The value of personal data to companies and cyber criminals
Businesses rely more and more on data, but a new study shows up significant differences in the value that is placed on confidential data around the world and in different industries.
The research from cyber security firm Trustwave involved more than 500 IT decision makers in the United States, Canada, United Kingdom, Australia and Japan, examining attitudes towards the value of confidential data.
It finds that US professionals value their personally identifiable information (PII) data more than twice as much as their UK counterparts. The average per capita value (PCV) of PII in the US is $1,820 versus $843 in the UK and $1,025, $1,186 and $1,040 respectively in Canada, Australia and Japan.
Different levels of importance are also placed on different data types such as PII, intellectual property (IP), payment card data and email. PII (47.4 percent) is given a higher priority than IP (27.6 percent), followed by payment card data (18.4 percent), with corporate email (6.6 percent) coming last.
There are big differences between values placed on PII data by attackers, security professionals, insurers and regulators. The mean PCV placed on a PII record by cyber criminals is just $39 compared to $1,198 by IT professionals, $3,211 for insurers and $8,118 for regulators.
Criminal resale values for PII on the black market are less than five percent of what enterprise security professionals estimate them to be worth. For payment card records for example, security managers over-estimate by 60 times the actual criminal values of data for sale on the black market.
'Data risk vigilance' (DRV), a measure of efforts to protect data, is highest among Canadian and US firms and lowest amongst Australian businesses with the UK in the middle. Financial companies and IT/communications companies are the highest scoring verticals , with hospitality and retail the lowest scoring.
Industry also affects the type of data that is given highest priority. The healthcare and hospitality sectors prioritize PII data, while industrial and IT/communications companies rank IP as most important. Shareholder data is most highly valued by IT professionals at more than $1,700 per record, followed by patient records with a mean value of more than $1,500 and consumer data at just more than $1,000 per record - lowest ranked are contractors at just less than $600 per record.
Nearly 80 percent of organizations seeing patients as their prime data subject say they have carried out a comprehensive risk assessment, more than for any other type of data subject. In the UK, where healthcare is largely controlled by the government through the National Health Service (NHS), this rose to 90 percent and in the US, where regulation is tight through HIPAA, to 85 percent.
"Today, data is one of the most valuable commodities possessed by any business," Trustwave's vice president of security research Ziv Mador says. "Whether that data belongs to the organization itself, its employees, suppliers or customers, it has a duty to protect that data to best of its ability. Companies that fail to accurately value their data are unlikely to make the right decisions regarding the level of cyber security investments to protect that data and are those most likely to fall short of regulations, such as the upcoming European Union General Data Protection Regulation (GDPR) coming into effect in 2018. Businesses should look to the managed security services business model so that they have the confidence that full data risk vigilance is applied to all types of confidential and valuable data by specialists in the industry."
You can find put more in the full report which is available from the Trustwave website.