Data security strategy still dangerously inadequate – but board level awareness is improving
Almost two thirds of businesses still don’t know the value of critical data assets being targeted by cyber criminals, research by leading security consultant IRM has revealed.
IRM’s Risky Business Report, which surveyed security heads at their recent conference, found that just 28 per cent of CISOs regularly conduct exercises to categorise and value the data within their IT estate in order to evaluate the risk associated with its loss. 55 per cent have taken partial action, while 17 per cent had taken no action at all. This lack of visibility is compounded by the fact that more than a third of CISOs have no clear view of what assets their business have, or where they are kept on the network.
Charles White, Founder and CEO of IRM, warns that poor knowledge of the value of data makes it much more difficult to draw up an effective risk strategy and determine how much should be invested to protect the data. PCI regulations demand strong security to protect credit card details for example, but much more valuable passport information could be completely overlooked. While a single credit card is worth around £81 on the dark web, a passport can fetch £2,000 or more, making it a much more attractive target.
He comments: “The fact that more than a third of CISOs have no clear view of what assets they have in their networks is very worrying – how can you plan your cyber security investment accurately if you don’t know what you are protecting and how much it is worth? It is essential to know the value of the data stored and what its loss would cost the company across criteria such as cost of replacement, lost productivity, lost business, and damage to reputation.”
“Businesses that are unable to identify and locate data assets will also be unable to react quickly and decisively when a breach does occur, leaving them unable to identify the damage or notify those affected. They are also likely to fall foul of regulations like the EU General Data Protection Regulation. The UK may be leaving the EU, but any firms trading into the EU could still be fined for up to four per cent of their global turnover in the event of a breach.”
IRM did however find that the attitude of senior executives in the boardroom had improved. 66 per cent of CISOs stated they now rarely or never had trouble in engaging with the board on the cyber agenda, while just three per cent said they always had difficulties. 57 per cent said that identifying risks and vulnerabilities was the top priority for the next 12 months – 40 more than the next most popular choices of vetting third party suppliers and securing the cloud.
The report also identified that people, not technology, were the top concern for most CISOs. 28 per cent stated that internal staff were the area they felt most vulnerable, followed closely by suppliers at 24 per cent. Cloud and Internet of Things (IoT) devices were seen as the chief technological vulnerability, with 17 per cent citing it as their top concern, followed by mobile and ECOM.
Charles adds: “The fact that the human factor is the chief security concern demonstrates the need for a strong culture of security, with clear policy in place at all levels. However, it’s encouraging to see a greater level of engagement between security heads and executives at the top level. CISOs still struggling to make their case to the board need to be able to clearly demonstrate the ROI of their cyber strategy so that the board can balance investment costs against potential risk. Being able to accurately quantify how much the data on the company’s systems is worth and the financial impact of any threat against it is an essential tool in making this change.”
IRM’s Risky Business Report 2016 can be downloaded here.