There is an old joke about a police officer who sees a man searching for something under a streetlight. The officer asks what he has lost. The man responds that he lost his keys, and then they both proceed to look under the streetlight together. After a few minutes, the police officer asks if he is sure he lost his keys there; and the man replies, “No,” and that he lost them in the park. The police officer then asks why he is searching in this spot, to which the man replies, "Because this is where the light is."
This is called the streetlight effect, or only searching for something where it is easiest. In today’s world, companies often approach cybersecurity in this way, searching for things where the light is brightest, even if it’s the wrong place. Businesses generally focus on input metrics – what’s coming into the network, such as malware – as opposed to output metrics, or what is leaving the network. In the wake of modern data breaches, there is one metric that is more important than all of the others: has your toxic or sensitive data been exfiltrated from your network or systems into the hands of a malicious actor (a hacker)? This is a significant rethinking because, as an industry, we often still think of a “breach” as breaching the castle walls and capturing the flag. However, your “flag” must be exfiltrated in order to get you in trouble (this is the legal and regulatory definition of a breach).
As one example, I was recently asked to provide credit card information to book a hotel. I was sent a document where I was asked to add the information and then send it on to a third party. As a recovering QSA, I know that PCI is a 12-step program. Sharing sensitive information in this way is a clear violation of PCI, so I obviously did not do it. If done in a work setting, this is the kind of thing that can put companies and individuals at risk. This is why it is important to train employees on understanding how sensitive, custodial or regulatory data can be potentially misused.
In recent years, there have been numerous major breaches that have led to the termination of executives, including CEOs, CIOs and CISOs, causing tremendous damage to shareholder value and even having geopolitical consequences. To prevent outcomes like these, during National Cyber Security Awareness month, I would advocate expanding upon traditional cybersecurity awareness training to focus on proactive data awareness training that looks at output metrics and shows you exactly where your most valuable data is – and how it is leaving your network. People typically do not think enough about data, or differentiate between what is sensitive and benign. However, once you do this, you’ll no longer be that person looking for your keys in the wrong place.