Perceived Data Value Varies Wildly Across Industries, Countries
When it comes to the value placed on critical data, there is major variance in perception across countries and industry sectors.
According to a study from Quocirca sponsored by Trustwave, shareholder data and patient data are the most valuable data types: Shareholder data is most highly valued by IT professionals at more than $1,700 per record, followed by patient records with a mean value of more than $1,500 and consumer data at just more than $1,000 per record.
The lowest-ranked data type is contractor data, at just under $600 per record.
However, valuations change across geographies. US professionals value their personally identifiable information (PII) data more than twice as much as their UK counterparts: The average per capita value (PCV) of PII in the US is $1,820, versus $843 in the UK (and $1,025, $1,186 and $1,040 respectively in Canada, Australia and Japan).
Different levels of importance are placed on different data types too, such as PII, intellectual property (IP), payment card data and email: PII (47.4%) is given a higher priority than IP (27.6%), followed by payment-card data (18.4%) and then corporate email (6.6%).
Industry sector also influences the type of data that is given highest priority: Healthcare and hospitality sectors prioritize PII data, with an average score of 3.5 and 3.4 out of 4, while industrial and IT/communications companies rank IP as most important, at 3.0 and 2.9 out of 4.
Corporate security and risk professionals also massively overestimate the value of PII data for sale on the black market: Overall criminal resale values for PII on the black market are less than 5% of the value that enterprise security professionals estimate them to be worth. For a payment card record, security managers overestimate the actual criminal resale value by a factor of 60. For a single banking record, the overestimate is 2,000-fold.
“Today, data is one of the most valuable commodities possessed by any business,” said Ziv Mador, Trustwave vice president of security research. “Whether that data belongs to the organization itself, its employees, suppliers or customers, it has a duty to protect that data to the best of its ability. Companies that fail to accurately value their data are unlikely to make the right decisions regarding the level of cybersecurity investments to protect that data and are those most likely to fall short of regulations, such as the upcoming European Union General Data Protection Regulation (GDPR) coming into effect in 2018.”
All of this translates into differences in the level of vigilance applied to both assessing and mitigating risk. Data risk vigilance (DRV), a measure of efforts to protect data, is highest among Canadian and US firms and lowest among Australian businesses; the UK and Japan fall in the middle. By sector, financial companies and IT/communications companies were the highest-scoring verticals for DRV, while hospitality and retail are the lowest.
Patient data is the most rigorously risk-assessed: Nearly 80% of organizations seeing patients as their prime data subject said they had carried out a comprehensive risk assessment, more than for any other data subject. In the UK, where healthcare is largely controlled by the government through the National Health Service (NHS), this rose to 90%. In the US, where regulation is tight through the Health Insurance Portability and Accountability Act (HIPAA), 85% have carried out a risk assessment.
Certain types of PII are much less assessed in terms of risk: Contractors’ and suppliers’ individual PII data is less rigorously assessed than other types of PII, such as patient data. A full 45% of companies holding contractors’ private data and 42% holding suppliers’ data failed to conduct comprehensive risk assessments of the data.
“Data is transforming businesses in the early 21st century in the same way electricity did at the start of the 20th,” said Bob Tarzey, senior security analyst at Quocirca and principal author of the study. “For nearly all businesses, their PII and IP are essential assets that are enticing targets for criminals; those storing payment card data are the most tempting target. Data subjects are becoming more aware of the value their data has to the businesses they deal with, and are less forgiving when things go wrong. However, even as one data breach is eclipsed by another in the eye of the press, the regulators will continue to investigate the most serious as they are invested with more powers and the clout to issue ever greater fines.”
Source: Information Security Magazine