Incorrect Assessments of Data Value Putting Organizations at Risk

  /     /     /  
Publicated : 23/11/2024   Category : security


Incorrect Assessments of Data Value Putting Organizations at Risk


Information security groups often underestimate or overestimate the true value of data assets, making it harder to prioritize controls.



Many information security groups are undermining data availability and security by incorrectly estimating the true value of their enterprise information assets, a new survey shows.
The Ponemon Institute conducted the survey on behalf of document security vendor DocAuthority. A total of 2,820 professionals from seven different functional areas — IT security, product and manufacturing, legal, market, IT, finance and accounting, and human resources — were asked to value 36 different information types on a per record basis. The information types included research and development documents, source code, customer records, merger and acquisition data, and personally identifiable information.
The results showed IT departments overestimating the value of certain information types, such as PII, while grossly underestimating the value of other information, such as financial reports and R&D data. On average, IT security departments tended to be as much as 50% off the true value of data assets as perceived by the data owners.
IT security departments, for instance, estimated on average that it would cost their companies $306,545 to reconstruct an R&D document compared to the $704,619 that R&D professionals themselves estimated it would cost. Similarly, IT security estimated the cost of a financial report leakage to be around $131,570 versus the $303,182 value that accounting and finance professionals assigned to the information asset.
Conversely security professionals perceived certain other data types to be worth more to the business than they actually do. Security groups estimated the monthly salary lists of 1,000 employees to be worth over $94,100 to the business while HR professionals pegged the value at a substantially lower $57,477.
The perception gap matters because it impacts how security organizations protect different types of data and how they make the data available across the enterprise, says Steve Abbott, CEO of DocAuthority. Incorrect data value assessments can result in the wrong types of controls being implemented. 
Right now IT security and business see the value of business data significantly differently, Abbott says. IT security doesnt understand or appreciate the value of data the same way that business does.
Many security organizations apply security and access controls on data using broad and often static classification schemes. The DocAuthority
survey
revealed the need for a more nuanced approach to handling enterprise data assets, Abbott says.
The survey for instance showed that not all information asset types have the same value. Some datasets like R&D data, pricing models, source code, M&A documents and signed employment agreements are worth substantially more to organizations that other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.
The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.
Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.
The cost of recreating data and of dealing with the consequences of a breach varies by type and function as well. In marketing groups, pricing models and customer lists are the costliest data types to recreate; for human resources organizations it is pension data.
Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the costs of a breach that involves product-manufacturing workflows ($106,520). Interestingly, the data values that the different sets of business users in the survey arrived at for different data types were more or less consistent across industry vertical and location.
The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, how much it would cost if lost or in the wrong hands, Abbott says.
Related Content:
A Data Protection Officers Guide to GDPR Privacy by Design
The Data Security Landscape Is Shifting: Is Your Company Prepared?
The Best and Worst Tasks for Security Automation
7 Data Classification Tips
 
 
Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the
conference
 and
to register.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Incorrect Assessments of Data Value Putting Organizations at Risk