Australian enterprises need to trim their data to minimize risk

Imperva has warned that Australian enterprises need to swiftly understand their data footprint and work towards reducing it in response to the Privacy Act Review Report.

A series of high-profile breaches in the second half of 2022, affecting millions of Australian citizens, prompted government authorities to review the Privacy Act of 1988 and increase the maximum penalties for data breaches from AU$2m to AU$50m.

Implementing all 116 transformative proposals would mark the most significant overhaul of the country’s privacy and data protection landscape since the inception of the Australian Privacy Principles.

“Companies that start eliminating unnecessary data from their environments now will gain a distinct advantage in responding promptly once all changes are finalized,” says Reinhart Hansen, Director of Technology, Office of the CTO at Imperva.

Previous research from Imperva found that the predominant data type that cybercriminals are stealing is Personally Identifiable Information (PII), which comprised 42.7% of data taken.

“In the context of data breaches, leaked information frequently dates back decades and lacks any valid reason for organizational retention. As data privacy regulations become more stringent and data storage costs rise, reducing data footprint has taken precedence in many organizations. Proactively identifying and eliminating unnecessary data reduces operational security and business risk by minimizing organizational exposure to breaches. In addition, it also reduces costs, financial penalties, and strengthens data security.”

Yet, navigating this path to streamlined data presents a challenge for many. The expansive data landscape in modern enterprise environments makes it difficult to determine where to begin and what to prioritize. In many cases, valuable data originates from an organization's customers (service consumers) and begins its journey as structured data within a database.

It is at this early stage in the data lifecycle that organizations must intensify their efforts to secure and monitor data. However, attention often turns to the data only after it has left these controlled systems for unstructured formats and spread rapidly across the enterprise.

A prime challenge that organizations confront in their privacy initiatives is safeguarding unstructured data – emails, messages, and conversation transcripts. A recent Gartner survey found that half of the respondents witnessed a 25% increase in the volume of unstructured data between January 2022 and January 2023.

“There's a shift in focus towards unstructured data, as businesses often have little insight into what risk exposure this type of data presents. If an organization cannot manage this data type today, the problem will grow exponentially. By connecting unstructured data sources, businesses can gain a credible inventory and discover hidden data that could put their organization at risk.”

Here are some specific steps organizations can take to have a more comprehensive and effective data-centric security ecosystem.

Data discovery and classification: Many organizations are undertaking large-scale data classification projects to ensure that valuable information stored in shadow databases is accounted for and maintained. By categorizing data according to its sensitivity, business criticality, and relevance, organizations can identify and tag data for deletion or offloading. The net outcome is a smaller overall data risk footprint and lower storage and retention costs for data that no longer serves a purpose.

Data masking: In pursuit of efficiency and innovation, development teams testing applications often spread sensitive production data into non-production and staging environments. This significantly increases the risk of both data breaches and non-compliance with data privacy obligations. Organizations can mitigate these risks by replacing production data sets with masked and tokenized data that retains the original semantics and is equally useful to development teams in non-production environments. This process creates a realistic but fake version of organizational data that protects sensitive information while providing a functional alternative wherever real data is unnecessary.

Unified data environment: A centralized data protection environment streamlines data management processes, enhances security and privacy measures, and ensures that policies are applied to data regardless of its type (structured or unstructured) or location (on-premises or cloud). This ultimately leads to improved efficiency and reduced total cost of ownership.
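To make the data discovery and classification step and the data masking step above concrete, here is an added Python example. It is not Imperva's code and does not come from the article; the customer records, the seven-year retention period, the PII detectors and the reference date are all constructed assumptions. It classifies each record by the PII it contains, tags records that are past retention for deletion, and produces a masked, tokenized copy suitable for a non-production environment.

```python
"""Added example: classify, tag-for-deletion, and mask constructed customer records.

All sample data and policy values below are constructed for illustration;
they are not from Imperva or from the article.
"""
import hashlib
import hmac
import re
from datetime import date

# Constructed sample records (fictitious people, not real data).
RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "0412345678", "dob": "1980-03-14", "last_activity": "2011-06-01"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "", "dob": "", "last_activity": "2023-02-10"},
    {"id": 3, "name": "Product brochure", "email": "", "phone": "",
     "dob": "", "last_activity": "2020-01-01"},
]

# Simple detectors for the PII field types this example looks for.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^(?:\+61|0)4\d{8}$"),   # Australian mobile number format
    "dob":   re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}

# Hypothetical retention policy (assumption, not from the article).
RETENTION_DAYS = 7 * 365


def find_pii(record):
    """Return the names of the fields whose values match a PII detector."""
    return [field for field, pattern in PII_PATTERNS.items()
            if record.get(field) and pattern.match(record[field])]


def classify(record, today=date(2024, 1, 1)):
    """Classify a record by sensitivity and decide whether it is due for deletion.

    `today` is a fixed reference date so the example is reproducible.
    """
    pii = find_pii(record)
    if "dob" in pii and len(pii) > 1:
        sensitivity = "restricted"        # identity plus contact data together
    elif pii:
        sensitivity = "confidential"
    else:
        sensitivity = "internal"
    age_days = (today - date.fromisoformat(record["last_activity"])).days
    action = "delete" if pii and age_days > RETENTION_DAYS else "retain"
    return {"id": record["id"], "sensitivity": sensitivity,
            "pii_fields": pii, "action": action}


def tokenize(value, key):
    """Deterministic keyed token: same input gives the same token, and the
    original value cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def mask_record(record, key):
    """Produce a non-production copy with PII masked or tokenized, formats kept."""
    masked = dict(record)
    masked["name"] = "Customer " + tokenize(record["name"], key)[:6]
    if record["email"]:
        # Token keeps the shape of an address; .invalid is a reserved TLD.
        masked["email"] = f"user-{tokenize(record['email'], key)}@example.invalid"
    if record["phone"]:
        masked["phone"] = "04XXXXXX" + record["phone"][-2:]   # keep length, hide digits
    if record["dob"]:
        masked["dob"] = record["dob"][:4] + "-01-01"          # keep year for age logic
    return masked


def run(records=RECORDS, key=b"example-masking-key"):
    """Classify every record and mask the ones that are retained."""
    report = [classify(r) for r in records]
    staging = [mask_record(r, key) for r, c in zip(records, report)
               if c["action"] == "retain"]
    return report, staging


if __name__ == "__main__":
    report, staging = run()
    for line in report:
        print(line)
    for row in staging:
        print(row)
```

The masking key would normally live in a secrets store and be separate from production credentials; the deterministic HMAC token lets test data keep referential integrity across tables (the same e-mail always maps to the same token) without exposing the original value.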