Blog de Zscaler

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

CXO Insights

The Director’s Cut: Trusted Perimeters Become Board Liabilities

image
ROB SLOAN
julio 06, 2026 - 4 Min de lectura

Board-level cyber risks requiring oversight: perimeter compromise through weak credential hygiene, frontier AI accelerating vulnerability exploitation, AI governance influencing cyber insurance outcomes, and third-party vendor breaches creating downstream customer exposure.

 

Perimeter Security Compromise Should Concern Boards

A credential-harvesting campaign targeting Fortinet firewalls and VPN gateways has compromised more than 30,000 internet-facing devices across 194 countries, according to Dark Reading. Affected organizations span government, telecommunications, healthcare, financial services, education, and critical infrastructure. Researchers were able to gauge the scale because they discovered an exposed attacker server containing the group’s tooling, victim database, and a repository of verified working usernames and passwords.

The campaign appears to have relied not on a new Fortinet flaw, but on weak account hygiene, including reused credentials and default administrator passwords left unchanged after earlier breaches. Researchers say the operation was highly automated and likely self-sustaining. Indicators reportedly point to Russian-speaking threat actors, and the apparent motive may have been mixed: financial gain and possible cyber espionage.

For directors, the lesson is broader than Fortinet. This incident shows how vulnerable companies remain when they rely on perimeter devices and long-lived credentials as trusted gateways into the business. Yesterday’s security models are not built to withstand today’s attacks. Modern zero-trust approaches can reduce reliance on legacy perimeter devices, narrowing attack surface and limiting the damage if credentials are compromised.

What Directors Should Ask Management:

  • How confident are we that administrative and remote-access credentials are regularly rotated, protected by multifactor authentication, and not vulnerable to reuse from prior breaches?

  • If one internet-facing security device or privileged account were compromised, how effectively could we contain the intrusion before it disrupted operations or exposed sensitive data?

  • What progress are we making in reducing dependence on older perimeter-based access models and moving toward zero-trust controls?

Frontier AI Is Raising Cyber Risk

CyberScoop reports a new warning from the Five Eyes intelligence alliance that frontier AI models are likely to reshape cybersecurity within months, not years. The warning came as a researcher published a cache of alleged zero-day exploits—previously unknown software flaws that attackers can use before vendors issue fixes—reportedly created with AI. At least two were already said to be under active attack. Together, the developments suggest AI is accelerating how quickly vulnerabilities can be found, weaponized, and deployed in the wild.

AI does not change every security principle, but it is sharply compressing the time available to respond. Organizations with legacy systems, slow patching cycles, weak identity controls, and unnecessary internet exposure will be easier to exploit at machine speed. Cyber risk assumptions now age faster, and resilience depends on whether management can reduce exposure, act quickly, and contain damage when attacks scale.

What Directors Should Ask Management:

  • Where do legacy systems or unnecessary internet-facing assets create exposure that adversaries could exploit faster than we can respond?

AI Governance Could Reshape Cyber Insurance

WSJ Pro Cybersecurity reports that cyber insurers are starting to ask not just whether a company has baseline controls, but how quickly it can respond when those controls fail. As AI shortens the time between vulnerability discovery and exploitation, underwriting is shifting toward patch speed, incident response readiness, vendor oversight, and the ability to contain fast-moving attacks. The issue is not only premium pricing; weak AI governance could affect how risk is assessed, what coverage terms look like, and how closely claims are scrutinized after an incident.

For directors, this is a governance issue as much as an insurance issue. If management cannot show disciplined oversight of AI use, third-party exposure, cyber resilience, and response speed, the organization may face narrower coverage, tougher underwriting, or more difficult claims discussions after a breach. AI governance is becoming part of financial resilience, not just technology governance.

What Directors Should Ask Management:

  • What evidence can we provide insurers that we can identify, contain, and recover from AI-accelerated threats quickly?

Klue Breach Exposes Hidden Third-Party Risk

A breach at Klue shows how quickly third-party cyber risk can spread across a customer ecosystem. Attackers reportedly used a compromised legacy credential to steal active connection tokens that linked Klue to customer Salesforce environments, giving them access to data from nearly 200 downstream organizations. Exposed information reportedly included business contact details, quotes, and support-related records rather than core products or internal systems.

For directors, the lesson is not about Klue alone. It is about how much trust companies place in vendors, integrations, and long-lived credentials that can quietly create broad downstream exposure. The situation became even more disruptive when a second threat actor reportedly obtained the stolen data and some customers reported being extorted by two separate criminal groups. The takeaway is clear: one vendor weakness can quickly become a customer problem.

What Directors Should Ask Management:

  • Do we know which suppliers could create the largest downstream blast radius if their credentials or integrations were compromised?

 

*****

Zscaler is a proud partner of NACD's Northern California chapter. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email rsloan[@]zscaler.com to learn more.

form submtited
Gracias por leer

¿Este post ha sido útil?

Exención de responsabilidad: Este blog post ha sido creado por Zscaler con fines informativos exclusivamente y se ofrece "como es" sin ninguna garantía de precisión, integridad o fiabilidad. Zscaler no asume ninguna responsabilidad por errores u omisiones ni por las acciones que se tomen basándose en la información proporcionada. Cualquier sitio web o recurso de terceros enlazado en esta publicación de blog se proporciona únicamente por conveniencia, y Zscaler no se hace responsable de su contenido ni de sus prácticas. Todo el contenido está sujeto a cambios sin previo aviso. Al acceder a este blog, acepta estos términos y reconoce ser el único responsable de verificar y utilizar la información de manera adecuada según sus necesidades.

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Al enviar el formulario, acepta nuestra política de privacidad.