Healthcare leads data risk assessments – Trustwave study

A new report has found a yawning gap between the value put on critical data, across different industries and countries.

Patient data within healthcare is the most rigorously risk assessed, according to a report from technology firm Trustwave.

Nearly 80% of organisations saw patients as their prime data subject said they had carried out a comprehensive risk assessment, more than for any other data subject.

In the UK, where healthcare is largely controlled by the government through the National Health Service (NHS), this rose to 90%, according to the report “The Value of Data: a cheap commodity or a priceless asset?” from Trustwave and tech research firm Quocirca.

In the US, where the study from the Chicago-based tech firm noted that regulation is tight, through the country’s Health Insurance Portability and Accountability Act (HIPAA), the comparable figure was 85%.

Ziv Mador, vice president of security research, SpiderLabs at Trustwave told StrategicRISK: “UK companies ARE more concerned about patient health information which they collect and store.

He suggested UK regulation is strict in this respect, with the Information Commissioner’s Office (ICO) fining companies investigated and found to be poor at protecting data to an average of £114,000, with the biggest fine, thus far reaching above £400,000.

“That’s pretty significant,” said Mador. “That cost comes on top of other damages caused when such a leak happens, such as reputational damage, setting up alternative systems and hiring breach investigators.

However, US professionals across sectors valued their PII data more than twice as much as their UK counterparts.

The average per capita value of PII in the US was $1,820 versus $843 in the UK, according to the report.

The comparable figures for Canada, Australia and Japan were $1,025, $1,186 and $1,040 respectively.

Mador suggested the larger average size of US companies meant they might attach greater value to data.

“The number of records stored by US companies are huge, making them very lucrative targets for attackers on and ongoing basis,” he said.

“We see those attacks happening throughout the year, and UK companies also have increasingly large amounts of data,” Mador continued.

Industry sector also heavily influenced the type of data that is given highest priority, according to the paper.

Healthcare and hospitality sectors prioritised personally identifiable information (PII) data with an average score of 3.5 and 3.4 out of 4, while industrial and IT/communications companies ranked intellectual property as most important at 3.0 and 2.9 out of 4.

Dramatic differences exist between values placed on PII data by attackers, security professionals, insurers and regulators, reported the survey.

Cybercriminals put a $39 mean per capita value on a PII record, compared to some $1,198 by IT professionals, $3,211 for insurers and $8,118 for regulators.

For a payment card record, security managers over-estimate by 60 times the actual criminal values of data for sale on the black market. For a single banking record, it is 2,000 times, the study said.

“Data risk vigilance” (DRV), a measure of efforts to protect data, is highest among Canadian firms and lowest amongst Australian businesses with the UK in the middle, Trustwave reported.

Canadian and US companies earned the highest DRV and were therefore more data risk vigilant, followed by the UK, then Japan and Australia.

Financial companies and IT/communications companies were the highest scoring verticals and hospitality and retail the lowest scoring, according to the report.

Mador cited the importance of the EU’s General Data Protection Regulation (GDPR) which goes into force in Europe (including the UK, despite Brexit) from May 2018.

“GDPR requires companies to take action to protect data and the systems they run,” he said.

“That will help, as regulation encourages companies to take action to protect against breaches and make it harder for attackers,” he said.

“The attackers will go for the weaker prey, hitting easiest targets to get at the loot they might capture,” he added.