Throughout my professional career I have facilitated many conversations on the topic of “Why is protecting data important?” During these conversations I am often confronted with the following concerns:
What is the value of my data?
What data should I be protecting?
How much does it cost to protect?
How much protection do I need?
Most of you probably agree these are the right questions. But how many of you have taken time to really consider how the answers could impact your business?
As I begin conversations about the value of data, I like to ask a series of questions to demonstrate a simple, yet obvious, realization. Go ahead and play along while reading this post. Raise your hand if any of the following are true (Don’t worry; your colleagues will assume you are stretching):
Do you have a Driver’s License?
Do you possess a Birth Certificate?
Do you keep a Social Security Card?
Where do you store this information? Perhaps in a filing cabinet, locked in a safe or some other location safeguarded from inappropriate access? Thank you for participating. If you still have your hands in the air it is safe to put them down.
Now let’s talk about the less obvious value of another type of data—mail. What’s the first thing you do when you get home at the end of your day, no matter how long or short it was? Pick up the mail. Then, after entering your domicile, what is the first thing you do with the mail? Do you prioritize its value and act accordingly? Probably not. You file it somewhere or set it down on the counter or the shelf next to the door with your keys, right?
Why isn’t this information safeguarded in the same way as your driver’s license, birth certificate or social security card? As humans, we naturally classify our data by instinctively determining its value. Why isn’t this same logic applied naturally while you are at the office? That’s a question everyone should be asking.
In order to determine the value of your organization’s data you should have a basic idea of where it is located and whether or not this information is important. Do you know if your organization can locate valued information? Can you say more than that it is in your CRM or ERP solution? Does your organization’s leadership understand why information is shared throughout the myriad of applications and systems that collect, use and exchange it? Does your answer make you think about the potential risks?
What is Information Value? It is a qualitative measure of the importance of information, based on factors such as the following, which in turn determine the strength of the controls allocated to protecting the data:
Criticality, sensitivity (e.g., classification level) of the information
Releasability (e.g., to third parties, vendors)
Perishability/longevity of the information (e.g., short life data versus long life intelligence source data)
Potential impact of loss of confidentiality, integrity and availability of the information.
Have you ever thought about the factors to consider when determining your organization’s information value? For example, how many years of research and development effort did it take your company to create that new widget, piece of technology or other unique process? What if an attacker is able to exfiltrate this information and sell it to your competitor, who is then able to go to market before your organization? I know you must be thinking, “That couldn’t or won’t happen to me.”
Earlier this year, an endpoint security company, Endgame, commissioned a research study through Forrester Consulting entitled “Achieve Complete Breach Intolerance through SOC Transformation”. This study highlights a couple of interesting data points. The first is that, “91% of cybersecurity executives believe achieving complete breach intolerance is important, yet the majority lack staffing or expertise to respond to targeted attacks”. The second is that “92% of survey respondents have experienced at least one Attack or Data Breach that put their organization at risk in the past year”.
Meanwhile, on the dark web, data is bought and sold like any other consumer business. The value of a credit card ranges from $1-$8, but if you add the PIN the range increases to $17-$35 per card. A driver’s license can range from $100 - $150 each, while your full identity profile ranges from $1200-$1300.
Every organization should implement a data classification system as one element within the base of its data governance strategy. Simply stated, this system is a method to categorize your organization’s information. Information is assigned a classification based on its appropriate audience. The classification then guides the selection of safeguards and other controls over the information, relative to the level of risk that its compromise may pose to the organization, and determines its appropriate protection levels.
As you are thinking about appropriate protections, remember to consider the three states of data (i.e., Data-in-Use, Data-at-Rest and Data-in-Motion). Understanding the different states helps you choose the appropriate types of controls, safeguards or encryption for each. And while you’re thinking about encryption, it’s important to remember that controlling privileged access by protecting your machine identities will help defend some of your most valuable data.
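To make the two preceding ideas concrete, here is an added example (my own illustration, not code from the original post) of a small classification helper: it scores an asset on the information-value factors listed above (criticality, releasability, perishability and CIA impact), maps the score to a classification level, and lists the safeguards required for that level in each of the three data states. Every weighting, threshold, control name and sample asset is a constructed assumption; a real programme would take them from its data governance policy.

```python
"""Added data-classification example. All weights, thresholds, control
names and sample assets are constructed assumptions, not the post's."""
from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


class State(Enum):
    AT_REST = "data-at-rest"
    IN_MOTION = "data-in-motion"
    IN_USE = "data-in-use"


LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Safeguards per state; each level builds on the ones below it (assumed names).
CONTROLS = {
    "Public": {
        State.AT_REST: ["integrity check (hash/signature) on published copies"],
        State.IN_MOTION: ["TLS for distribution"],
        State.IN_USE: ["change control on the published version"],
    },
    "Internal": {
        State.AT_REST: ["authenticated access only", "backups"],
        State.IN_MOTION: ["TLS enforced, no plaintext transports"],
        State.IN_USE: ["role-based access control"],
    },
    "Confidential": {
        State.AT_REST: ["encryption at rest with managed keys", "access logging"],
        State.IN_MOTION: ["mutual TLS between services", "DLP on egress"],
        State.IN_USE: ["need-to-know access reviews", "privileged access management"],
    },
    "Restricted": {
        State.AT_REST: ["keys held in HSM/KMS", "tamper-evident audit log"],
        State.IN_MOTION: ["machine-identity pinning", "no third-party release without approval"],
        State.IN_USE: ["just-in-time privileged access", "privileged session recording"],
    },
}


@dataclass
class InformationAsset:
    name: str
    criticality: Impact
    releasable_externally: bool  # may it go to third parties/vendors?
    retention_days: int          # perishability: how long it stays valuable
    confidentiality: Impact      # impact of loss of each CIA property
    integrity: Impact
    availability: Impact


def information_value(asset: InformationAsset) -> int:
    """Qualitative value score from 2 to 8 (constructed weighting).

    The worst-case CIA impact dominates, criticality adds to it, and
    non-releasable or long-lived information earns one extra point each.
    """
    score = max(asset.confidentiality.value, asset.integrity.value, asset.availability.value)
    score += asset.criticality.value
    if not asset.releasable_externally:
        score += 1
    if asset.retention_days > 365:  # long-life information keeps its value
        score += 1
    return score


def classify(asset: InformationAsset) -> str:
    """Map the value score onto the four levels (thresholds are assumptions)."""
    score = information_value(asset)
    if score <= 2:
        return "Public"
    if score <= 4:
        return "Internal"
    if score <= 6:
        return "Confidential"
    return "Restricted"


def required_controls(level: str, state: State) -> list[str]:
    """Controls are cumulative: everything required at lower levels still applies."""
    controls: list[str] = []
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        controls.extend(CONTROLS[lvl][state])
    return controls


def protection_gap(asset: InformationAsset, implemented: dict) -> dict:
    """Per state, the required controls that are not yet in place."""
    level = classify(asset)
    return {
        state: [c for c in required_controls(level, state) if c not in implemented.get(state, set())]
        for state in State
    }


# Constructed sample inventory (not real data).
BROCHURE = InformationAsset("product brochure", Impact.LOW, True, 90, Impact.LOW, Impact.LOW, Impact.LOW)
FORECAST = InformationAsset("quarterly sales forecast", Impact.MODERATE, False, 120, Impact.HIGH, Impact.MODERATE, Impact.LOW)
WIDGET_RD = InformationAsset("new widget R&D designs", Impact.HIGH, False, 3650, Impact.HIGH, Impact.HIGH, Impact.MODERATE)

if __name__ == "__main__":
    for asset in (BROCHURE, FORECAST, WIDGET_RD):
        level = classify(asset)
        print(f"{asset.name}: value={information_value(asset)} -> {level}")
        for state in State:
            print(f"  {state.value}: {', '.join(required_controls(level, state))}")
    # Gap check: the R&D designs are encrypted at rest, nothing else is in place yet.
    gaps = protection_gap(WIDGET_RD, {State.AT_REST: {"encryption at rest with managed keys"}})
    print("still missing for R&D at rest:", gaps[State.AT_REST])
```

The useful part for a practitioner is `protection_gap`: once an asset is classified, comparing the cumulative control list for each state against what is actually deployed turns the classification into a concrete remediation list rather than a label in a spreadsheet.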
Some have argued that data is a commodity, while others maintain it should be harvested for monetization. I believe data is all of us. It is unique, establishes patterns, and tells our story. It has value, and protections should be designed into processes to prevent exposure.
Thank you for taking the time to read my posts. I appreciate the energy spent and I hope you find the topics engaging. If you have comments please let me know as I would love to hear your thoughts. Connect with me on LinkedIn at https://www.linkedin.com/in/billyjackspears/ or via Twitter @BillyJackSpears.