Page 207 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Vulnerabilities and minimal security controls entice cybercriminals
It’s not hard to understand why cybercriminals, in particular criminal groups and nation-states, now
choose to attack individuals as the stepping stone into an organization’s digital infrastructure.
For one, most high-profile employees almost always lack the cybersecurity and privacy protections
afforded to them by work when outside of the company’s four walls. In fact, proprietary BlackCloak data
has found that:
● 39% of executives have malware on their personal devices
● 59% of executives have antivirus on their personal devices
● 40% of executives have their IP address available on online data brokers
● 75% of executives’ personal computers are either totally unprotected or operating using default security settings
Second, the smartest cybercriminals know that CISOs cannot extend enterprise protections into personal
digital lives. Due to ethics risks, privacy laws, SEC requirements, and lack of team bandwidth, among
other factors, security teams cannot simply deploy enterprise protections on personal devices and
networks. Likewise, CISOs have no authority to mandate that a spouse or child, or even an executive
for that matter, follow a protocol or best practice when not in the office. Imagine the look of dismissal
one would receive when telling an executive's teenager to comply with a rule.
Finally, executives are vulnerable in their personal digital lives because consumer cybersecurity and
privacy protections are no deterrent. Commoditized safeguards, such as signature-based antivirus and
credit card monitoring masquerading as identity theft protection, provide minimal resistance, if any, to
today’s most sophisticated threats.
As such, the path of least resistance into the enterprise is to attack - either by social engineering,
spoofing, malware injection, communications hijacking, or one of many other attack techniques - the
personal digital lives of a company’s most important personnel.
The enterprise as collateral damage
It’s important to note that not all cybercriminals are attacking executives' personal lives exclusively to
move laterally into their organization. Many times, the executives themselves are the target due to their
wealth or status. Nonetheless, an attack on an executive as an individual almost always has some
consequence on the organization.
For example, a CEO of a major autonomous car company is hacked with financial fraud as the objective.
The attack unintentionally exposes private information about the family’s political leanings, which are in
contrast to the mainstream views. While the executive is the victim, the news focuses on the information
leak, and the public backlash to the politics is swift and harsh.