The story of cybersecurity is a constant progression of new ways to defeat new threats, from thought experiments to mainstream best practices. It started with the earliest antivirus software, which began as an experiment and progressed to being a necessity. More recently, we’ve seen it in security around SaaS and cloud infrastructure and in threats outside the perimeter, such as vendor risk management and digital risk protection for dark web threats.
We see this progression because cybersecurity, broadly, is very effective. Over the last five years, enterprises have had access to a veritable army of professionals and cutting-edge technology to secure their systems, and it’s paid dividends. Bad actors have had to evolve their attack strategies accordingly.
This evolution of strategies has taken two forms: first, moving from protected endpoints and infrastructure to other risk surfaces, and second, moving from large, well-protected organizations to smaller, less well-protected organizations. As stolen data becomes commoditized, why should bad actors spend their time and energy targeting JP Morgan and its $600 million of annual cybersecurity spending when they can instead target a mid-market company spending less than 1% of that?
The great news is that even mid-market companies are increasingly well-protected in their corporate environments as the tools and technologies of the largest enterprises have become more available and affordable. Today, the average business has 76 security tools, and in total, companies spend over $140 billion annually on cybersecurity. In the last two years, we’ve seen a vast increase in remote and hybrid work environments, and malicious actors are again moving their focus as corporate devices and networks become increasingly well-hardened.
However, with this evolution, bad actors are now targeting a new threat surface: the personal lives of employees. I call this attack surface “Employee-Targeted Digital Risk.”
Employee-Targeted Digital Risk is the threat surface of attacks that reach the enterprise through the team’s personal devices, personal accounts and digital lives. These attacks take a variety of forms, but what they have in common is that they circumvent the extensive cybersecurity controls companies have in place by targeting accounts and devices outside the company’s purview and then using that access to move laterally into company systems and data. Sometimes an incident starts with a specific target company, and the bad actors then identify a vulnerable employee; in other cases it starts with vulnerable or exposed personal data, and the target companies are chosen opportunistically.
We in the industry have been speaking about this extensively for several years. Martin Casado of Andreessen Horowitz, for example, dug into this problem in 2019 in “The New Attack Surface is Your Life,” and my company and Strategy of Security collaborated on a recent whitepaper. Only recently, though, has the threat surface become more widely discussed. Historically, news around data breaches has focused on the point of exfiltration and the consequences, and less on the point of exposure.
In 2022 alone, we saw incidents at Microsoft, Cisco and Uber originate in employees’ personal lives, and the 2021 Colonial Pipeline data breach played havoc with mid-Atlantic energy markets. What these breaches had in common was that they originated outside corporate-controlled systems. In each case, attackers compromised the employee’s personal accounts first. This is why protecting employees outside of work through personalized cybersecurity management (PCM) is becoming a business necessity.
While many chief information security officers (CISOs) are looking ahead to address employee digital risk proactively, some aren’t yet concerned. I still sometimes hear such explanations as, “We use multifactor authentication on everything,” “Our corporate software is containerized on employee devices” and “Employees can only access email.” I’m sure these statements are factual, but the reality of many high-profile attacks proves that these compromises are still possible.
Bad actors are moving to target employees’ personal lives with increasing frequency, and the string of recent, high-profile data breaches proves it. What was previously an optional nice-to-have in enterprise security is fast becoming a core category. This category includes several attack vectors:
• The personally owned devices of the team (even in cases where BYOD is not allowed).
• The personal accounts of the team, including personal email, social media and telephone numbers.
• Personal information, such as private phone numbers, security questions or breached passwords.
For many business professionals, the line between their personal and professional digital lives has all but disappeared. Attackers know that and use it to their advantage. Here are some tips for businesses on how to approach personal security as an organization.
1. Know your level of exposure.
If you’re a security leader, it’s time to take a serious look at how your company could be impacted by security incidents that occur on the personal devices and accounts of employees. Successful attacks have already been carried out on several organizations with industry-leading security. Knowing your level of exposure and potential entry points can help you determine where to direct education and resources.
2. Work within your constraints.
Unlike with corporate accounts and devices, security teams can’t require employees to register their personal devices or onboard their personal accounts to a central identity management system. It’s an impossible situation: attackers can go after these unmanaged assets, but security teams can’t protect them the way they protect corporate assets. The best approach is to acknowledge the gap and work within the constraints rather than wasting time and resources on unfeasible solutions.
3. Don’t go it alone.
Investing in security for individuals at home—from proactive prevention through incident response—buys employees peace of mind and helps keep your company from becoming the next victim. Seek managed security and privacy for individuals, whether through personalized managed cybersecurity software or in partnership with an enterprise security team.
Ultimately, if CISOs don’t address this attack surface proactively, employees will force the decision. The reality is that employees are facing these threats because of their jobs, and, as with other work-related risks, employees and state regulators alike are going to expect employers to provide protection.