
What are data graveyards?

April 4, 2024
What is a data graveyard
Data graveyards are unmanaged digital repos filled with "ROT"—data that is redundant, outdated, or trivial—along with sensitive information.  Email inboxes are one of the most common data graveyards! 


The term “Data graveyard” conjures up images of zombies from films such as Night of the Living Dead and 28 Days Later.  Within organizations, data graveyards are unmanaged digital repositories. They’re laden with zombie data, or "ROT"—data that is redundant, outdated, or trivial—and (more worryingly!) sensitive information. While this tends to bring to mind those little-used, remote corners of Google Drive, SharePoint, or Dropbox, the reality is that one of the biggest (and most common) data graveyards is something everyone interacts with every day—their email inbox.


How the inbox became the biggest data graveyard 

The inbox became the biggest data graveyard in many organizations for a couple of reasons:

  • Ubiquity: Email is pervasive and supports nearly all internal and external processes. Its outsized presence translates into an outsized contribution to the graveyard.
  • Volume and Velocity: The sheer volume of emails makes it hard for many people to keep up. Critical messages, documents, and data can quickly become buried under newer messages, where they are easily forgotten.  
  • Overestimation of Value: Many people have a reluctance to delete data because they think it might come in handy at some point. And given that storage quotas have been steadily increasing, the providers make it easy to engage in “data hoarding.”
  • Control (or lack thereof): Not everyone in the organization will have access to systems of record, such as the contract lifecycle management platform, because these platforms are often licensed on a per-user basis.  As a result, many people keep their own ‘private archive’ of sensitive documents in their inbox to maintain access to these documents.  
  • Decentralization: Most organizations leave email management to the discretion of individual employees, leading to inconsistent practices. Some may engage in “inbox zero” and diligently delete/file old emails, while others never do, resulting in a patchwork of data management practices across the organization.
  • Retention Policies: Organizations often lack clear or consistently enforced email retention policies. Without these policies, emails are seldom deleted and can accumulate over years, creating vast repositories of information. Most of the information will be “ROT” (redundant, outdated, or trivial), but interspersed with it will be sensitive information.

Finally, it’s worth noting that the sensitive data in the inbox is not necessarily only your organization’s. Email is frequently used to support external collaborations, so a whole host of confidential documents (e.g., contract documents) and information from customers, suppliers, partners (or any external stakeholder) end up in the inbox. And from the perspective of regulators, this is a big no-no. 

Why “old emails” about external collaborations are valuable for cyberattacks

Of all the sensitive data in your inbox, the content related to external collaborations with customers, partners, or suppliers is incredibly attractive to cybercriminals. This information is most valuable because it frequently involves financial transactions—be it sales contracts, supplier agreements, consulting engagements, or partnerships.

These threads are goldmines because they often signify readiness to transfer funds. This setup spares cybercriminals the effort of convincing someone to part with their money; they only need to misdirect these funds to their own accounts.

Moreover, the “at-arm’s-length” nature of these collaborations makes them ripe for social engineering attacks. Without the direct personal connections that are common among internal team members, people hesitate to question requests that seem weird. Also, external stakeholders are unfamiliar with the communication style of your team members (and vice versa), making it hard for them to verify the authenticity of a message. This all underscores why trust-building is a critical step in successful external collaborations. After all, if the teams trust each other, they are more likely to say something if they see something.

How fraudsters use content from external collaborations (and how to mitigate risks) 

How email data graveyards are used in BEC, VEC, ATO, and Spearphishing attacks

Here are a couple of ways that cybercriminals use that content from your inbox about external collaborations to facilitate their frauds:

  • Improving Spear Phishing Attacks and Business Email Compromise (BEC): Getting access to old email threads helps fraudsters identify who they should target (e.g., everyone you CC’d on the latest project update). In addition, with specifics of projects, contracts, or negotiations, attackers can craft highly personalized emails to build rapport and trust with those targets. Finally, by analyzing communication patterns and style in email messages, attackers can better impersonate specific individuals by adopting their quirks, tone, and language.
  • Exploiting Vendor Relationships through Enhanced VEC: In Vendor Email Compromise (VEC), the intimate knowledge of vendor-client dynamics, billing cycles, and even specific project details can be used to insert fraudulent communications seamlessly into legitimate chains. Attackers can request urgent payments or changes to payment details at moments when they know funds are expected to move, significantly increasing the chances that such requests are complied with.
  • Facilitating Account Takeovers (ATO): When attackers successfully gain unauthorized access to an email account, they often obtain the ability to read sensitive communications and manipulate account security settings and recovery options for other accounts. With control over the email account, attackers can intercept or even initiate financial transactions by altering or creating new requests that seem to come directly from the legitimate account holder. 

Mitigation Strategies 

Obviously, the best approach is risk avoidance, that is, preventing your and your counterparties' inboxes from becoming a graveyard in the first place (skip ahead to the next section if you’re interested in one such approach). But barring that, there are several risk mitigation techniques you can use:

  • Employee Training and Awareness: Regular, targeted training sessions can equip employees with the knowledge to recognize and respond to phishing attempts and suspicious emails. 
  • Stringent Authentication Protocols: Implementing multi-factor authentication (MFA) for accessing email and other corporate systems adds an essential layer of security, making unauthorized access considerably more difficult for attackers.
  • Regular Audits and Access Controls: Conducting periodic audits of email usage and establishing strict access controls can ensure that sensitive information is only accessible to those who genuinely need it. This limits the potential damage in the event of an account compromise.
  • Advanced Email Security Solutions: Utilizing email security solutions that employ advanced threat detection, including AI-driven anomaly detection, can help identify and neutralize sophisticated spear-phishing campaigns before they reach the user.

It’s worth pointing out that some of these risk mitigation strategies—authentication protocols and regular audits—help insulate your organization from hacks. Others, such as employee training/awareness and advanced email security, help defend your organization if your counterparties' email systems are hacked and the cyber criminals are using enhanced spearphishing attacks or VEC. However, none of these strategies fully address the underlying issue: sensitive data pertaining to external collaborations remains in the inboxes of all participants well after the collaboration is complete. 
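One way to measure that residue during a periodic email audit, as an added example that is not from the original article: the script flags messages past a retention period that involve outside parties and still hold attachments. The internal domain, the 365-day retention period, and every message in the sample inbox are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, getaddresses, parsedate_to_datetime

INTERNAL_DOMAIN = "example.com"   # assumption: your organization's mail domain
RETENTION = timedelta(days=365)   # assumption: illustrative retention period
NOW = datetime(2024, 4, 4, tzinfo=timezone.utc)  # fixed so the sample is reproducible

def external_domains(msg):
    """Domains in From/To/Cc that are not the organization's own."""
    fields = [str(v) for h in ("From", "To", "Cc") for v in msg.get_all(h, [])]
    domains = {addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(fields) if "@" in addr}
    return domains - {INTERNAL_DOMAIN}

def audit(messages, now=NOW):
    """Flag mail past retention that involves outside parties and still holds attachments."""
    findings = []
    for msg in messages:
        age = now - parsedate_to_datetime(str(msg["Date"]))
        external = external_domains(msg)
        files = [part.get_filename() for part in msg.iter_attachments()]
        if age > RETENTION and external and files:
            findings.append({"subject": str(msg["Subject"]), "age_days": age.days,
                             "external": sorted(external), "attachments": files})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

def sample(subject, sender, to, days_old, filename=None):
    """Build one constructed message; not real mail."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, to
    msg["Date"] = format_datetime(NOW - timedelta(days=days_old))
    msg.set_content("constructed body")
    if filename:
        msg.add_attachment(b"%PDF-constructed", maintype="application",
                           subtype="pdf", filename=filename)
    return msg

INBOX = [  # constructed sample inbox
    sample("Signed MSA and remittance details", "ap@supplier.test", "alice@example.com", 800, "msa-signed.pdf"),
    sample("Team lunch", "bob@example.com", "alice@example.com", 900),
    sample("Draft SOW v2", "alice@example.com", "pm@customer.test", 30, "sow-v2.pdf"),
    sample("Old internal budget", "bob@example.com", "alice@example.com", 700, "budget.pdf"),
    sample("Final NDA", "legal@partner.test", "alice@example.com", 400, "nda-final.pdf"),
]

if __name__ == "__main__":
    for f in audit(INBOX):
        print(f"{f['age_days']:>4}d  {f['external']}  {f['attachments']}  {f['subject']}")
```

To run the same check on a real export, pass `audit()` messages parsed with `email.policy.default` (for example from an mbox file) instead of the constructed `INBOX`.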

Embracing Risk Avoidance with External Collaboration Platforms

Switching from email communications to an external collaboration platform, such as TakeTurns, embodies a proactive approach to risk avoidance. This shift not only mitigates the risk associated with data breaches but inherently prevents your and your counterparties' inboxes from becoming data graveyards.

Email is a cybersecurity risk, TakeTurns helps you avoid risk

Transparency and Control

External collaboration platforms provide quite a bit more transparency and control over who is participating in your collaborations. Unlike email, where visibility ends once you hit send, these platforms allow you to see exactly who is involved at all times. In addition, most platforms provide the ability to specify roles to control how individuals participate.  

Structured Collaboration

The structure—or lack thereof—in email-based collaborations often leads to confusion, with threads branching off into sub-threads (and sub–sub-threads!), making it challenging to track content, messages, and the latest versions of documents. Operationally, this causes inefficiencies (e.g., working out which of these documents is the latest version). From a security perspective, this “document diaspora” means sensitive content gets buried in the inbox.

External collaboration platforms address this chaos by centralizing and compartmentalizing all aspects of the collaboration. Everything from chats and messages to documents and their versions is well organized, making it easy to find everything while you’re working, and to find everything to remove/archive once you’re done working.

Formal Wrap-ups

The compartmentalization of the collaboration also helps when the work draws to a close.  External collaboration platforms facilitate the creation of comprehensive archives (i.e., closing binders) of everything exchanged during the collaboration. This capability is invaluable for formal project wrap-ups, providing a consolidated record of the collaboration that’s both accessible and secure.

Data Lifecycle Management

Finally, leading external collaboration platforms include data lifecycle management as part of the platform. Often termed 'Ephemeral Storage,' this feature allows for the automatic removal of data from the platform’s servers upon the completion of a project, following a specified grace period. This ensures that sensitive data isn’t left vulnerable on servers indefinitely, significantly reducing the risk of data breaches post-collaboration. It’s a forward-thinking feature that aligns with the best practices of data privacy and security, offering peace of mind that once the collaboration has concluded, the data is securely erased. 

Wrapping up

For those prioritizing the security and confidentiality of external collaborations, figuring out what to do about data graveyards, especially the ones created by email, is crucial. While risk mitigation efforts like enhanced security protocols and employee training have value, it’s worth considering shifting towards risk avoidance strategies, like adopting external collaboration platforms, as they help address the root causes of graveyard creation. Moreover, these platforms address the cybersecurity requirements of your organization and your external partners, offering a comprehensive solution for everyone.
