Effective communication about the risks of data loss to an executive or board level audience always need to include more than the likelihood of an incident occurring. To ensure Data Loss Impact (DLI) is fully understood and prioritised at board level, and that the necessary resources are available to mitigate the risk, security and data specialists need to help executives to recognise the potential cost and reputational impact of an incident.
DLI is a difficult metric to capture and even more difficult to action upon. Performing a risk assessment focused on loss factors involves an amount of hypothetical future-gazing and conclusions can vary wildly depending on decisions to include or exclude certain factors. However, in the cloud era it is more important than ever for security and data professionals to help their organisations understand DLI and where to implement controls to effectively reduce costs associated with DLI.
Valuing loss
Standards body The Open Group outlines six forms of loss to consider when measuring risk. Some are specifically associated with the lifecycle of an incident, while others are related to the business’ capacity to continue to trade normally.
1) Loss of productivity
This category captures any reduction in the organisation’s ability to generate value from the core business proposition. In essence, it asks whether the data loss incident impacts day-to-do day operations and revenue in any way. This figure must use numbers that the board recognises and agrees with, and ideally should map against the board’s expectations for company growth.
For cloud, this may include predetermining the business continuity and operational resilience of third party service providers and identifying whether access to data is interrupted if data loss occurs due to a cloud service failure.
2) Response costs
This section details all expenses which will be accrued in managing the incident. This will likely involve internal labour costs, as well as supplier fees.
For cloud, audit information such as admin, user, and data access audit logs may be essential to efficiently manage incident response times and therefore costs. Not all cloud service providers offer this level of auditability, however investigating incidents and determining loss factors will require contextual traceability of this log data from a cloud DLP engine.
3) Cost of replacement
While ‘cost of response’ covers assets that can be fixed, there will be others that are lost or damaged in a data loss incident that will need replacing.
For cloud, replacement costs would typically cover the costs to replace a service during an incident or post-incident. As many cloud services are subscription based, the costs may vary, however the time and cost involved in shifting data to a new service should also factor.
Top 5 tips for doing a cloud storage cost analysis
4) Fines and judgement fees
The formalisation of data protection responsibilities is giving greater clarity to the potential fines that might be imposed after a data loss incident, with fines usually capped and identifiable in advance.
For cloud, shared liability and shared ‘reasonable costs’ need to be taken into account from a controller and processor perspective when fines and sanctions are issued and need to be appropriate to the procedural safeguards between the parties as per the agreement.
5) Loss of competitive advantage
Following a data loss incident, organisations can see a decline in the value of competitively differentiating assets. The value of individual data sets within large organisations is something that should be assessed and measured by individual data owners within each team (engineering, product, marketing, HR etc). These data owners understand the life cycle, value, and use of their specific data and should be working in collaboration with the information security team to ensure appropriate risk practices are followed.
For cloud, in addition to the data itself, competitive advantage components may include algorithms tuned by the data for business intelligence and data analytics purposes. Data integrity is key to monitor for data poisoning attacks that may intentionally target machine learning through model skewing or feedback weaponisation.
6) Reputational damage
The scale of reputational damage depends on the organisational business model, the details of any incident, and on the category of data itself. Customer data loss can lead to long-term reputational damage, especially if the organisation has been clearly critiqued for poor organisational and technical controls in protecting the data.
For cloud, historical instances have shown that the data-owning brand bears the brunt of the reputational damage, even when the fault may lie with a third-party cloud provider.
Valuing data
It is tempting to look at the underground market retail value of data and consider this the cost of its loss to the organisation. While this calculation can provide a useful explanation as to the resources that malicious actors are prepared to expend on accessing the data (and potentially provide a threshold minimum that organisations should be prepared to expend on basic technical defences), it misses the point that an organisation’s data is worth more than the sum of its parts.
Getting value from your data under GDPR
If someone steals your car and strips it down to sell off the parts for $5,000, that is a good day’s work for the thief, but it is likely to cost you more than $25,000 to replace the car and cover your costs in the meantime. Is the knowledge that your car’s parts might be worth $5,000 to someone else enough to justify your annual rent on a secure and CCTV-covered parking space? Probably not, but the fear of the $25,000+ risk cost might be.
There is a difference between data being lost from an organisation (which is a data protection issue) and data being lost to an organisation (which is an added asset loss issue). When valuing data that is lost to an organisation, i.e. data that is no longer an asset, professional services firm Genpact assigns three layers of value to aid in assessment:
Intrinsic value – Where the sale of the data alone is a revenue opportunity, and its loss is comparable to the loss of boxed product.
Derivative value – Where value is found by analysing relationships between data sets, or acting on the data.
Algorithmic value – Where the data unlocks value as part of a machine learning or otherwise automated business workflow.
A single data set may have multiple uses and its loss may impact multiple areas.
The fluctuating cost of avoiding data loss
The principle of proportionality says that as the potential impact of data loss increases, so should the action undertaken to protect it.
The information security team, along with the appropriate data owners, should therefore be evaluating and categorising data sets as closely as they study and protect potential attack surfaces. Neither data value nor risk are static, and as they fluctuate organisations need to identify ways to measure them dynamically.
Cloud brings its own challenges in managing costs associated to data loss. Consider the additional contextual information required to identify a data loss incident in the cloud, the additional controls to identify and prevent the incident from occurring, the security training and awareness required and finally the shared model of responsibility between cloud provider and customer. There should be no surprises that the customer will ultimately be responsible for evaluating Data Loss Impact in the context of cloud.