Today's article is a special commissioned report I've been working on with Agency since July. It's a deep dive into an emerging trend of attacks that begin with individuals and cross over to the companies they work for.
I first wrote about Agency in my article on Y Combinator's Winter 2022 batch. I was excited about them then — here's what I wrote at the time:
Agency is one of my favorite companies from this batch. I backed that statement up with my money — I like this company so much that I bought a plan for myself.
I'm even more excited now that I've had the unique opportunity to study the company and the problems they're solving in detail. I hope you enjoy the report.
Overview
Our work and personal lives have become one and the same. Attackers are seeking increasingly devious ways to exploit companies, including attacks on the personal accounts and devices of individual employees and business partners. People are now targeted as individuals because of their work lives. It’s time for cybersecurity to adapt to this new reality.
Managed security and privacy for individuals is an emerging paradigm for addressing this reality and keeping people’s digital lives secure. Forward-thinking companies and sophisticated individuals are turning to cybersecurity experts to help them defend personal devices and accounts. A new generation of personal services now makes enterprise-level cybersecurity accessible to individuals.
Agency commissioned Strategy of Security to explore the intersection of personal and enterprise cybersecurity and new approaches for managing the new wave of attacks. The analysis found vast differences in the tactics and rigor organizations apply to keep their people secure at work compared to individuals at home. The traditional “you’re on your own” model for managing the security and privacy of individuals isn’t working. It’s time for a better approach.
Organizations that offer managed security and privacy services for employees’ digital lives — or forward-thinking individuals who subscribe on their own — are taking a proactive stance. They’re more prepared and resilient against attacks that impact their personal lives. They also prevent attacks from crossing over into their work lives. This is a security model built for the future.
Key Findings
The traditional model for personal digital security isn’t working anymore.
Over-reliance on one-off countermeasures like antivirus is leaving people exposed to new kinds of threats. The “go it alone” approach we’ve taken towards security in the past isn’t enough to keep us safe. It’s not how security is done in enterprises. In the future, it won’t be how security is done for individuals, either.
The individual threat model matters, and it’s converging with the enterprise threat model.
Just like company systems, individuals also face risks and threats on the internet. Acknowledging that a personal threat model exists at all is a new concept. Worse, the personal threat model is quickly becoming a central part of enterprise threat models as personal security incidents escalate into enterprise security breaches.
Managed security and privacy for individuals can reduce the impact of security incidents on people and the companies they work for.
The best way to reduce the risk of personal cybersecurity incidents impacting a company is to proactively manage them. It’s not as straightforward as protecting company assets, though — many people don’t want their employers to have access to their personal devices and accounts. Managed security and privacy for individuals balances the risks faced by companies while respecting the fundamental right to privacy for individual employees.