How much is your data worth? Putting a price on cyber security

According to a report from Symantec, 500 million identities were stolen or exposed online in 2015. And, with the recent acceptance of the new EU General Data Protection Regulation (GDPR), all organisations have a responsibility to protect their IT infrastructure to ensure their data is secure. Alongside the hefty fines that can now be imposed for improper handling of customer data, the loss of said data can easily ruin a company’s reputation.

However, not all data is created equally and a fundamental part of effective security and crisis management is understanding the relative risk associated with the loss or theft of different types of data; within each organisation there’s typically a ‘hierarchy’ of data which means that, should a breach occur, a proportionate response can then be triggered. Calculating the relative ‘value’ of different data is key to implementing the right response. This can save valuable time in the aftermath of a breach and ensure priorities are set according to your sensitive data profile.  

Aligning data value with the correct response

A recent report highlighted the low cost of cybercrime services available but it’s the relative worth of sensitive data that needs to be understood. Without this, it’s almost impossible to perform a risk assessment. There is no ‘one size fits all’ approach to security protection or incident response. The response to the loss of multiple customer records would be very different to the response following the loss of intellectual property such as the blueprint for a new product. 

Here we outline the key steps that can be followed to ensure you assess the value of your data and can implement processes to protect it adequately.

• Take stock of all data. A thorough audit of your IT estate will ensure you have the full picture regarding sensitive data locations.  
• Classify and identify high risk, high worth data. Assessing the value of data is a process that varies depending on the organisation size and sector. This considers factors such as:  the regulatory impact of the loss of data; the cost of downtime / replacing or recovering this data, the financial impact in terms of the organisation’s reputation and, for public companies, how it would impact the organisation’s share price, credit rating, and regulatory burden. 
• Map and track data within the organisation: you need to understand not only where it’s stored, but also how it moves across the network. What safeguards are in place to restrict this movement within and beyond an organisation?
• Share the hierarchy with relevant teams. This is a cross-departmental exercise with the ultimate aim of ensuring that the IT/security teams know where the most valuable data is, and can implement the appropriate security controls.
• Tailor the Crisis Management Plans. Once you know what the significant risks are, crisis management plans can be tailored and customised so appropriate measures are in place to cover different scenarios. Protecting sensitive data involves a chain of decisions impacting different departments across an organisation from IT to legal, PR and HR. With a well-documented and tailored plan, individuals across the organisation will know the correct processes and their responsibilities, according to different incident types.  
• Educate staff. Everyone in the organisation has a responsibility to protect the data they handle. Understanding its value and educating staff on the commercial worth of records they’re working with can help to reinforce that it’s an asset that needs to be protected, just like physical property.

Understanding the worth of your assets is an important step on the road to effective security protection and response strategies. It not only means that you can implement that right safeguards around your data, but also that the response fits the magnitude of the breach. 

Nick Pollard is UK General Manager, Guidance Software