Assume a malicious actor already has your data – what would they have?

When reviewing cyber-readiness, much of the focus is on the five core functions of the NIST Cybersecurity Framework – Inspect, Protect, Detect, Respond, and Recover. However, suppose that as part of the Inspection phase you ask the question – what if protection and detection are too late? What if a malicious actor already has access to my data? This approach is known as “Assumed Breach”, whereby the trust placed in applications, services, identities and networks is limited by treating them all as not secure and probably already compromised.

What does it mean for how you think about security investments in people, processes, and technology? And what does it mean for how you look at your data?

If you’re like most professionals “of a certain age”, chances are you may have years, if not decades, of files and emails hoarded for the day you may need them. Will you really need that payroll report from 2010 which includes the social security numbers of your staff employed at the time? What about that file with the title “websitepasswords.xlsx” – would it be bad if a malicious actor had access to all your website credentials? Or that email history with all of the attachments from that loan you were applying for last year with all of your corporate information?

Assuming a malicious actor already had access to that information makes you view the data in an entirely new way. Therefore, a critical component to improving your cyber-readiness stance is to decrease the liability if data were to fall into unauthorized hands. The surest way to reduce your exposure is to get in the habit of cleaning out your closet – in this case, your virtual IT closet which may currently be storing old but valuable files and emails forever and ever, to the benefit of the bad guys who may find them more valuable than you ever will.