The better your information – whether customer records or employee data, process documentation or daily outgoings – the better your ability to plan ahead, make decisions and manage your operations.
Anything that important is a source of risk. If sensitive data is compromised by a cyber attack, you face reputation damage, financial loss, heavy fines, business disruption and customer churn. This is why information security risk has shot up the boardroom agenda, regularly appearing among the top risks identified by global insurers [PDF - 4.2 MB] and the World Economic Forum’s Global Risks Report [PDF - 7.9 MB].
Yet our global survey of 2,900 businesses suggests that many do not have a clear picture of the data they hold or its overall importance. Less than two in three (65%) are taking steps to fully understand what data they have; only about half (56%) assign a risk profile to their information.
Our findings beg a simple question: if organisations don’t know what data they hold, or how important it is, are they wasting time and money safeguarding low-value information while their most critical assets are exposed?
The answer is almost certainly yes. About four in five respondents to our survey (78%) admit that they tend to spread their protection measures evenly across all their data. Only the remainder stress that they put in place special safeguards to protect their most vital information from cyber criminals.
We estimate that the Pareto principle applies to information risk, with 20% of a business’s data carrying 80% of the risk.
There is a well-known saying: ‘To protect everything is to protect nothing.’ It is almost impossible to make all systems hack-proof, so why not focus on the small amount of data for which security is absolutely essential?
With this in mind, it is our firm belief that businesses should undertake a structured programme to assess and understand their data assets, using a categorisation/classification process. Then, they can identify their ‘crown jewels’ and build effective security around them.
“Step number one is acknowledging that your information assets are not equivalent,” explains Johnny Lee of Grant Thornton US. “Step number two is conceding that a compromise is likely to occur. It follows that you would focus on protecting the higher-value assets.”
