Data Hygiene: Essential Tips for Business Security!

Show Notes

Your digital spring cleaning is long overdue. When was the last time you thought about what happens to all those customer records from 2015? Or those staff CSV exports you created for the Christmas party three years ago? Data hygiene might sound like a mundane topic, but as our cybersecurity expert Martin reveals, it's the cornerstone of modern business security.

The fundamental principles are refreshingly straightforward: don't keep data you shouldn't keep, and keep safe the data you do need. Yet most organisations fail spectacularly at both. From businesses collecting birth dates they don't need to companies discovering they're notifying the families of deceased customers about data breaches affecting information that should have been deleted years ago, the consequences can range from embarrassing to legally problematic.

Throughout our conversation, Martin shares practical wisdom that businesses of any size can implement immediately. Learn why your recruitment process might be leaking sensitive data through carelessly discarded resumés, discover how to systematically tackle digital clutter with 15-minute daily cleanups, and understand why temporary data exports might be your biggest blind spot. With the rise of AI tools accessing your business data, clean information isn't just about security—it's about effectiveness. Whether you're just starting your data hygiene journey or looking to refine existing practices, this episode provides the actionable insights you need to protect your business and your customers.

Ready to transform your approach to data management? Listen now, then visit the Mercury IT website to connect with Martin and his team for personalised guidance on implementing robust data hygiene practices in your organisation.

Chapters

• 0:00: Introduction to Data Hygiene
• 1:38: Common Data Hygiene Practices
• 4:16: Managing Obsolete Data
• 6:43: Physical Data Security Concerns
• 9:05: Cleaning Data for AI Readiness
• 13:20: Practical Advice for Better Data Hygiene

Transcript

Speaker 1: 0:00

In today's episode, I'm joined by Martin. We're talking about data hygiene, not dental hygiene data hygiene. We'll take a deep dive into why it's important, why you can't neglect it and some tips on getting on top of it. Welcome to Tech Insights Today. I have with me Martin. Thanks for joining me today. Martin, you're welcome. So you're our Head of Cybersecurity here at Mercury IT. Yes, so you always have plenty of knowledge to share with us.

Speaker 2: 0:42

Sometimes not exciting knowledge, but yes.

Speaker 1: 0:45

But good to know knowledge. So today we're going to be talking about data hygiene.

Speaker 2: 0:50

Yes, not like dental hygiene, no, but still very important.

Speaker 1: 0:54

Yes, so can you start by explaining exactly what data hygiene is and why it's important?

Speaker 2: 0:59

So it's a term that we use to talk about how we protect data and how we keep it clean, hence the hygiene part to it. So it's really about comes down to a fundamental thing is don't keep data that you shouldn't keep and the data that you keep, you should keep it safe. So there's a couple of things around how we make sure that we are always thinking about our data hygiene, so we have to put practices in place to try and make sure that we follow good data hygiene practices all the time.

Speaker 1: 1:34

What are some common data hygiene practices that companies could implement?

Speaker 2: 1:38

What we are talking about is not collecting pieces of information that we don't need, like date of birth. A lot of companies collect date of birth and they don't really need to do so.

Speaker 1: 1:47

Yeah well, I always wonder why they're asking for my date of birth, like it's an online boutique or something, when I'm signing up for an email subscription and I think they don't need to know how old I am.

Speaker 2: 1:55

And they try to justify it on the basis oh, we're going to send you something for your birthday, but they don't really need to. Most of the time, they're only capturing it for demographic information, which you know. In the grand scheme of things, you don't need to do that, and date of birth is one of those key pieces of information that we talk about a lot when we're talking about personally identifiable information. So if you don't need a date of birth, don't capture it.

Speaker 1: 2:19

No, that's it Exactly. I do try not to fill that in now if I can avoid it.

Speaker 2: 2:24

Well, I definitely don't fill those fields in? I wouldn't believe that Some businesses have to capture that, especially when you're talking health and medical type businesses, they need a date of birth because that's one of the identifying pieces to make sure that they're dealing with the right person for that health-related process.

Speaker 1: 2:47

That they're following and that definitely does make sense and probably feel a little bit more secure handing the information over to a company like that. You're probably going to tell me I shouldn't.

Speaker 2: 2:57

No, well, there are times that you have to, but it's just about making sure that you do it in a way that you're comfortable with. But also the point of data hygiene is, if you don't need to collect, that don't. And then the other parts to that come back to is when you don't need that information anymore. If we've got old information so we've got data on customers or staff or something that's from a long time ago do you still need to keep that information? Because what we should be doing is cleansing that information back out when it becomes obsolete, because just keeping it, we just actually increase our profile for attackers. For example, we saw a data breach last year where there was personally identifiable information stolen from a company and some of the people that they had to go and notify because it was a notifiable data breach. So they had to go and notify all of the people who were impacted by the data breach. Some of them had actually passed away because the data was so old.

