In the first entry of Info-Tech’s “The Risks of Archiving Everything” series, we highlighted the misconceptions and general lack of knowledge around when, how, and why electronic content must be proactively managed and, where appropriate, should be properly destroyed. Organizations that have defaulted into an “archive everything” position do so in an attempt to be compliant and lawful, but are often oblivious to the importance of managing their content archives. In the face of expansive content growth, failing to manage your content archive exposes you to a collection of additional risks that can have substantial financial and/or reputational impacts. These risks can manifest themselves by impacting storage, resource management, business productivity, security as well as discovery and/or regulatory compliance risk. Organizations need to prioritize (and mitigate!) these risks based on their objectives, compliance mandates, and overall risk appetite to align their archiving and content management strategies accordingly.
What are the storage and resource management risks associated with excessive content archiving?
While there is a large degree of variation in content storage costs, variable upon a variety of parameters (i.e. cloud vs. on-premise, tape vs. disk vs. SSD), the exponential growth of stored content is driving those costs up regardless of the storage location and medium. This is not limited to the physical storage media either, in fact, as content repositories grow in size and complexity, the effort required from staff to support and manage these assets increases accordingly.
Today, the average cost of purchasing and maintaining 1 GB of storage is approximately $0.17 USD annually, after de-rating and overhead costs (Clearsky, Stop Measuring Storage Costs in Terms of $/GB). Take a moment to consider how much content your organization is storing? Is it 1 petabyte or 100 petabytes? Now, multiply that by $0.17 per GB to calculate the low-end estimate of content management at your organization. The Association for Information and Image Management has suggested that as much as 70% of all stored content is “ROT” (Redundant, Obsolete, or Trivial) and if even 10% of the archived communication content in your organization can be de-duplicated or otherwise defensibly deleted, the avoidable costs start to add up in a hurry.
What are the business productivity risks associated with excessive content archiving?
If you have ever searched through multiple archives for that email—or was it an instant message?—that has suddenly become important, you understand the role that aligned ECM strategies play on business productivity. If this record is simply one more record in a repository of tens of thousands, then it will take considerable time and effort to locate it using typical Boolean search capabilities within each platform or archive it could be in. Info-Tech research indicates that between 14% and 25% of a knowledge worker’s workday is spent accessing and retrieving information, and that through effective metadata tagging, de-duplication, and single-search capabilities, organizations can dramatically reduce the wasted effort. At a tactical level, this can translate into weakened customer service when employees struggle to find relevant information to the client request, and significant inefficiencies like duplication of work when it is easier to recreate than find.
At a more strategic level, reliable, accurate, and accessible information is needed to facilitate decisions at all levels of the enterprise. Content analytics can enhance decision making – sentiment analysis, efficiency insights, behavioral insights – and in the age of the digital revolution, where data is power, by not doing this you are taking the risk that your competitor is using their data in their decision making.
What are the security risks associated with excessive content archiving?
Customers lose their trust in a company or service that cannot keep its important payment and/or Personally Identifiable Information (PII) data safe. While it is necessary to maintain records as part of doing business (recurring pre-authorized payments, saving profile data for future use), this should not be an indefinite timeline. In 2016, IBM and Ponemon Institute estimated that the average cost of a single lost record equates to $158 USD in damages, with the average data breach incurring $4M USD in damages. The average cost of a lost record varies greatly by industry with healthcare being the greatest cost per lost record at $355.
With this in mind, an organization with an “archive everything” mentality could be exposing themselves to significant and unnecessary financial and reputational risk in the event of a potential cybersecurity event, particularly in highly regulated industries. Any sensitive data should follow clearly defined protocols and timelines for permissioned access, secure storage, and timely deletion, in accordance with regulatory and legal requirements.
What are the discovery and regulatory compliance risks associated with excessive content archiving?
In addition to the prospects of content being exfiltrated through malicious and unlawful means, any content that is retained in an archive also becomes subject to disclosure through an eDiscovery, compliance review, or if applicable, Freedom of Information Act/Access to Information Act request. Now to be clear, Info-Tech does not advise or otherwise condone the unlawful destruction of content, or willful disregard of any duty to report transgressions if uncovered. However, we do recommend that, where no regulations or other provisions are mandated for content to be preserved, that an organization carefully weigh the benefits against the potential risks.
Internal communications between employees, as an example, are likely beyond the scope of many mandated retention periods. The vast majority of these day-to-day discussions are largely transactional, and at most could be a reference point for some future conversation, and their value to any specific need diminishes over time. But what happens if one or more of these conversations touches on a specific employee’s performance (or lack thereof)? Will that provide some value at a later date in the event that the employee needs to be disciplined or terminated? Perhaps if the organization is looking to terminate with cause, but what if, in a different context, that same communication can be subpoenaed by that employee who is bringing a wrongful termination suit against the organization? There is not a clear-cut right or wrong in this case, but it exemplifies the need for a thoughtful approach to archiving and deletion. If the organization has a policy never to terminate for cause, then those communications might present more risk than benefit, and these are exactly the types of questions that must be asked when aligning the archiving strategy to the organizational direction.
How do I determine what content is valid to destroy and what I need to keep?
Organizations that delete content to aid with the creation of new storage capacity are increasing the magnitude of risk exposure to their organization. Information management without information governance is equivalent to treating the symptoms but not curing the disease. If information management standards and priorities are not embedded into the enterprise information governance framework—which includes policies, procedures, and governing bodies—information management remains a Band-Aid fix. Addressing the problem at the point of ingestion (new content/information coming in) and at the process level ensures that going forward, the information quality is aligned to compliance mandates and organizational standards. To ensure that alignment exists, organizations must consider their level of risk tolerance: what types (and magnitudes) of risk are most acceptable and which are not, and then prioritize their efforts based on the four levers described above. In the final installment of our series we will explore how to start thinking about and building content creation and management policies that are aligned to your organizational objectives and risk thresholds—and don’t involve archiving everything!
About the Author
Ryan Smith is an Associate Research Director in Info-Tech’s Enterprise Content Management (ECM) Advisory Practice specializing in the development, establishment, and governance of ECM strategies. Ryan regularly provides IT and business leaders with guidance, analysis, and tools required to optimize their ECM operations and unlock the true power of content as a business enabler. His client work includes developing strategic visions and roadmaps, requirements gathering and vendor evaluation, and the establishment of governance bodies including ECM centers of excellence. He is the author of Info-Tech’s ECM Strategy Development Framework which outlines the seven sub-disciplines of ECM and serves as the foundational methodology of Info-Tech’s ECM Practice. For more information, be sure to check-out Info-Tech’s Library of ECM Methodologies and Toolkits.
About Retain by Micro Focus
Micro Focus Retain provides archiving of email, social media, and mobile communication data. Retain archives all of this data into on central archive. Retain includes built-in eDiscovery tools, including browse, search, litigation holds, export, print, forward, and redaction archived data. Policy-based archiving ensures that you only keep what you need to keep, based on age of a message, mailbox, or post office. Once a message reaches the specified age for deletion, it is automatically removed from the archive. Retain allows you to manage and have oversight on your email, social media, and mobile communication data.
To see how Retain can work for you, or to get a price quote, visit www.RetainArchiving.com
And for more information about archiving, read these blog posts: