By Dr Chris Pierson, BlackCloak Founder & CEO
Earlier this year, news broke that Chinese hackers had been caught sending sophisticated phishing emails to the personal Gmail accounts of US-government agency employees. While the nation-state attackers' exact motivations will never be fully understood, many believe that they targeted personal email accounts to sidestep the agency's robust cybersecurity controls: compromise the personal account first, then pivot from it into the agency's digital infrastructure.
As the lines between the professional and the personal have almost completely blurred, this type of attack, which pivots from a personal account or device into the enterprise, is increasingly common, and it poses a major threat to the enterprise. Today, the soft underbelly of enterprise security is the personal digital life – the online privacy, personal devices, and home networks – of executives, Board Members, and other high-profile employees with access to the finances, proprietary data, and personal information that cybercriminals want to compromise and place under their control.
Vulnerabilities and minimal security controls entice cybercriminals
It's not hard to understand why cybercriminals, in particular criminal groups and nation-states, now choose to attack individuals as the stepping stone into an organization's digital infrastructure.
For one, high-profile employees almost always lack, outside the company's four walls, the cybersecurity and privacy protections their employer provides at work. In fact, proprietary BlackCloak data has found that:
- 39% of executives have malware on their personal devices
- Only 59% of executives have antivirus on their personal devices
- 40% of executives have their IP address available on online data brokers
- 75% of executives’ personal computers are either totally unprotected or operating using default security settings
Second, the smartest cybercriminals know that CISOs cannot extend enterprise protections into personal digital lives. Due to ethics risks, privacy laws, SEC requirements, and lack of team bandwidth, among other factors, security teams cannot simply deploy enterprise protections on personal devices and home networks. Likewise, CISOs have no authority to require a spouse or child, or even an executive for that matter, to follow a protocol or best practice when not in the office. Imagine the dismissive look an executive's teenager would give a CISO who asked them to comply with a security rule.
Finally, executives are vulnerable in their personal digital lives because consumer cybersecurity and privacy products are no deterrent. Commoditized safeguards, such as signature-based antivirus and credit card monitoring marketed as identity theft protection, provide minimal resistance, if any, to today's most sophisticated threats.
As such, the path of least resistance into the enterprise is to attack the personal digital lives of a company's most important personnel, whether by social engineering, spoofing, malware delivery, communications hijacking, or one of many other techniques.
The enterprise as collateral damage
It's important to note that not every attack on an executive's personal life is intended as a path into their organization. Many times, the executives themselves are the target because of their wealth or status. Nonetheless, an attack on an executive as an individual almost always has some consequence for the organization.
For example, suppose the CEO of a major autonomous car company is hacked with financial fraud as the objective. The attack unintentionally exposes private information about the family's political leanings, which run contrary to mainstream views. While the executive is the victim, the news coverage focuses on the information leak, and the public backlash to the politics is swift and harsh.
The company then takes a big reputational hit with the public, and many employees are dismayed and unsure about the company's future. Business continuity is disrupted, and crisis remediation plans are forced into action.
In this example, the company wasn't the primary target (the CEO's wealth was), but the collateral damage was plenty impactful.
Reducing risk with digital executive protection
The hit Apple TV show "Severance", in which technology prevents one's work life and personal life from ever intermingling, is a great drama, but it is so far removed from today's work reality that it's best classified as science fiction.
Even before the pandemic, the lines between personal and professional were thinning. Now, with remote and hybrid work permanent for so many, and with IoT proliferation accelerating at rapid scale, it's hard for most security teams to be certain where their perimeter begins and where it actually ends.
That's why protecting executives in their personal digital lives in order to protect the company has been a complex problem to solve. Fortunately, a new wave of digital executive protection solutions makes it possible to take the burden off the cybersecurity team and put it into the hands of a third party that can focus exclusively on mitigating this specific risk factor without the privacy, legal, and bandwidth concerns.
Attacks on the personal digital lives of executives may be a threat in its infancy when compared to the other challenges security teams deal with on a daily basis. But it is a threat worth addressing before it gets completely out of control.
About the Author
Dr. Chris Pierson is the Founder & CEO of BlackCloak, a leader in digital executive protection for corporate executives, high-profile and high-net-worth individuals and their families. Chris has been on the front lines of cybersecurity and privacy in both the public and private sectors for over 20 years. Previously at the Department of Homeland Security, Chris served as a special government employee on their Cybersecurity and Privacy Committees. He’s also spent time as the Chief Privacy Officer for Royal Bank of Scotland (RBS), as the Chief Information Security Officer for two prominent FinTechs, and is also a Distinguished Fellow of the Ponemon Institute.