It’s been roughly two months since Russia first launched its unprovoked invasion of Ukraine. Since then, the world has borne witness to unspeakable tragedy. While damaged and destroyed property can and will be rebuilt; the death and despair incurred by Ukrainians will leave a lasting imprint across all of Europe for generations to come.
As horrific as the physical war has been, the much-anticipated cyberwar hasn’t materialized as quickly as some cybersecurity and national security experts thought it would. In early March, Former General Counsel of the National Security Agency and Central Security Service Glenn S. Gerstell told The Guardian, “we have not yet seen the completely destructive attacks on Ukraine infrastructure some anticipated.”
But there are new indications that Russia may soon try to intensify its cyberwar. Two weeks ago, Ukraine’s IT infrastructure came under significant assault from Russian hackers. This was the first major attack of real consequence since Russians targeted Ukrainian banks in mid-February.
And according to Foreign Affairs, “all available evidence indicates that Russia has employed a coordinated cyber-campaign intended to provide its forces with an early advantage during its war in Ukraine.”
Threat Landscape Shifts from the Professional to the Personal
While the extent of Russia’s digital warfare ambitions remains unknown, much of the world is preparing for the first global cyberwar.
In America, President Joe Biden and DHS’s Critical Infrastructure Security Agency (CISA) continue to issue detailed cybersecurity warnings to US agencies and businesses alike. Recently, CISA alerted wealth managers that Russian cyberattacks targeting their organizations and their clients are likely. Hospitals, the energy sector, and Fortune 1000s across every industry have also been warned of direct threats and the potential for collateral damage.
One attack vector noticeably missing from both government and industry alerts is the personal digital lives of executives – the C-Suite, Board Members, and senior company leaders – with direct access to financial, proprietary and confidential information.
Recently, skilled cybercriminals and nation states have strategically begun to bypass government and organizational security controls by attacking what CISOs and security teams cannot control: the online privacy, personal devices, and home networks of executives and their families.
Vulnerabilities are Vast in Personal Digital Lives
Because enterprise security cannot extend into personal lives, personal device and home network vulnerabilities are plentiful, and often easy to exploit.
According to BlackCloak, internal data, 87% of executives’ personal devices lack any cybersecurity controls, and at least 27% of devices contain previously undiscovered malware.
Additionally, 75% of personal devices are leaking data due to missing or improperly configured device privacy settings, and 69% of executives have personal and work passwords available on the dark web.
These vulnerabilities, among others, represent a green space for cybercriminals and nation-states to breach organizations by hacking executives in their personal lives to subsequently move laterally into the organizations that are their ultimate target.
Last month, Google’s Threat Intelligence Group identified Chinese threat actors attempting to hack the personal Gmail accounts of US government workers, according to an article in Bleeping Computer.
Protect Executives’ Personal Digital Lives, Protect the Organization
It remains to be seen if Russia will escalate its cyberwar, and whether or not an escalation will directly target or indirectly impact US businesses and government agencies. Regardless, security teams must now prepare for lateral attacks manifesting in their executives’ personal digital lives.
Fortunately, there are several safeguards that, although burdensome, security teams can help company leaders implement in their personal lives. These include:
- Ensure that multifactor authentication is active on all personal (including family) devices, apps and systems that allow it. CISOs should block access to all corporate systems from any device in which MFA is not deployed.
- Submit opt-out requests to as many online data brokers as possible, limiting adversaries ability to obtain the personal information needed to launch social engineering and spear-phishing attacks.
- Set automatic operating system and firmware updates on all personal devices; and implement home network security via router firewalls and WiFi network encryption to ensure the integrity of communications.
- Ensure all personal devices, including those of spouses and children, have anti-malware installed and updated.
- Install WiFi security to protect your home networks and enable home visitors to connect to the guest network.
Unfortunately, such safeguards, among others, can take already sacred time and resources to implement, without any guarantees that they will keep individuals or the company safe and secure. But with the drums of cyberwar beating harder and harder, protecting an organization may start and end with how well it can protect executives in their personal digital lives.