Critical Importance of Information Asset Audits

Information Asset Audits

“Knowing is half the battle”

In the ever-evolving world of cybersecurity, understanding what you own is a fundamental step towards protecting it. An audit of internal information assets should be a structured process in which an organisation identifies, classifies, and assesses all of its information assets, from sensitive customer data to intellectual property. This exercise is pivotal in building cybersecurity maturity: it illuminates vulnerabilities, reduces unnecessary data exposure, and enables targeted risk management strategies.

Many organisations fall victim to common pitfalls: underestimating the scope of their data holdings, overlooking shadow IT, and failing to implement periodic reviews that keep registers up to date. Conducting an asset audit involves systematic inventorying, mapping data flows, identifying ownership, and analysing storage and access controls, laying the foundations for informed and robust security practices.

Where have we seen things go wrong??

The absence of comprehensive information asset audits has been at the heart of several high-profile breaches. Organisations such as Volkswagen and Optus failed to adequately identify and assess their data holdings and the associated risks. Volkswagen’s lack of oversight of unsecured AWS credentials led to a massive leak of information that, frankly, should not have been retained, while Optus maintained excessive customer data without clear business justification.

Neither company conducted thorough audits that could have revealed at-risk data, improper access controls, or non-compliance with regulatory requirements. Maintaining an up-to-date register of information assets is crucial to identifying and securing sensitive data, ensuring compliance, and mitigating vulnerabilities. By neglecting such audits and registers, these organisations missed opportunities to address risks proactively, highlighting the importance of understanding and managing information assets effectively.

1. Volkswagen – A Lesson from Exposed AWS Credentials

In December 2024, Volkswagen faced a significant data breach due to improperly secured AWS credentials, as revealed at the Chaos Computer Club conference. The breach exposed sensitive data from over 15 million vehicles, including customer names, email addresses, birthdates, physical addresses, vehicle information and even geolocation data accurate to within 10 centimetres. This information revealed personal details such as daily routines, workplace locations, and even the home addresses of law enforcement officers.

The breach stemmed from a heap dump produced by a diagnostic tool that was not password-protected, exposing active AWS credentials in plain text. These credentials allowed unauthorised users to generate tokens and access sensitive data. Furthermore, Volkswagen’s excessive data collection practices violated GDPR and the company’s own policies. Storing unencrypted data far beyond operational needs, including precise geolocation and EV battery data, magnified the breach’s impact. This case exemplifies the critical importance of securing diagnostic tools, encrypting sensitive data, and adhering to data minimisation principles.

2. Optus – The Cost of Over-Collecting and Under-Securing

The 2022 Optus data breach exposed the personal information of nearly 10 million customers, including names, addresses, passport numbers, and driver’s licence details. The breach was primarily attributed to inadequate security controls and the unnecessary retention of excessive customer data, much of which was outdated or no longer required for business purposes.

This breach shows the risks of retaining data without proper oversight. Had Optus maintained a comprehensive understanding of its data assets, it could have identified redundant information and securely purged it. Better-defined access controls and stricter data governance would also have reduced the likelihood of exposure. This case illustrates how excessive data retention and poor security hygiene can amplify the consequences of a cyberattack, making data minimisation and clear accountability essential components of risk management.

The Danger of "Store Everything"

A “store everything” mentality, keeping all data “just in case”, increases both operational costs and security risk. Excess data (especially legacy data types) is difficult to organise and secure, often leading to shadow IT environments where data is stored outside official oversight. This disorganisation creates fertile ground for breaches, as data silos may lack appropriate security measures or compliance with organisational policies.

Additionally, holding onto outdated or redundant data increases exposure in the event of a breach. Attackers who gain access to unmaintained systems or forgotten storage locations can exploit this trove of information. Excessive data retention also complicates legal and regulatory compliance, particularly under privacy laws that mandate data minimisation and secure disposal practices. Organisations must prioritise not just collecting data but responsibly managing and periodically purging it to reduce their risk surface.
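The audit steps described earlier (inventorying, identifying ownership, analysing storage and access controls) and the retention review above can be expressed as rules run over an asset register. The following is an added example, not code from Security Centric; the register schema, the sample assets and the rule that measures retention from last use are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed register schema (an assumption; real registers vary).
@dataclass
class Asset:
    name: str
    owner: Optional[str]        # accountable business owner, None if unknown
    classification: str         # "public", "internal" or "confidential"
    encrypted_at_rest: bool
    auth_required: bool         # is the store or endpoint access-controlled?
    last_used: date             # last business use recorded in the register
    retention_days: int         # policy limit for this asset type

# Constructed sample register used for the walkthrough.
REGISTER = [
    Asset("customer-crm", "Sales", "confidential", True, True, date(2024, 11, 1), 365),
    Asset("vehicle-telemetry-archive", None, "confidential", False, True, date(2022, 3, 15), 90),
    Asset("heap-dump-share", "Platform", "internal", False, False, date(2024, 12, 1), 30),
    Asset("marketing-site", "Marketing", "public", False, False, date(2024, 12, 20), 3650),
]

def audit(register: List[Asset], today: date = date(2025, 1, 1)) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs; an asset with no pairs passes the audit."""
    findings = []
    for a in register:
        # Ownership: nobody can be asked whether the data is still needed.
        if a.owner is None:
            findings.append((a.name, "no accountable owner"))
        # Storage control: non-public data must be encrypted at rest.
        if a.classification != "public" and not a.encrypted_at_rest:
            findings.append((a.name, "sensitive data stored unencrypted"))
        # Access control: non-public data must not be reachable anonymously.
        if a.classification != "public" and not a.auth_required:
            findings.append((a.name, "non-public asset reachable without authentication"))
        # Retention: idle longer than policy allows is a candidate for secure purge.
        idle = (today - a.last_used).days
        if idle > a.retention_days:
            findings.append((a.name, f"idle {idle} days exceeds {a.retention_days}-day retention"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(REGISTER):
        print(f"{name}: {finding}")
```

In the sample register only `customer-crm` and `marketing-site` pass; the unowned telemetry archive and the unauthenticated heap-dump share each produce three findings.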

Conclusion: Building Your Security Foundation

Information asset audits are not just about knowing your assets; they are about protecting your organisation’s future. By understanding where sensitive data resides, how it flows, and who can access it, you can pre-emptively address risks before they become breaches. Our team specialises in helping organisations conduct thorough assessments, implement robust data governance, and achieve cybersecurity resilience.

To learn more about how we can assist in facilitating information asset audits, reach out to us today.
