BlackCloak on Monday released some eye-popping numbers on how vulnerable top executives are to security breaches.
In a study based on responses from more than 1,000 BlackCloak members, the researchers found that 23% of executives have open ports on their home networks; of those with open ports, 20% have open security cameras.
To add to the bad news, 27% of executives’ personal devices contain malware, 76% of their personal devices are actively leaking data, and 87% of executives’ personal devices have no security installed.
Possibly most disturbing of all to security pros: Only 8% of executives have multi-factor authentication active across a majority of apps and devices. And 87% have passwords that are leaked on the dark web.
These stats are also likely an indication of how vulnerable the general population is, but the C-suite executives are more valuable targets to threat actors, particularly with their access to or discussions about highly sensitive corporate information, said John Hellickson, Field CISO at Coalfire. Hellickson said C-suite executives often pressure the IT department to enable the use of their personal devices and/or personal email accounts, circumventing some of the policies and controls the organization has in place.
“The cybersecurity industry does well in focusing on the security of the corporate environment, but we struggle with offering 'commercial-grade security' in the personal-home environment,” Hellickson said. “It's common knowledge that humans are often the weak link, and these stats just prove that many board members and corporate executives are easy targets for spear phishing and targeted attacks.”
Melissa Bischoping, endpoint security research specialist at Tanium, said corporate devices and data extend beyond the physical business perimeter, and increasingly appear in the home network — a network that’s out of management scope by security teams. As a result, Bischoping said maintaining visibility and control over the corporate-owned devices is necessary to ensure data protection.
“While measures like multi-factor authentication aren’t perfect, these basic best practices are essential, especially for the board/C-suite who often opt-out of the requirement as a matter of convenience,” Bischoping said. "Beyond multi-factor authentication, other security fundamentals include adopting modernized password practices, reliably deployed and configured endpoint security software, and embracing zero trust and data loss prevention as the organization matures. It's also critical to raise awareness throughout the organization around common CEO-spoofing campaigns for smishing/vishing and other social engineering attacks."
Taylor Ellis, customer threat analyst at Horizon3ai, said while conducting some open-source intelligence (OSINT), it’s very common to find the personal information of executives, board members, and high-value employees hiding somewhere on social media. For instance, Ellis has seen a board’s chairman put his private phone number on Facebook, along with his email address, photos flaunting a crystal-clear ID badge (which with some photoshop can easily be copied), and his strong love for the San Francisco 49ers.
“As a social engineering fanatic, you can do a lot with that information,” Ellis said. “While all individuals should be educated about maintaining privacy with social media, figures of interest (especially in the public eye) need to be more careful. As seen in the latest media scandals, the personal lives of figureheads can often interfere with the organization’s image, causing a negative impact to its operations and mission. Therefore, it’s definitely important to educate personnel on how to maintain their privacy while working in a lucrative position.”