The Dangers of Dark Data and How to Minimize Your Exposure

Structured data, like content in a database, is relatively easy to manage. However, confidential or sensitive unstructured information -- log archives and other untagged, non-inventoried data -- presents a real challenge to CIOs. Find out why 'dark data' can be a security risk and how you can protect your organization.

Girl looking at cloud

As "dark fiber" is to the telecommunications industry so, also, is "dark data" to many businesses and organizations. These vast pools of untapped, largely unprotected data simply sit there, doing not much of anything for the bottom line.

Isaac Sacolik's Dark Data: A Business Definition describes it as "data that is kept 'just in case' but hasn't (so far) found a proper usage."

Unfortunately, where dark fiber unambiguously represents an asset just waiting to be tapped by simply lighting it up to add bandwidth and carrying capacity, even untapped and neglected, dark data can pose security risks should it fall into the wrong hands, or range outside its owner's control.

Dark Data Holds Unfulfilled Promises But Also Poses Dark Threats

Most discussions of dark data tend to focus on its potential value and utility to an organization. Indeed, for those outfits willing to expend resources (money, tools and time) to develop and exploit the information and value locked up inside dark data, such potential is undoubtedly attractive. This also explains why many organizations are reluctant to part with dark data, even if they have no plans to put it to work on their behalf, either in the near term or further down the planning horizon.

As with many potentially rewarding and intriguing information assets, organizations must also be aware that the dark data they possess – or perhaps more chillingly, the dark data about them, their customers and their operations that's stored in the cloud, outside their immediate control and management – can pose risks to their continued business health and well-being.

[ How-to: 5 Ways to Create a Collaborative Risk Management Program ]

Such risks depend on the kinds and quality of data that a determined investigator might be able to glean from a collection of dark data made available to them. Given the kinds of data that most organizations collect, those risks might include some or all of the following:

  • Legal and regulatory risk. If data covered by mandate or regulation – such as confidential, financial information (credit card or other account data) or patient records – appears anywhere in dark data collections, its exposure could involve legal and financial liability.
  • Intelligence risk. If dark data encompasses proprietary or sensitive information reflective of business operations, practices, competitive advantages, important partnerships and joint ventures, and so forth, inadvertent disclosure could adversely affect the bottom line or compromise important business activities and relationships.
  • Reputation risk. Any kind of data breach reflects badly on the organizations affected thereby. This applies as much to dark data (especially in light of other risks) as to other kinds of breaches.
  • Opportunity costs. Given that the organization has decided not to invest in analysis and mining of dark data by definition, concerted efforts by third parties to exploit its value represent potential losses of intelligence and value based upon its contents.
  • Open-ended exposure. By definition, dark data contains information that's either too difficult or costly to extract to be mined, or that contains unknown (and therefore unevaluated) sources of intelligence and exposure to loss or harm. Dark data's secrets may be very dark and damaging indeed, but one has no way of knowing for sure. This can't cultivate complacency or indifference in those who contemplate those risks at all seriously.

Mitigating Risks Posed by Dark Data

Given that dark data poses risks that are possibly both considerable and consequential, what can organizations do to manage those risks? As it turns out, there are numerous useful strategies and technologies that can provide some degree of protection against such risks, both known and unknown.

Ongoing inventory and assessment. Dark data holdings should be recognized and subject to periodic reconnaissance. They should also drive ongoing research into new tools and technologies to help extract value from such data. Yesterday's dark data may become a shining source of insight, thanks to new tools or analytic techniques. Somebody needs to keep an eye on such things and be ready to put them to work when the benefits of their use outweighs their costs. In addition, performing a regular inventory requires understanding where dark data resides, how it's stored, how it's protected and what kinds of access controls help maintain its security.

[ Tips: 14 Things You Need to Know About Data Storage Management ]

Ubiquitous encryption. Any digital asset with potential value and possible risk must be stored in encrypted form, whether on the organization's premises and equipment or elsewhere in the cloud. No dark data should be readily accessible to casual inspection, under any circumstances. Strong encryption should make it extremely difficult for those who do manage to obtain dark data to unlock its contents, and equally strong access controls and monitoring should make it obvious who can (and has) access such information for any purposes whatsoever.

Retention policies and safe disposal. It's always worth considering if and how dark data should be retained or properly disposed of, subject to Department of Defense-approved methods of erasure or destruction, depending on whether only contents or both contents and media must be done away with. IT and executive management should work with organizational units or divisions to decide if dark data should be retained and, if so, how best to maintain security and manage risk. Carefully considered data retention policies can help guide and drive such decisions and should be formulated, promulgated and maintained.

Auditing dark data for security purposes. Most organizations of any size conduct periodic security audits, evaluating risks, exposures, incident response and policy. Dark data needs to be folded into this process and visited sufficiently often to manage risks of exposure as well as potential loss or harm.

Perhaps It's Not So Dark After All?

Given the right appreciation for both potential value and possible risk, organizations can deal with dark data to balance one against the other. Only by taking stock of what's out there, though, and only by employing a dispassionate and thorough approach to risk and exposure management, can an organization get a rope around its dark data holdings.

By digging into its dark data collections, keeping those holdings whose potential value outweighs its risks and deleting those whose risks outmatch its potential returns, an organization can be sure it's proactively keeping what may prove worthwhile in the future while jettisoning what may poison future productivity or profitability.

New! Download the CIO March/April Digital Magazine