IT Security safeguards corporate data. It’s a widely accepted practice and commonplace in businesses across the globe. You would therefore assume that the integrity of data would be safe in the hands of these skilled specialists? While IT Security is best-placed to deal with keeping businesses safe from hackers and security threats, new research from the Ponemon Institute has found they mis-value the data they protect. Why is that a problem? If the department responsible for protecting data doesn’t accurately grasp its value; data security could be compromised. Business critical data may be left open to attack and low value documents left over-protected. A business must fully understand the value of its data if it is to protect it properly.
The true value of data
Not all data is equally valuable to a business. Imagine, for example, that a cyber-attack uncovered the minutes of an international business’ board meeting. This type of sensitive information leaking into the public domain could be enormously revealing and destroy a business’s market position. At the other end of the scale, a cyber-attack only uncovers cafeteria menus for the next month is not nearly as damaging. This insight is rarely recognised in IT Security strategies – because they are built on an incorrect estimation of the value of stored business data.
Recent research from the Ponemon Institute found that IT Security departments estimated the value of R&D documents at less than 50 per cent of what the business would estimate their worth. IT Security predicted that it would cost $306,545 to reconstruct an R&D document compared to a figure of $704,619 – provided by the R&D department itself.
This startling revelation becomes a pattern across an organisation. IT Security also underestimated the monetary impact of a financial report being leaked, at $131,570, versus the $303,182 that the Finance department believes it would incur from this incident. Or with monthly salary lists. The inevitable outcome is that IT Security departments are serially prioritising and protecting less sensitive data. Under or over valuations will lead to applying the incorrect levels of security to business data; and increases the potential damage incurred by a data breach.
IT Security departments are working with imperfect information. They do not have the crucial context necessary to understand its true value and, in turn, develop an effective strategy for its defence. Of a business’s retained data, we estimate that as little as 5 per cent will be vital to running the organisation. Despite this, companies still approach data security with a ‘one size fits all’ mentality. Data and its protection is a wider remit and should be the concern of the entire business. Businesses absolutely need to take a more strategic and cost-effective approach to data security – which starts with the identification and classification of data to make accurate decisions on where security needs to be applied.
Overcoming data management challenges
Businesses don’t understand data. Understanding that could prove crucial in the strategic decisions that they make. Companies don’t really know what data they hold, where it is located, its functional context, who has reviewed it, or copied it and even if it is legal for it to be deleted. The majority of businesses find it very complicated to assess which documents contain valuable details, such as R&D information or financial data, or to understand the sensitivity or business context of documents. However, the advent of progressive data privacy legislation, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is forcing business to take data management seriously.
Traditionally, the process of identifying and classifying data can be extremely costly and time consuming. For example, manually scanning the unstructured data stored by a typical 5,000 seat organisation could take up to 400 years’ worth of expenditure and time. Unstructured data makes up the majority – as much as 70 or 80 per cent – of an organisations’ stored data. If a business turned to machine learning technology for data identification and classification, it would really struggle because this type of technology is unable to gauge the context of documents.
The emergence of Artificial Intelligence (AI) technology is exciting as it is capable of generating data inventories automatically, with a high level of accuracy, in a very rapid timeframe. The efficiency of AI technology means that it won’t interrupt the day-to-day work of the business, but can understand and apply context, purpose and therefore value to the data held within a business.
Improved data management means that the business won’t mis-value its information. Moreover, that knowledge can be put to work in the application of more effective security protections. A business is also able to lower the quantity of data it stores and improve the quality of the data. Taking a confident approach to the deletion of ‘toxic data’ lessens the impact of a data breach hitting a business. Alongside this, a lower level of stored data means that less irrelevant data is available, which results in less errors being made as it’s easier to locate the information staff members need. It doesn’t stop there either. Improving the visibility and management of data can also, immediately, increase the value of business information assets by 15 per cent. That is a compelling argument; especially when talking and justifying IT spend to CFOs.
Business can now gain a clear view of its data, where it is, who can see it, what is valuable and what isn’t. As a result, the paradigm of data mis-valuation can be removed forever. This improved management and protection means a business can finally accurately identify the market value of data to monetise information assets; and put a financial value to governance projects. It can also improve security protections, operational procedures and offer financial boosts. These benefits can be opened effectively, rapidly, accurately and successfully using existing AI technology. These solutions are the only realistic route to fully understanding the context of corporate data; and making the era of genuine data-driven advances a reality.
Steve Abbott, CEO, DocAuthority
Image source: Shutterstock/Carlos Amarillo