Monthly Archives: June 2023

Understanding the Serious Risks to Executives’ Personal Cybersecurity & Digital Lives

Organizations are allocating millions of dollars to protecting their information assets and employees but are neglecting to take steps to safeguard the very vulnerable digital assets and lives of key executives and board members. Sponsored by BlackCloak, Ponemon Institute surveyed 553 IT and IT security practitioners who are knowledgeable about the programs and policies used to prevent cybersecurity threats against executives and their digital assets.

The purpose of this research is to understand the risks created by the cybersecurity gap between the corporate office and executives’ protection at home. According to 42 percent of respondents, their key executives and family members have already experienced at least one attack by a cybercriminal.

In the context of this research, digital executive protection extends cybersecurity to outside the office domain by safeguarding the personal digital lives of company executives, board members and key personnel to mitigate the risks of cybercriminals targeting them for hacking, IP theft, reputational risks, doxxing/swatting and financial attacks.

Digital assets include all aspects of an executive’s personal life: address/cell/emails; personal cell, tablet, computer and accounts (email, social etc.), home network and any scams targeting them (doxxing, swatting, personal exposure etc.).

A key takeaway from this research is that while it is likely that executives’ digital assets and lives will be targeted by cybercriminals, organizations are not responding with much-needed strategies, budget and staff. We found 58 percent of respondents say the prevention of cyberthreats against executives and their digital assets is not covered in their cyber, IT and physical security strategies and budget. Moreover, only 38 percent of respondents say there is a team dedicated to preventing and/or responding to cyber or privacy attacks against executives and their families.

The following findings are evidence of the risk to executives’ physical security and digital assets:

 Executives are experiencing multiple cyberattacks. According to the research, 42 percent of respondents say their executives and family members were attacked by cybercriminals and 25 percent of respondents say in the past two years executives experienced an average of seven or more than 10 cyberattacks. In addition to doxxing and malware infections, other attacks include personal email attacks or compromises (42 percent) and online impersonation (34 percent).

Attacks against executives have the same serious consequences as a data breach. Cyberattacks against executives resulted in the theft of sensitive financial data (47 percent of respondents), loss of important business partners (45 percent of respondents) and theft of intellectual property/company information (36 percent of respondents). More than one-third of respondents (35 percent of respondents) say the consequence was improper access to the executive’s home network, which is not secured or patched to the level an organization would require in its offices and facilities.

 The finance and marketing departments are most likely to send sensitive data to executives’ personal emails, according to 23 percent and 22 percent of respondents respectively. However, the executive suite (21 percent of respondents) and board members (19 percent of respondents) are also guilty of sending sensitive information to personal emails.

 Staff time and the steps taken to detect, identify and remediate the breach are the most costly following an incident.  Thirty-nine percent of respondents say their organizations measure the potential financial consequences from such an attack. Fifty-nine percent of these respondents say their organizations measure the cost of staff time involved in responding to the attack and 55 percent of respondents say they measure the cost to detect, identify and remediate the breach.

It’s not if but when key executives will be targeted by organized criminals. Sixty-two percent of respondents say attacks against digital assets are highly likely and 50 percent of respondents say future physical threats against executives are highly likely.

Criminals are sophisticated and stealthy when targeting executives and other high-profile individuals. Executives are most likely to unknowingly reuse a compromised password from their personal accounts inside their company (71 percent of respondents) and 67 percent say it is highly likely that an imposter would send a text message to another employee at their company. Fifty-one percent of respondents say it is highly likely that an executive’s significant other or child receives an unsolicited email and clicks on a link taking them to a third-party website.

Organizations are not determining the extent of the threat to executives’ physical safety and security of personal digital devices. Only 41 percent of respondents say their organizations are assessing the physical risk to executives and their families and only 38 percent of respondents say organizations assess the risk to executives’ digital assets.

 Executives are the weakest link in the ability to protect their lives and digital assets. Only 16 percent of respondents say their organizations are highly confident that a CEO or executives’ personal email or social media accounts are protected with dual factor authentication. The most confidence (48 percent of respondents) is that CEOs and other executives would know how to secure their personal email. Twenty-eight percent of respondents are highly confident that executives would know how to determine if an email is phishing and 26 percent of respondents say they are highly confident that executives would know how to set up their home network securely.

Only 32 percent of respondents say executives take some personal responsibility for the security of their digital assets and safety and only 38 percent of respondents say executives understand the threat to their personal digital assets.

As executives switch to their home networks and personal devices, visibility critical to detecting attacks is diminished. According to the research, it is very difficult to have visibility into the following areas when working outside the office: personal devices (74 percent of respondents), executives’ personal email accounts (66 percent of respondents), the executive’s home network to prevent cyberattacks (64 percent of respondents), executives’ privacy footprint (61 percent of respondents) and password hygiene (57 percent of respondents).

Executives working outside the office increase the attack surface significantly. Fifty-nine percent of respondents say ensuring executive protection is more difficult due to the increasing attack surface. However, only about half of respondents (53 percent) say preventing attacks against the digital assets of executives outside the office domain is as much a priority as preventing such attacks when they are in the office. Only 50 percent of respondents say their organizations track potential attacks against executives, such as doxxing, phishing and malware attempts.

