Zscalerのブログ

Zscalerの最新ブログ情報を受信

CXO Insights

The Director’s Cut: Trusted Perimeters Become Board Liabilities

image
ROB SLOAN
July 06, 2026 - 4 分で読了

Board-level cyber risks requiring oversight: perimeter compromise through weak credential hygiene, frontier AI accelerating vulnerability exploitation, AI governance influencing cyber insurance outcomes, and third-party vendor breaches creating downstream customer exposure.

 

Perimeter Security Compromise Should Concern Boards

A credential-harvesting campaign targeting Fortinet firewalls and VPN gateways has compromised more than 30,000 internet-facing devices across 194 countries, according to Dark Reading. Affected organizations span government, telecommunications, healthcare, financial services, education, and critical infrastructure. Researchers were able to gauge the scale because they discovered an exposed attacker server containing the group’s tooling, victim database, and a repository of verified working usernames and passwords.

The campaign appears to have relied not on a new Fortinet flaw, but on weak account hygiene, including reused credentials and default administrator passwords left unchanged after earlier breaches. Researchers say the operation was highly automated and likely self-sustaining. Indicators reportedly point to Russian-speaking threat actors, and the apparent motive may have been mixed: financial gain and possible cyber espionage.

For directors, the lesson is broader than Fortinet. This incident shows how vulnerable companies remain when they rely on perimeter devices and long-lived credentials as trusted gateways into the business. Yesterday’s security models are not built to withstand today’s attacks. Modern zero-trust approaches can reduce reliance on legacy perimeter devices, narrowing attack surface and limiting the damage if credentials are compromised.

What Directors Should Ask Management:

  • How confident are we that administrative and remote-access credentials are regularly rotated, protected by multifactor authentication, and not vulnerable to reuse from prior breaches?

  • If one internet-facing security device or privileged account were compromised, how effectively could we contain the intrusion before it disrupted operations or exposed sensitive data?

  • What progress are we making in reducing dependence on older perimeter-based access models and moving toward zero-trust controls?

Frontier AI Is Raising Cyber Risk

CyberScoop reports a new warning from the Five Eyes intelligence alliance that frontier AI models are likely to reshape cybersecurity within months, not years. The warning came as a researcher published a cache of alleged zero-day exploits—previously unknown software flaws that attackers can use before vendors issue fixes—reportedly created with AI. At least two were already said to be under active attack. Together, the developments suggest AI is accelerating how quickly vulnerabilities can be found, weaponized, and deployed in the wild.

AI does not change every security principle, but it is sharply compressing the time available to respond. Organizations with legacy systems, slow patching cycles, weak identity controls, and unnecessary internet exposure will be easier to exploit at machine speed. Cyber risk assumptions now age faster, and resilience depends on whether management can reduce exposure, act quickly, and contain damage when attacks scale.

What Directors Should Ask Management:

  • Where do legacy systems or unnecessary internet-facing assets create exposure that adversaries could exploit faster than we can respond?

AI Governance Could Reshape Cyber Insurance

WSJ Pro Cybersecurity reports that cyber insurers are starting to ask not just whether a company has baseline controls, but how quickly it can respond when those controls fail. As AI shortens the time between vulnerability discovery and exploitation, underwriting is shifting toward patch speed, incident response readiness, vendor oversight, and the ability to contain fast-moving attacks. The issue is not only premium pricing; weak AI governance could affect how risk is assessed, what coverage terms look like, and how closely claims are scrutinized after an incident.

For directors, this is a governance issue as much as an insurance issue. If management cannot show disciplined oversight of AI use, third-party exposure, cyber resilience, and response speed, the organization may face narrower coverage, tougher underwriting, or more difficult claims discussions after a breach. AI governance is becoming part of financial resilience, not just technology governance.

What Directors Should Ask Management:

  • What evidence can we provide insurers that we can identify, contain, and recover from AI-accelerated threats quickly?

Klue Breach Exposes Hidden Third-Party Risk

A breach at Klue shows how quickly third-party cyber risk can spread across a customer ecosystem. Attackers reportedly used a compromised legacy credential to steal active connection tokens that linked Klue to customer Salesforce environments, giving them access to data from nearly 200 downstream organizations. Exposed information reportedly included business contact details, quotes, and support-related records rather than core products or internal systems.

For directors, the lesson is not about Klue alone. It is about how much trust companies place in vendors, integrations, and long-lived credentials that can quietly create broad downstream exposure. The situation became even more disruptive when a second threat actor reportedly obtained the stolen data and some customers reported being extorted by two separate criminal groups. The takeaway is clear: one vendor weakness can quickly become a customer problem.

What Directors Should Ask Management:

  • Do we know which suppliers could create the largest downstream blast radius if their credentials or integrations were compromised?

 

*****

Zscaler is a proud partner of NACD's Northern California chapter. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email rsloan[@]zscaler.com to learn more.

form submtited
お読みいただきありがとうございました

このブログは役に立ちましたか?

免責事項:このブログは、Zscalerが情報提供のみを目的として作成したものであり、「現状のまま」提供されています。記載された内容の正確性、完全性、信頼性については一切保証されません。Zscalerは、ブログ内の情報の誤りや欠如、またはその情報に基づいて行われるいかなる行為に関して一切の責任を負いません。また、ブログ内でリンクされているサードパーティーのWebサイトおよびリソースは、利便性のみを目的として提供されており、その内容や運用についても一切の責任を負いません。すべての内容は予告なく変更される場合があります。このブログにアクセスすることで、これらの条件に同意し、情報の確認および使用は自己責任で行うことを理解したものとみなされます。

Zscalerの最新ブログ情報を受信

このフォームを送信することで、Zscalerのプライバシー ポリシーに同意したものとみなされます。