Toxic data, a term coined by Forrester Research, conjures images of oil spills and similar disasters: a resource that is valuable while contained becomes a liability the moment it escapes. But what is toxic data, and what threat does it pose to your business?

In the report “Instill A Culture Of Data Security And Privacy,” Forrester analyst Heidi Shey wrote, “There are really only two types of data in your organization: 1) data that someone wants to steal and 2) everything else. The issue today is that [security and risk] pros are putting data controls in place around the data they think is most valuable and not necessarily the data that is the most valuable to those who are out to steal it—we call this toxic data.”

2016 Report: How Organizations Manage Data Breach Exposures

Toxic data, Shey wrote, can be defined in a simple equation: 3P + IP, where 3P stands for PII, PCI and PHI (personally identifiable information, payment card information and protected health information) and IP for intellectual property. In this first of a two-part series, we discuss what toxic data is and how effective encryption is at protecting it.

Classifying Toxic Data

Toxic data must be secured against attackers who are well organized and highly motivated, whether individual criminals, organized crime rings or hostile nation-states. According to an RSA Conference/ISACA study from last year, 82 percent of organizations expected to be the victims of an attack in 2015.

Figuring out which data is toxic is no easy task. According to the just-released 2016 Global Encryption and Key Management Trends by Thales e-Security and Vormetric Data Security, employee and HR data were the types of data most commonly encrypted, ahead of payment data, intellectual property and financial records. Payment data and intellectual property are just as toxic by Shey's definition, so the gap suggests that businesses are encrypting the data they consider sensitive rather than everything an attacker would target.

Businesses need to know which data is toxic and which isn’t, in order to properly secure it. In a TechTarget article, analyst John Kindervag shared Forrester’s Big Data Security and Control Framework, a three-step process for securing and controlling big data. He said that businesses “should define data classification levels based on toxicity. This allows security to properly protect data based on its classification once it knows where that data is located in the enterprise.”
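As an added illustration (not code from the article, from Forrester or from the framework it cites), the Go program below shows what "classification levels based on toxicity" can look like once the data has been located: it scans each record field by field for the 3P categories and for IP, and uses a Luhn check so that card numbers are not confused with order IDs or other long digit strings. The field names, the medical-record-number format and the sample records are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Level is a toxicity classification: toxic data gets the strong controls,
// everything else gets the default ones.
type Level int

const (
	LevelInternal Level = iota // "everything else"
	LevelToxic                 // 3P (PII, PCI, PHI) or IP
)

// Finding records which toxic category a field fell into and why.
type Finding struct {
	Field    string
	Category string // "PII", "PCI", "PHI" or "IP"
	Reason   string
}

var (
	ssnRe         = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)
	mrnRe         = regexp.MustCompile(`(?i)^MRN[- ]?\d{6,10}$`) // assumed MRN format
	panRe         = regexp.MustCompile(`^\d{13,19}$`)           // PAN length after stripping separators
	panSeparators = strings.NewReplacer(" ", "", "-", "")
)

// luhnValid reports whether a pure-digit string passes the Luhn checksum that
// payment card numbers carry; it weeds out values that merely look like a PAN.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// looksLikePAN strips spaces and dashes, then requires 13-19 digits and a valid Luhn check.
func looksLikePAN(v string) bool {
	digits := panSeparators.Replace(v)
	return panRe.MatchString(digits) && luhnValid(digits)
}

// Classify scans one record (field name -> value) and returns its toxicity
// level plus the findings that drove it. Rules combine value patterns with
// field-name hints; both are assumptions for this example.
func Classify(record map[string]string) (Level, []Finding) {
	var findings []Finding
	for name, value := range record {
		v := strings.TrimSpace(value)
		lname := strings.ToLower(name)
		switch {
		case ssnRe.MatchString(v):
			findings = append(findings, Finding{name, "PII", "value matches SSN format"})
		case looksLikePAN(v):
			findings = append(findings, Finding{name, "PCI", "Luhn-valid card number"})
		case mrnRe.MatchString(v) || strings.Contains(lname, "diagnosis"):
			findings = append(findings, Finding{name, "PHI", "medical record number or diagnosis field"})
		case strings.HasPrefix(v, "-----BEGIN") || strings.Contains(lname, "source_code"):
			findings = append(findings, Finding{name, "IP", "key material or source code"})
		}
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Field < findings[j].Field })
	if len(findings) > 0 {
		return LevelToxic, findings
	}
	return LevelInternal, nil
}

func main() {
	// Constructed sample records, not real data.
	records := []map[string]string{
		{"name": "Ada Example", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
		{"patient": "P-42", "mrn": "MRN-00123456", "diagnosis": "E11.9"},
		{"ticket": "Printer on floor 3 is jammed", "order_id": "1234567812345678"},
	}
	for _, r := range records {
		lvl, findings := Classify(r)
		fmt.Printf("level=%d findings=%+v\n", lvl, findings)
	}
}
```

The third record is the reason for the Luhn check: its 16-digit order ID would be flagged as payment data by a length-only rule, but fails the checksum. Roughly one in ten random digit strings still passes Luhn, so a production scanner pairs this with context (field names, issuer prefixes) and with manual review of the first hits.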

Toxic Data in the Cloud

The 2016 encryption report found that more than half of respondents are moving sensitive or confidential (i.e. toxic) data to the cloud, a share they expect to reach 84 percent within two years. “Yet only a third of respondents had an overall, consistently applied encryption strategy,” said Peter Galvin, vice president of strategy at Thales e-Security. “Encryption is now widely accepted as best-practice for protecting data, and a good encryption strategy depends on well-implemented encryption and proper key management.”
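An added example, not from the report or the article, of what "proper key management" looks like for toxic data in the cloud: envelope encryption using only Go's standard library. Each record gets its own data encryption key (DEK); the DEK is wrapped under a key-encryption key (KEK) that stays in the organisation's own key store; only the ciphertext and the wrapped DEK go to the cloud; and rotating the KEK re-wraps keys without re-encrypting the data. Key IDs, the record layout and the sample plaintext are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EnvelopeRecord is what is stored in the cloud. The KEK itself never leaves
// the organisation's key store (an HSM or KMS in practice).
type EnvelopeRecord struct {
	KEKID      string // which KEK wrapped the DEK; bound as AAD below
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prefixed
}

// newGCM expects a 32-byte key (AES-256); aes.NewCipher rejects other sizes than 16/24/32.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts under a fresh random 96-bit nonce and returns nonce||ciphertext||tag.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, g.NonceSize(), g.NonceSize()+len(plaintext)+g.Overhead())
	if _, err := io.ReadFull(rand.Reader, out); err != nil {
		return nil, err
	}
	return g.Seal(out, out[:g.NonceSize()], plaintext, aad), nil
}

// aeadOpen is the inverse of aeadSeal; any modification of nonce, data, tag or AAD fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt generates a per-record 256-bit DEK, encrypts under it, then wraps
// the DEK under the KEK with the KEK ID as AAD, so a wrapped key cannot be
// silently re-labelled as belonging to a different KEK.
func Encrypt(kekID string, kek, plaintext []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt looks up the KEK named in the record, unwraps the DEK and decrypts.
func Decrypt(keks map[string][]byte, rec *EnvelopeRecord) ([]byte, error) {
	kek, ok := keks[rec.KEKID]
	if !ok {
		return nil, fmt.Errorf("no KEK with id %q", rec.KEKID)
	}
	dek, err := aeadOpen(kek, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, rec.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK and leaves the ciphertext untouched,
// so KEK rotation never requires re-encrypting the bulk data in the cloud.
func Rotate(rec *EnvelopeRecord, oldKEK []byte, newKEKID string, newKEK []byte) error {
	dek, err := aeadOpen(oldKEK, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return err
	}
	wrapped, err := aeadSeal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return err
	}
	rec.KEKID, rec.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	// Constructed KEKs for the demo; in production they come from an HSM or KMS.
	kek1, kek2 := make([]byte, 32), make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek1); err != nil {
		panic(err)
	}
	if _, err := io.ReadFull(rand.Reader, kek2); err != nil {
		panic(err)
	}
	rec, err := Encrypt("kek-2016-01", kek1, []byte("ssn=123-45-6789")) // constructed sample
	if err != nil {
		panic(err)
	}
	if err := Rotate(rec, kek1, "kek-2016-02", kek2); err != nil {
		panic(err)
	}
	pt, err := Decrypt(map[string][]byte{"kek-2016-02": kek2}, rec)
	fmt.Printf("after rotation: %s (err=%v)\n", pt, err)
}
```

Two caveats on the design: GCM with random 96-bit nonces is only safe for a bounded number of operations per key (well under 2^32), which is fine for a per-record DEK but means a single KEK should not wrap an unbounded number of DEKs; and in a real deployment the wrap and unwrap calls go to a KMS or HSM API rather than to local code holding the KEK bytes.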

The Lowdown on Encryption

But just how effective is encryption in protecting toxic data in and out of the cloud? It’s an apt question given the ongoing FBI-Apple debate, and one that was a hot topic at the recent RSA Conference. In a January 2016 post on the RSA Conference blog, Tony Bradley, editor-in-chief of, pointed out that encryption has its vulnerabilities.

“A complex encryption algorithm may seem unbreakable when it’s first introduced, but cracking tools and decryption methods will adapt,” he wrote. “Over time the computational power available to the average user increases as well, rendering outdated encryption tools virtually useless.”

Bradley also pointed out, “As computers get exponentially faster and more powerful, cracking smaller encryption keys becomes more trivial. When attackers can harness botnets of tens or hundreds of thousands of computers to compress the time required to run through the possible keys, it means that data that is secure today may be easily compromised tomorrow.”

Despite these limits, Bradley said, encryption matters because it keeps a company's data from being the “low-hanging fruit”: attackers will move on to easier prey. The caveat a practitioner should add is that the brute-force argument applies to short keys; exhaustive search of a 128-bit or larger key is out of reach for any botnet, so in practice encrypted data is lost through weak implementations and mishandled keys rather than through cracking the cipher.

Dr. Larry Ponemon, chairman and founder of Ponemon Institute, agreed. “Mega breaches and cyberattacks have increased companies’ urgency to improve their security posture, and encryption usage continues to be a clear indicator of a strong security posture,” he said, in connection with the 2016 encryption study.

Businesses should consider encryption as an important part of their overall security strategy in protecting toxic data. For further information, I recommend taking a look at Forrester’s Big Data Security and Control Framework. In the next post in this encryption series, we’ll see how encryption fits within a multilayered strategy for data security and how this approach can keep toxic data safe from new and emerging threats.
