In our previous articles for Threatpost, we’ve talked a lot about how the attack surface has expanded into the personal digital lives of executives and high-profile employees, and about how their online privacy, personal devices, and home networks are now primary targets – either to compromise them individually, as a stepping stone into the organization’s digital infrastructure, or in some cases, for both purposes.
For a variety of reasons, the separation that once existed between one’s professional and personal life has all but evaporated. This has added new and complex risks to both the individual and the company that they lead. As such, executives, Board Members, and employees with access have become the soft underbelly of enterprise security.
While CISOs do a tremendous job protecting the people, processes, and technologies inside their organization’s four walls, risks to executives in their personal digital lives present a challenge that security teams cannot solve, even if they wanted to.
So, why are personal digital lives off-limits?
Undue Burden of Responsibility
Consider this scenario: A security analyst decides to use corporate tools to monitor an executive’s personal mobile device for potential risk. While doing so, he notices that confidential corporate materials are being sent to the executive’s personal Gmail account and then accessed and downloaded to that device (a common practice known as the corporate sneakernet).
This observation creates a dilemma. Company rules dictate that the analyst must report the observation to HR as a potential violation of the company’s data privacy and confidentiality policy. In turn, this creates a problem for HR. The executive was likely accessing the information in good faith, unaware of the security risk of storing sensitive materials on an unprotected personal device. What should they do?
Unfortunately, there’s no clear resolution to a problem like this. It’s a breach of company policy, but the executive was only trying to do his job.
If you use company personnel to protect executives in their personal lives, then those responsible for ensuring an executive’s online security at home or on the road would be required to act as an agent of the organization 24x7x365. Not only is this a time-consuming task, but it also creates an undue burden of responsibility and accountability on that security team member.
Potential for Discrimination or Reputation Harm
Personal inboxes or social media feeds offer insight into personal ideologies, whether political, religious, or cultural. Executives rarely want that information made public, and they certainly don’t want a member of the security team coming across it. However, should the security team discover, through routine risk analysis, that the executive or a family member supports a controversial cause, that knowledge could be communicated internally. Besides harming the executive’s reputation, the information could also be used to discriminate against that executive if their viewpoint is inconsistent with the company’s values or those of its employees.
Ethical Risk for Employees
Protecting executive cybersecurity and online privacy in an executive’s non-work life is a hands-on job. A security team member would need to regularly converse with the executive to ensure their personal devices, home network, credentials, and other vulnerable assets are secure. In addition, since family members share the same network and devices, the team member must also be familiar with their digital habits. For many organizations, this level of intimacy would be considered improper.
Reporting Liabilities
To protect critical industries and national infrastructure, many companies must report cybersecurity incidents to the SEC or the federal government. But what if that incident results from sloppy cyber manners by executives at home? Any CISO, legal counsel, or compliance officer would be reluctant to report an executive, their family, or even the internal employee in charge of their digital protection as a cyber liability.
Separation of Church and State
In addition to the reasons cited above, it’s important to remember that no organization has the authority to mandate security controls or enforce security and privacy policies inside the home of its executives. As such, a clear divide exists between an executive’s at-work digital life and their non-work digital life. Even if the executive and family were amenable, legal teams would not allow the security team to monitor personal networks and devices due to personal privacy concerns.
Call it a separation of church and state or think “Severance,” the Apple TV+ show where workers undergo a “severance” procedure to create a version of the self that only exists at work and is separate from their non-work self. There are compelling compliance, ethical, legal, and privacy reasons why CISOs and their teams can’t protect executives in their personal digital lives, even if they wanted to.