Trustwave Study: US Security Pros Value PII More Than UK Counterparts

The value of personally identifiable information (PII) varies among security professionals around the globe, according to a study of 500 information technology decision-makers conducted by MSSP Trustwave.

Key findings from the Trustwave "Value of Data Report" included:

  • The average per capita value (PCV) of PII in the U.S. is $1,820; comparatively, the average PCV of PII in the UK is $843.
  • The mean PCV placed on a PII record by cybercriminals is $39, compared to $1,198 by IT professionals.
  • Overall criminal resale values for PII are less than 5 percent of the value that data controllers place on their own information.
  • On average, security managers overestimate the value of a payment card record by 60 times the actual price of this information on the black market.
  • Among data types, shareholder data is most highly valued by IT professionals at more than $1,700 per record, followed by patient records with a mean value of roughly $1,500 and consumer data at more than $1,000.
  • Canadian and U.S. companies earned the highest data risk vigilance (DRV) scores, followed by businesses in the U.K., Japan and Australia.
  • Financial and IT/communications were the highest-scoring business verticals in terms of DRV, and the hospitality and retail segments received the lowest DRV scores.

Even a single data breach can put an organization's sensitive information – along with its brand reputation and revenues – in danger. As such, organizations must understand the value of their data and explore ways to safeguard their sensitive information, Trustwave noted.

How Can Organizations Assess Data Risk?

Trustwave offered the following recommendations to help organizations protect themselves against data breaches:

  • Establish a risk baseline for all data. Conduct a preliminary risk assessment to evaluate the likelihood of a cyber incident.
  • Prioritize email protection. Safeguard email bi-directionally via secure email gateways with signatures to block phishing, ransomware and other cyberattacks.
  • Perform continuous testing. Evaluate networks, applications and repositories of sensitive information for vulnerabilities that could result in data loss or failure to meet compliance objectives.
  • Create a cybersecurity culture. Deploy established cybersecurity processes and procedures in conjunction with annual training to reduce risk across an organization.

In addition, managed security services can help organizations address gaps in their cybersecurity strategies, Trustwave stated. Managed security services enable organizations to augment the responsiveness and remediation capabilities of their internal security teams, Trustwave said, and provide access to threat intelligence.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds an M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.