Businesses in the Dark on Value of Corporate Data

Most businesses lack insight into the actual value of critical data assets that are targeted by cybercriminals, a recent report from security consultant IRM reveals.

According to the company’s Risky Business Report, only 28% of CISOs conduct regular exercises to categorize and value the data within the company, which allows them to evaluate the risk associated with the loss of this data. In fact, 17% of surveyed business executives say they have not taken action in this regard, while 55% of them have taken partial action, the report reveals.

What’s more, 40% of responding CISOs said they have no clear view into the location and nature of their information assets, IRM says. The risks associated with poor knowledge of the value of data include difficulties in building an effective protection strategy, or in determining the amount that should be invested in data protection solutions, Charles White, Founder and CEO of IRM, warns.

Findings in the report are in line with thoughts from SecurityWeek columnist Rafal Los, on what he believes is the most important security question nobody seems to be able to answer: “What is your organization’s sensitive data, and where is it?” 

“The fact that more than a third of CISOs have no clear view of what assets they have in their networks is very worrying – how can you plan your cyber security investment accurately if you don’t know what you are protecting and how much it is worth? It is essential to know the value of the data stored and what its loss would cost the company across criteria such as cost of replacement, lost productivity, lost business, and damage to reputation,” White says.

According to IRM, while PCI regulations demand that credit card details should be stored using strong security, valuable passport information could be completely overlooked. Earlier this year, a Dell SecureWorks report revealed that credit card data could be sold for as little as $7 and as much as $80, depending on the country, while a passport scan could be sold for around $25.

However, the research also reveals that the relationship with the board has improved, with 66% of CISOs revealing that they rarely have issues engaging with the board on the cyber agenda, and only 3% admitting to always having difficulties. According to the report, 56% of respondents will focus on identifying risks and vulnerabilities within the next 12 months, while 17% of them said they would focus on vetting third party suppliers and securing the cloud.

The report also shows that CISOs are more concerned about people than technology, with 28% saying that internal staff were the area where they felt most vulnerable. While 24% of respondents said they believed suppliers represent a vulnerability, 17% of them said that cloud and Internet of Things (IoT) devices were their main technological vulnerability.

IRM’s survey also shows that organizations are starting to look beyond the traditional best practice checklists of cyber security technologies and that they have started to understand where threats come from, which is encouraging. However, without a clear view of what information assets the company has and where they are located on the network, businesses are not only vulnerable, but also highly unlikely to respond efficiently in the event of a data breach, the report says.
