Compulsive data retention, from cluttered desktops to legacy systems, is silently expanding the attack surface and threatening both security and compliance.
Digital hoarding, the compulsive accumulation and retention of digital assets beyond their business need, is far more than a simple productivity issue; it is a significant and often underestimated cybersecurity risk, argues Anna Collard, SVP of Content Strategy and CISO Advisor at KnowBe4 Africa.
Like an overflowing storage unit, our digital workspaces, shared drives, and cloud accounts are becoming vast repositories of unmanaged data. This includes:
- Multiple versions of documents.
- Outdated, unsupported software.
- Unused accounts and obsolete databases.
- Personal files mixed with sensitive business data.
“Unlike physical clutter, digital hoarding creates an invisible risk; people may not even know what data they’re storing or where,” Collard explains. This accumulation means abandoned projects with sensitive client information remain accessible, and legacy systems run alongside modern infrastructure, creating dangerous security gaps.
The roots of digital hoarding are primarily behavioral:
- The ‘Just In Case’ Mentality: The fear of deleting a critical file leads employees to retain virtually everything.
- Sentimental Attachment: Employees may struggle to let go of old projects or work they have invested heavily in.
- Lack of Policy: When there is no clear organizational guidance on data retention, the default behavior for employees is simply to save it all.
This volume of uncategorized data creates a larger, unmanageable attack surface. Every old account, unpatched device, and long-forgotten document is a potential entry point for attackers.
“Outdated software may contain unpatched vulnerabilities, and old documents with sensitive information can be a goldmine for attackers,” Collard warns.
In the event of a breach, digital hoarding severely complicates the response by overwhelming security teams and blurring the lines between personal and corporate liability. Crucially, retaining data for longer than legally mandated can lead to severe non-compliance penalties under regulations such as the Protection of Personal Information Act (POPIA).
Tackling this human-centric issue requires a three-pronged approach: clear policies, better technology, and cultural change.
- Establish Clear Policies and Automation: The first step is establishing and enforcing clear data retention policies that define how long each type of data must be kept.
  - Implement automated prompts and procedures to trigger data reviews and clean-up schedules.
  - Use data loss prevention (DLP) tools to automatically identify and classify sensitive information.
- Make Deletion the Easy Default: Organizations must make secure disposal easier and more trustworthy than retention.
  - Provide simple, one-click archive and deletion tools that employees trust.
  - Implement the practical guideline: if a file has not been accessed in a year, it should be archived or deleted.
  - Use graduated storage costs to make hoarding economically undesirable.
- Drive Cultural Change: Ultimately, managing this risk requires a shift in employee behavior.
  - Recognize and reward employees who maintain clean digital workspaces.
  - Provide comprehensive security awareness training that specifically addresses the risks associated with digital hoarding.
  - Create peer accountability through team-based “digital clean-up challenges” to foster a shared culture of data resilience.
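A dry-run stale-file review that implements the one-year guideline above, added here as an example and not taken from the article or from KnowBe4; the root path, threshold and report structure are assumptions, and it deletes nothing, only producing the list a reviewer would act on.

```python
"""Stale-file review for the 'not accessed in a year' guideline.

Added example (not the article's or KnowBe4's code). Walks a directory tree
and reports regular files whose last access or modification is older than a
threshold, so they can be queued for archive or deletion. Dry run only.
Caveat: filesystems mounted with noatime do not update atime reliably, so
the newer of atime and mtime is taken as the 'last touched' time to avoid
flagging files that are still in use.
"""
import os
import stat
import time
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_THRESHOLD_DAYS = 365  # the article's one-year rule (assumed constant name)


@dataclass
class StaleFile:
    path: str
    age_days: float
    size_bytes: int


def last_touched(st: os.stat_result) -> float:
    # Use whichever of access/modify time is more recent (see noatime caveat).
    return max(st.st_atime, st.st_mtime)


def find_stale_files(root: str, threshold_days: int = DEFAULT_THRESHOLD_DAYS,
                     now: Optional[float] = None) -> List[StaleFile]:
    """Return files under root untouched for longer than threshold_days."""
    now = time.time() if now is None else now
    cutoff = now - threshold_days * 86400
    stale: List[StaleFile] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks into other trees
            except OSError:
                continue  # vanished or unreadable: skip rather than guess
            if not stat.S_ISREG(st.st_mode):
                continue
            touched = last_touched(st)
            if touched < cutoff:
                stale.append(StaleFile(path, (now - touched) / 86400, st.st_size))
    return sorted(stale, key=lambda s: s.age_days, reverse=True)


def total_size(stale: List[StaleFile]) -> int:
    """Bytes that would be reclaimed if every listed file were archived or deleted."""
    return sum(s.size_bytes for s in stale)
```

Run it against a share with a reporting step in front of any deletion, since the list is the input to a human review, not a deletion queue.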
By treating digital hoarding not just as a technical problem but as a human behavior issue, organizations can move beyond mere storage management to build a more resilient and secure digital culture.