How valuable is your information?


By David Halstead of Deloitte & Touche

Do you really know how valuable your information is? Many companies don't, because they haven't assessed the value of information as an asset, because it's intangible.

Even those that think they know may be deluding themselves, believing that their lawyers have it covered when in fact the legislative protection of IP is only applicable 'after the fact', when it has been disclosed.

Ask yourself these simple questions. What would be the impact on my business if:

  • my information was disclosed to competitors or to the public?

  • my information wasn't 100% accurate?

  • I couldn't get my hands on my information when I need it?

    If you have to hesitate before answering any one of these questions, then you don't know the true value of your information. Read on!

    First steps

    Identify your business-critical information assets. Gather together staff members from across the business, and not just from the IT department, and together determine what is the key business data that drives your business.

    Once identified, you need to assess the impact on the business of the unauthorised disclosure, modification or loss of these information assets. These can be measured in terms of confidentiality, integrity and availability.

    By way of example, if your company is a telecommunications service provider, you will probably care most about availability, because this is how your customers measure you. However, if you are a drug discovery or innovations company, confidentiality may be higher on your agenda, so that you maintain your competitive edge, although clearly integrity is also critical.

    This measure of impact is an effective barometer of the value of your information assets. Once you know this value, you are in a position to start managing its exposure to the risks posed by unauthorised disclosure, modification or loss. Minimum cost-effective security controls can then be determined and documented in your information security policies and standards. The controls can be applied using technology, such as firewalls or cryptography, or it could be a simple case of improving procedures, such as implementing a clear desk policy.

    It may be that the key to successfully managing your information security risks is to take a fresh view of what it is that you really value. Everyone in the business can - and should - contribute to this decision because the best way to manage your information security is to talk about it.

    David Halstead is a Partner at Deloitte & Touche in Cambridge. Contact him by email

    21 March 2003

    This article first appeared in Tangent, a fortnightly column offering business advice and comment

    The Deloitte Cambridge office comprises 8 Partners and over 250 staff who deliver a full range of professional services to the East Anglian region. As well as focussing on the life sciences and technology sectors for which the region has become so renowned, the office has long standing specialisms in other sectors including the professions, consumer business, food and agribusiness.

    Deloitte LLP