Imperva warns Australian enterprises to work towards reducing their data footprint in response to the Privacy Act Review Report.
A series of high-profile breaches in the second half of 2022, affecting millions of Australian citizens, prompted government authorities to review the Privacy Act 1988. The government increased the maximum penalties for data breaches from AUD $2 million to AUD $50 million.
Implementing all 116 transformative proposals would mark the most significant overhaul of the country's privacy and data protection landscape since the inception of the Australian Privacy Principles.
Reinhart Hansen, Director of Technology, Office of the CTO, says: "Companies that start eliminating unnecessary data from their environments now will gain a distinct advantage in responding promptly once all changes are finalised."
Previous research from Imperva found that the predominant data type that cybercriminals are stealing is Personally Identifiable Information (PII), which comprised 42.7% of data.
Hansen continues: "In the context of data breaches, leaked information frequently dates back decades and lacks any valid reason for organisational retention. As data privacy regulations become more stringent and data storage costs rise, reducing data footprint has taken precedence in many organisations."
"Proactively identifying and eliminating unnecessary data reduces operational security and business risk by minimising organisational exposure to breaches. In addition, it also reduces costs and financial penalties and strengthens data security."
Yet, navigating this path to streamlined data presents a challenge for many. Imperva notes that the expansive data landscape in modern enterprise environments makes it difficult to determine where to begin and what to prioritise.
In many cases, valuable data originates from an organisation's customers (service consumers) and begins its journey as structured data within a database.
Imperva affirms that organisations must intensify their efforts in securing and monitoring data at this early stage in the data lifecycle. However, attention often turns to the data only after it has moved from controlled environments into unstructured formats and spread rapidly through the enterprise.
A recent Gartner survey found that half of the respondents witnessed a 25% increase in the volume of unstructured data between January 2022 and January 2023.
"There's a shift in focus towards unstructured data, as businesses often have little insight into what risk exposure this type of data presents. If an organisation cannot manage this data type today, the problem will grow exponentially," says Hansen.
"By connecting unstructured data sources, businesses can gain a credible inventory and discover hidden data that could put their organisation at risk."
Imperva has suggested specific steps organisations can take to have a more comprehensive and effective data-centric security ecosystem.
Data discovery and classification: Categorising data by its sensitivity, business criticality, and relevance lets organisations identify and tag data for deletion or offloading.
Doing so reduces the overall data risk footprint and drives down the cost of storing and retaining data that no longer serves a purpose.
Data masking: Organisations can mitigate risks by replacing production data sets with masked and tokenised versions of the sensitive data that retain the original semantics and are equally helpful for development teams in non-production environments.
This process involves creating a realistic but fake version of organisational data to protect sensitive information while providing a functional alternative when real data is unnecessary.
Unified data environment: A centralised data protection environment will streamline data management processes, enhance security and privacy measures, and ensure that policies are applied to data regardless of its type (structured or unstructured) or location (on-premises and/or cloud). Imperva says this ultimately leads to improved efficiency and reduced total cost of ownership.