Black Cloak released their study today, Examining the Modern Attack Surface: Quantifying the Risks to Individuals and the Enterprise. The study reveals just how shockingly vulnerable C-suite execs are. Some examples:
- 87% of executives’ personal devices have NO security installed
- Another 87% have passwords leaked on the dark web
- 27% of executives’ personal devices contain malware
- 76% of executives’ personal devices are actively leaking data
- 23% of executives have open ports on their home network
- 20% of those have open security cameras
- 53% of executives are not using a secure password manager
Corporate devices and data extend beyond the physical business perimeter, and increasingly appear in the home network — a network that is outside the management scope of your security team. As a result, maintaining visibility and control over corporate-owned devices is necessary to ensure protection of your data. While this requires a delicate balance to remain sensitive to the privacy of personal devices and personal networks, it’s essential that the endpoint and the data are treated as perimeters in and of themselves.
While measures like multi-factor authentication aren’t perfect, these basic best practices are essential, especially for the board/C-suite, who often opt out of the requirement as a matter of convenience. Beyond multi-factor authentication, other security fundamentals include adopting modernized password practices, reliably deploying and configuring endpoint security software, and embracing Zero Trust and Data Loss Prevention as you mature your organization.
It’s also critical to raise awareness throughout your organization around common CEO-spoofing campaigns for smishing/vishing and other social engineering attacks, as exposed CEO data – and public info from social media posts – can make for a very convincing lure to dupe victims.
The Black Cloak report presents some hard-hitting and staggering data points on acute vulnerabilities and the urgent need for executive protection. Conventional cyber safeguards come into play much later, and the fundamental problem here is the ability of threat actors to identify an executive’s digital footprint in the first place.
Avoidance is better than remediation, and the best strategy is to lower the probability of detection of the executive’s digital footprint across public cloud and the Internet. In the intelligence and forensics world this is known as managed attribution, where source and destination relationships are obfuscated. Sensitive resources are hidden from potential adversaries, which prevents direction finding and identifying the targets in the first place.
Businesses should urgently implement next-generation VPN technologies with cloud obfuscation capabilities to prevent executive “digital bread crumbs” from creating targets. Strong authentication combined with improved protection for high-value users and locations can be and should be core to a modern data protection strategy.