Using Metadata to Quantify the Enterprise Value of Data to Assess the Severity of Data Breaches
Learn How Metadata can Help Quantify the Enterprise Value of Data (EvD)
In the first half of 2017, more than 1.9 billion data records were compromised by hackers, according to Gemalto’s Breach Level Index. The most severe contributor to this staggering statistic was Equifax, which recently made headlines after exposing the data of 143 million people, or nearly half the entire population of the United States.
In fact, global intelligence firm IDC predicts that by 2020 more than 1.5 billion people will be affected by data breaches. That’s roughly a quarter of the world’s population whose personal information will be accessible to hackers.
While organizations are always looking to evolve their data protection strategies and strengthen their internal security practices, it’s hard to keep up with all of the changes. As organizations implement more tools and security protocols to protect themselves and their customers, hackers become savvier. And considering the expanse and reach of the Internet today, and the opportunities its data brings to hackers, there is no conceivable scenario that predicts data breaches will decrease. Unfortunately, the trend is in the opposite direction, putting our corporate and personal data further at risk.
As organizations look beyond traditional security methods to protect their data, forward-looking companies are setting themselves apart by leveraging their metadata to better understand and protect the value of their data.
Metadata is simply data about data. It can tell us various data attributes including where data resides, how to find it and where it came from. Identifying, quantifying, and understanding this information helps organizations that have struggled to understand how much their data is worth. Metadata can help quantify the enterprise value of data (EvD) to help determine whether that data is essential to the organization.
By using metadata to better understand the valuable and sensitive information that could be targeted by hackers, organizations can have a more effective plan to help mitigate security risks. In addition, should a breach occur, organizations can have a faster public response because they know and understand the value of the compromised data.
Using Metadata to Derive the Enterprise Value of Data
An organization that wants to use metadata to classify and inventory its data should first sort that data into one of three categories. This lets it put a value on specific data sets, the enterprise value of data, so that if a data breach occurs the organization can understand the severity of the breach. The three data categories are:
Sensitive: This category should include customers’ most critical information assets like Social Security numbers, credit card numbers, medical information, and any other personally identifiable information (PII). This data must be carefully guarded and tracked to ensure it is thoroughly protected. Only a few individuals within an organization should have access to this information.
Confidential: This category should contain information that must be protected and retained inside the security firewall, such as customer addresses and phone numbers, since it pertains to the business model and delivers a competitive advantage. Access to this information is reserved for only the groups that need access.
Open: This category contains information that does not need to be protected with any security protocols. Generally, this information is publicly available, or could be easily obtained from other sources by competitors and/or hackers. Information such as yesterday’s weather or the GDP of the U.S. economy would fall into this category.
If an organization suffers a breach and has already classified its data, it has a head start on identifying, quantifying, and understanding the impact of the breach. This is invaluable because time is of the essence in a breach scenario. Organizations must act quickly to assess the damage and take the necessary steps for protecting additional information as well as their own reputation.
What is the Data Worth?
Data is an asset for any organization, and securing its value is critical. After categorizing data by security type, it is a smart idea to apply a normalized value to each set. Since any data in the sensitive category requires a higher security classification, it should also be assigned the highest value. We might assign a risk of ‘five’ to this category of data. Data in the confidential category is still essential to secure, but it is not as crucial as sensitive data, so we might give this data a three on the risk scale. And since open data contains minimal risk, it can be given a value of one.
While it makes sense to move toward a normalized quantification of data element value and risk, one of the challenges of data security is that it is the combination of data elements, rather than the individual data element, that poses the greatest risk.
Let’s use an example to help illustrate this concept further. If an organization has saved a number of customers’ Social Security numbers and classified them as sensitive (and thus, a level five), and those numbers were breached, then they can classify the data breach as a level five. While customers are rightfully wary of sharing their Social Security numbers, identity thieves would need a combination of other customer information, such as name and/or date of birth, to put those Social Security numbers to (nefarious) use.
However, if Social Security numbers (5), addresses (1), full names (3) and dates of birth (5) were compromised, then the breach would be classified as a 14 (5+1+3+5). This means the breach is serious and the organization will need to notify customers and prepare for possible financial and reputation repercussions.
Of course, this rudimentary quantitative model is only a start and might not adequately reflect the seriousness of a breach, but it is more advanced than what is in place at many organizations. The truly data-centric organization would create a more complex data security model that accounts for particularly dangerous data combinations. This model would guide data security decisions in terms of where and how to store data.
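The additive score and the point about dangerous combinations can be sketched as follows. This is an added example, not code from the article: the element values come from the worked example above, while the catalog layout, the rule that unclassified elements are scored as sensitive, and the combination surcharge of 5 are assumptions.

```python
from dataclasses import dataclass, field

# Constructed metadata catalog. Risk values follow the article's worked
# example (SSN 5, address 1, full name 3, date of birth 5); the element
# names and the "store" attribute are hypothetical.
CATALOG = {
    "ssn":           {"risk": 5, "store": "crm.customers"},
    "address":       {"risk": 1, "store": "crm.customers"},
    "full_name":     {"risk": 3, "store": "crm.customers"},
    "date_of_birth": {"risk": 5, "store": "crm.customers"},
    "weather":       {"risk": 1, "store": "public.feeds"},
}
UNCLASSIFIED_RISK = 5  # assumption: unknown elements are scored as sensitive

# Assumed combination rules: (anchor element, companions, surcharge).
# A rule fires when the anchor and at least one companion are exposed together.
COMBINATION_RULES = [
    ("ssn", {"full_name", "date_of_birth"}, 5),
]

@dataclass
class BreachScore:
    base: int = 0                                      # sum of per-element risk values
    surcharge: int = 0                                 # extra risk from combinations
    unclassified: list = field(default_factory=list)   # elements missing from the catalog
    fired_rules: list = field(default_factory=list)

    @property
    def total(self):
        return self.base + self.surcharge

def score_breach(exposed_elements):
    """Score a breach from the names of the exposed data elements."""
    exposed = set(exposed_elements)  # each element counts once
    result = BreachScore()
    for element in sorted(exposed):
        entry = CATALOG.get(element)
        if entry is None:
            # Not in the catalog: flag it and score it at the highest value.
            result.unclassified.append(element)
            result.base += UNCLASSIFIED_RISK
        else:
            result.base += entry["risk"]
    for anchor, companions, surcharge in COMBINATION_RULES:
        hit = exposed & companions
        if anchor in exposed and hit:
            result.surcharge += surcharge
            result.fired_rules.append((anchor, sorted(hit)))
    return result
```

The `unclassified` list doubles as a catalog-coverage check: any element that appears there was exposed without ever having been classified.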
Metadata can quantify risk if a data breach does occur. When organizations know the value of the data that has been leaked, they are much more prepared to handle it.
To learn more about leveraging metadata, download this data sheet.