Speaker 1: 4:06

That's embarrassing.

Speaker 2: 4:07

But you still have to notify someone. So then you have to go through this whole process of trying to find their next of kin to notify them.

Speaker 1: 4:16

Oh, that's awful.

Speaker 2: 4:17

That is why we want to make sure that we actually get rid of information if we don't need it.

Speaker 1: 4:22

Yeah, I definitely wouldn't want to be making that phone call, no it's not a fun phone call to be making at all. So for businesses that are sort of in that situation where they think, oh my goodness, I do have a lot of data that I don't need, what would you like? Because I guess for some people it would be I'm holding on to it because I don't really know how to destroy it correctly what advice would you give them?

Speaker 2: 4:45

So destroying it well, deleting it is a good way of doing it, but I guess, going back a step, how do you know if you don't need it anymore? You need to actually have a framework in place in your own business and understand how long you need to keep data, for it might be five years, it might be seven years. Some businesses have to keep it a lot longer. Again, the health industry. They have to keep children's data for years after they turn 18. So they could be keeping it for 20 or 30 years by the time that that child has actually matured, and then they have to keep it for a period of time after that. So you just need to understand what your requirements are. There might be legal requirements with your business or it might be just something that you can come up with yourself and go. Well, if a customer hasn't bought anything from us for five years, are they going to be buying something tomorrow? Probably not. You know, you can make determinations on how long you need to keep things based around some sort of common sense.

Speaker 1: 5:45

We always talk about this common sense, so what suggestions would you offer to businesses?

Speaker 2: 5:53

So some of the things that they can do is make sure that they only capture the information they need, that they have a process in place for getting rid of information that they no longer need, and having very strong policies for their staff so that they the staff understand the value of data and also the value of not using that data incorrectly. So a couple of things that I can give you examples of is things like we hand our driver's license over to go and test drive a car. What does that company, that dealership, do with that particular piece of information? I know in the past I've handed my driver's license over and they've taken a photocopy of it because they needed to, because we're going for a drive in their car and then afterwards they threw the piece of paper with my driver's licence on it into a drawer and I said what happens to that? How do you actually dispose of that? Oh, we just throw it away.

Speaker 1: 6:53

No, I'll take that with me, thank you.

Speaker 2: 6:55

So it's being mindful of what the value of data is, and it's not just in uh, the you know that virtual space it's not just in in hard drives, it's also data on, uh, physical pieces of paper. I've seen so often. Uh, you know, when you're going through a recruitment process, you print out all these resumes of staff and you're going through them and you might have a panel of people and they're all reading these resumes and then you see them all be bundled up at the end of it after they've chosen someone and throw them away. And the amount of information that is on a resume is a lot you know you're talking about again, sometimes out of birth don't put it on your resume, but you're talking about. You know addresses where they've worked, email addresses, phone numbers so much information. You don't want that just going into a trash bin. You know that should be shredded before it.

Speaker 1: 7:50

Yes, Well, it's someone's whole, basically their whole life, isn't it their whole profile?

Speaker 2: 7:54

It is, and it's kind of that that scenario where, uh, if the person, like the staff member, doesn't understand the consequences of that, then they're not going to handle it correctly. Um, you know, if you're talking about cash, they'll be. Oh, it's cash, you want to look after it properly. But if it's, um, someone's information on a resume, and again, it's probably someone they haven't even hired, so it's even less in their mindset that that's an important person, because, well, it's not someone they're going to see again.

Speaker 1: 8:24

Yes, well, that's it exactly, and I think it's probably an issue that we have spoken about previously is that people just don't seem to put that value on data, but it's becoming more and more prevalent. That data is very valuable and, yes, we need to make sure that we're disposing of it correctly. You sort of touched on, obviously, security breaches and that sort of thing. Is there any other like compliance or cybersecurity issues around, you know, holding onto data and having it correctly stored?

Speaker 2: 8:55

Well, there's certainly a lot of different aspects to it and we're getting to a point where you know there is the compliance aspect. So, understanding you know your legal requirement for how long you need to keep data. You know we all know we have to keep tax records for periods of time, so there are some legal requirements. So you need to know you know your own industry around, what your legal requirements are. But also, these days, we have all these folders and I know any business that's been going for a little while is going to have archives and folders of folders and they're going to have information that's everywhere all through their. You know their folder structure.

Speaker 2: 9:33

What we are seeing now because we're getting to this new world where AI and you want to start using AI on your own data as well, so to help you do a better job, so things like Copilot and you can set that up to actually access data within your own folders and files so that you can actually search for things better, so you can actually use it to learn better. But also you want good data for your AI to be calling upon. So, again, if you're going to start going down that pathway of having AI in your own environment. You want good data, clean data, so that is a case of then going I probably don't need that recruitment form I created in 2013 anymore because we've moved well on from there, so that probably needs to get. If you can't get rid of it, you can't bring yourself to delete it, because it was the first form you built. You know. Take it out of the environment, though.

