What's your data worth? More importantly, to whom?

This week, I'm attending, and spoke at, a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you.

When considering how to protect your data, don't consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to you.

I know, it seems so simple when you see it in print. But, surprisingly, many people take the opposite approach. "We don't have anything of value to anyone else, we don't need security." There's no more dangerous statement than this. Resist the urge to think about its value to the bad guys when deciding how to secure your data, because if you think your data isn't valuable to anyone else, then you'll probably get the security wrong (that is, you won't have enough).

If you've got data accessible online, it's valuable to someone -- you! Why else would you put it up? It's logical, then, that it might be valuable to someone else, even if you can't imagine how. So think about your data's value to your organization: how much is it worth, and what is your exposure if the data is stolen, compromised, or lost? When you take this approach, you'll get the security right, and your decisions will reflect the true value of your data.

Comments

  • Anonymous
    January 01, 2003
    Great post, explained really well and I could really understand. Thank you.

  • Anonymous
    January 01, 2003
    Joe-- This is what information security is all about! There are plenty of good books and web sites that can help you learn about it. See my del.icio.us link in the right-hand column for some starting points. And there's plenty of information at http://www.microsoft.com/security.

  • Anonymous
    January 01, 2003
    As I've explained before I like to do mail in the morning before I leave the house. Finding myself running

  • Anonymous
    October 29, 2007
    Steve, completely agree with your point about how valuable your data is to you (your company) should be of primary concern. However I am cautious that you don't disregard what it's worth to an attacker. Sure if you value the data more than an attacker it's the way to go, however if the data is worth considerably more for an attacker than it is for the company (and to be honest I cannot think right now of a scenario for this) then should that not be taken into consideration also? - for this may indicate how far and how hard someone may be willing to go to obtain it. - and hence the likelihood of your security measures being tested and/or the data being stolen etc. Perhaps it should be that in any considerations you allow for both values but in particular the higher value - whichever side that value applies?

  • Anonymous
    November 13, 2007
    I read about your vital point on how to protect data from the attacker but you never make or tell us important step on how to protect our data from the attackers, so please tell me how I can protect my data from attackers because my data means a lot to me.

  • Anonymous
    November 26, 2007
    I think it's important to remember that part of the value this data has to your company is the value it has to your customers. Maybe you only get a few dollars per customer per year, but if you lose their information, that customer's out several hundred, perhaps several thousand, dealing with the fallout of 'identity theft'. Obviously, that cost may come back to your company, in the form of fines, credit watch services, etc., but it's a layer of depth that many companies still aren't ready to think about.