Published on the 11/12/2018 | Written by Heather Wright
Not all data is equal. Is your company protecting your most valuable data?…
While it’s obvious that not all your company data is equally valuable, a new report suggests that many IT security departments are misjudging the value of the data they’re protecting, leading to insufficient investment into the availability, protection and security of the most commercially valuable data.
The Ponemon Institute research, commissioned by data management company DocAuthority, claims IT security teams are placing greater value on personally identifiable information, and much less value on valuable research and development and financial reports.
“Data and its protection should be the concern of not only management level, but the business as a whole.”
That mis-alignment between the value placed on data by IT security and the value the wider business places on the same data is resulting in incorrect levels of security, increased chances of data breaches and mishandling of access rights for employees, Ponemon says.
It says IT security departments estimated the value of R&D documents at less than 50 percent of what the business itself estimated they were worth, at US$306,545 versus $704,619. That’s a big issue, the Understanding the Value of Information Assets report says. “[It] can lead to insufficient investment in protection and backup investments, which could lead to the loss of business data.”
In an interview earlier this year, Delta Insurance general manager Craig Kirk told iStart noted the need to protect R&D information, saying the insurance company was seeing targeted hacking attacks aimed at stealing companies’ research and development.
New Zealand companies are spending more than $1.6 billion on R&D annually. In 2015, Australian R&D spend was 1.87 percent of GDP.
The Ponemon report says the impact of a financial report being leaked was also underestimated by the IT security departments, who put the financial impact of a leak at $131,570 versus the $303,182 value their finance departments attributed to the same asset.
“This may result in not investing enough to protect financial reports from leakage, potentially leading to a very expensive breach.”
On the flip side, the IT department overvalued monthly salary lists at $94,148, compared to the $57,477 value attributed by human resource departments.
“Because IT security is overly focused on personally identifiable information-related data, this may reduce the investment in protecting far more expensive data types such as product designs, pricing or financial data. This can lead to far more expensive data breaches.”
Larry Ponemon, chairman and founder to the Ponemon Institute, says while the security and protection of business data is typically the realm of the IT department, the research shows IT doesn’t have the vitally important context to understand the true value of data and in turn create an effective strategy for defending it.
“Rather than being relegated to IT, data and its protection should be the concern of not only management level, but the business as a whole,” he says.
The report, which was based on US and UK research, notes that the fresher the information, the higher the value, and that the cost to recreate different information assets varies significantly, with pricing models and customer lists rated costliest information assets to recreate for the marketing function.
The cost to deal with negative consequences of data leakage also varies, with respondents saying a lead of R&D documents is more costly than that of product manufacturing and engineering workflows, while M&A leakage is, unsurprisingly, more costly than the leakage of signed customer contracts.
“The ability to value information assets has practical implication for organisations,” Ponemon says. “The ability… to succeed in a competitive and global economy depends on the quality, accuracy and relevancy of their information assets.”
So what’s a company to do?
Ponemon says there are six criteria to assess the value of corporate data, which can provide companies with an overview of the value of data and enable them to align security strategies with the most valuable assets.
Its six criteria are:
Intrinsic value – how correct, complete and exclusive data is
Business value – how good and relevant data is for specific purposes
Performance value – how the data affects key business drivers
Cost value – the cost if the data was lost or leaked
Market value – what you can earn from selling or trading the information
Economic value – how the information contributes to the company’s bottom line
“The process of categorising and assessing a value provides insights into what data are most critical to their operations and should receive the highest level of security,” the report says.
Adds Dr Ponemon “Businesses are short-changing themselves if they don’t understand the value of their data
“You need to have a clear view of your data, where it is, who can see it, what is valuable and what is toxic if you are to effectively manage and defend it. But you also need the same level of understanding if you hope to appreciate and realise the true value of data you hold; whether that is intellectual property or data that increases business sales or marketing effectiveness.”