Let’s talk about your personal belongings for a second. When you apply for homeowner’s insurance, you’re asked to value your property. How much is your computer worth? All of those tools you have tucked away in the garage? What about your wardrobe? Kitchen supplies, furniture and so on also must be taken into account. The reason is obvious, of course: if someone were to steal them, you can file a claim and get reimbursed based on the value of your possessions.
Your business is no different when it comes to physical assets. Value is attributed to your computers, printers, furniture, and so on. And where do you track that value should you need to make a claim? Your balance sheet.
But something is missing from the balance sheet. While it’s not physical, it’s arguably the most valuable object for your business: Your data.
Data has value. Medical data, specifically, is as good as gold. Why is that? For starters, the policing of medical records is little to non-existent. When your medical identity is stolen, the thief can use the acquired data to access prescription drugs or fraudulently bill payers (Medicare is especially lucrative), resulting in millions of dollars in fines and legal hassle for the payers, government, and the victim. Criminals will pay extraordinary amounts of money (up to $470 for a Medicare patient identity) for those unmonitored medical records. Take a moment and run the numbers on that: hosting a mere 10,000 Medicare records means you are protecting potentially $4,700,000 in black market value that someone wants to take from you.
Now let’s say the very worst happens (I cringe writing these words): you have been breached. If you are prepared, you know about it. There are a couple of ways this can go:
- The data is either cryptolocked or has been exfiltrated;
- The hacker (or hackers) wants you to pony up to get your information back safely, or it is already being packaged and sold on a data market.
Unfortunately, it’s not like getting a stolen car or wallet back. Data can be infinitely replicated. Once that data is gone, consider it gone. And what happens when that data is gone? You could face termination, a lawsuit, or worst of all, go out of business. How can you replace that kind of asset? You can’t, and the potential liability, legal ramifications, and loss of revenue make it one of the more (if not the most) valuable assets of your entire company. Why isn’t that reflected in your balance sheet?
You might argue that it is, albeit indirectly. After all, your IT security assets are what keep all that data safe. And those are definitely listed on your sheet. My guess is that when compared to the value and liability of your data, those assets are a trivial number. In order for your board of directors or CEO to see why you need all those dollars for security, they need to see the exact value of what is being protected. There’s nothing like seeing it in black and white to drive that point home.
How do you figure out how much your data is worth? Several sources track market values. Here are a few:
- McAfee Hidden Data Economy Report
- Trend Micro: A Global Black Market for Stolen Personal Data
- Havocscope Black Market Prices
Take the market value, estimate the number of records you protect, and boom, you’ve got a ballpark market value. Don’t be surprised if it’s a rather large one.
Now that you’ve figured out the incredible value of your data, what’s next? Make sure you take adequate steps to protect it. If you have a board of directors or a CEO/CFO you report to, make sure they are aware of the numbers and use them, along with other reasons such as security being good for the brand, to defend your security budget. Don’t wait until it’s too late to protect what’s most precious to you.
Next time we’ll talk about the value of investing continually in security.