Learning from Cybersecurity Stats: What’s the Best Way to Limit Your Data Exposure?

Written by Doug Austin, Editor of eDiscovery Today

Earlier this month, I presented a webinar for ACEDS titled Ten Recent Cybersecurity and Data Breach Trends You Need to Know with Debbie Reynolds, who is known as the “Data Diva”. It was a fun and informative webinar where we introduced 10 eye-popping statistics related to cybersecurity and data breaches and then discussed how individuals and organizations can avoid becoming a statistic themselves.

One of the 10 statistics we presented stands apart from the rest as perhaps the most important cybersecurity statistic I’ve seen in a long time – because it reflects just how long it takes us to realize when we’ve actually been hacked.

The Most Important Cybersecurity Statistic

According to IBM’s Cost of a Data Breach Report for 2020 (available for download here), the average time to identify and contain a data breach is 280 days.

To put that into perspective, if you experienced a data breach today, the average date on which you would identify and contain it would be after Halloween this year, on November 2, 2022. To repeat, that’s the average, not the worst-case scenario.

That means that many of you out there may have already suffered a data breach that you don’t know about yet. Scary, huh?

Perhaps the Best Way to Limit Exposure to Cyber Attacks

One of the biggest challenges of identifying and containing data breaches and other cyber attacks is having so much data to protect these days, so it’s no wonder that organizations may not realize when they’ve been hit with an attack!

As I discussed in this blog post, Big Data is a challenge for all organizations, and the enormous growth of data is making it more challenging than ever for them to not only protect against data breaches, but also to realize when they’ve experienced one.

So, how do you make Big Data less…big? Through data minimization.

A lot of data within organizations is either: Redundant – duplicate data stored in multiple places within the same system or across multiple systems; Trivial – data that doesn’t contribute to important business objectives or record-keeping requirements; or Obsolete – data that has outlived its useful purpose. Data minimization of Redundant, Obsolete and Trivial (ROT) data makes it easier for organizations to protect the useful data they have, while reducing both the risk of experiencing a data breach and the time it takes to identify one.

For example, if an organization has a collection of data about individual customers, after a few years, some of those individual customers invariably become former customers for most businesses. How long should that organization keep data around for those former customers when that data becomes obsolete? Not very long.

GDPR Requirements for Data Minimization

Article 17 of GDPR states: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”. So, data minimization for data involving individuals is not just a good idea, it’s required for individuals who are data subjects within GDPR.

Data minimization best practices remove data that’s no longer useful to the organization (but that, in many cases, would still be damaging in the hands of hackers) from the reach of a potential data breach, making it easier for the organization to protect the useful data that remains.


280 days is a long time to wait to identify and contain a data breach! Yet, for many organizations, it takes that long to do so and, for some, even longer!

One of the best ways to reduce that timeframe is to reduce the amount of data you need to monitor and protect. Data minimization of ROT data is one of the best ways to limit your potential exposure from data breaches; after all, they can’t breach that data if it isn’t there, right?

Keep in mind that the clock is ticking – your organization may have already suffered a data breach that you don’t know about yet!

And for more educational topics from me related to eDiscovery, information governance, cybersecurity and data privacy, feel free to follow my blog, eDiscovery Today!