Speaker 2: 10:30

Maybe it needs to be stored on a hard drive externally, but otherwise you should be getting rid of all of that old data that just is never referenced again, never used again, and certainly just it makes it a lot cleaner when you're trying to do an AI project.

Speaker 1: 10:47

Well, it does make sense and sometimes it's a time thing, isn't it? You don't have the time to go back and sort through all your old files and stuff and get rid of the stuff that is well and truly past and used by date. But, as you mentioned, with AI, you know, coming in you want to have that data as clean as possible to obviously make your job as easy as possible.

Speaker 2: 11:06

Yeah, and there's a couple of ways you can do that. You can do searches based on the age of the files. You can just chip away at it a little bit a day. Like you know, I'm going to spend 15 minutes a day going through this folder and I'll get through it and before you know it, you'll have got through all those old folders and made sure that you have got it clean, even to the point. Some people just archive off everything that's old onto an external drive but take it straight out of their primary live system and I can get to it again if I really need to, but it's no longer in a position to be used. In a breach, it's no longer in a position to be used. You know to make your AI use that information as well, so it just takes it away from being so. We're just de-risking that data at that point.

Speaker 1: 11:54

Would that be your main advice for companies? Just sort of starting out on their data hygiene journey Sounds exciting, doesn't it?

Speaker 2: 12:03

Yeah, look, if you're starting out, it's probably even easier because build those hygiene practices in from the start, you can start to think about how you categorise your data and your documents. So there are whole structures, certainly in the Microsoft world, where you can categorize your documents, so it makes it easier for securing them. That's certainly something I would be trying to do up front if I had the time to start over in that scenario. But it's never too late to start, so you can always just start chipping it away at it. But it's never too late to start, so you can always just start chipping it away at it.

Speaker 1: 12:41

And it's kind of a little bit therapeutic when you start cleaning out your house a little bit or cleaning out the folders. Yeah, that's right, a bit of a spring clean, exactly A bit of a spring clean on your data.

Speaker 2: 12:46

When you open up that folder and there isn't, you know, 1,000 files in there anymore, that you only use 100 of them. So maybe there's 100 usable files.

Speaker 1: 12:55

I could probably definitely do with a little bit of a spring clean.

Speaker 2: 12:59

I think we all could and we're all guilty of it. So it's not like we're sitting here going oh, no one does it, but we are all guilty of it and we do produce a lot of documents over time and then a lot of them just aren't relevant in the future?

Speaker 1: 13:11

Yeah, is there any other advice or case studies that you'd like to share with the audience.

Speaker 2: 13:18

Probably another piece of advice I would just give us is the data. We don't even think about so, and what I mean is quite often you know, we're working in a payroll system or an accounting system and we've, we've oh we need to pull out a list, a list of customers and we're going to analyse their financial component, or a list of staff, and we've produced it as an Excel or a CSV file and we're working on it. We've produced it out. Then we don't do anything with that file. We've done the piece of work we needed to do, we've sent out the invite for the Christmas party from the staff list, but then that staff list is just sitting somewhere again because we produced it as a CSV when we don't need it anymore. We probably should just delete those as well. So those temporary files it's really good practice to get into the habit of deleting the files straight after the point where you've used it.

Speaker 1: 14:16

I have to say I do always learn something new every time we talk, so hopefully the listeners have learned a lot today too. And yeah, I mean, obviously it's not the most exciting thing, but it's very important, you know, to keep that data hygiene up to date.

Speaker 2: 14:32

Is there, you know, should people be reviewing their data hygiene practices, like annually or annually would be great, even even more often, uh, if they've certainly found an issue with some data. So if someone's come across a, an excel file with some credit card details are in it, something in it, maybe you might want to just go and do a bit of a review at that time as well, because that's kind of one of the issues that we find is that we don't even know what we've downloaded or we've exported from a finance system or from a system and we kind of lose track of that data over time, and it's much easier to do it when you've first done it than do it later.

Speaker 1: 15:17

I think that really is good advice, because it's such a fast-moving environment Click download. Send email. Yeah, that's a good habit to get into. Is there anything else you'd like to share?

Speaker 2: 15:29

Look, I think it's just. I know I get really passionate about data hygiene and it's one of those areas where people you know you start talking to them and they go oh yeah, I never really thought about that. So it is one that you get a little bit of satisfaction of being able to maybe enlighten people on the aspects of data hygiene and how important it is.

Speaker 1: 15:51

Yeah, well, definitely will highlight to people the value that data does have. So thanks for joining us today. You're welcome. And if anyone wants to reach out to Martin, probably best via the Mercury IT website.

Speaker 2: 16:04

Exactly.

Speaker 1: 16:05

And we'll see you on here another day.

Speaker 2: 16:07

Thanks, Alicia.

Speaker 1: 16:08

Thank you.