat from hackers or burglars, but it is ironic that the throwback of paper may be the safest harbor.
    • Know the Law – Each Year: In 2020, at least 38 states, Washington, D.C., and Puerto Rico introduced or considered more than 280 bills or resolutions that deal significantly with cybersecurity. Some of the areas receiving the most legislative scrutiny include governmental preparedness, higher penalties for cybercrimes like ransomware, regulating cybersecurity in the insurance industry, and mandatory cyber education programs. Overlay this with dozens of different task forces (state and federal), panels, and working groups, and you have a hive legislative activity. And this is just the United States. Similar legislative changes are afoot everywhere, and knowing the law becomes more and more crucial. Harvesting some data may become more than an unwieldy liability; it is increasingly becoming illegal.
    • Encrypt, Encrypt, Encrypt: Data that is not usable is useless to hackers. For hackers, time is money. Just like most burglars in a home invasion are after quick cash and jewels and will likely bypass a fortified safe, hackers will go after the low-hanging fruit. Hackers would far rather deal with sloppily stored unencrypted data. You’d be surprised how many companies carelessly keep credit card numbers and other PII. MSPs need to monitor their clients’ PII habits and make managing it a part of any service package and that means extensive, sensible encryption.
    • Limit collection: With the ever-increasing web of laws and the constant threat of hackers, MSPs should encourage clients to evaluate how much PII they need to collect in the first place. If there is a work-around to collecting a social security number, consider doing so. Does a client need to keep payment information stored? Just because a business does something a certain way and has been doing it that way for as long as they can remember, doesn’t mean it has to be done that way moving forward. Look for innovative ways to replace legacy data collection methods. Ultimately, by limiting the amount of data your clients collect, their appeal to hackers diminishes.

By following the aforementioned steps and re-thinking the handling of PII, MSPs can help their clients be more prepared in the coming year to protect the security of their data.

Photo: igorfrontier / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *