How Much is Your Data Worth?

Most organizations that prioritize and categorize data rarely assign it a specific monetary value. Usually, there is no need to go into that level of detail; it is enough to identify the most sensitive data and concentrate on securing what really matters.

Ransomware Gangs are Setting the Price of Data

One ugly development is threatening that strategy: Ransomware. Today, more and more companies are being forced to estimate the dollar (or bitcoin) value of their data to decide whether it’s worth paying the ransom ($1.2 million on average) to get their data back.

Specifically, decision-makers attempt to calculate how much money they will lose if they refuse to pay, factoring in the cost of lost revenue, customer attrition, fines for compliance failures, penalties from partners and contractors and much more. At the same time, they also need to consider that paying the ransom by no means guarantees they’ll get the data back—only 65% of encrypted data is restored even when payment is made. Moreover, paying one ransom often leads to repeat attacks, since the organization has demonstrated its willingness to meet the ransomware gang’s demands.

Cyberinsurance is not a Panacea

It can be tempting to turn to cyberinsurance to protect against the expenses of ransomware attacks. In this case, the cost of your data will be established by the insurance company, which will base it on the average ransom demand. So, again, attackers are the ones setting the value of your data.

That’s assuming you can even get insurance. Remember, the business model for this type of insurance is based on the assumption that catastrophic cyberattacks will be rare. With every third organization worldwide being hit with ransomware now, insurance payouts have become both more frequent and more costly. Accordingly, the cost of cyberinsurance has skyrocketed: Prices in the U.S. nearly doubled in the third quarter of 2021 compared to the same quarter the previous year. Moreover, discussion is gaining momentum about refusing to pay if an attack originated from a state actor, and about whether attacks can be considered an act of war and, therefore, fall outside of contractual coverage.

In short, an insurance policy might quell anxiety but it doesn’t solve the problem of ransomware risks.

Protect What Really Matters

Investing in security simply makes more sense than investing in ransom: protection costs less than paying criminals exorbitant sums in the (often vain) hope of getting your data back.

Data classification is the key, because protecting all content equally is way too costly. It’s not necessary to assign specific values to each piece of data; it’s enough to determine which data is most valuable and focus on protecting the confidentiality, integrity and availability of that data.

Before starting the data classification process, it is crucial to make sure that different parts of the organization—IT, security, legal and other business teams—agree on the criteria to be used, so you can implement a complete and consistent approach to data categorization across the board. This alignment also facilitates more balanced process and technology decisions, as well as faster ROI for data discovery and classification tools.

Risk assessment is first and foremost our own responsibility. Don’t let ransomware gangs set the price of your data.

Ilia Sotnikov

Ilia Sotnikov is vice president of product management for Netwrix, a provider of information security and governance software. He has over 15 years of experience in the IT management software market. Prior to joining Netwrix in 2013, he was managing SharePoint solutions at Quest Software (later acquired by Dell).