September 14, 2022 By George Platsis 4 min read

Today’s most valuable currency is data. Breaches, information operations, analytics and behavior recognition are all driven by data and the desire to possess it, regardless of what those who possess it want to do with it. We set out to answer the question “What kind of data costs the most in a breach?” As it happens, that’s a complicated question. We’ll need to factor in many variables depending on the specifics of your business.

Want to generate some revenue? You need some data to create a business plan, develop intellectual property and conduct a sales campaign. Want to commit a crime? Lock up some data, hold it for ransom and prey on the emotions of the owner. Want to stir up some geopolitical tensions? Manipulate some code to disrupt an industry.

Every one of these acts comes downstream from data generation, regardless of its origin or type: personal information, health information, intellectual property, financial – you name it, the list goes on and on.

Think about it: if you have no data, there is likely no cost to you. Conversely, without data, you can’t generate a return, honest or illicit. Therefore, it’s important to remember the life cycle of data, from inception to destruction. The steps along the life cycle allow you to determine what the costs of a breach may be to you.


What determines value?

In the movie “Indiana Jones and The Raiders of the Lost Ark,” Indy’s nemesis, Belloq, pulls out a pocket watch and says: “It’s worthless. Ten dollars from a vendor in the street. But I take it, I bury it in the sand for a thousand years, it becomes priceless … like the Ark. Men will kill for it. Men like you and me.”

In this case, the value of the pocket watch is derived from the passage of time and its anticipated future scarcity. Those factors drive value.

If you are not looking at the factors that drive value, you will likely misjudge the value of the data you could lose during a breach, in either direction (too high or too low). Within your operation, value may be derived through customer data, trade secrets, policy documents or business plans. Figuring out that value is a crucial first step.

Don’t miss this boat. Everything downstream will likely be incorrect if the initial valuation is incorrect.

Who determines value?

Another key factor drives value: who is setting it? The exact same data set may be of extreme value to you, but utterly meaningless to me. After all, one person’s trash is another person’s wealth. Keep in mind a third party may be setting the price, too. For example, a regulator might deem certain types of data to hold some inherent or increased value (or risk). Depending on which industry you operate in, you may be bound by it. In your mind, you may not see the data as valuable. However, a governing agency may state that if you want to do business in this field you need to protect that data.

What is the value to you?

Of course, personal data has been a big juicy target for most of the major breaches recorded, but whether it has been the most costly is unknown. Many of the organizations that suffered these breaches are still up and running today. Larger groups can generally replace some personnel who take the fall and reach a settlement, even when millions of records are involved. But a smaller company, which may be responsible for less data being breached, has a greater likelihood of going out of business if there are disruptions to cash flows or legal bills it can’t cover. That’s just one more factor that drives valuation.

In the end, you cannot determine the cost of a breach without knowing the drivers that determine value. And that is only the first step.

What’s in your vault?

Assume for a moment that you have been able to determine, with high confidence, what drives value. Now, the important action item is knowing if you hold that valuable data. Think of these three states:

  • Known knowns: I know what type of data I hold, and I know where it is.
  • Known unknowns: I know what type of data I hold, but I don’t know where it is.
  • Unknown unknowns: I don’t know what type of data I hold, so I can’t know where it is.

See the problem? Data discovery and classification are very important to find the cost of a breach. There are multiple proactive steps you can take if you have determined value, classification and location. Here is just a small list of some of the benefits:

  • You can plan your infrastructure and architecture around data requirements, such as jurisdictional requirements, provenance, residence, segmentation compliance and so on.
  • It is easier to follow requirements for encryption standards, access controls and group policies.
  • You can identify the response actions and requirements that apply, for example for financial disclosures versus personal health information disclosures. Remember, part of the cost of a breach is the expertise you will require to respond. You might need a privacy lawyer, a Securities and Exchange Commission specialist or somebody familiar with regulations.
  • You gain the ability to perform quantitative risk calculations. (For example, if I hold this type of data in this region, and it is breached and I lose x amount of records, the anticipated cost will be y.)
  • Be aware of backup and restoration needs, which will drive recovery strategy planning.

Simply put, you cannot determine the impact – or the cost – of a breach unless you know what factors feed into that. But once you do, your downstream actions end up being a whole lot easier.
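The three states and the "x records lost, anticipated cost y" calculation described above can be sketched over a data inventory. This is an added example, not part of the original article; the inventory, data set names, locations and per-record costs are constructed placeholders, and treating unlocated data as fully exposed is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DataSet:
    name: str
    data_type: Optional[str]  # None: never classified
    location: Optional[str]   # None: never located
    region: str
    records: int

# Constructed per-record cost assumptions keyed by (data type, region).
# Placeholders for illustration, not figures from the article or any report.
COST_PER_RECORD = {("personal", "EU"): 200.0, ("personal", "US"): 150.0,
                   ("health", "US"): 400.0}

# Constructed sample inventory.
INVENTORY = [
    DataSet("crm_customers", "personal", "eu-db-1", "EU", 50_000),
    DataSet("hr_files", "personal", "us-fs-2", "US", 3_000),
    DataSet("claims_archive", "health", None, "US", 12_000),
    DataSet("legacy_share", None, None, "US", 30_000),
]

def state(ds):
    """Map an inventory entry to one of the three states in the article."""
    if ds.data_type is None:
        return "unknown unknown"
    return "known known" if ds.location else "known unknown"

def breach_estimate(inventory, breached_location, records_lost):
    """Anticipated cost y for x records lost at one breached location."""
    report = {"quantified": {}, "worst_case": {}, "unquantifiable": []}
    for ds in inventory:
        rate = COST_PER_RECORD.get((ds.data_type, ds.region))
        if state(ds) == "unknown unknown" or rate is None:
            # No classification or no rate: there is no y to compute.
            report["unquantifiable"].append(ds.name)
        elif state(ds) == "known unknown":
            # Type known, location not: the set cannot be ruled out of the
            # breach, so this example assumes every record is exposed.
            report["worst_case"][ds.name] = ds.records * rate
        elif ds.location == breached_location:
            report["quantified"][ds.name] = min(records_lost, ds.records) * rate
    return report

if __name__ == "__main__":
    print(breach_estimate(INVENTORY, "eu-db-1", 10_000))
```

Only the "known known" entry at the breached location gets a scoped estimate; the unlocated data set contributes a worst-case figure and the unclassified one cannot be priced at all.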

Who discovers and maintains what’s in the vault?

If there was ever a team game in data classification and handling, it is data discovery and maintenance. The legal, finance and R&D teams may tell you what is valuable and what is a liability to hold or to lose. The security and developer teams may tell you how and where to protect the valuable data. The risk, resilience and incident response teams will likely be the ones who tell you what has been impacted by the breach. The infrastructure and compliance teams may be the ones determining what needs to be off-boarded, destroyed or maintained, both as a natural course of business and because data storage comes at its own cost.

What does it all mean? Simple: know your business. There is no single sweeping answer here. Just like ‘the best food’ is the food you like best, the most costly data is the type that is most costly to you.
