The following is an opinion piece written by Michael Warnock, Australia country manager, Aura Information Security. The views expressed within the article are not necessarily reflective of those of Insurance Business.
Data mismanagement - such as misuse, theft and loss - tells us a lot about how much individuals and businesses value their data. In Australia this year, the alleged misuse of medical data being fed to compensation lawyers and health insurers caused outrage, as did the sale of location data from mobile phones to statistics agencies.
Internationally, people showed significant concern about the amount of data that social media networks shared with third parties, and the permissions free email services gave others to read the content of emails.
Putting a dollar value on these kinds of breaches of trust is difficult. In most cases, this is data individuals had no intention of explicitly selling to anyone else, and they are likely to put a higher price on it than its relative street value. Studies this year have shown that demographic and personal data can be worth US$240 per person per year in digital advertising revenue alone. This is also shown in valuations: when Microsoft bought LinkedIn, it essentially paid about US$260 per active customer record.
In the hands of a hacker or thief, however, the data is worth considerably less. Stolen credit card data can range from as low as half a cent to $50 per record depending on the freshness and completeness of the data.
The upper limit can be commanded for sets of data that include a credit card number, expiry date, CVV and card holder details such as full name, home address, email and mobile number. In most cases, one can get hold of all the information needed to pass an identity screen test on a call with the victim’s bank.
It’s not just individuals that are facing tough questions about how much their data is worth: businesses are also being forced to put a dollar value on data. However, if individuals overestimate the value of their data, businesses often seem guilty of underestimating it.
Many businesses today are turning to data science to understand whether their vast data holdings have any unrealised value. The value here is likely to be reflected in process efficiencies or perhaps improvements in net promoter score from using data to learn more about customers and their personal preferences.
Putting a price on data is also essential for businesses seeking to avail themselves of new insurance products that cater to cyber-related threats.
However, too many businesses still learn the value of their data holdings the hard way.
DLA Piper, Maersk and TNT Express learned from a ransomware outbreak that not having core systems and data for an extended period had costs that ran into the hundreds of millions of dollars. Organisations like the Australian Taxation Office and the University of New South Wales have also seen the price of their data courtesy of hardware failures that rendered data unrecoverable.
For businesses wanting to value their data the right way - that is, without being under duress of loss - there are several aspects to consider.
1. Know the different types of data you use and its criticality to your success.
A business impact assessment can help you to establish which data, systems and applications are the most critical to your business. There are a number of models and methodologies around that can be helpful.
2. Know where the data is stored and how it is used within your organisation.
We recommend businesses analyse their networks to determine which systems, applications, people, networks or third parties have access to data. Different business units and process owners will apply different valuations to data, and these need to be accounted for when taking decisions about future data storage.
3. Envision some risk scenarios and what could go wrong should the scenario happen.
Take a leaf from the book of ransomware victims like Maersk and TNT Express. After weeks of reverting to manual processes, complete IT system rebuilds, and hundreds of millions in losses each, they know what the worst-case scenario can bring, and how to prevent it if there’s ever a ‘next time’.
4. Evaluate if you have sufficient security in place to cover those risks.
5. Assess how that security performs in a simulation of an attack.
All good security, continuity and resiliency strategies and tools need regular testing to ensure they work as designed - and will be available if you ever need to call on them for real.
Like any business asset, data is hugely valuable, and for many organisations it isn’t usually possible to know where that data is stored, given that most ecommerce services are Software as a Service (SaaS) and often use third-party plugins/apps that sync data and may store it anywhere in the world and not disclose this unless mandated to.
However, if data falls into the wrong hands it can have a lasting impact on both your reputation and your bottom line. This is why having the right checks and balances in place to prevent the misuse, theft or loss of data is so crucial; and why sometimes it’s better to call the experts