Undervalued Assets Put Business at Risk
In a newly published report, the Ponemon Institute found that despite being responsible for their management and protection, IT security departments are undervaluing a range of business assets, from research and development to financial reports. In contrast, they are over-prioritizing less-sensitive data related to personally identifiable information (PII).
The study found that IT security departments predicted that it would cost a business $306,545 to reconstruct an R&D document, while the R&D department estimated the reconstruction cost at $704,619, more than double what the IT security department estimated.
Additionally, IT security departments estimated the impact of a financial report being leaked at $131,570, compared to the $303,182 that the finance department believes it would incur from a security incident.
“The recent Ponemon report about data value illustrates the importance of understanding the relationships between organizations and third parties and the value of the information being shared. Only by doing so can organizations fully understand risk and properly prioritize effort and control,” said Matan Or-El, CEO of Panorays.
When IT security departments undervalue these assets, they also underestimate the safeguards that should be put in place in order to protect the business assets, thereby increasing the security risk.
The report also found that when organizations underinvest in protecting the more critical data, the result is money wasted on protecting meaningless data or the mishandling of access rights for employees.
“Typically, the security and protection of business data is considered to be the responsibility of the IT security department. Yet it’s clear from this research that IT security does not have the vitally important context required to understand the true value of that data and, in turn, create an effective strategy for defending it,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a press release. “Rather than being relegated to IT, data and its protection should be the concern of not only management level, but the business as a whole.”
Source: Information Security Magazine