The Corporate Sneakernet: Protecting the Enterprise as Executives Circumnavigate Security Controls
Security teams are investing more time and resources in securing corporate networks than ever. As they plan for business continuity, remote work, and the transition to the next new normal, CISOs and security buyers are asking for significant budget increases in 2021.
But while security professionals work hard to protect employees and digital assets within the “four walls” of the organization, serious threats to the company are being made possible, unknown to them, by their own executives and their use of the “corporate sneakernet.”
What is the “corporate sneakernet?”
Executives, board members, and key personnel are busy people. They work around the clock, from anywhere, on multiple devices. They know that security controls are important, but they also don’t want them to hinder productivity.
To accommodate this balancing act between security and efficiency, the controls imposed on executives may be more lenient than those for the rest of the company – a bad practice – or executives simply work around them.
For example, before leaving the office at the end of the day an executive might “sneak” a file to their personal email so they can review it anywhere, to a personal file-sharing account, or onto a USB flash drive so they can work on it on a tablet they share with the rest of the family. There is no ill will here; they just want to get things done.
Circumventing corporate security controls to move information from one device to another is nothing new. It’s called the “sneakernet,” a 1990s slang term used to describe the unsanctioned physical movement of files typically using a flash drive or floppy disk.
Gaps in security exacerbate concern about the corporate sneakernet
CISOs and security leaders can’t outlaw this behavior and they don’t have the reliable controls to do so. But it’s imperative that they are aware of the risks of the corporate sneakernet and the use of personal devices and networks for work-related tasks.
For example, most personal email accounts do not have two-factor authentication enabled. Home networks are not secured or patched to the level a corporation would insist on in the office. Home devices are also not adequately protected and often already have malware on them. BYOD policies are irrelevant because they can’t be applied to the devices and IoT equipment used by spouses and children.
The result of a lack of controls is sobering. As BlackCloak has onboarded new clients, we have observed that four in ten corporate executives have malware on their personal devices or have wide open home networks. In 59% of cases, even basic anti-virus software is missing.
As protected and secure as any company’s digital assets and networks are, as soon as an executive heads home or switches over to working on a family device or personal email account, the CISO loses control and the company is at risk. Without the proper controls, criminals can easily hack into company resources using the executive as a conduit to sensitive information.
Targeting the executive to target the company
Consider this scenario. A fictional CEO of an insurance company, Bob Charles, has a corporate laptop, a VPN, and multi-factor authentication to access corporate resources. But sometimes, when at home, on the road, or at his vacation home, Bob leaves his corporate device at the office and uses his unsecured personal iPad to stay on top of his job. To do so he unwittingly “sneaks” around the system by sending copies of potentially confidential files he may need to his Gmail account, without thinking for a moment how unprotected that device and email account are. Furthermore, Bob’s wife and kids use the same iPad, and Bob has no control over what is uploaded to or downloaded from the device.
Bob is now an active participant in the corporate sneakernet. With no corporate security shield or teams to monitor and protect him, he is also potentially the weakest link in his company’s security infrastructure, and a juicy target for bad actors.
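The behaviour in the scenario above does leave a trace on the corporate side: the outbound mail gateway sees the message leaving for a consumer webmail domain. The following is an added example (not BlackCloak's code or product) of how a security team could surface that pattern from gateway logs. The log lines, the account names and the domain lists are constructed for the example; the key=value log format is an assumption, so the parser would be adapted to whatever the real gateway emits.

```python
import re
from datetime import datetime

# Consumer webmail domains that sit outside corporate controls (assumed, illustrative list).
CONSUMER_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Accounts under heightened scrutiny, e.g. executives and board members (constructed).
WATCHED_SENDERS = {"bob.charles@corp.example"}

# Constructed outbound mail-gateway log lines in an assumed key=value format (not real logs).
SAMPLE_MAIL_LOG = """
2021-02-03T18:42:10Z from=bob.charles@corp.example to=bobcharles99@gmail.com attach=Q4-forecast.xlsx size=284113
2021-02-03T14:05:33Z from=bob.charles@corp.example to=counsel@lawfirm.example attach=contract.pdf size=90211
2021-02-03T18:50:01Z from=alice.dev@corp.example to=alice.dev@icloud.com attach= size=0
2021-02-03T19:02:44Z from=bob.charles@corp.example to=bob.charles@corp.example attach=notes.docx size=12000
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attach=(?P<attach>\S*) size=(?P<size>\d+)$"
)


def parse_line(line):
    """Parse one gateway log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "from": d["from"].lower(),
        "to": d["to"].lower(),
        "attach": d["attach"],
        "size": int(d["size"]),
    }


def shares_name(sender_local, recipient_local):
    """Self-forward heuristic: a name token from the sender appears in the recipient address."""
    sender_tokens = [t for t in re.split(r"[._\-+]", sender_local) if len(t) >= 3]
    compact = re.sub(r"[^a-z]", "", recipient_local)
    return any(t in compact for t in sender_tokens)


def classify(event):
    """Return the reasons an event looks like a sneakernet forward (empty list if none)."""
    reasons = []
    to_domain = event["to"].rsplit("@", 1)[-1]
    if to_domain not in CONSUMER_MAIL_DOMAINS:
        return reasons
    reasons.append("recipient_is_consumer_webmail")
    if event["attach"]:
        reasons.append("has_attachment")
    if event["from"] in WATCHED_SENDERS:
        reasons.append("sender_is_watched_executive")
    if shares_name(event["from"].split("@")[0], event["to"].split("@")[0]):
        reasons.append("likely_self_forward")
    # "Before leaving the office at the end of the day": flag sends outside 07:00-18:00.
    if event["ts"].hour >= 18 or event["ts"].hour < 7:
        reasons.append("outside_business_hours")
    return reasons


def sneakernet_alerts(lines):
    """Scan log lines and return alert dicts for mail sent to consumer webmail domains."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if "recipient_is_consumer_webmail" not in reasons:
            continue
        high = {"has_attachment", "sender_is_watched_executive"} <= set(reasons)
        alerts.append({
            "ts": event["ts"].isoformat(),
            "from": event["from"],
            "to": event["to"],
            "severity": "high" if high else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in sneakernet_alerts(SAMPLE_MAIL_LOG):
        print(alert)
```

On the constructed log, Bob's forward of the forecast spreadsheet to his Gmail address is rated high (watched sender, attachment, self-forward, after hours), Alice's empty self-forward to iCloud is rated medium, and mail to the outside law firm and to Bob's own corporate address is not flagged. An alert of this kind is a prompt for a conversation with the executive and for offering a sanctioned way to work remotely, not proof of wrongdoing.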
Protect Your Company by Protecting Your Executives
Despite the hard work of CISOs and their teams, security protections on personal devices, accounts, and home networks are falling well short. It’s all too easy for business leaders and executives to “get around” corporate controls with the sneakernet. To close these security holes, CISOs and security teams must find ways to protect executives at home without getting in the way of their productivity or their privacy (which traditional corporate security controls can compromise) and give everyone the peace of mind they need.
Read more about BlackCloak’s services for corporate executives and board members in their personal lives. Or, contact us to learn more about how our simple, unobtrusive, bespoke concierge cybersecurity and privacy model can protect executives as they navigate the corporate sneakernet.