Cybersecurity

How to protect an exec’s personal email

Good passwords, mobile app management, and verification procedures, for starters.

Anna Kim

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Chris Pierson, CEO at BlackCloak, has dedicated much of his “digital executive protection” firm’s efforts to protecting a breach point that, at times, lives beyond corporate walls and firewalls. Pierson says today’s cyberattackers bypass high-security corporate environments—the castles—by exploiting less-defended personal email accounts.

“If the castle walls are high, don’t attack the king and queen there. Go attack them down at the summer cottage, right? You attack them where there are less controls, but the same target,” Pierson told IT Brew.

Pierson, along with other cybersecurity pros who spoke with IT Brew, gathered a checklist of controls to avoid turning personal compromises into corporate ones.

What’s at stake. A threat actor with access to an exec’s personal email has potential access to shared corporate documents, calendar entries, and conversations between colleagues.

On September 27, 2024, the US Attorney’s Office for the District of New Jersey charged a UK national in a “hack to trade” scheme, alleging that the indicted man gained unauthorized access to corporate execs’ Office 365 email accounts and then used non-public information about impending earnings announcements to reap “substantial profits,” according to the DOJ.

A May 2023 report from BlackCloak found that 42% of 553 surveyed global IT and security practitioners saw an attempt to compromise their personal email.

In 2023, the FBI’s Internet Crime Complaint Center (IC3) received 21,489 complaints related to business email compromise—“the second-costliest type of crime” that year, according to the agency, leading to adjusted losses over $2.9 billion.

Some recommendations from IT pros:

  • Good passwords. You’d be surprised how frequently a work password matches a home password, Adam Marrè, CISO at cybersecurity company Arctic Wolf, told IT Brew. A recent report from the vendor found that 68% of polled global IT and cybersecurity leaders reused credentials.

    “Cybersecurity leaders admit to reusing passwords, and you better believe that number is as high or higher with executives,” Marrè said.

    Multiple IT pros also stressed the importance of familiar basics like multi-factor authentication and updated browsers and software.
  • Mobile application management. Christina Powers, partner at consultancy West Monroe, pointed to mobile application management (MAM) tools, which can “draw a box around” corporate email and applications, enforcing controls such as remote wipe and restrictions on copying and pasting data out of the corporate container.

    Marrè recommends even blocking personal email on work devices. “If you fall for a phishing attack on your personal account, but it’s on your work device, and you download malware, guess what? That malware is now on your corporate device,” Marrè said, even recommending two separate devices where possible.
  • Out of the band! Powers also suggested secondary channels to verify sensitive transactions. “Let’s say the CFO gets a request from the CEO to wire money. The CFO should be able to call the CEO on their known number and say, ‘Hey, was this actually you? Is this legitimate?’” Powers said, regarding verifications when the CEO isn’t found within those castle walls.

“Corporate cybersecurity doesn’t end at the door of the company,” Pierson said.
