Nowadays, it seems that it’s not a case of if an organisation will suffer a data breach but when.
So, how do organisations prepare for this apparently inevitable event, and how do they measure the potential impact it might have? By putting value and ownership on the data, agreed a panel of experts at Computing’s recent Enterprise Security and Risk Management Summit 2015.
Dean Atkinson, global head of cyber security operations at Thomas Cook Group, described the process of putting value on data as “very difficult” but added that one way to determine what the loss could be is to examine real-world instances of data breaches.
“What we try to do is look at examples [of companies] that have suffered data breaches, try to value the company and try to value the loss as a result of that data breach financially, just to highlight that value and how it could translate to a potential attack,” he explained.
Atkinson acknowledged that cyber security is a “business risk” and therefore argued that “business needs to take hold of it”, although he suggested that this rarely happens. “I think there’s a lot of hand-holding which needs to be done still,” he said.
Ultimately, Atkinson told the audience, a business needs to ask itself two simple questions to determine how it should prepare for and react to a data breach: what would hurt you if it was lost? And what do you have that could make someone rich?
“Through those two questions I try to identify what’s important to us and then really handhold the business leaders to value the information,” he added.
Dragan Pendic, former chief security architect at Diageo, agreed that it’s the business itself that should take control.
“In order to really evaluate the potential impact, how much that’ll cost you in terms of reputation and lost revenue and all of that, it requires a good ownership and understanding of the asset itself,” he said, before arguing that information security professionals are “the wrong crowd” for this task.
“It really requires everyone around the table, from the data officers, privacy guys, legal counsel, compliance and risk management and everyone else. Because it’s not something security will fix,” Pendic argued.
There are those who contend that it’s not possible to be precise when it comes to working out how much the assets of a business are worth. It’s something Andy Boura, senior information security architect at Thomson Reuters, has heard before, but he doesn’t accept that argument.
“I often hear there’s no point doing it, because it’s made-up numbers,” he said.
“The truth is there’s all sorts of aspects of the business which are based on the assumption of sales forecasts, capital, valuation and things like that,” said Boura, listing some of the assets businesses base financial forecasts and predictions on.
“So I feel sure as we get access to more information out there, we’re able to do a better job of putting a price on data breaches, then you can put a better price on whether it’s worth putting in better controls,” he added.
Boura also argued that in the event of a data breach, the impact could depend on the type of information accessed and whether it relates to the organisation’s core business.
“You’ve also got to ask the question, would some sort of compromise of this data, would it link back to our core offering? If it could, then the impact on your business is going to be significant,” he explained.
“If a bank has a breach of accounts, that’s their core business. If Sony Pictures has a breach of their networks, well, they’re a media company and there’s a lot of fallout, but long term it isn’t linked to their core business,” Boura continued, referencing the Sony Pictures hack.
But if a company can get a grip on the number of documents and files it has stored and what they contain, it is some way towards measuring the impact a data breach could have.
“If you’ve got 15,000 records of a particular sort, you can get a reasonable prediction as to what that’d cost you in event of a breach,” he concluded.
This article is part of a Mimecast campaign