 To reduce the risk, executives should be trained to secure their devices and physical safety.  Almost all organizations are not doing the basics in enabling executives to protect themselves and their personal digital devices. Training executives to secure devices in and outside the workplace is only conducted by 37 percent and 36 percent of respondents, respectively. More organizations (53 percent of respondents) are providing self-defense training but only 42 percent of respondents say their organizations conduct tabletop exercises specific to the threats against executives.

Steps taken to protect executives’ lives and digital devices are ineffective. According to 56 percent of respondents, organizations are mainly focused on updating executives’ personal devices. Fifty-two percent of respondents say their organizations patch vulnerabilities and 51 percent of respondents say they use password managers. Only 45 percent of respondents say they are using dual factor authentication, 39 percent of respondents say they use botnet scanning and 36 percent of respondents say they analyze network connectivity on personal devices to detect malicious WiFi hotspots.

 Read the full white paper at BlackCloak’s website

 

Two-thirds use tech to avoid face-to-face interactions; the truth we don’t want to face


Bob Sullivan

Machines dehumanize people.  I’ve long had a mental experiment in mind that I’d love to pull off one day — force people to walk at a grocery store the way they drive on a highway.  You know: cut each other off, flip the bird, breathe (literally) down someone’s neck on line.  It would all look and feel absurd, at least for most. All this to show people that we do things when we are in control of machines that we’d never do in “real” life. In other words, the machines control us, not the other way ’round.

Another easy thought experiment: a real-life mall where everyone says the things they’ve said (or heard) on Instagram or TikTok comments.   If you don’t know what I’m talking about, consult a woman.

This is bad for our souls.  When you treat another person like an object, you’re a jerk. But I believe it also rebounds into you, and a piece of your humanity dies every time you dehumanize another person, even if it “feels” good at the moment.  And this is how humans lose the robot war, without ever firing a shot.  We just surrender our humanity and take the robots’ side.  So if you are worried about ChatGPT, I think we have a lot more to worry about.

Cars, naturally, were just the beginning of this underhanded “invasion.” Smartphones have become a far more potent weapon in this dehumanization effort. I don’t have to work hard to make my case – we’ve all seen someone staring down hypnotically at a handheld screen while a store clerk asks, “Can I help you? CAN I HELP YOU!?” a dozen times.

I saw a survey this week that provides a bit more evidence for my concern. It was sponsored by a website named PlayUSA.com, which describes itself as a news service that provides independent information about the legal U.S. gambling industry. The survey was designed to examine the impact of tech products on loneliness and it found:

  • 62% of respondents like that tech is replacing social interactions
  • 60% use self-service kiosks and mobile apps to skip talking with people
  • 75% report a decrease in social skills due to tech
  • 74% made a delivery driver leave food outside even if they could have opened the door to grab the delivery
  • 30% say they give drivers better ratings for not talking

As always, there’s a host of caveats to this survey.  It was conducted online, using Google forms, which does not produce the best random sample. The company told me it conducted four different surveys from four different age groups to ensure balanced generational perspective — so it tried. That doesn’t give you a sample that’s truly as diverse as the U.S. population, of course.  Doing so is tricky even under the best of circumstances.

Still, the results ring true. They do not necessarily prove my thesis — that tech is making us more lonely – or worse, dehumanizing us. After all there are plenty of other explanations for this behavior.  It can feel safer to avoid meeting in person with a delivery driver; plenty of women will tell you chit-chatting with a driver can turn into something more uncomfortable very quickly; and self-checkout is often quicker than waiting for a cashier.  Plenty of people with crippling social anxiety now have an avenue for living that has made their lives infinitely better, and I don’t mean to discount that.

Still, for most, our lives are designed to be full of human interactions large and small, or at least I believe they should be. I’ve written before about Eric Berne’s theory of transactional analysis — that the sum of your everyday hellos and goodbyes and “how-are-yous” really do add to or subtract from your mental health. The pandemic severely limited our ability to engage in such daily niceties, but technology is keeping us that way. There are plenty of studies suggesting younger Americans are suffering from depression and social anxiety at rates we’ve not seen before. Tech clearly enables isolation.

But I worry about something more.

Tech tends to put a great distance between powerful people and weak people. It enables abuse because it can make abuse invisible. You would never yell at an older person in a grocery store for taking an extra moment to be sure-footed while stepping forward in a line.  You probably wouldn’t hesitate to scream at that same person when behind the wheel in a car.

One more thought experiment: The next time someone drives or cycles dinner to you, imagine if you would do the same for them.   I venture to guess you’d never directly ask someone you knew to cycle in the pouring rain for 15 minutes to bring you ice cream – but it’s sure easy to click “deliver” on an app and have the goodies left by the door.

I’m not saying food delivery is evil, or even bad. But I am saying that it’s unhealthy to avoid looking another human being in the eye when you make them do something for you.  And my real fear about artificial intelligence? It’ll put yet another layer of 1s and 0s between powerful people and weak people. Another victory for robots in this war we are losing.