Vulnerabilities / Threats

11/28/2018
05:57 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Incorrect Assessments of Data Value Putting Organizations at Risk

Information security groups often underestimate or overestimate the true value of data assets, making it harder to prioritize controls.

Many information security groups are undermining data availability and security by incorrectly estimating the true value of their enterprise information assets, a new survey shows.

The Ponemon Institute conducted the survey on behalf of document security vendor DocAuthority. A total of 2,820 professionals from seven different functional areas — IT security, product and manufacturing, legal, market, IT, finance and accounting, and human resources — were asked to value 36 different information types on a per record basis. The information types included research and development documents, source code, customer records, merger and acquisition data, and personally identifiable information.

The results showed IT departments overestimating the value of certain information types, such as PII, while grossly underestimating the value of other information, such as financial reports and R&D data. On average, IT security departments tended to be as much as 50% off the true value of data assets as perceived by the data owners.

IT security departments, for instance, estimated on average that it would cost their companies $306,545 to reconstruct an R&D document compared to the $704,619 that R&D professionals themselves estimated it would cost. Similarly, IT security estimated the cost of a financial report leakage to be around $131,570 versus the $303,182 value that accounting and finance professionals assigned to the information asset.

Conversely security professionals perceived certain other data types to be worth more to the business than they actually do. Security groups estimated the monthly salary lists of 1,000 employees to be worth over $94,100 to the business while HR professionals pegged the value at a substantially lower $57,477.

The perception gap matters because it impacts how security organizations protect different types of data and how they make the data available across the enterprise, says Steve Abbott, CEO of DocAuthority. Incorrect data value assessments can result in the wrong types of controls being implemented. 

"Right now IT security and business see the value of business data significantly differently," Abbott says. "IT security doesn't understand or appreciate the value of data the same way that business does."

Many security organizations apply security and access controls on data using broad and often static classification schemes. The DocAuthority survey revealed the need for a more nuanced approach to handling enterprise data assets, Abbott says.

The survey for instance showed that not all information asset types have the same value. Some datasets like R&D data, pricing models, source code, M&A documents and signed employment agreements are worth substantially more to organizations that other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.

The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

The cost of recreating data and of dealing with the consequences of a breach varies by type and function as well. In marketing groups, pricing models and customer lists are the costliest data types to recreate; for human resources organizations it is pension data.

Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the costs of a breach that involves product-manufacturing workflows ($106,520). Interestingly, the data values that the different sets of business users in the survey arrived at for different data types were more or less consistent across industry vertical and location.

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, how much it would cost if lost or in the wrong hands, Abbott says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
CVE-2019-8424
PUBLISHED: 2019-02-18
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
CVE-2019-8425
PUBLISHED: 2019-02-18
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
CVE-2019-8426
PUBLISHED: 2019-02-18
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
CVE-2019-8427
PUBLISHED: 2019-02-18
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.