The unprecedented level of corporate cybersecurity risk now extends far beyond the four walls of the enterprise. There is no longer any difference between personal and corporate protection when it comes to members of the executive team and board. High-level individuals now have a single, unified digital life, and senior leadership working from home is increasingly exposed.
This is why executives have become the ideal target for any hacker. These high-profile individuals not only have the greatest level of access within the company, but they often have sensitive data stored on their devices. They can also access the company’s financial accounts, and their email account can be used to instruct other employees to perform sensitive tasks.
Executives have traditionally been well protected while inside the corporate network, but in most cases that protection vanishes as soon as they step outside. Their home networks, personal devices, and personal accounts often have little to no meaningful protection.
The Threats and Vulnerabilities in Executives’ Digital Lives
To put the lack of cybersecurity and online privacy protection in an executive’s personal digital life into perspective, BlackCloak recently aggregated and anonymized data from hundreds of our corporate executive clients prior to their onboarding with our digital executive protection solution.
Here’s what we found:
- 39% had malware on their personal devices
- 59% had antivirus on their personal devices
- 40% had their home IP address available for sale via online data brokers
- 75% had personal computers that were either totally unprotected or running on default security settings
- 68% were writing their passwords down in personal notebooks or storing them in the contacts list on their phone
It’s important to note that these threats and vulnerabilities don’t just affect the executive and their family. They also pose a significant risk to the enterprise. For example, an executive’s home IP address being available could lead to DDoS attacks against the home network or to the hijacking of communications carrying important business information. Malware that moves freely on a personal device can move laterally into the enterprise network with little friction, especially if the home network and device security aren’t up to standard.
And with 65% of people reusing passwords across work and personal accounts, a single password compromise could lead to unauthorized access, data theft, and other threats to the enterprise.
Remote Work Security Cannot Apply
It is very difficult for a CISO or corporate security leader to protect the personal digital lives of their executives once they leave the confines of the office. CISOs have little visibility into what goes on in an executive’s home: no insight into the security of the home network, the personal devices in use, personal email accounts, passwords, or the executive’s privacy footprint when they are out of the office.
In addition, CISOs cannot monitor an employee’s home network, because there is really no way to deploy corporate tools in the home environment without capturing data the company should not see or have access to – everything from the types of devices in the home to netflow data.
And good luck enforcing any corporate policy on the spouse and children. Neither is under any obligation to follow cybersecurity or privacy best practices, or to adopt any technology the company recommends.
Digital Executive Protection to Reduce Risk
CISOs have a massive undertaking securing their corporate networks and assets. The last thing they need to worry about is protecting executives, board members, and key personnel at home. Yet if executives’ homes are overlooked, it leaves a major gap in the overall security strategy.
To help mitigate risk, CISOs should talk to their executives about having their personal information, and their family’s personal information, removed from all data broker websites – the hotbed of information used to commit fraud, scams, and identity theft. This can be time consuming, but it’s absolutely worth it.
Further, executives must carry the cybersecurity best practices used at work over into their personal digital lives. At a minimum this includes committing to strong password security and two-factor authentication; regularly updating operating systems, firmware, and IoT devices; and making sure they and their families are trained and hyper-vigilant against email security threats.
It’s unfortunate that the attack surface has expanded yet again. But the reality is that it has grown infinitely bigger, an unintended consequence of vastly improved enterprise security. As a result, executives have become the soft underbelly of enterprise security. Attacking executives at home to bypass corporate security controls and move laterally into the enterprise has evolved from an occasional hassle into a mainstream threat.