Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/28/2018
05:57 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Incorrect Assessments of Data Value Putting Organizations at Risk

Information security groups often underestimate or overestimate the true value of data assets, making it harder to prioritize controls.

Many information security groups are undermining data availability and security by incorrectly estimating the true value of their enterprise information assets, a new survey shows.

The Ponemon Institute conducted the survey on behalf of document security vendor DocAuthority. A total of 2,820 professionals from seven different functional areas — IT security, product and manufacturing, legal, market, IT, finance and accounting, and human resources — were asked to value 36 different information types on a per record basis. The information types included research and development documents, source code, customer records, merger and acquisition data, and personally identifiable information.

The results showed IT departments overestimating the value of certain information types, such as PII, while grossly underestimating the value of other information, such as financial reports and R&D data. On average, IT security departments tended to be as much as 50% off the true value of data assets as perceived by the data owners.

IT security departments, for instance, estimated on average that it would cost their companies $306,545 to reconstruct an R&D document compared to the $704,619 that R&D professionals themselves estimated it would cost. Similarly, IT security estimated the cost of a financial report leakage to be around $131,570 versus the $303,182 value that accounting and finance professionals assigned to the information asset.

Conversely security professionals perceived certain other data types to be worth more to the business than they actually do. Security groups estimated the monthly salary lists of 1,000 employees to be worth over $94,100 to the business while HR professionals pegged the value at a substantially lower $57,477.

The perception gap matters because it impacts how security organizations protect different types of data and how they make the data available across the enterprise, says Steve Abbott, CEO of DocAuthority. Incorrect data value assessments can result in the wrong types of controls being implemented. 

"Right now IT security and business see the value of business data significantly differently," Abbott says. "IT security doesn't understand or appreciate the value of data the same way that business does."

Many security organizations apply security and access controls on data using broad and often static classification schemes. The DocAuthority survey revealed the need for a more nuanced approach to handling enterprise data assets, Abbott says.

The survey for instance showed that not all information asset types have the same value. Some datasets like R&D data, pricing models, source code, M&A documents and signed employment agreements are worth substantially more to organizations that other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.

The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

The cost of recreating data and of dealing with the consequences of a breach varies by type and function as well. In marketing groups, pricing models and customer lists are the costliest data types to recreate; for human resources organizations it is pension data.

Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the costs of a breach that involves product-manufacturing workflows ($106,520). Interestingly, the data values that the different sets of business users in the survey arrived at for different data types were more or less consistent across industry vertical and location.

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, how much it would cost if lost or in the wrong hands, Abbott says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5148
PUBLISHED: 2021-03-05
SonicWall SSO-agent default configuration uses NetAPI to probe the associated IP's in the network, this client probing method allows a potential attacker to capture the password hash of the privileged user and potentially forces the SSO Agent to authenticate allowing an attacker to bypass firewall a...
CVE-2020-36255
PUBLISHED: 2021-03-05
An issue was discovered in IdentityModel (aka ScottBrady.IdentityModel) before 1.3.0. The Branca implementation allows an attacker to modify and forge authentication tokens.
CVE-2019-18351
PUBLISHED: 2021-03-05
An issue was discovered in channels/chan_sip.c in Sangoma Asterisk through 13.29.1, through 16.6.1, and through 17.0.0; and Certified Asterisk through 13.21-cert4. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijac...
CVE-2021-27963
PUBLISHED: 2021-03-05
SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin). An anonymous user can send a POST request to /User/saveUser without any authentication or session header.
CVE-2021-27964
PUBLISHED: 2021-03-05
SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.