More than 20 months into a global pandemic, it has become an article of faith that the best way to keep organizations and critical networks safe is to embrace zero trust. Under this umbrella, it is assumed that all network access requests originate from an insecure location, and each user must be verified according to their locations, identities, and the state of their devices. During the ongoing pandemic, the mantra “Never trust and always confirm,” has never been more important.
To review, the key to the zero-confidence framework is the principle of minimum privilege, which is the idea that all users have the minimum level of access required to perform a task. Likewise, users should only have access to a particular app, system, or network when they need access.
But here’s the kicker: Zero-trust policies must apply to everyone – even those at the top of the organization chart, every CXO, director and industry leader. Many C-level employees can take over the fact that they do not always have access to all content on a network; nevertheless, this is the best approach. If C-level users do not need to access data to perform a task, they should not be granted access.
C-Level Executives are primary goals
Failure to keep C-level users to the same standards as other employees can be a fatal mistake. Bad actors are knowledgeable; they realize that the best entry point to a network is often through C-level users – all too often these users are with unrestricted access to sensitive data.
In addition to often having privileged access to sensitive business data, C-level execs also tend to work long hours, receive a barrage of emails, and have valuable reputations. If a top manager’s information is compromised, bad actors can get leverage. After all, if a C-level leader were the cause of a data breach, the bad actor could probably do some damage to reputation just by revealing that fact. So perhaps it is no surprise that it is rare to hear about the exact causes of a data breach.
As Frank Satterwhite, senior cybersecurity consultant at Frankfurt-based 1600 Cyber, explains: “Every time you hear about a large company that has been hacked, you see the CEO come on TV and say, ‘We’re so sad. We “implementing these new technologies. We want to be more protected than ever. But they never address one thing: Nearly 90% of attacks required someone to do something wrong or make a mistake.” Perhaps the reason CEOs so rarely address this human element is because a member of the C-suite was the culprit
Given that C-level executives are the most likely to be targeted, it is logical to assume that some whaling and social engineering attacks on C-level personnel are successful. Nevertheless, it would cost the company further damage to its reputation to issue this treat.
Monitoring, analysis is the key
Within the network, all communications must be encrypted and all abnormal activity must be marked. Through a comprehensive endpoint management solution, it is easy for IT staff to verify the identity of users as well as the state of their endpoints. As many C-level employees feel entitled to have access to all applications at all times, it is especially important to participate in privileged session monitoring.
By monitoring all privileged sessions, IT staff can identify any abnormal behavior or failed login attempts from C-level users’ accounts. These data points can help to interrupt any C-level of the notion that they should always have access to sensitive information. In addition, as dictated by the principle of minimum privilege, all privileged sessions should be closed as soon as possible.
Using a good VPN monitoring solution, IT staff can pull VPN logs from a firewall and then generate security reports for all C-level executives. These privileged user behavioral analytics help create context-aware contexts. After IT personnel combine privileged access data points with endpoint event logs, luminous correlations can occur.
Given that top executives often have accounts with high privileges, their actions can lead to greater consequences; for example, if a CEO accidentally clicks on a malware link, the malware will take effect immediately due to the inherently high privileges in the director’s account. While the director’s access is monitored, all actions that occur due to their behavior will be displayed in incident logs. These data points are then correlated to reconcile the threat and to ensure that the malware launch was actually due to the CEO’s access. Again, these data points can help convince C-level employees that they do not need access to everything all the time.
Embracing zero trust without exception
According to a survey we conducted, 58% of North American respondents reported an increase in phishing attacks. In addition, 46% of North American respondents said endpoint network attacks were increasing, and 37% reported an increase in malware attacks.
The unfortunate reality is that the recent migration to teleworking has created some security challenges and C-level staff need to work with IT staff to keep their networks secure. The last thing organizations need is C-level users who refuse to adopt a zero-confidence framework and behave as if the rules do not apply to them.