Executive assistant superpowers should not be underestimated, given the level of access that some executives have in an organization and the frequency with which they share their privileged access and information with their assistants.
In many organizations, some executives, who sometimes have excessive and unnecessary access to data, facilities and systems, share their privileged access rights with their assistants, making them some of the most powerful employees in terms of access to restricted assets. Executives rightfully delegate much of their administrative work to their assistants; however, such delegation of administrative tasks occasionally transfers access to systems and data to a third person, increasing the risk of unauthorized access and disclosure. Sharing information with assistants may sometimes be necessary; however, sharing security-related data such as passwords may go against security policies and best practices.
Typical executive assistants usually have access to a great deal of confidential information in their departments, as they are involved with many tasks, including documentation and processes related to hiring, performance reviews and termination. They also handle much of the executives’ administrative work, such as expense reporting, email response, calendar management and purchases with the executive’s credit cards.
As previously stated, some executives have powerful access to many resources and assets in the company, whether by design or accidentally. When they share their unrestricted access with their assistants, they place their companies at risk, because access to an information asset, system or facility that was intended for the executive may be neither appropriate nor intended for the assistant.
Executive Assistant Superpower Risks
One of the biggest risks presents itself when executives share privileged access with their assistants for a routine task without realizing that such action may lead to additional unauthorized access. For example, it is not uncommon for a busy executive who has forgotten a password to ask the assistant to contact the help desk for a password reset, because the executive does not have time to wait on hold for a help desk person or listen to automated music. For executives, this is valuable time wasted, so they would rather have their assistants take care of the minor issues. In this example, even if corporate help desk procedures allow an executive assistant to ask for a password reset for the boss, how do we know the assistant doesn’t take advantage of this temporary power to satisfy his or her curiosity? The vast majority of executive assistants are ethical, decent, and hard-working professionals; however, from a security risk management standpoint, cybersecurity professionals must always try to minimize the risk.
Continuing with the password example, once a password is reset with a temporary password, most systems will force the person logging in for the first time with the temporary password to change it upon initial login, so that the password owner can select a unique and personal password. What if, after the assistant is granted a new password, the assistant logs into the system, selects a unique password, goes through the executive’s confidential information and emails, and gives the boss the new password afterwards? If the executive lets the assistant change the temporary password, the executive no longer controls his or her access credential unless the executive changes the password again to prevent future misuse by the assistant. Whether the executive changes the password immediately or only when prompted by the system upon its expiration, there is a window of opportunity for curious and unethical assistants to abuse their executive assistant superpowers. As stated before, the majority of executive assistants are ethical and hard-working people; however, security best practices dictate vigilance in order to ensure security at all times.
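The window described above can be measured from help desk and authentication records. The following is an added example, not part of the original article: it assumes a hypothetical event schema (`type`, `account`, `requester`, `device_owner`) and constructed sample records, and reports how long each account stayed outside its owner's sole control after a reset requested by someone else.

```python
from datetime import datetime

# Constructed sample records. The schema and the idea that each event can be
# mapped to the owner of the originating device are assumptions of this example.
EVENTS = [
    {"time": "2024-03-04T09:00:00", "type": "helpdesk_reset", "account": "exec1", "requester": "asst1"},
    {"time": "2024-03-04T09:04:00", "type": "password_change", "account": "exec1", "device_owner": "asst1"},
    {"time": "2024-03-04T09:06:00", "type": "login", "account": "exec1", "device_owner": "asst1"},
    {"time": "2024-03-04T13:30:00", "type": "login", "account": "exec1", "device_owner": "exec1"},
    {"time": "2024-03-06T08:15:00", "type": "password_change", "account": "exec1", "device_owner": "exec1"},
    {"time": "2024-03-05T10:00:00", "type": "helpdesk_reset", "account": "exec2", "requester": "exec2"},
    {"time": "2024-03-05T10:02:00", "type": "password_change", "account": "exec2", "device_owner": "exec2"},
    {"time": "2024-03-07T11:00:00", "type": "helpdesk_reset", "account": "exec3", "requester": "asst3"},
    {"time": "2024-03-07T11:10:00", "type": "login", "account": "exec3", "device_owner": "asst3"},
]

def exposure_windows(events):
    """For each reset requested by someone other than the account owner, report
    how long the credential stayed outside the owner's sole control."""
    open_windows, results = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct, when = ev["account"], datetime.fromisoformat(ev["time"])
        if ev["type"] == "helpdesk_reset":
            if ev["requester"] != acct:  # delegated reset opens a window
                w = {"account": acct, "requester": ev["requester"], "opened": when,
                     "closed": None, "hours": None, "non_owner_events": 0}
                open_windows[acct] = w
                results.append(w)
            continue
        w = open_windows.get(acct)
        if w is None:
            continue  # no delegated reset pending for this account
        if ev["device_owner"] != acct:
            # Login or password change from a device not assigned to the owner
            w["non_owner_events"] += 1
        elif ev["type"] == "password_change":
            # Owner sets a new password from their own device: window closes
            w["closed"] = when
            w["hours"] = (when - w["opened"]).total_seconds() / 3600
            del open_windows[acct]
    return results

if __name__ == "__main__":
    for w in exposure_windows(EVENTS):
        print(w["account"], w["requester"], w["hours"], w["non_owner_events"])
```

A window with `closed` still `None` is the case to follow up first: the owner has not yet replaced the password that someone else requested.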
There is no magic solution for this problem. Executives must periodically review and assess the access of their assistants to ensure that their access rights are appropriate and limited to what their job duties require for their daily functions, and to prevent unnecessary disclosure of confidential information.