Page 207 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

Vulnerabilities and minimal security controls entice cybercriminals

It’s not hard to understand why cybercriminals, in particular criminal groups and nation-states, now choose to attack individuals as the stepping stone into an organization’s digital infrastructure.

For one, most high-profile employees almost always lack the cybersecurity and privacy protections afforded to them by work when outside of the company’s four walls. In fact, proprietary BlackCloak data has found that:

● 39% of executives have malware on their personal devices
● 59% of executives have antivirus on their personal devices
● 40% of executives have their IP address available on online data brokers
● 75% of executives’ personal computers are either totally unprotected or operating using default security settings

Second, the smartest cybercriminals know that CISOs cannot extend enterprise protections into personal digital lives. Due to ethics risks, privacy laws, SEC requirements, and lack of team bandwidth, among other factors, security teams cannot simply deploy enterprise protections on personal devices and networks. Likewise, CISOs have zero authority to mandate that a spouse or child, or even an executive for that matter, follow a protocol or best practice when not in the office. Imagine the look of dismissal one would receive when telling an executive’s teenager to comply with a rule.

Finally, executives are vulnerable in their personal digital lives because consumer cybersecurity and privacy protections are no deterrent. Commoditized safeguards, such as signature-based antivirus and credit card monitoring masquerading as identity theft protection, provide minimal resistance, if any, to today’s most sophisticated threats.

As such, the path of least resistance into the enterprise is to attack the personal digital lives of a company’s most important personnel, whether by social engineering, spoofing, malware injection, communications hijacking, or one of many other attack techniques.



The enterprise as collateral damage

It’s important to note that not all cybercriminals are attacking executives’ personal lives exclusively to move laterally into their organization. Many times, the executives themselves are the target due to their wealth or status. Nonetheless, an attack on an executive as an individual almost always has some consequence for the organization.

For example, a CEO of a major autonomous car company is hacked with financial fraud as the objective. The attack unintentionally exposes private information about the family’s political leanings, which are in contrast to the mainstream views. While the executive is the victim, the news focuses on the information leak, and the public backlash to the politics is swift and harsh.
