What is your most sensitive, most valuable data?
The most common answer relates to customer personal information tied to finance, such as credit card data. Organisations have an obligation to their customers to protect such data, and the forthcoming European legislation, GDPR and NISD, will increase both the transparency required around such data and the penalties for mishandling it. However, this legislation often does not get to the heart of what data is truly valuable to an organisation. In CGI's recently published research, “Cyber security in the boardroom: UK PLC at risk”, senior business leaders were asked to estimate the monetary value of the sensitive information they hold. The answer was £52.4 million for the commercial sector, with variations across market sectors. For an individual organisation the true figure can vary enormously, and arriving at it comes back to my opening question: “What is your most valuable data?”
Getting to grips with this question can have a profound effect on how effective an organisation's cyber-security strategy is. Talking to clients about what gives their organisation its competitive advantage is a useful avenue to explore, as all business leaders understand what drives their success. CGI's research proposed a variety of forms of information that could be vital to an organisation's future success. Such information assets might include your business strategy, your acquisition targets, customer profiles and buying behaviours, designs and future patents, trading algorithms, business processes, or any of the other pieces of information that underpin your business' future. In a digital business the information asset may be the product itself, for example video, music, books and designs. Finally, there is a wealth of ‘stuff’ that every business depends on in order to function: client communications, internal communications, staff lists, supplier names, key customers and major contracts, to name a few, all of which matter in the day-to-day running of an organisation. Once a client has identified which information assets are important, the next question is:
“How is this information kept and who has access to it?”
In pre-digital days, the answers were often simple and the number of people who had access to such information was very restricted. Security was implicit, a simple matter of practicality: it was hard to physically copy pieces of paper and distribute them to hundreds of people. In today's digital economy, however, most of this information exists as digital assets, stored somewhere in repositories where we may have no real idea of who has access to them.
In the digital world, information can be sent to thousands of recipients with a click of a mouse. Assets made available digitally for convenience can be seen by staff who have no real need to see them. Copying is trivial: thousands of pages of information fit on a USB drive that costs very little.
If that sounds frightening enough, add to the mix the increasing use of mobile devices to access corporate data systems, remote access to data and applications that lets your workers interact with your business systems from home or their local coffee shop, and cloud services that may be storing your company data and running your business applications from anywhere in the world.
Used well, these systems can deliver those freedoms and business efficiencies securely: they can control who has access to information and flag those who try to access it when perhaps they shouldn't. Even so, there is a strong case for organisations to gain a real understanding of what their most valuable information really is and to focus their efforts on securing those assets as a priority. This is essential for protecting the business's know-how and ensuring long-term competitive advantage.
A good starting point is to ask the right questions. For instance, if there was one piece of information that you wouldn't want falling into your competitor's hands, what would it be? Is that appropriately protected?
Contributed by Andrew Rogoyski, vice president of cyber-security, CGI