Connect with us

Hi, what are you looking for?


Data Protection

Businesses in the Dark on Value of Corporate Data

Most businesses lack insight into the actual value of critical data assets that are targeted by cybercriminals, a recent report from security consultant IRM reveals.

Most businesses lack insight into the actual value of critical data assets that are targeted by cybercriminals, a recent report from security consultant IRM reveals.

According to the company’s Risky Business Report, only 28% of CISOs conduct regular exercises to categorize and value the data within the company, which allows them to evaluate the risk associated with the loss of this data. In fact, 17% of surveyed business executives say they didn’t take action in this regard, while 55% of them have taken partial action, the report (PDF) reveals.

What’s more, 40% of responding CISOs said they have no clear view into the location and nature of their information assets, IRM says. The risks associated with poor knowledge of the value of data include difficulties in building an effective protection strategy, or in determining the amount that should be invested in data protection solutions, Charles White, Founder and CEO of IRM, warns.

Findings in the report are in line with thoughts from SecurityWeek columnist Rafal Los, on what he believes is the most important security question nobody seems to be able to answer: “What is your organization’s sensitive data, and where is it?” 

“The fact that more than a third of CISOs have no clear view of what assets they have in their networks is very worrying – how can you plan your cyber security investment accurately if you don’t know what you are protecting and how much it is worth? It is essential to know the value of the data stored and what its loss would cost the company across criteria such as cost of replacement, lost productivity, lost business, and damage to reputation,” White says.

According to IRM, while PCI regulations demand that credit card details should be stored using strong security, valuable passport information could be completely overlooked. Earlier this year, a Dell SecureWorks report revealed that credit card data could be sold for as little as $7 and as much as $80, depending on the country, while a passport scan could be sold for around $25.

However, the research also reveals that the relationship with the board has improved, with 66% of CISOs revealing that they rarely have issues engaging with the board on the cyber agenda, and only 3% admitting to always having difficulties. According to the report, 56% of respondents will focus on identifying risks and vulnerabilities within the next 12 months, while 17% of them said they would focus on vetting third party suppliers and securing the cloud.

The report also shows that CISOs are more concerned about people than technology, with 28% saying that internal staff were the area they felt most vulnerable. While 24% of respondents revealed they believed suppliers represent a vulnerability, 17% of them said that cloud and Internet of Things (IoT) devices were their main technological vulnerability.

Advertisement. Scroll to continue reading.

IRM’s survey also shows that organizations are starting to look beyond the traditional best practice checklists of cyber security technologies and that they started understanding where threats come from, which is encouraging. However, without clear view of what information assets the company has and where they are located on the network, businesses are not only vulnerable, but also highly unlikely to efficiently respond in the event of a data breach, the report says.

Related: Corporate Data Lingering on Old Drives: Advice From The Professionals

Related: Broadly Shared Files a High Risk for Enterprise Data: Report

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Data Protection

Social media, use of mobile devices for business, and the economic downturn are posing serious challenges for organizations looking to keep confidential company and...