16 Years of Data Lost - Retention Policy, Please?
8-14-2023 (Monday)
Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, August 14, 2023 and while there’s a lot going on in the world of cyber risk, we’re going to focus a bit more tactically on some steps that you can take to reduce the impact of an incident - a hard-earned lesson from the Colorado Department of Higher Education.
16 Years of Data - Lost. Retention Policy, Please?
News broke last week of an incident out of Colorado. As details have become clearer, the Colorado Department of Higher Education “warns students that the impact of the breach reaches across programs, from public schools to adult education initiatives, over a 16 year time period.”
The official Notice of Data Incident has now been made, and it’s bad. The Department notes “some of the impacted records include names and social security numbers or student identification numbers, as well as other education records” and includes “those that attended a public institution of higher education in Colorado between 2007-2020” as well as those who “attended a Colorado public high school between 2004-2020.”
We’re talking millions of records about kids, and the offer is two years of Experian credit monitoring, which just drives me nuts. We’ve seen attacks on education rise significantly, with researchers this week noting that “more K-12 districts have been impacted this year than the whole of either of the two previous years” — and we’ve got nearly 5 full months to go this year.
Let’s be clear about this: ransomware continues to be an epidemic, and it’s being driven by two factors:
1: Threat actors live in geographies where they won’t face repercussions for their actions (largely Russia); and
2: Companies and institutions remain vulnerable to the types of commodity attacks these threat actors use to gain access and steal (or encrypt, or both) data.
We can’t control number one, obviously, but we can control number two. I spend a lot of time talking about the things that make a difference in defending against this threat (including having a vulnerability management and patching program, robust Identity & Access Management capabilities, solid email defenses, etc.). Plenty of these recommendations were reiterated last week by the Cyber Safety Review Board around the Lapsus$ attacks (which you should also read).
But the thing that we don’t spend enough time talking about is data retention. As the cloud was becoming a viable option 10 or so years ago, we were hearing about how “data is the new oil” - but in the last few years, I’ve seen commentators framing this as “data is the new uranium.”
What do they mean? They mean that data has become a powerful, but also potentially dangerous substance, and the danger comes in this exact form - you keep all the data you can because it’s cheap to acquire, cheap to store, and there’s a possibility that it might be somehow useful in the future.
Let’s be honest with ourselves: it’s probably not going to magically become useful someday if it’s not useful to us today. Most organizations are still struggling to derive actual value from “big data” - and the answer to unlocking value isn’t to have “more data” - because more data just means more to manage, and more that can be lost in an incident like this.
I’m not saying there aren’t organizations that genuinely need to build and retain large data sets, but for those that do, some segregation, segmentation, and off-line, long-term storage would really go a long way.
For the rest of us, let’s put practical Data Retention policies in place, work with the business to understand their uses of and need for data, and purge the rest. Maybe this is 30 days, 90 days, or 1 year, but it’s hard to imagine needing to keep sensitive data that’s more than 1 or 2 years old readily accessible. By all means, keep what you need, but if you don’t know why you’re keeping it, pitch it.
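To make the “keep what you need, purge the rest” step concrete, here is an added example of what a retention sweep can look like in code. It is not from the original post or from any Colorado system; the data classes, the retention windows, the record fields and the sample records are all constructed for illustration. The idea it demonstrates is the one above: every class of data gets an explicit window, anything past that window is queued for purge (or for the off-line archive, for organizations that truly need it), records under legal hold are never touched, and data of a class nobody has defined a policy for is flagged for review rather than silently kept forever.

```python
from dataclasses import dataclass
from datetime import date

# Retention windows in days per data class. These values are constructed for the
# example; a real policy comes from working with the business and legal/records teams.
RETENTION_DAYS = {
    "transcript": 365 * 2,  # education records: readily accessible for 2 years
    "student_id": 365,      # student identification numbers: 1 year
    "ssn": 90,              # social security numbers: 90 days after last use
}


@dataclass(frozen=True)
class Record:
    """One stored item of personal data (constructed shape for the example)."""
    record_id: str
    data_class: str
    last_used: date          # last time the business actually used this record
    legal_hold: bool = False  # records under litigation hold are exempt from purge


def classify(record: Record, policy: dict, today: date) -> str:
    """Return 'keep', 'purge' or 'review' for a single record.

    - legal hold always wins, regardless of age
    - a data class with no policy entry is sent to 'review': the absence of a
      rule is a gap to close, not permission to keep the data indefinitely
    """
    if record.legal_hold:
        return "keep"
    window = policy.get(record.data_class)
    if window is None:
        return "review"
    age_days = (today - record.last_used).days
    return "purge" if age_days > window else "keep"


def plan_retention(records: list, policy: dict, today: date) -> dict:
    """Group record ids into keep / purge / review buckets for a dry run.

    The plan is produced first and acted on separately, so the purge list can be
    reviewed (and logged) before anything is deleted or moved off-line.
    """
    plan = {"keep": [], "purge": [], "review": []}
    for record in records:
        plan[classify(record, policy, today)].append(record.record_id)
    return plan


def summarize(plan: dict) -> dict:
    """Counts per bucket, the numbers a retention review would want to see."""
    return {bucket: len(ids) for bucket, ids in plan.items()}


# Constructed sample records, deliberately spanning dates like those in the notice
# (2004 to 2020) alongside recent ones, as seen on the day of this post.
TODAY = date(2023, 8, 14)
SAMPLE_RECORDS = [
    Record("r1", "transcript", date(2022, 9, 1)),                 # recent: keep
    Record("r2", "transcript", date(2007, 6, 1)),                 # 16 years old: purge
    Record("r3", "ssn", date(2023, 6, 1)),                        # 74 days: keep
    Record("r4", "ssn", date(2020, 5, 1)),                        # stale SSN: purge
    Record("r5", "ssn", date(2004, 6, 1), legal_hold=True),       # hold: keep
    Record("r6", "test_scores", date(2010, 1, 1)),                # no policy: review
]

if __name__ == "__main__":
    plan = plan_retention(SAMPLE_RECORDS, RETENTION_DAYS, TODAY)
    for bucket, ids in plan.items():
        print(f"{bucket:>6}: {ids}")
    print("summary:", summarize(plan))
```

Running it as a dry run against the constructed records queues the 2007 transcript and the 2020 social security number for purge, keeps the recent records and the one under hold, and flags the undefined “test_scores” class for review. The deliberate split between planning and acting is the point: the purge list is something the business signs off on, and the “review” bucket is how you discover data you are keeping without knowing why.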
Otherwise, you’re just setting yourself up for a situation like the one in Colorado, where millions of kids - who are now adults - have their educational records and personal information stolen - some nearly 20 years after graduation.
Let’s not keep doing this to ourselves, or to each other.
Fundraising
From a fundraising perspective, a decently strong week totaling $11.4B, led by Blackstone’s $7.1B raise for their third energy transition credit fund.
Rumors are swirling that funds are targeting some record numbers with their next funds (I’m looking at you Oaktree, with that $18B private credit fund) - but we don’t count these numbers until they’re committed and announced.
Remember, August is a slow month in finance, both in the US and Europe. What we’re seeing now is just the prelude to the sprint to the end of the year, which starts up here after the Labor Day holiday. Stay tuned!
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.
Links
https://infosec.exchange/@brett/110854293872070518
https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf