Out of the Shadows: Why it’s Time to Shine a Light on Unmanaged Data

Organisations can’t protect what they can’t see. So increasing blind spots are extremely concerning, reports Phil Muncaster

Despite the tens of millions UK companies spend on cybersecurity, breach volumes continue to rise. According to the UK government’s most recent assessment, 70% of mid-sized firms and even more (74%) large businesses suffered an incident over the past 12 months, up from 59% and 69% the year before. When it comes to data breaches, there’s more bad news: the costs associated with detection, response and also, lost business, are on the rise.

According to the latest IBM study, data breach volumes surged 10% annually globally and 5% in the UK. A big part of the challenge, it reveals, is shadow data.

Why are breach costs escalating?

Now in its 19^th year, the IBM Cost of a Data Breach report is one of the longest-running studies of its kind into the causes of (and potential mitigations for) rising breach costs. This year’s report is based on analysis of over 600 organisations impacted by data breaches and interviews with more than 3,500 executives. The global average cost now stands at nearly $4.9m (£3.8m), or $4.5m (£3.6m) in the UK. It rises much higher in some sectors, like healthcare ($9.8m), finance ($6.1m), industrial ($5.6m) and tech ($5.5m).

Another caveat is that these numbers are calculated only from breaches of between 2100 and 113,000 compromised records. So-called ‘mega breaches’ of over one million records are rarer and treated separately. Incidentally, these costs also rose, especially for the most significant incidents (50-60 million records), which increased by 13% annually.

“If the link is lost with this ‘metadata’ about what has now become shadow data, its value and credibility become too much in doubt, and control over its integrity is an unknown” Alan Rodger

The question is, why are costs surging across the board? IBM mentions several factors. Most directly, the increases can be explained by a rise in the cost of lost business, including operational downtime and lost customers. And also by an increase in the cost of post-breach response, such as staffing customer service help desks and paying higher regulatory fines. Dig deeper, however, and the report suggests other factors, including the growing complexity of IT systems, security skills shortages and supply chain risks. Looming large over these is a fourth consideration: shadow data.

According to the report, over a third (35%) of studied breaches involved data outside of the control of the IT or security department. The average cost of these breaches was $5.3m (£4m), over 16% higher than the average across all incidents. Breaches involving shadow data also took 26% longer to identify and 20% longer to contain, on average. The report claims that the longer it takes to discover and contain an incident, the more expensive and damaging it will be.

The shadow data challenge

Shadow data is any data that’s created, stored or shared without being formally managed or governed by relevant IT teams. That’s a risk, as it means the data will likely not be secured or managed in line with compliance requirements, argues Bloor senior analyst, Alan Rodger.

“Both data management and security are applied most readily to structured data. There are various best practices and regulatory responsibilities for some data types, such as classifying data. This can include identifying whether it is personally identifiable information about a private individual. Also, recording the agreed basis for holding the information,” he tells Assured Intelligence.

“But if structured data is migrated to some unstructured types of content, there’s a chance it is out of reach of such formalised management. Examples include spreadsheets, local copies of databases (e.g. for marketing or test data), emails, and presentations. This is yet more likely to be true of backups of any of these, for which the organisation is just as responsible and accountable.”

The growing use of AI in enterprise settings also presents shadow data risks. If corporate data is ingested into ‘public’ tools like ChatGPT when users include it in their prompts, it becomes almost impossible to track, manage and secure, Rodgers argues.

Into the light

In order to turn shadow into managed data, organisations must know its provenance, who is accountable for it, why the organisation is holding it and if it’s still valid, says Rodger.

“If the link is lost with this ‘metadata’ about what has now become shadow data, its value and credibility become too much in doubt, and control over its integrity is an unknown. In terms of provable validity, the data becomes ‘rogue’,” he explains.

However, there are things that organisations can do to shine a light on these blind spots, starting with behavioural controls backed by senior leadership.

The global average cost of a data breach now stands at nearly $4.9m (£3.8m)

“Training in best and advisable practice is an essential foundation. Anyone working with corporate data must be educated and sign up to agree that they’ve been trained, with periodic repeats of this education and user assertion,” says Rodger. “The training must be backed by policies mandating best and advisable practice, with a broad applicability across all types of data, in all situations. Behaviour that is contrary to these policies must be treated in a disciplinary context – the ethos is that abuse of data has consequences that are as serious as financial wrongdoing.”

Technology controls can also be helpful here, including Data Security Posture Management (DSPM) tools, which extend the capabilities of governance and data loss prevention (DLP) offerings. Forrester VP and principal analyst, Andras Cser, adds that encryption, SaaS security posture management (SSPM) and cloud security posture management (CSPM) can also help.

“However, we see governance processes for data onboarding, protection and retention as the starting point,” he tells Assured Intelligence. “That means mapping out document types and file extensions, using DLP tools to filter for credit card numbers, and understanding typical document relationships. It also requires understanding typical pathways of document movements to business partners and detecting anomalously large or small data volume movements.”

Time to protect

However, once you’ve discovered and classified all the data in the organisation, a decision needs to be made on what level of protection to apply. This will depend on the organisation, its risk appetite and the type of data it is.

“At the base of the protection ‘stack’, data encryption is still a basic barrier to data being compromised or misused,” explains Bloor Research’s Rodger. It’s a point validated by the IBM report’s findings. According to the study, encryption could save an average of $243,914 on the average breach cost – one of the top five most significant savings of any security control. Data security and protection software could reduce breach costs by $166,600 on average.

There are other benefits to shining a light on shadow data. It’s not just about reducing associated cyber and compliance risks. With more data to run through AI and analytics tools, organisations will arguably get more accurate and valuable insight to make business decisions. That, in turn, should light the way to cost savings, agility and sustainable growth. It’s time to step out of the shadows.