Following a year full of major data breaches and forthcoming new regulations, we are seeing a change in the way organisations think about their data. After years of regarding all forms of data as a commodity to be hoarded as a matter of course, firms are increasingly realizing just how valuable it really is – and how costly data loss can be.
Defining the real value in monetary terms has always been difficult, so we sought to establish a clearer picture by asking the decision makers who deal with data every day. The Value of Data Report asked 500 senior IT managers in Canada, the US, UK, Japan and Australia for their insight on how they value different types of data, and then contrasted their perspective with the value for regulators, insurers, and the cyber criminals themselves.
We examined attitudes towards four of the most crucial types of data for an organisation - personally identifiable information (PII), intellectual property (IP), payment card (PC) data, and corporate email. PII was a clear priority for firms around the world, with 47.4% ranking it as the most important data type. IP and PC data were next at 27.6% and 18.4%, while corporate email was by far the least important, with just 6.6% of respondents seeing it as the most valuable.
Understanding how much data is truly worth to an organisation is an essential part of forming a security strategy to keep it safe. The more valuable key data sets are, the more important it is to invest in models such as managed security services and techniques like threat hunting, which can help to prevent attacks by more advanced criminals. The perceived value of data determines what type of security controls need to be adopted to protect that type of data.
How data is valued in Canada and beyond
When it came to attributing a monetary value to PII data, Canadian respondents were notably at the lower end of the scale compared to the others around the world, ahead of only the UK. The average per capita value (PCV) for PII in Canada was $1,025, compared to $1,186 and $1,040 respectively for Australia and Japan. The UK respondents placed by far the least value on it at $843, while the US more than doubled this at $1,820.
At first glance, the vast difference in value may seem to suggest that US firms are much more vigilant than their Canadian counterparts. However, the truth is that many different factors influence how firms value their data. In particular, the US is home to many extremely large organisations that hold huge volumes of data. The mean number of consumer PII records held by US companies stood at close to 33mn, compared to just under 9mn in Canada. Another factor could be the strict penalties imposed by regulatory bodies.
Larger organisations are generally better equipped to understand the value of the data they hold and to evaluate the risks more thoroughly, which is a major contributor to the monetary figures given by our respondents. Thanks in part to the larger amounts of data they possess, US-based firms are also one of the biggest draws for cyber attackers. This elevated threat level can serve to make organisations more aware of their data, and more motivated to protect it.
Aside from the differences between data types and locations, we also discovered a large difference between the values given by IT managers and those given by insurers and regulators. The global mean PCV for PII records was $1,198, while insurers almost tripled this at $3,211. Regulators meanwhile dwarfed both groups, with a mean PCV of $8,118. The high monetary value from regulators is reflected in the increasingly large fines they are capable of hitting companies with in the event of a security incident. Canada currently holds some of the lower fines on a global scale, with the maximum fine standing at Canadian $100,000, and $50,000 in Quebec. By comparison, the upcoming EU General Data Protection Regulation (GDPR), set to enter into law in May 2018, will come with potential fines of up to 4% of global turnover or $30mn, whichever the regulator deems more appropriate.
Compared to these huge sums of money, it’s notable that cyber criminals themselves generally place a far lower value on the data they steal in their attacks. We estimate the overall criminal resale value for PII to be just 5% of the PCV given by firms themselves – averaging just $39 per record.
The future of data value
While Canada’s overall value for data was lower than that of other countries, we did find that Canadian firms took the lead when it comes to the efforts they make to protect their data – something we termed “Data Risk Vigilance”, or DRV. To determine a country’s DRV score, the study assessed the measures organizations put in place to care for their data according to 10 separate factors – four relating directly to risk, four to data value assessments and two to the impact of data theft. The most attention is paid to the value of data: out of a highest possible score of 20, PC data had the highest score (14.8), just ahead of PII (14.7) and IP (14.4). Email was relatively neglected with a score of 13.0.
We anticipate the way organisations value their data will continue to change over 2018 and beyond as both the cyber and regulatory landscapes shift. Faced with both more sophisticated attackers and higher potential fines, it is essential for firms to build on their existing DRV with thorough ongoing risk assessments and the development of a mature security strategy. More proactive measures, such as threat hunting with in-depth threat forensic analysis and the use of new models such as managed security services, can help to tackle these threats and help Canadian organisations to protect their increasingly valuable data from abuse by criminals.
Sangameswaran Manikkayam, Manager, System Engineering at Trustwave