When you think about cyber-crime, and cyber-crime as an industry, the value for attackers is founded upon data. In the end, this industry monetizes on data and everything else (like malware, ATPs, brute forcing credentials) are all a means to an end. And the end - of course - is getting to the data because that is where the money is. There would be no cyber-crime if this were not the case. The focus for security organizations should be on data, because this is what attackers and insiders are after.