Comment by ninjagoo
8 hours ago
> most executives do not have an information/network security background but do have privileged access to extremely valuable information, even if an attacker just has access to their email.
In a properly structured organization, of which there are many and who are required by regulations and/or best practices, senior executives tend to have need/role-based access to information, just like everyone else in the organization. So they may have access to strategic business information, but not patient records or payroll. They may have access to planning data, but not the financial records of individual or clients. Etc. etc.
Smaller or newer orgs may not have this compartmentalization, but in general I think the principle holds true for orgs over a certain number of folks in size.
I do not disagree with anything you said.
Generally, when it comes to 'privileged' information within an executive's inbox it is business information or trust relationships and not specific PII/PHI of a user. It was me being terrible at trying to impart that even the most benign-seeming access may have major consequences even if it is not a total compromise of everything given the massive scope of 'what could happen' with executives vibe coding applications, like something managing their inbox past their EA, or something trivial-seeming.
Right, but your Head of HR may have access to the drive with employee PII in it, or your CTO may be able to view your IT team's password manager.
These are 'proper' (sometimes) access controls, but can still be abused. Not from email...but you get the idea.