A relatively high proportion of organisations do not understand their data or successfully manage the associated risks. Less than two in three (65%) are trying to fully understand the data they hold, and only half (56%) assign a risk profile to this critical business asset.
But getting to grips with data is not easy and cannot be taken lightly. As they try to understand their data, businesses must overcome several challenges.
In many businesses, the risk function was established to track, measure and mitigate a defined list of insurable business risks. These legacy teams are often less experienced in managing fast-evolving, non-physical risks. As a result, data breaches and infiltration by hackers may not be as ingrained in the risk mitigation strategy as other threats. This could help to explain why a relatively modest number of businesses worldwide assign a risk profile to their data.
As with any process-driven internal initiative, organisations are likely to experience resistance from stretched employees who are already busy with their day-to-day tasks. It’s not surprising that some try to skip their new responsibilities.
It is difficult to get the balance right. If you ‘over-secure’ and enforce some highly rigid controls, you risk creating an unpleasant working culture that leads to attrition. But if you are too lax in implementation, you get ‘passive avoidance’, where people ignore guidance, or mark something as low priority, to make their lives easier.
If you do not have buy-in at the highest level, any enterprise-wide data initiative is likely to fail. This isn’t just because the leadership can provide governance and give the programme its due level of importance – it also ensures that those involved in assessing the data are clear about its wider strategic relevance. Beyond the C-suite, this may also mean bringing in people from all corners of the organisation.
Despite guidance such as the CIA model (as mentioned in chapter 3), it is difficult for large organisations to achieve consistency in how their people think about data. Exacerbating this problem is the fact that the risk attached to one data set may change over time depending on its relevance to current business priorities.
For some organisations, the principal threat of cyber risk is considered to be the loss of customer data and reputation damage caused by negative media coverage. But this hasn’t proven to be as damaging for some companies as originally expected – leading some to downplay the harm that a hack could cause.
