Top Tips for Data Governance and Security


Don't ever say, "It won't happen to me." Every organisation is at risk from a data breach and the stakes are high - both for the company’s financial well-being and more importantly for its brand and reputation.

Data governance and security is everyone’s responsibility. According to Cisco’s Consumer Privacy Survey 2019, 84% of people indicate they care about privacy, care for their own data, care about the data of other members of society, and they want more control over how their data is being used. Of this group, 80% also said they are willing to act to protect it [1].

By following the tips below and remaining vigilant, you are doing your part to protect your organisation.

Tip 1: Know your data. Know the truth.

Organisations continue to store and process vast volumes of unstructured data which inevitably contains unsecured sensitive data. Large organisations can literally have thousands of systems and storage facilities within their IT infrastructure. Take a moment to imagine all the software trials you’ve signed up to, the USB keys lying in the bottom of your drawer, the little notes you’ve got stored with passwords, credit card numbers or contact details. Keeping on top of everything is a real challenge.

Those organisations that do not have complete visibility over their data estates are leaving themselves vulnerable to operational risk and reduced resilience. Audits by regulatory authorities or internal departments often create a compelling need to discover and remediate unstructured data as part of a focus on risk controls. So, start by finding out exactly what data you have, where it’s stored and who has access to it. But don’t even think about using manual methods. It will take forever, will only ever give you a snapshot of your data estate at that one time, and will be fraught with error. Automating the process with data discovery technology gives you an always up-to-date visualization of your entire data estate with pinpoint accuracy, showing you the truth about what’s there.

Tip 2: Tackle hidden risk in your structured and unstructured data

Once you know what data you’ve got in your estate, you can tackle the hidden risk within it, because data, particularly unstructured data, contains risk. (Unstructured data is anything that’s not held within a nice, neat structured database, for example emails, attachments, spreadsheets, documents and other things saved all over the place.)

Indeed, every data estate contains roughly:

12% of data that’s business critical
23% that’s redundant, obsolete and trivial
65% that’s gone ‘dark’. In other words that’s hidden in networks, people and machines.

The first step to fixing the risk is finding it, in the dark 65%. And that needs investment in people and technology. Without the right skills and tech, you end up with hugely manual processes which increase the risk for you and your organisation. We have a customer that’s a financial services organization which had risk in unstructured data red-flagged to the board after a data audit. They attempted to find and fix the risk using a team of 10 people to search manually through every item in a small data store of 700,000 items. Nine months later they’d only scratched the surface. Once they’d implemented data discovery technology from Exonar they quickly identified that 80% of the hidden data was redundant, obsolete and trivial, and contained unencrypted confidential customer data which they remediated immediately. This represented a massive data security and regulatory breach risk which simply couldn’t have been found manually.

It can be hard to get leadership buy-in around data discovery and risk mitigation if you haven’t already had a breach. Talk to the board in their language, find out what will make them listen. Finally, you can use simulation exercises to demonstrate what would happen if a breach occurred. Conduct tabletop exercises to assess the impact of a breach. Figure out what’s an acceptable level of risk to your business.

Tip 3: Educate employees

Whether it’s employees’ login credentials or sensitive personal and financial information, businesses possess and manage a significant amount of data. Unfortunately, none of it is safe. According to efront, for most companies that have experienced a data breach the cause has usually been human error [2]. Accusing employees of irresponsible behavior and negligence is pointless and unfair. Instead, deploy data security training for your staff to minimise the possibility of similar incidents in the future or to prevent them in the first place.

You may be wondering how to train your employees on data security. Firstly, deploy data security training from day one. This will allow the policies to become innate within employees rather than something they have a vague idea they should do. Also follow up with a formal training approach; this could be an external trainer or an online course. Give employees the opportunity to refresh and keep their knowledge up to date. Another way is to discuss physical security, for example by introducing a clear desk policy so that confidential documents can’t be seen by those who don’t need to see them. The key to this is to repeat regularly. Get people to care and keep them caring.

Tip 4: Govern your data with smart policy management

It’s absolutely critical that there’s a solid data governance structure in place with data owners and data stewards in the business. They need to be the people who manage the systems that are used, and the data they produce. Data owners need to be able to make decisions around the security of data. Crucially, this needs to be part of their job description, recognised as a key area of responsibility and time allocated for it. Don’t tack it on to their day job and hope it will be done.

In addition, make it realistic – you can’t give someone responsibility for 100,000 unstructured files and expect them to take any meaningful action. Embed data privacy, protection and security by design, for example in the process by which data is shared in your organisation or where data is shared in an ecosystem. A good data discovery technology will come with inbuilt automated Workflows which track adherence to data policies, showing where problems with data protection are occurring so that people can be nudged to do the right thing. This way you turn policies into practice and they don’t end up as a ‘paper-based’ tick box exercise.

Tip 5: Be prepared for a breach

The whole world is now in agreement on a seriously uncomfortable truth; if your business has not yet suffered a breach, you are not far off from facing one. In fact, over 85% of UK businesses have suffered some form of data breach in the last 12 months alone [3].

So, how do we protect ourselves, I hear you ask. Well, let us tell you: it’s Exonar Reveal. In a short window of time, the Exonar Reveal platform will ingest, analyse and index all your data, and provide simple, at-a-glance results that show you exactly what data you have stored in any given location. Number of files? Check. PII present? Check. Company sensitive information? Check. Size of objects? Check. Total risk profile? Check. Ethnicity, credit card details, religion, email addresses, physical addresses, national insurance numbers…check check check! We can highlight exactly what content is stored in every file, at every location. Think of it like a digital twin of your data estate which will help your organisation to report very quickly on PRECISELY what has been taken if you do suffer a breach.

To find out more about how Exonar Reveal can help, why not take a test drive on up to 1TB of your data?


[1] 100 Data Privacy and Data Security statistics – Data Privacy Manager
[2] 7 tips for implementing data security training for employees
[3] UK Data Breach Statistics | Databasix | Bringing People & Data Together