{"id":14963,"date":"2014-06-13T18:18:21","date_gmt":"2014-06-13T18:18:21","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2027"},"modified":"2019-11-15T14:11:08","modified_gmt":"2019-11-15T12:11:08","slug":"the-three-ps-of-data-storage","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/the-three-ps-of-data-storage\/14963\/","title":{"rendered":"The Three Ps of Data Storage"},"content":{"rendered":"<p>In February of this year, the University of Maryland learned the hard way that keeping data can be more expensive than we think. When they were successfully breached and 287,000 student records were stolen, the University set aside $5 million to pay the cost of credit monitoring services for each victim. The worst part is, the school only needed 63,000 of those records. Afterwards they were able to purge 78% of what they had, but it didn\u2019t help much: The University was still liable for allowing the data belonging to all those individuals to fall into the wrong hands. So what can other organizations learn from this breach?<\/p>\n<p>First of all, we have to reconsider the way we\u2019ve been solving the data storage problem for the last ten years.<\/p>\n<p>For quite a while now, the cost of storing data has been low enough that we no longer had to make tough choices about what to delete. It has been preferable to keep any and all data that might possibly have value someday, and as marketing techniques have grown more sophisticated, more PII (Personally Identifiable Information) than ever before was (and is) being accumulated.<\/p>\n<p>However, when the default decision is to keep data rather than delete it, the company probably isn\u2019t factoring in <em>all<\/em> the costs of data security. While every IT person knows that cybersecurity is expensive, there aren\u2019t enough conversations happening about the liability cost of losing PII. 
It\u2019s unlikely that most marketing divisions \u2013 the ones primarily responsible for gathering the data \u2013 are considering such risk in their decision-making processes. The most probable reason the University of Maryland kept superfluous PII is either that someone decided there was no reason <em>not<\/em> to keep it or that no one made any decision at all. The data aggregated over time, and the risk of protecting it was never reassessed.<\/p><blockquote class=\"twitter-pullquote\"><p>\u201cIt\u2019s time to reconsider data storage and perhaps enforce a little cybersecurity education.\u201d \u2013 @cjonsecurity<\/p><\/blockquote>\n<p>It\u2019s time to reconsider our stance on data storage, and in the process, perhaps we can force a little cybersecurity education. One solution is to apply \u201cThe Three Ps\u201d to every data storage decision a company makes (at least about PII or valuable secrets). The choices are:<\/p>\n<ul>\n<li>Purge it<\/li>\n<li>Push it off-line<\/li>\n<li>Protect it<\/li>\n<\/ul>\n<p>Purging is the only option which costs nothing, so it should always be considered. The next best solution is to consider whether it can be stored off-line. As long as there\u2019s no active network or internet access to it, this can be an excellent solution for extremely sensitive information. When data owners insist that it stay online, at least they should acknowledge the risk. 
And when additional (expensive) security steps need to be taken to protect it, we can even consider charging those costs to the data owners\u2019 budget.<\/p>\n<p>Of course this tougher approach may be difficult for sales and marketing groups to swallow (typically the organizations who most aggressively accumulate PII). In order to educate them as swiftly as possible while provoking a speedy response, IT could send the following notice regarding valuable data that isn\u2019t being actively used:<\/p>\n<p><strong>Data Purge Notice<\/strong><\/p>\n<p>If action is not taken within 30 days, the IT department will presume the data listed below is no longer necessary, and <strong>IT will delete the data<\/strong>. As you know, significant costs are incurred by the company to maintain such data. The costs of both data protection and potential legal liability of keeping unnecessary data [which may be stolen] require the company to take a proactive approach to reducing costs by deleting all unnecessary data.<\/p>\n<p>Then, depending upon the response, the \u201cpushing off-line\u201d option could be offered. Even if the decision is to continue to protect the data in an accessible format, this whole conversation would be a step in the right direction. That is to say, towards a world where non-IT departments begin taking more responsibility for the risk levels they blithely expose the company to on a daily basis, and for which IT continues to be fully responsible.<\/p>\n<p><em>Cynthia James,<\/em> <em>Global Director of Business Development, CISSP, spoke in April about the University of Maryland breach in her talk \u201cTakeaways from Higher Education Breaches\u201d at the ISOC Conference for University Systems of Georgia in Savannah.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s time to reconsider our stance on data storage, and in the process, perhaps we can force a little cybersecurity education. 
One solution is to apply \u201cThe Three Ps\u201d to every data storage decision a company makes (at least about PII or valuable secrets). <\/p>\n","protected":false},"author":392,"featured_media":12476,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[282,189,263],"class_list":{"0":"post-14963","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-data-security","11":"tag-data-storage"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/the-three-ps-of-data-storage\/14963\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/the-three-ps-of-data-storage\/14963\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/the-three-ps-of-data-storage\/14963\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/14963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/392"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=14963"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/14963\/revisions"}],"predecessor-version":[{"id":24994,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/14963\/revisions\/24994"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/12476"}],"wp:attachment":[{"href":"htt
ps:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=14963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=14963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=14963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}