I’ve spent enough time talking to CISOs, IT directors, and board members to know that the honest answer to “do you know where all your data is?” is almost always the same. A long pause. A cautious “we have a pretty good picture.” Then, if I press, an admission that the picture has significant gaps. These gaps are data security blind spots — and in most organisations, they’re larger than anyone is comfortable admitting.
That’s not a criticism. It’s the reality of operating in a modern digital environment where data doesn’t sit still. It doesn’t ask permission to move, and it accumulates faster than any team can realistically track. However, those blind spots have consequences. In my view, closing them is the single most important thing most organisations can do right now to reduce their security exposure.
Hackers don’t announce themselves. They find the door you didn’t know was open.
The data sprawl problem no one talks about honestly
Most organisations think of their data in terms of where they put it. The CRM. The file server. The cloud storage platform. But that’s only part of the picture.
The rest — the part that keeps security professionals up at night — is data that ended up somewhere without anyone making a deliberate decision. The spreadsheet a manager emailed to their personal account to work on over the weekend. The customer records a developer pulled into a test environment to make code work with realistic data. The archived project files sitting in a cloud bucket spun up in 2021 and never decommissioned.
This is dark data: information your organisation holds but doesn’t actively manage, monitor, or even know about. It sits quietly, often for years, unclassified and unprotected. And it is exactly the kind of target sophisticated attackers look for — because they know it’s unlikely to be monitored.
Shadow IT: your biggest developer-created data security blind spot
I want to be direct about this, because it’s a conversation that often gets avoided. Developers are frequently the source of significant undiscovered data risk. Not through malice — through pragmatism.
When a developer is building or testing a new feature, they need data that behaves like real data. So they take a copy of a live database. They stand up a cloud instance to run it against. They push credentials into a repository — sometimes a public one. The feature ships, the sprint moves on, and that environment keeps running. That repository stays accessible. Nobody decommissions it, because nobody officially knows it exists.
This is shadow IT: tools, systems, and data stores that exist entirely outside the formal IT procurement and governance process. In the age of self-serve cloud — where any developer with a company credit card can provision infrastructure in under ten minutes — the scope of shadow IT has grown dramatically. Without the right discovery tooling in place, your security team has no way of knowing it is there.
The cloud misconception that makes blind spots worse
There is a dangerous assumption embedded in how many organisations think about cloud security, and it needs to be stated plainly: your cloud provider does not protect your data. They protect their infrastructure.
Every major cloud provider operates under a shared responsibility model. The provider secures the underlying infrastructure — the servers, the network, the physical facilities. The data inside that infrastructure, and the controls around it, are your responsibility. Misconfigured storage buckets. Overly permissive access controls. Unencrypted data at rest. These are overwhelmingly customer-side failures, and they are among the most common causes of significant data breaches.
Your cloud provider secures the building. The data inside it is your problem.
In practice, this means your data security programme cannot stop at the boundary of your on-premises estate. It has to extend into every cloud environment, every SaaS application, and every third-party platform where your data might live — including the ones your teams adopted without going through IT. Our cloud security practice works with organisations specifically on this shared responsibility gap.
Why classification turns discovery into action
Discovery tells you what you have. Classification tells you what it means — and what you should do about it.
By categorising your data against a defined sensitivity framework — personal data, financial records, commercially sensitive information, regulated data, genuinely public content — you can apply controls that are proportionate to the risk. You can encrypt what needs encrypting. You can restrict access based on genuine need rather than historical habit. In addition, you can prioritise remediation effort where exposure is highest.
Without classification, a breach response begins with the worst possible question: what did they actually get? With it, you already know the scope, you know the regulatory implications, and you have the evidence to demonstrate to regulators and customers that you were managing your data responsibly.
One thing worth noting: the classification challenge is not just about documents and spreadsheets. Modern organisations hold data in formats that traditional data loss prevention tools struggle with — audio recordings of customer service calls, video of meetings, scanned contracts held as image files, years of PDFs that have never been indexed or categorised. Unstructured data is the hardest to classify and, in my experience, the most likely to be overlooked. It is also increasingly where sensitive information lives.
Where to start closing your data security blind spots
The answer is straightforward, even if the implementation takes effort: know what you have — all of it — before you try to secure it.
That means running a discovery exercise across your full estate. Not just the environments IT manages, but cloud platforms, SaaS applications, backup and archive systems, and developer environments. It means classifying what you find against a clear, consistent framework. And it means applying controls that reflect the sensitivity of the data, not the convenience of the team that created it.
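As an added illustration (not Northdoor's tooling and not code from this article), the following Python sketch runs the discovery-then-classify-then-prioritise loop described above over a constructed inventory: each discovered item is classified against the sensitivity framework (regulated, personal, financial, commercial, public), credentials left in a repository are flagged as the developer-created blind spot, and findings are ordered so shadow locations surface ahead of managed ones. The inventory, detection patterns, control wording and the `managed_roots` convention are all assumptions for the example.

```python
import re
from collections import namedtuple

# Sensitivity framework from the article, most sensitive first, each mapped to a
# proportionate control (the control wording is an assumption for this example).
FRAMEWORK = {
    "regulated": "encrypt at rest, restrict to named roles, log every access",
    "personal": "encrypt at rest, restrict to business need",
    "financial": "encrypt at rest, restrict to finance roles",
    "commercial": "restrict access, review external sharing",
    "public": "no additional control",
}
RANK = {cls: i for i, cls in enumerate(FRAMEWORK)}  # 0 = most sensitive

# Constructed detection patterns: illustrative, deliberately not exhaustive.
PATTERNS = {
    "regulated": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],            # national-ID style
    "personal": [re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")],            # e-mail address
    "financial": [re.compile(r"\b(?:\d[ -]?){13,16}\b")],            # card-number style
    "commercial": [re.compile(r"\b(?:confidential|pricing|roadmap)\b", re.I)],
}
# Credentials committed to a repository: the developer-created blind spot in the article.
SECRET = re.compile(r"(?i)\b(api[_-]?key|secret|password)\b\s*[:=]\s*\S+")

# managed=False marks a location outside the IT-governed estate (shadow IT).
Finding = namedtuple("Finding", "path sensitivity control has_credentials managed")

def classify(text: str) -> str:
    """Return the most sensitive framework class whose pattern appears in the content."""
    for cls in ("regulated", "personal", "financial", "commercial"):
        if any(p.search(text) for p in PATTERNS[cls]):
            return cls
    return "public"

def triage(inventory: dict, managed_roots: tuple) -> list:
    """Classify each item; order: leaked credentials, then sensitivity, shadow before managed."""
    findings = [Finding(p, classify(t), FRAMEWORK[classify(t)], bool(SECRET.search(t)),
                        p.startswith(managed_roots)) for p, t in inventory.items()]
    return sorted(findings, key=lambda f: (not f.has_credentials, RANK[f.sensitivity], f.managed))

# Constructed inventory standing in for a crawl across file server, cloud buckets and repos.
SAMPLE_ESTATE = {
    "s3://dev-test-2021/customers.csv": "name,email\nA Smith,a.smith@example.com\n",
    "git://app-repo/config.py": "API_KEY = 'placeholder-not-a-real-key'\nDEBUG = True\n",
    "fileserver/finance/q3-pricing.xlsx": "CONFIDENTIAL pricing roadmap for Q3\n",
    "fileserver/hr/records.txt": "Employee 123-45-6789 start date 2019\n",
    "fileserver/marketing/brochure.txt": "Our public product brochure.\n",
}
MANAGED_ROOTS = ("fileserver/",)
```

Calling `triage(SAMPLE_ESTATE, MANAGED_ROOTS)` returns the committed credential first, then the regulated HR file, then the personal data sitting in the undecommissioned test bucket, each paired with the control the framework prescribes.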
Northdoor’s data discovery and classification service helps organisations map their full data estate — including shadow IT and unstructured data — and apply the right protections at scale.
The organisations that do this well are not the ones with the biggest security budgets. They’re the ones that decided to look properly — and then acted on what they found.
Discovery and classification won’t stop every attack. But they mean that when something goes wrong, you already know what was at risk. That changes everything.