An assistant holds the calendar, the correspondence, the access to half the accounts that run a private life. A breach of the assistant is a breach of the principal. The assistant's email, the assistant's phone, the assistant's device are operational extensions of the person they work for, and they are typically secured to a lower standard than the principal would tolerate for themselves.
Attackers know this. The path to a difficult target frequently runs through someone adjacent to them whose defences are softer. A phishing message sent to the assistant, indistinguishable from a routine schedule confirmation, can place malicious code on a device that holds three years of the principal's diary.
The leak from this kind of compromise is usually not noticed. The assistant continues to work. The principal continues to be served. The information that has been quietly read is used elsewhere, sometimes months later, in ways that appear unconnected to the original compromise.
The defence is to bring the assistant inside the same envelope of protection as the principal: the same device standards, the same email hygiene, the same multi-factor posture, and a written understanding of what is and is not appropriate to handle by ordinary means.
An honest account of what is presently knowable is the starting point. The rest depends on the matter.