Why Data Awareness Needs to be Part of Cybersecurity Awareness
By John Kindervag, Field CTO at Palo Alto Networks
Ever heard the old joke about a police officer who sees a man searching for something under a streetlight? The officer asks what he has lost, and the man responds that he lost his keys, so they both proceed to look under the streetlight together. After a few minutes the police officer asks the man, "Are you sure you lost your keys here?" The man replies, "No, I lost them in the park." The police officer then asks, "Well, why are you searching in this spot if you lost them elsewhere?" and the man replies, "Because this is where the light is."
The act of looking for something where it is easiest to look is known as "the streetlight effect." In today's world, companies often approach cybersecurity in this way, searching where the light is brightest even if it is the wrong place. Businesses generally focus on input metrics – what is coming into the network, such as malware – as opposed to output metrics – what is leaving the network. In the wake of modern data breaches, one metric matters more than the others: has your toxic or sensitive data been exfiltrated from your network or systems into the hands of a malicious actor (aka a hacker)? This is a significant change in mindset, because as an industry we often still think of a "breach" as breaching the castle walls and capturing the flag. However, your "flag" must actually be exfiltrated before you are in trouble (this is the legal and regulatory definition of a breach).
Here's a recent example. I was asked to provide credit card information to book a hotel, and was sent a document which requested that the information be filled out and sent back to a third party. As a recovering QSA (qualified security assessor), I know that PCI is a twelve-step program. Sharing sensitive information in this way is a clear violation of PCI, so I obviously did not do it. If done in a work setting, this is the kind of thing that can put companies and individuals at risk. This is exactly why it is important to train employees to understand how sensitive, custodial or regulated data can potentially be misused.
Cybersecurity will be increasingly in the spotlight in the next year, especially in Europe. In anticipation of the General Data Protection Regulation (GDPR) applying in Europe starting in May 2018 – which sets out clear requirements for the handling and governance of EU residents' personal data – I would advocate expanding traditional cybersecurity awareness training into proactive data awareness training that looks at output metrics and shows you exactly where your most valuable data is and how it is leaving your network. People typically do not think enough about data, or differentiate between what is sensitive and what is benign. Once you do, you won't be the person looking for your keys (read: data) in the wrong place.