How do you solve a problem like data sprawl? Data governance and security
Picture it: the year is 1995, you are at the office. You just created a document or a spreadsheet on the computer and then walked away to get a cup of coffee. You come back to your computer to find it frozen, and guess what? You didn’t save your file. All that work is gone, and you have to start over.
Fast forward to 2005; the early days of data governance and security practices. You have learned to be one step ahead of the computer. When you create a document, you immediately save it. Before you head out to a meeting, you save it again. To be extra careful; you save the document with the word “backup” at the end of the file name.
Today, saving files or documents looks different. Many systems auto-save or have the option to recover a file that was closed before being saved. But every share and download creates a new version of the same file. Consider the following scenarios:
- A colleague reviews your draft, makes changes, and emails it back
- Someone saves your document as a PDF and sends it to outside stakeholders
- Another team uploads it to a local government website
Now, instead of one file, there are dozens of copies in different locations. And good luck keeping track of all the different versions. This is commonly referred to as data sprawl. Does this sound exhausting? It is!
Even more significant than the headache of keeping track of so many files is the risk of data leaks. A lack of centralized data oversight can result in gaps in security protocols, unpatched systems, and outdated encryption standards, all of which can be exploited by malicious actors.1 Any of those files might contain data like health records, payment information, or social security numbers. This presents an immediate problem in cybersecurity and data governance.
The escalating importance of cybersecurity and data governance
We have lived with this data sprawl for many decades, and for the most part, it has been accepted as a common practice. Data governance and security laws emerged to combat the problem. But even with the rise of cyberattacks, these haphazard data saving practices continue and have grown more prolific. The results are magnified significantly when considering how much time is spent looking for documents. Multiple studies over the years have shown an individual spends anywhere from 9-15 hours per week looking for information. That equates to 30-50% of the work week.2
The explosion of cyberattacks on the public sector has revealed the depth of this data sprawl problem. In 2013, data showed attacks on retail giants such as Target, Adobe, and Yahoo, but very little in the public sector. In 2025, cyberattacks have escalated to the point that even the annual Verizon data breach report has created a separate section for public sector. In the 2025 report, over 2,100 separate incidents were confirmed.3 When you consider how much of our public sector systems include critical infrastructure, data governance and security couldn’t be more imperative.
Another layer of complexity to this problem is the numerous types of devices you can store your documents on. Gone are the days of a file being stored exclusively on a local computer drive. Documents can now live on a USB drive, an external hard drive, in the cloud, and even on your mobile phone.
And now, with the rise of artificial intelligence (AI) and generative artificial intelligence (GenAI), a plethora of data quality issues are being uncovered. AI and data governance can help organizations identify problems with data collection, accuracy and relevancy, to name a few.
Data governance and security best practices
While many of these issues are bigger than any one person or organization, you can create a more secure future by taking control of your personal and work-related data. Start by focusing on the following best practices:
- Be consistent in where you save documents.
- Know your records retention policy, and if you don’t have one, start one!
- Use links for sharing, rather than emailing a copy of the document.
Be consistent with your naming convention for documents.
Here are a few foundational principles to start:
Use descriptive names; include relevant details such as the project name, date, and version
Example: Data governance and security project_2025-09-02_v1
Be consistent in date formatting; use a format such as YYYY-MM-DD to ensure files will populate and organize chronologically
Example: Report_2025-09-02.pdf
Implement version control; include version numbers or identifiers to track changes easily
Example: Data governance and security_v3.docx
Avoid special characters; use underscores or hyphens instead of spaces to prevent issues with different operating systems
Example: Project-Overview_v1.pdf
Indicate status or type; include information about the file's status or type, such as draft, final, or archive
Example: Data Governance and Security Program_Final_2025.pdf
Avoid repurposing files without changing their name
Example: 2022Feb_monthly_budget_report.xls should be renamed with the appropriate date information, not continuously saved as is because you continue to use the same spreadsheet
- Develop automated procedures for when to delete documents. This helps address the problem of higher storage volumes, which translates into cost savings or cost avoidance.
- Password-protect or encrypt data. Most email systems today have the encryption option available before you send the email. Further, the document application generally has the ability to add a password to protect the file itself.
- Conduct a data asset inventory, which is a list of both structured data (databases) and unstructured data (files, documents, etc.).
- Name directory folders consistently and with appropriate names. Labeling digital file folders is an art lost to the digital age.
Stop the sprawl with data governance and security
As one county CIO recently shared, “The last time you have any control over your file is 1 second before you…”
- Send it as an email attachment
- Provide a link to the file
- Upload it to any site not controlled by you
These best practices are just a start to combat data sprawl, but they can help solidify a data governance and security strategy. For now, remember you can’t boil the ocean, but you can chart a course with small, impactful steps.
CAI has years of experience partnering with local government and public sector agencies to improve data security and develop governance strategies.
To learn more about how CAI can help your organization, fill out the form below.
Endnotes
- Katie Bowen. “Combatting Public Sector Data Sprawl in the Age of AI & Cloud.” Solutions Review. August 29, 2024. https://solutionsreview.com/endpoint-security/combatting-public-sector-data-sprawl-in-the-age-of-ai-cloud/. ↩
- Viktor Laufs. “Million sin Lost Productivity: The Hidden Cost of 9+ Hours of Weekly Search Time.” LinkedIn. March 13, 2025. https://www.linkedin.com/pulse/millions-lost-productivity-hidden-cost-9-hours-weekly-viktor-laufs-e9c2c/. ↩
- Verizon. “2025 Data Breach Investigations Report: Public Sector Snapshot.” https://www.verizon.com/business/resources/infographics/2025-dbir-public-sector-snapshot.pdf. ↩
