New research from IRM has revealed that almost two-thirds of companies don’t know the value of critical assets being targeted by hackers.
The firm’s Risky Business Report found as little as 28% of CISOs regularly carry out exercises to categorize and value the data within their IT estate to gain an understating of the risks linked to the loss of such information, and whilst 55% have taken partial action, 17% admitted to taking no action at all.
As a result, more than a third of CISOs have no clear view of what assets their business has, or where they are kept on the network.
Charles White, founder and CEO of IRM, argued that without a transparent understanding of the value of your data, it is far more difficult to build an effective risk strategy and determine how much should be invested to protect it.
“The fact that more than a third of CISOs have no clear view of what assets they have in their networks is very worrying,” he said. “How can you plan your cybersecurity investment accurately if you don’t know what you are protecting and how much it is worth? It is essential to know the value of the data stored and what its loss would cost the company across criteria such as cost of replacement, lost productivity, lost business, and damage to reputation.”
However on a more positive note, 66% of those polled said they now rarely or never have trouble in engaging with the board on the cyber agenda, with 57% stating that identifying risks and vulnerabilities was their top priority for the next 12 months.
“It’s encouraging to see a greater level of engagement between security heads and executives at the top level,” added White. “CISOs still struggling to make their case to the board need to be able to clearly demonstrate the ROI of their cyber strategy so that the board can balance investment costs against potential risk. Being able to accurately quantify how much the data on the company’s systems is worth and the financial impact of any threat against it is an essential tool in making this change.”