IT Security Undervalues Assets

Wednesday, December 5, 2018 @ 11:12 AM gHale

IT security departments are underestimating the value of business documents by hundreds of thousands of dollars, new research found.

Despite being responsible for their management and protection, IT security departments are undervaluing a range of business assets, from research and development to financial reports, according to the report, which the Ponemon Institute conducted on behalf of DocAuthority.

In contrast, security departments are over-prioritizing less-sensitive data related to personally identifiable information (PII).

The study found IT security departments predicted it would cost a business $306,545 to reconstruct an R&D document, while the R&D department estimated the reconstruction cost at $704,619.

Additionally, IT security departments estimated the impact of a financial report being leaked at $131,570, compared to the $303,182 the finance department believes it would incur from a security incident.

When IT security departments undervalue assets, they also underestimate the safeguards needed to protect those assets, thereby increasing the security risk.

The report also found that when organizations underinvest in protecting their more critical data, the result is money wasted on protecting meaningless data or the mishandling of access rights for employees.

The moral of the story is: Security professionals need to understand the crown jewels of the organization.

“Businesses are short-changing themselves if they don’t understand the value of their data,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Typically, the security and protection of business data is considered to be the responsibility of the IT security department. Yet, it’s clear from this research that IT security does not have the vitally important context required to understand the true value of that data and, in turn, create an effective strategy for defending it. Rather than being relegated to IT, data and its protection should be the concern of not only management level, but the business as a whole.”


