Vulnerabilities / Threats

11/28/2018
05:57 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Incorrect Assessments of Data Value Putting Organizations at Risk

Information security groups often underestimate or overestimate the true value of data assets, making it harder to prioritize controls.

Many information security groups are undermining data availability and security by incorrectly estimating the true value of their enterprise information assets, a new survey shows.

The Ponemon Institute conducted the survey on behalf of document security vendor DocAuthority. A total of 2,820 professionals from seven different functional areas — IT security, product and manufacturing, legal, market, IT, finance and accounting, and human resources — were asked to value 36 different information types on a per record basis. The information types included research and development documents, source code, customer records, merger and acquisition data, and personally identifiable information.

The results showed IT departments overestimating the value of certain information types, such as PII, while grossly underestimating the value of other information, such as financial reports and R&D data. On average, IT security departments tended to be as much as 50% off the true value of data assets as perceived by the data owners.

IT security departments, for instance, estimated on average that it would cost their companies $306,545 to reconstruct an R&D document compared to the $704,619 that R&D professionals themselves estimated it would cost. Similarly, IT security estimated the cost of a financial report leakage to be around $131,570 versus the $303,182 value that accounting and finance professionals assigned to the information asset.

Conversely security professionals perceived certain other data types to be worth more to the business than they actually do. Security groups estimated the monthly salary lists of 1,000 employees to be worth over $94,100 to the business while HR professionals pegged the value at a substantially lower $57,477.

The perception gap matters because it impacts how security organizations protect different types of data and how they make the data available across the enterprise, says Steve Abbott, CEO of DocAuthority. Incorrect data value assessments can result in the wrong types of controls being implemented. 

"Right now IT security and business see the value of business data significantly differently," Abbott says. "IT security doesn't understand or appreciate the value of data the same way that business does."

Many security organizations apply security and access controls on data using broad and often static classification schemes. The DocAuthority survey revealed the need for a more nuanced approach to handling enterprise data assets, Abbott says.

The survey for instance showed that not all information asset types have the same value. Some datasets like R&D data, pricing models, source code, M&A documents and signed employment agreements are worth substantially more to organizations that other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.

The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

The cost of recreating data and of dealing with the consequences of a breach varies by type and function as well. In marketing groups, pricing models and customer lists are the costliest data types to recreate; for human resources organizations it is pension data.

Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the costs of a breach that involves product-manufacturing workflows ($106,520). Interestingly, the data values that the different sets of business users in the survey arrived at for different data types were more or less consistent across industry vertical and location.

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, how much it would cost if lost or in the wrong hands, Abbott says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: New camera 2FA closed loop!
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20059
PUBLISHED: 2018-12-11
jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.
CVE-2018-20056
PUBLISHED: 2018-12-11
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. There is a stack-based buffer overflow allowing remote attackers to execute arbitrary code without authentication via the goform/formLanguageChange currTime parameter.
CVE-2018-20057
PUBLISHED: 2018-12-11
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. goform/formSysCmd allows remote authenticated users to execute arbitrary OS commands via the sysCmd POST parameter.
CVE-2018-20058
PUBLISHED: 2018-12-11
In Evernote before 7.6 on macOS, there is a local file path traversal issue in attachment previewing, aka MACOSNOTE-28634.
CVE-2018-20050
PUBLISHED: 2018-12-10
Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via the ONVIF GetStreamUri method and GetVideoEncoderConfigurationOptions method.