Why the C-Suite Doesn't Need Access to All Corporate Data

If zero trust is to work properly, then it must apply to everyone.

More than 20 months into a global pandemic, it's become an article of faith that the best way to keep organizations and critical networks safe is to embrace zero trust. Under that umbrella, it's assumed that all network access requests originate from an unsafe location, and every single user should be verified according to their locations, identities, and the health of their devices. During the ongoing pandemic, the mantra "Never trust and always verify," has never been more important.

To review, the key to the zero-trust framework is the principle of least privilege, which is the notion that all users are provided with the minimum level of access required to complete a task. Likewise, users should only be granted access to a particular app, system, or network when they need access.

But here's the kicker: Zero-trust policies must apply to everyone — even those at the top of the organizational chart, every CXO, director, and line-of-business leader. Many C-level employees may take umbrage with the fact that they are not always provided with access to all content within a network; nevertheless, this is the best approach. If C-level users do not need to access data to complete a task, they should not be granted access.

C-Level Executives Are Prime Targets
Failure to hold C-level users to the same standards as other employees can be a fatal mistake. After all, bad actors are savvy; they realize that the best entry point into a network is often through C-level users — because far too often, these are the users with unbridled access to sensitive data.

Besides often having privileged access to sensitive corporate data, C-level execs also tend to work long hours, receive a barrage of emails, and have valuable reputations. If a senior executive's information is compromised, bad actors can gain leverage. After all, if a C-level executive was the cause of a data breach, the bad actor can likely do some reputational damage just by disclosing that fact. So perhaps it is no surprise that it is rare to hear about the exact causes of a data breach.

As Frank Satterwhite, principal cybersecurity consultant at Frankfurt-based 1600 Cyber, explains, "Every time you hear about a big company being hacked, you see the CEO get on television and say, 'We're so sorry. We're implementing these new technologies. We're going to be more protected than ever. But they never address one thing: Almost 90% of the attacks required someone to do something wrong or make a mistake." Perhaps the reason CEOs so rarely address this human element is because a member of the C-suite was the culprit

Given that C-level execs are the most likely to be targeted, it is logical to assume that some whaling and social engineering attacks on C-level personnel are successful. Nevertheless, to broadcast this tidbit would cost the company further reputational damage.

Monitoring, Analytics Are Key
Within the network, all communication should be encrypted, and all anomalous activity should be flagged. Through a unified endpoint management solution, it's easy for IT personnel to verify users' identities, as well as the health of their endpoints. Seeing as many C-level employees feel entitled to have access to all applications at all times, it's especially important to engage in privileged session monitoring.

By monitoring all privileged sessions, IT personnel can identify any anomalous behavior or failed login attempts from C-level users' accounts. These data points can help disabuse any C-levels of the notion that they should always have access to sensitive information. Additionally, as dictated by the principle of least privilege, all privileged sessions should be closed as soon as possible.

Through the use of a good VPN monitoring solution, IT personnel can pull VPN logs from a firewall, and then generate security reports for all C-level executives. These privileged user behavior analytics help to create context-aware correlations. After IT personnel combine privileged access data points with endpoint event logs, illuminating correlations can arise.

Given that top execs often have accounts with high privileges, their actions can lead to bigger consequences; for example, if a CEO inadvertently clicks on a malware link, the malware will immediately take effect due to the inherent high privileges on the CEO's account. While monitoring the CEO's access, any actions that happen due to their behavior will appear in event logs. These data points are then correlated in order to reconcile the threat and to ascertain that the malware launch was, indeed, due to the CEO's access. Again, these data points can help to convince C-level employees that they don't need access to everything all the time.

Embracing Zero Trust Without Exceptions
According to a survey we conducted, 58% of North American respondents reported a rise in phishing attacks. Moreover, 46% of North American respondents said endpoint network attacks were on the rise, and 37% reported an increase in malware attacks.

The unfortunate reality is that the recent migration to remote work has created some security challenges, and C-level employees need to be working alongside IT personnel to keep their networks safe. The last thing organizations need is C-level users refusing to adopt a zero-trust framework and acting as if the rules don't apply to them.

Recommended Reading: