Drive IT security ROI by determining your data value

All your data is at risk, but not all data is equally valuable or subject to the same risks.

You can mitigate these risks but at a cost.

Exposure risk management means focusing your security investments on your most valuable data that is under the highest risk, so you get the best returns.

Exposure Risk Management by value

Cost-effective security starts with a determination of the value of your different data and the risk of it being exposed.

There is no return on spending more to protect data than what the data is worth to you.

“Worth” however is not just a question of the potential sale-value. Proprietary technology, e.g. your future marketing plans, might have some sale-value to an unscrupulous competitor, but most company data cannot be effectively used by anyone else. It’s “worth” includes:

the cost of recreating the data
consequential losses attributed to the data exposure
reputational and legal damage flowing from its theft

For example, customer data, even data that a diligent criminal might scrape from Facebook, carries a high reputational and legal risk if stolen. It’s also high risk because hackers target it. It can have a dollar value to others. And it may be hard to rebuild. So customer data typically has the highest value.

Your accounting records probably don’t have much reputational or legal risk attached. They are a hacker target for ransom demands, but this risk is easily offset by a good backup strategy. Increasingly, sophisticated hackers are penetrating and manipulating accounting systems, especially to make bogus payments or divert legitimate payments. You should have security addressing this specific risk, but these measures need not be as all-embracing as your customer data protection.

Having your advance promotional plans exposed might cause you some inconvenience, but promotions that are close to running are in most cases widely exposed through providers and bookings. Exposure might be a serious inconvenience with some consequential loss of sales, but it’s not life-threatening. You might decide on lighter, common-sense measures for this class of data.

The point is that to build cost-effective IT security that earns a return on investment, you need an evaluation of your different data types based on value and risk, that can be used as valuable input into your security strategy.