[BreachExchange] Mis-valuation of data poses a huge threat to businesses

Destry Winant destry at riskbasedsecurity.com
Mon Jan 21 06:51:42 EST 2019


https://www.itproportal.com/features/mis-valuation-of-data-poses-a-huge-threat-to-businesses/

IT Security safeguards corporate data. It’s a widely accepted practice
and commonplace in businesses across the globe. You would therefore
assume that the integrity of data would be safe in the hands of these
skilled specialists? While IT Security is best-placed to deal with
keeping businesses safe from hackers and security threats, new
research from the Ponemon Institute has found they mis-value the data
they protect. Why is that a problem? If the department responsible for
protecting data doesn’t accurately grasp its value; data security
could be compromised. Business critical data may be left open to
attack and low value documents left over-protected. A business must
fully understand the value of its data if it is to protect it
properly.

The true value of data

Not all data is equally valuable to a business. Imagine, for example,
that a cyber-attack uncovered the minutes of an international
business’ board meeting. This type of sensitive information leaking
into the public domain could be enormously revealing and destroy a
business’s market position. At the other end of the scale, a
cyber-attack only uncovers cafeteria menus for the next month is not
nearly as damaging. This insight is rarely recognised in IT Security
strategies – because they are built on an incorrect estimation of the
value of stored business data.

Recent research from the Ponemon Institute found that IT Security
departments estimated the value of R&D documents at less than 50 per
cent of what the business would estimate their worth. IT Security
predicted that it would cost $306,545 to reconstruct an R&D document
compared to a figure of $704,619 – provided by the R&D department
itself.

This startling revelation becomes a pattern across an organisation. IT
Security also underestimated the monetary impact of a financial report
being leaked, at $131,570, versus the $303,182 that the Finance
department believes it would incur from this incident. Or with monthly
salary lists. The inevitable outcome is that IT Security departments
are serially prioritising and protecting less sensitive data. Under or
over valuations will lead to applying the incorrect levels of security
to business data; and increases the potential damage incurred by a
data breach.

IT Security departments are working with imperfect information. They
do not have the crucial context necessary to understand its true value
and, in turn, develop an effective strategy for its defence. Of a
business’s retained data, we estimate that as little as 5 per cent
will be vital to running the organisation. Despite this, companies
still approach data security with a ‘one size fits all’ mentality.
Data and its protection is a wider remit and should be the concern of
the entire business. Businesses absolutely need to take a more
strategic and cost-effective approach to data security – which starts
with the identification and classification of data to make accurate
decisions on where security needs to be applied.

Overcoming data management challenges

Businesses don’t understand data. Understanding that could prove
crucial in the strategic decisions that they make. Companies don’t
really know what data they hold, where it is located, its functional
context, who has reviewed it, or copied it and even if it is legal for
it to be deleted. The majority of businesses find it very complicated
to assess which documents contain valuable details, such as R&D
information or financial data, or to understand the sensitivity or
business context of documents. However, the advent of progressive data
privacy legislation, such as the General Data Protection Regulation
(GDPR) and the California Consumer Privacy Act (CCPA), is forcing
business to take data management seriously.

Traditionally, the process of identifying and classifying data can be
extremely costly and time consuming. For example, manually scanning
the unstructured data stored by a typical 5,000 seat organisation
could take up to 400 years’ worth of expenditure and time.
Unstructured data makes up the majority – as much as 70 or 80 per cent
– of an organisations’ stored data. If a business turned to machine
learning technology for data identification and classification, it
would really struggle because this type of technology is unable to
gauge the context of documents.

The emergence of Artificial Intelligence (AI) technology is exciting
as it is capable of generating data inventories automatically, with a
high level of accuracy, in a very rapid timeframe. The efficiency of
AI technology means that it won’t interrupt the day-to-day work of the
business, but can understand and apply context, purpose and therefore
value to the data held within a business.

Improved data management means that the business won’t mis-value its
information. Moreover, that knowledge can be put to work in the
application of more effective security protections. A business is also
able to lower the quantity of data it stores and improve the quality
of the data. Taking a confident approach to the deletion of ‘toxic
data’ lessens the impact of a data breach hitting a business.
Alongside this, a lower level of stored data means that less
irrelevant data is available, which results in less errors being made
as it’s easier to locate the information staff members need. It
doesn’t stop there either. Improving the visibility and management of
data can also, immediately, increase the value of business information
assets by 15 per cent. That is a compelling argument; especially when
talking and justifying IT spend to CFOs.

Business can now gain a clear view of its data, where it is, who can
see it, what is valuable and what isn’t. As a result, the paradigm of
data mis-valuation can be removed forever. This improved management
and protection means a business can finally accurately identify the
market value of data to monetise information assets; and put a
financial value to governance projects. It can also improve security
protections, operational procedures and offer financial boosts. These
benefits can be opened effectively, rapidly, accurately and
successfully using existing AI technology. These solutions are the
only realistic route to fully understanding the context of corporate
data; and making the era of genuine data-driven advances a reality.


More information about the BreachExchange mailing list