Before we can discuss how to reduce information security risks, we have to discuss how we increase them. Once we recognize the ways our own actions raise our security risk, we can decide whether a given risk is worth the effort and expense of mitigation and plan accordingly. Companies and their employees are often unaware of the common and simple causes of increased data protection risk, and they try to improve security before understanding what creates the risk in the first place. Just as cooking without a recipe leads to inconsistent results, risk mitigation without a threat and vulnerability analysis leads to an incomplete mitigation plan.
Since threats and attack methods change constantly, staying fully aware of all of them is an ongoing challenge, but one worth the discussion and understanding it takes to keep security risks under control.
The Identity Diet concept introduced Identity Obesity, also referred to here as data obesity: the excessive and unnecessary collection, retention, and sharing of data by individuals and companies. Data obesity has many consequences, including higher data protection costs, reduced credibility, and non-compliance with regulations and business contracts. The five habits below are the most common causes.
1. Collecting excessive and unnecessary data is a sure way to increase data security risk without any reward. Many companies collect data without first assessing its value to the organization. Not all data are created equal; when the value of a data element is lower than the cost and risk of holding it, management should question whether it is worth collecting at all.
2. Data duplication is another way companies become data obese. Whether the copies are databases or documents, more of the same is not always a good thing: every copy is one more place the data can leak from and one more place it must be protected.
3. Flawed business processes also increase risk exposure. For example, some companies take in their customers' credit card information for in-house processing when they could engage a third-party card processor and avoid collecting card data altogether. This simple change often reduces compliance scope and cost as well (for payment cards, the scope of PCI DSS).
4. When companies retain data longer than the law, business requirements, or contractual agreements require, they increase both their data protection risk and their cost.
5. Last but not least, companies may share their data unnecessarily, internally or externally, for example with sub-contractors, or unknowingly through shared folders. This too increases a company's exposure.
Mitigating the risks above starts with awareness, education, and training programs, but only after the threats have been enumerated so that a complete vulnerability assessment can be performed. The resulting plan should then address data collection analysis and approval, business process reviews, data retention schedules, data encryption, restrictions on data transfer and duplication, data destruction methods, and periodic access reviews.
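As an added illustration of two of those controls, collection approval and a retention schedule, the following Python script is example code written for this page, not part of the Identity Diet material. It assumes a hypothetical schedule (RETENTION_DAYS), a hypothetical list of fields the business has no approved reason to hold (UNAPPROVED_FIELDS), and a small constructed set of records; it flags records past their retention date for destruction, records holding unapproved fields for minimization, and records in categories no schedule covers for collection review.

```python
from datetime import date, timedelta

# Hypothetical retention schedule: data category -> maximum retention in days.
# Real values come from law, contracts and documented business need.
RETENTION_DAYS = {
    "order": 7 * 365,
    "marketing_consent": 2 * 365,
    "support_ticket": 3 * 365,
}

# Hypothetical: fields this business has no approved reason to collect or keep.
UNAPPROVED_FIELDS = {"card_number", "card_cvv", "ssn"}

# Constructed sample records for the example (not real data).
SAMPLE_RECORDS = [
    {"id": "r1", "category": "order", "created": date(2015, 3, 1),
     "fields": {"customer_id": "c9", "total": "41.20"}},
    {"id": "r2", "category": "order", "created": date(2023, 6, 15),
     "fields": {"customer_id": "c2", "total": "12.00",
                "card_number": "4111111111111111", "card_cvv": "123"}},
    {"id": "r3", "category": "marketing_consent", "created": date(2021, 1, 10),
     "fields": {"email": "a@example.com"}},
    {"id": "r4", "category": "employee_badge_photo", "created": date(2024, 2, 2),
     "fields": {"photo": "<bytes>"}},
]


def retention_expiry(category, created):
    """Date after which a record of this category must be destroyed.

    Returns None when the category has no approved schedule, which is itself
    a finding: data is being collected without an approved retention period.
    """
    days = RETENTION_DAYS.get(category)
    if days is None:
        return None
    return created + timedelta(days=days)


def review_records(records, today):
    """Classify records against the schedule and the approved-field list."""
    purge = []            # past retention: schedule destruction
    unapproved = {}       # record id -> fields that should never have been collected
    unknown_category = [] # no schedule: collection needs analysis and approval
    for rec in records:
        expiry = retention_expiry(rec["category"], rec["created"])
        if expiry is None:
            unknown_category.append(rec["id"])
        elif expiry < today:
            purge.append(rec["id"])
        bad = sorted(set(rec["fields"]) & UNAPPROVED_FIELDS)
        if bad:
            unapproved[rec["id"]] = bad
    return {"purge": purge, "unapproved": unapproved,
            "unknown_category": unknown_category}


def minimize(record):
    """Return a copy of the record with unapproved fields removed."""
    return {**record,
            "fields": {k: v for k, v in record["fields"].items()
                       if k not in UNAPPROVED_FIELDS}}


def apply_schedule(records, today):
    """Drop expired records and strip unapproved fields from the rest.

    Records in unknown categories are kept but untouched so that a human
    decides whether to approve the collection or stop it.
    """
    findings = review_records(records, today)
    kept = []
    for rec in records:
        if rec["id"] in findings["purge"]:
            continue
        kept.append(minimize(rec))
    return kept


if __name__ == "__main__":
    today = date(2024, 9, 1)
    for name, value in review_records(SAMPLE_RECORDS, today).items():
        print(f"{name}: {value}")
    print("retained:", [r["id"] for r in apply_schedule(SAMPLE_RECORDS, today)])
```

In a real deployment the schedule and the approved-field list would be maintained by the data owners, and the purge list would feed a destruction process with its own audit trail; the point of the script is only that both checks are mechanical once the schedule exists, which is why the schedule has to be written down first.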