Firms still don't know the value of critical data targeted by cyber criminals
Nearly two thirds of businesses do not know the value of critical data assets targeted by cyber criminals, according to a report.
Information Risk Management (IRM) found that just 28 per cent of CISOs regularly conduct exercises to categorise and value data to evaluate the risk associated with its loss.
55 per cent were found to have taken partial action, while 17 per cent have taken no action at all, the research said. Meanwhile, more than a third of CISOs have no clear view of what assets their businesses have or where they are kept on their networks.
“The fact that more than a third of CISOs have no clear view of what assets they have in their networks is very worrying,” said Charles White, founder and CEO of IRM.
“How can you plan your cyber security investment accurately if you don’t know what you are protecting and how much it is worth? It is essential to know the value of the data stored and what its loss would cost the company across criteria such as cost of replacement, lost productivity, lost business, and damage to reputation.
“Businesses that are unable to identify and locate data assets will also be unable to react quickly and decisively when a breach does occur, leaving them unable to identify the damage or notify those affected.
“They are also likely to fall foul of regulations like the EU General Data Protection Regulation. The UK may be leaving the EU, but any firms trading into the EU could still be fined for up to four per cent of their global turnover in the event of a breach.”
On a more positive note, the research found that the attitude of senior executives in the boardroom towards data security seems to have improved.
Two thirds of CISOs said they rarely or never have trouble engaging with the board on the cyber agenda, with just three per cent saying this is always difficult.
57 per cent said identifying risks and vulnerabilities is their top priority over the next year – 40 per cent more than the next choices, vetting third-party suppliers and securing the cloud.
28 per cent of security professionals surveyed said internal staff are their biggest vulnerability concern, while 17 per cent pointed to the cloud and Internet of Things devices.
“The fact that the human factor is the chief security concern demonstrates the need for a strong culture of security, with clear policy in place at all levels,” White said.
“However, it’s encouraging to see a greater level of engagement between security heads and executives at the top level. CISOs still struggling to make their case to the board need to be able to clearly demonstrate the ROI of their cyber strategy so that the board can balance investment costs against potential risk.
“Being able to accurately quantify how much the data on the company’s systems is worth and the financial impact of any threat against it is an essential tool in making this change.”