IP is Valued Above Email but Below PII, Survey Finds
In mitigating an asset risk by risk transfer (such as an insurance policy), the value of the asset is directly related to the cost of the transfer (the insurance premium). The same principle should be applied to other forms of risk mitigation, such as defending the asset. Where the asset is data, an information security policy should reflect the value of the data — but this assumes that the value of the data is understood.
Trustwave, a Chicago, IL-based threat, vulnerability and compliance management firm, wanted to see how organizations value the prime categories of the data they hold — which it assumes to be personally identifiable information (PII), payment card data (PC), intellectual property (IP), and email content information. It commissioned Quocirca to analyze the financial value placed by different industry segments in different geographical regions on these four categories of data. Five hundred IT and risk managers were surveyed in the U.S., Canada, Australia, Japan and the UK (100 for each region).
Two specific metrics are used in the ensuing report (PDF): the per capita value (PCV) for data; and a data risk vigilance (DRV) score. PCV is calculated by dividing the overall value of a data set by the number of records it contains. It consequently provides a subjective view for each organization. The same principle was also applied to discover the comparative data PCVs for the criminal fraternity and regulators.
The second metric, the DRV score, isn’t simply a question of security budgets, but aggregates ten factors — four relating directly to risk, four to data value assessments and two to the impact of data theft.
The results are surprising in their diversity. For example, U.S. professionals value their PII data at more than twice the PCV value asserted by their UK counterparts ($1,820 versus $843). The difference may be less today following the recent 20% fall in the value of the pound, but is still surprising.
It would be tempting to think this might reflect the vast number of data protection regulations, both state and federal, in the U.S.; and that simply for compliance reasons U.S. security officers value data more highly. If this were so, then the UK PCV would likely increase dramatically from next year, when the GDPR with its very high non-compliance sanctions comes into effect.
Ziv Mador, VP security research at Trustwave, doesn’t believe this is the cause of the difference. “It is likely,” he told SecurityWeek, “that the sheer volume of PII held in the U.S. by the big international organizations, and the knowledge that they are a tempting target for attackers, increases the awareness of PII value.” If this is the case, GDPR will more likely increase the disparity between the U.S. and the UK, since it will still be U.S. organizations holding huge amounts of European PII.
Many of the findings of this survey and analysis are easy to understand and explain. For example, PII (which includes personal health information — PHI) gets the highest overall PCV rating. This is understandable given the potential cost of a breach, including lawsuits, regulatory fines, and the cost of restitution. This is followed by IP and payment card data — again understandable, in that card data is often held by third parties. More surprising, however, is that email is given the lowest PCV by a long distance.
Email seems not to be considered a serious area of concern despite the volume of sensitive data often sent within it. This ranges from PII to IP and user passwords in clear text. While IP is given a high value, emails that often contain IP or access to it are not. The demise of Nortel is a case in point. Hackers had access to Nortel for about a decade. An investigation subsequently found two rootkits giving the hackers remote access to corporate email. It is believed that IP stolen from Nortel enabled competitors from China to produce almost identical products at a fraction of the cost — ultimately leading to Nortel’s demise.
It would appear from the Trustwave survey that many organizations have still not learned the true value of, and threat from, email; and are likely to defend it inadequately. This is potentially confirmed by the report’s second metric, the data risk vigilance score, in which PC data replaces PII as the category receiving the greatest vigilance. This may, however, be because companies holding large amounts of PC data (merchants, for example) hold lesser amounts of other types of data, and consequently bias the overall result.
Despite the Nortel example illustrating the importance of IP, IP ranks only third. Corporate email is a relatively distant fourth.
The strength of this report is that it will likely make organizations question whether they have correctly valued their own data, and have consequently applied the correct level of security controls for their different assets.
“Today,” explains Mador, “data is one of the most valuable commodities possessed by any business. Whether that data belongs to the organization itself, its employees, suppliers or customers, it has a duty to protect that data to the best of its ability. Companies that fail to accurately value their data are unlikely to make the right decisions regarding the level of cyber security investments to protect that data and are those most likely to fall short of regulations, such as the upcoming European Union General Data Protection Regulation (GDPR) coming into effect in 2018.”
The biggest single takeaway is that companies should perhaps re-evaluate both the PCV and DRV they apply to their corporate email systems.