Part 2 of 3
Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.
Quick Recap: What VAR Is All About
As the term value at risk suggests, the idea is to determine how much business value is exposed to phishing attacks—how much of which types of data could be stolen or even destroyed, as seen through the dual lens of known threats and current defenses.
Here’s the chart we used:
The net result is an active-risk profile. You’ll know which types of attacks against which types of records pose the costliest threats. In the chart above, for example, business email compromise (BEC) threatens your business to the tune of $4.2M.
Knowing this, you would adjust your phishing-simulation training accordingly, concentrating on users who guard (whether they know it or not) data or access to funds in the face of BEC scams. Perhaps you’d decide to simulate a BEC wire-transfer scam and send it to users in Finance—or even to your C-suite.
Okay, you may be thinking: do I really need a model to know I should test against BEC, one of the few phishing threats covered by cable news?
Maybe not, but let’s say you haven’t tested much against the Dyre financial trojan. The sample model shows your VAR for this threat is over $2M. That’s a handy reminder to simulate phishes that deliver Dyre. And back to BEC for a second. Should you ever need to explain to your board why you train so much for BEC, the VAR model will back you up, in terms they’ll easily grasp: dollars.
Where Does Your Value Live? (And What Is “Value” Anyway?)
As we continue the VAR conversation, one question begs itself: how do you assess the value of data and other protected assets—anything that could be exposed by a phishing-related breach?
Short answer: with educated guesses.
In truth, most of us can’t pinpoint value, but we need a ballpark idea. Without going all the way into full-blown data mapping, start by identifying the type of data on your network. Customer data, for instance, will usually have high value. Who has access to it? Various people, no doubt, including some of your vendors, some of whom will actually collect that data themselves.
As you assess the types of sensitive data that your organization owns and which vendors are collecting their own data on your employees and/or customers, you might also take a close look at existing data protocols. It won’t hurt to know which vendors ensure CIA—confidentiality, integrity, and availability—and which don’t.
Your SaaS applications might collect customer data, too. Recently, Cofense™ introduced Cofense CloudSeeker™. It identifies SaaS applications configured for your environment, including applications you may not know.
So, it’s good to know more clearly where your business value lives. But you also need to remember that value goes beyond data. Where breaches are concerned, value extends to the cost of recovering from the damage.
Your tab might include:
- Cost per stolen record
- Recovery costs (incident response, IT hours, etc.)
- A formal investigation—could you handle this in-house or would you need pricey outside resources?
- Brand reputation damage—seemingly incalculable, until you check your stock price
To estimate these costs, avail yourself of free tools. Here’s one from IBM: https://databreachcalculator.mybluemix.net/
If estimating makes you nervous, take solace in knowing it’s better than having no clue at all. You need to put the “value” in VAR if you’re going to use it. With the security world steadily adopting risk-compliance methods, converting data (and more) to dollars makes sense.
Next week, the third and last installment in this series will examine access controls and phishing—who has access to which types of data you protect. For another perspective on how to maintain your anti-phishing program, view our “Left of Breach” e-book.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.