IDC Names Securiti a Worldwide Leader in Data PrivacyView
Data breeds growth and, most importantly, innovation. How does Generative AI (GenAI) do all the wonders? It is the data- the crown jewel that makes machines talk human language but in a smarter way.
But, when data is left unchecked, it can pose significant risks to organizations. Studies estimate that many large enterprises spend as much as $34 million dollars on redundant, obsolete, and trivial (ROT) data that could safely be deleted.
Useless business data doesn’t cost organizations only money. It puts them at risk of operational inefficiency, unauthorized access, data breaches, and legal penalties, particularly due to prolonged data retention.
Organizations are now shifting from a “collect it all” to a more proactive approach, i.e., Data Minimization, to address this challenge. The approach involves more than just reducing ROT data.
Continue reading to learn more about ROT data and how data reduction helps eliminate ROT to reduce attack surface and cost.
Reducing ROT data is crucial for businesses aiming to bolster their data security posture and streamline data management practices.
The acronym (ROT) encapsulates Redundant, Obsolete, and Trivial data. ROT is any piece of information that organizations continue to retain even after it has served its purpose or has no operational or legal value. To put things into perspective, it is estimated that over one-third of the data that organizations store is either Dark or ROT.
Dark data may be useful to an organization but hasn’t been used to its maximum potential for any decision-making or operational task. It is called Dark Data because the organization doesn’t know what information it is that exists in its environment.
Whereas ROT is concerned, it refers to:
Redundant Data: When redundant data is mentioned, it gives the idea of data that is used for backup or recovery purposes. However, it is not redundant data since it is useful. The R in ROT refers to the unnecessary or purposeless duplication of data. Redundancy is one of the primary causes of ROT accumulating in an organization’s environment.
One example of redundant data is an employee handbook that may exist in different directories across a corporate server.
Obsolete Data: Organizations accumulate data over time and retain even older data for later use, such as compliance or audit. However, most data tends to lose its value over time. Hence, data that is no longer required or that is replaced with an updated version is referred to as obsolete data.
Imagine a manufacturing company has stored some product designs that it no longer produces. Eliminating outdated designs that aren’t required anymore may save storage space if deleted.
Trivial Data: As the name suggests, any piece of information that has no value to the business is called trivial data. For instance, brainstorming notes or casual ideation sessions that are no longer required can be deemed trivial.
ROT data doesn’t accumulate in an organization’s environment overnight. It racks up somewhere in the databases, on-premise data servers, or cloud storage over time because of the assumption that the “data might be beneficial in the future.” However, it is imperative to understand that retaining ROT is detrimental to businesses in numerous ways.
Depending on an organization, the cost of a breach may be minimal, but the cost of a tarnished market reputation and deteriorated customer trust may be fairly significant.
Data retention is one of the core provisions among numerous data privacy laws across the globe. Take, for instance, the European Union’s General Data Protection Regulation (GDPR), which requires that organizations should delete personal data that has served its purpose and is no longer required. Similar data retention provisions can be found in the US privacy laws, such as the Consumer Privacy Rights Act (CPRA).
Similarly, the Health Insurance Portability and Accountability Act (HIPAA) also has a data retention policy. HIPAA requires that an individual’s personal health information (PHI) can only be retained for at least six years.
ROT also incurs high risk in terms of data security. According to a global study, organizations are forecasted to spend a whopping £1.30 trillion on cybersecurity by 2025. Data protection requires using numerous security tools, such as DSPM for data security, CSPM for cloud security, etc. When organizations keep unnecessary data, an unnecessary amount of cost also goes into protecting and managing it.
These risks underscore the significance of leveraging a robust data minimization strategy. By actively minimizing unnecessary data, organizations can proactively reduce the attack surface, streamline their compliance efforts, and focus their resources and costs on managing only the required data.
Security professionals face many challenges in cybersecurity. It all starts with the lack of understanding of what data exists in the environment and where it is. When organizations indiscriminately accumulate high volumes of data, it is difficult for security teams to discover, manage, and protect the data.
As data exists in large volumes and different formats, it increases threat surfaces, opening backdoors to malware attacks, ransomware attacks, insider threats, unauthorized access, and data breaches. This situation can best be handled with a data minimization strategy.
In its simplest definition, data minimization restricts data collection, storage, analysis, and processing to what is necessary or useful. It should be discarded if data isn’t useful or no longer serves any purpose. However, distinctions in some aspects may arise when the term is explored under the separate lenses of security and privacy.
The Data Minimization requirement is defined under most of the data privacy laws across the globe. Take, for instance, the European Union’s General Data Protection Regulation (EU GDPR).
Under Article 5 of the regulation, organizations must adhere to six principles for processing personal data. Among those six, two provisions explicitly talk about minimization and retention.
“Personal data shall be:
Similarly, the United State’s California Privacy Rights Act (CPRA) also prohibits businesses from collecting data that has served its purpose and is no longer required. Section 1789.100 states, “A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
In privacy, data minimization starts much earlier during data collection. It helps organizations streamline their data management and compliance efforts by defining clear purposes and establishing retention and sharing policies.
Traditionally, data minimization is seen as a core component of data privacy and responsible data management practices. However, data minimization can equally be considered a critical imperative in fighting against the ever-growing cyber threats.
In the context of cyber security, data minimization, or data reduction, is the practice of identifying and reducing unnecessary (ROT) data and enforcing retention policies and controls. By limiting the data to what is necessary for business objectives, data minimization helps reduce potential attack surfaces that may lead to unauthorized access or misuse of sensitive data.
Data minimization has gained more traction as new technologies surface and, along with them, new attack surfaces. Take, for instance, Generative Artificial Intelligence (GenAI). The disruptive technology has introduced new cybersecurity risks that, if not handled appropriately, may result in data breaches, financial damages, and loss of customer trust.
The strategy adopts the concept of quality over quantity. This approach helps streamline data management efforts and limits the data footprints that may attract threat actors. Apart from risk reduction, it also helps reduce security efforts. It means fewer data systems to monitor for security, less data to classify, and no need to manage access to those systems.
On the financial front, minimization significantly contributes to cost savings. Take, for instance, multicloud environments. Data reduction helps organizations reduce their storage expense since the less data they have, the less storage space it would require. Similarly, ROT data minimization also reduces the complexity that organizations usually have to deal with data transfers and interoperability.
Discover and reduce redundant, obsolete, and trivial (ROT) data while minimizing accidental data loss with Data Security Posture Management- an integrated module within Securiti Data Command Center.
The Data Command Center enables organizations to discover all the native and shadow data assets and classify sensitive data accurately, enabling teams to efficiently operationalize their data minimization strategy.
Here’s how a Data Command Center helps you streamline your data minimization efforts:
Interested in learning more? Request a demo now to see how Securiti can help you minimize ROT data for enhanced data protection.