Only one in 10 firms assign a monetary value to data they hold - report

A third of firms have not even attempted to value information assets they hold

Only one in 10 firms have assigned a monetary value to the data they hold, according to a report by The Economist Intelligence Unit, commissioned by HP.

The report surveyed 300 business leaders worldwide across 18 industries, 41 per cent of which are C-level executives or board members, to determine the steps organisations are taking to manage information risk.

According to the report, a third of respondents estimate the value of information held by their organisation to be worth 10 per cent to 50 per cent of total assets. Half of all companies are either putting a monetary value on some information or considering doing so.

However, despite the perceived value of information being high, 33 per cent of organisations have not attempted to value the information assets they hold at all.

The report states that it is "difficult" to implement a monetary value on information.

"Patents, copyright and industrial design are the types of information most likely to be assigned a monetary value, even though executives believe most mission-critical information resides in the finance department," it said.

According to Andrzej Kawalec, chief technologist at HP, critical data assets may be "of strategic national importance, have massive corporate value or have huge significance to an employee or citizen - be it the secret recipe to Coca-Cola or the medical records of a patient."

With companies more exposed to cyber-attacks by new trends such as BYOD and a lack of employee awareness, organisations are placing more importance on information risk.

However, over 70 per cent of executives believe their organisation at best only "partially understands" the information risk they are exposed to, and 76 per cent believe information risk can largely be mitigated by hardware and software fixes.

The survey also found that more than two-thirds (68 per cent) struggle with the management of information risk where regional differences in legislation - around areas such as data protection and privacy - apply.

Assigning a monetary value to the data a company holds is a key part of the process in obtaining cyber insurance - a trend that is supposedly "steadily growing" in Europe, according to head of cyber products and liability at AIG, Jamie Bouloux.

But Stephen Bonner, a partner in the information protection side of "big four" accountancy firm KPMG, which works alongside AIG and law firms CMS Cameron McKenna and Norton Rose to offer clients a "data breach response service", told Computing that companies that have the weakest cyber defences are the least interested in getting cyber insurance.

"It tends to be those that have taken all the reasonable steps, deployed the right controls and monitor their environment already, that go for insurance," he said.

He blamed this on a lack of cyber security awareness in some of the smaller organisations, and suggested that the market will boom once awareness has been raised.

The Economist Intelligence Unit survey found that senior business leaders are generally ill-prepared for a loss of information at their company: fewer than one in four respondents (23 per cent) would know enough to take the lead in the event of a breach, despite nearly half of organisations experiencing a loss of information in the last year. In the past year, 57 per cent of CEOs have not been trained on what to do after information has been lost or stolen.