Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Unstructured Data is a HUGE Risk to Law Firms and Others

June 8, 2022

SC Media reported on June 3 that most organizations have a ton of data that they don’t know exists. Not only does that data elevate the risk of ransomware attacks, it plays a big role in escalating cyberinsurance premiums.

Why would that be?

The answer is simple: Businesses can’t manage risk for data they don’t know they have.

In 2021, global ransomware damages were more than $20 billion and cyberinsurance prices went up by 40 percent. According to insurance broker Marsh, premiums in the U.S. have increased 96% year-over-year.

Many firms have a hard time even getting cyberinsurance. And those that do get it pay a premium, only to find critical coverages missing from their policies.

In 2020, 6.4 zettabytes of new enterprise data were created and captured, most of which (51%) will get stored in the cloud by 2024. This worries a lot of CIOs. Digital file sprawl has become a chief concern among privacy and security professionals because it’s becoming nearly impossible to account for all of it, particularly when it goes into unstructured territory.

Unstructured data represents approximately 70-80% of most organizations’ data by size, whereas structured data often has more elements, but makes up only the remaining 30%.

While it’s simple to locate and manage structured data, unstructured data leaves organizations vulnerable to a breach. Most organizations are investing upwards of 80% in the governance of structured data, even though it represents only a relatively small percentage of the overall data.

It’s easier for companies to start with structured data because it lives in places that are easily searchable. This includes databases such as customer relationship management (CRM) systems, spreadsheets, inventory management software, and enterprise resource planning (ERP) management systems.

Unstructured data flows into the organization via internal logs, online chats, social media exchanges, and email. This data accumulates faster, and it can also originate from structured sources, quickly propagating throughout the organization. For instance, this happens when data gets pulled out of a CRM or spreadsheet and is shared internally in a report, presentation, or via email or internal chat. This is where it becomes hard to locate and manage.

With unstructured data soon coming under the purview of new privacy laws, privacy professionals know they need to get unstructured data under control.

With insurers cracking down on risk mitigation, it’s imperative for companies to go into the application process fully prepared and with a clear picture of their data. This means approaching applications with a comprehensive data map and incident response plan. But many organizations start the process by asking what the underwriter needs from them – and then backfilling or preparing everything from scratch. This isn’t a good approach and often doesn’t lead to a positive outcome.

Today, most insurance carriers want to see:

  • A comprehensive data map.
  • A demonstrable understanding of data usage and outflows.
  • Attestations by vendors that they are accurate and compliant.
  • A comprehensive incident response plan.
  • Proof of tabletop exercises that span all organizations to clarify roles and responsibilities in the event of a breach.

Data maps are critical to any sound data security infrastructure. They allow organizations to understand where their data resides and where it flows, insight that will inform a more comprehensive incident response plan.

As the post points out, these data maps are often time-consuming and resource-intensive to prepare and keep current, especially when done manually. Many organizations are using technology to automatically scan their structured and unstructured systems daily to keep data maps up-to-date and automate the vendor attestation process. This gives cyber insurers a complete picture and demonstrates that the organization is competent when it comes to data and privacy protection.

Of course, that costs money. But you must start somewhere. Data maps are a good first step toward reducing your risk from unstructured data.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology