Open-ended exposure. By definition, dark data contains information that's either too difficult or costly to extract to be mined, or that contains unknown (and therefore unevaluated) sources of intelligence and exposure to loss or harm. Dark data's secrets may be very dark and damaging indeed, but one has no way of knowing for sure. This can't cultivate complacency or indifference in those who contemplate those risks at all seriously.
Given that dark data poses risks that are possibly both considerable and consequential, what can organizations do to manage those risks? As it turns out, there are numerous useful strategies and technologies that can provide some degree of protection against such risks, both known and unknown.
Ongoing inventory and assessment. Dark data holdings should be recognized and subject to periodic reconnaissance. They should also drive ongoing research into new tools and technologies to help extract value from such data. Yesterday's dark data may become a shining source of insight, thanks to new tools or analytic techniques. Somebody needs to keep an eye on such things and be ready to put them to work when the benefits of their use outweighs their costs. In addition, performing a regular inventory requires understanding where dark data resides, how it's stored, how it's protected and what kinds of access controls help maintain its security.
Ubiquitous encryption. Any digital asset with potential value and possible risk must be stored in encrypted form, whether on the organization's premises and equipment or elsewhere in the cloud. No dark data should be readily accessible to casual inspection, under any circumstances. Strong encryption should make it extremely difficult for those who do manage to obtain dark data to unlock its contents, and equally strong access controls and monitoring should make it obvious who can (and has) access such information for any purposes whatsoever.
Retention policies and safe disposal. It's always worth considering if and how dark data should be retained or properly disposed of, subject to Department of Defense-approved methods of erasure or destruction, depending on whether only contents or both contents and media must be done away with. IT and executive management should work with organizational units or divisions to decide if dark data should be retained and, if so, how best to maintain security and manage risk. Carefully considered data retention policies can help guide and drive such decisions and should be formulated, promulgated and maintained.
Auditing dark data for security purposes. Most organizations of any size conduct periodic security audits, evaluating risks, exposures, incident response and policy. Dark data needs to be folded into this process and visited sufficiently often to manage risks of exposure as well as potential loss or harm.
Sign up for CIO Asia eNewsletters.