11/28/2018
05:57 PM

Incorrect Assessments of Data Value Putting Organizations at Risk

Information security groups often underestimate or overestimate the true value of data assets, making it harder to prioritize controls.

Many information security groups are undermining data availability and security by incorrectly estimating the true value of their enterprise information assets, a new survey shows.

The Ponemon Institute conducted the survey on behalf of document security vendor DocAuthority. A total of 2,820 professionals from seven different functional areas — IT security, product and manufacturing, legal, marketing, IT, finance and accounting, and human resources — were asked to value 36 different information types on a per-record basis. The information types included research and development documents, source code, customer records, merger and acquisition data, and personally identifiable information.

The results showed IT departments overestimating the value of certain information types, such as PII, while grossly underestimating the value of other information, such as financial reports and R&D data. On average, IT security departments tended to be as much as 50% off the true value of data assets as perceived by the data owners.

IT security departments, for instance, estimated on average that it would cost their companies $306,545 to reconstruct an R&D document compared to the $704,619 that R&D professionals themselves estimated it would cost. Similarly, IT security estimated the cost of a financial report leakage to be around $131,570 versus the $303,182 value that accounting and finance professionals assigned to the information asset.

Conversely, security professionals perceived certain other data types as worth more to the business than the data owners themselves did. Security groups estimated the monthly salary lists of 1,000 employees to be worth over $94,100 to the business, while HR professionals pegged the value at a substantially lower $57,477.

The perception gap matters because it impacts how security organizations protect different types of data and how they make the data available across the enterprise, says Steve Abbott, CEO of DocAuthority. Incorrect data value assessments can result in the wrong types of controls being implemented.

"Right now IT security and business see the value of business data significantly differently," Abbott says. "IT security doesn't understand or appreciate the value of data the same way that business does."

Many security organizations apply security and access controls on data using broad and often static classification schemes. The DocAuthority survey revealed the need for a more nuanced approach to handling enterprise data assets, Abbott says.

The survey, for instance, showed that not all information asset types have the same value. Some datasets, like R&D data, pricing models, source code, M&A documents and signed employment agreements, are worth substantially more to organizations than other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.

The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

The cost of recreating data and of dealing with the consequences of a breach varies by type and function as well. In marketing groups, pricing models and customer lists are the costliest data types to recreate; for human resources organizations it is pension data.

Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the costs of a breach that involves product-manufacturing workflows ($106,520). Interestingly, the data values that the different sets of business users in the survey arrived at for different data types were more or less consistent across industry vertical and location.

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, and how much it would cost if lost or in the wrong hands.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
