Organizations are allocating millions of dollars to protecting their information assets and employees but are neglecting to take steps to safeguard the very vulnerable digital assets and lives of key executives and board members. Sponsored by BlackCloak, Ponemon Institute surveyed 553 IT and IT security practitioners who are knowledgeable about the programs and policies used to prevent cybersecurity threats against executives and their digital assets.
The purpose of this research is to understand the risks created by the cybersecurity gap between the corporate office and executives’ protection at home. According to 42 percent of respondents, their key executives and family members have already experienced at least one attack by a cybercriminal.
In the context of this research, digital executive protection extends cybersecurity to outside the office domain by safeguarding the personal digital lives of company executives, board members and key personnel to mitigate the risks of cybercriminals targeting them for hacking, IP theft, reputational risks, doxxing/swatting and financial attacks.
Digital assets include all aspects of an executive’s personal life: address/cell/emails; personal cell, tablet, computer and accounts (email, social etc.), home network and any scams targeting them (doxxing, swatting, personal exposure etc.).
A key takeaway from this research is that while it is likely that executives’ digital assets and lives will be targeted by cybercriminals, organizations are not responding with much needed strategies, budget and staff. We found 58 percent of respondents say the prevention of cyberthreats against executives and their digital assets is not covered in their cyber, IT and physical security strategies and budget. Moreover, only 38 percent of respondents say there is a dedicated team to preventing and/or responding to cyber or privacy attacks against executives and their families.
The following findings are evidence of the risk to executives’ physical security and digital assets.
Executives are experiencing multiple cyberattacks. According to the research, 42 percent of respondents say their executives and family members were attacked by cybercriminals, and 25 percent of respondents say that in the past two years their executives experienced an average of seven or more than 10 cyberattacks. In addition to doxxing and malware infections, other attacks include personal email attacks or compromises (42 percent) and online impersonation (34 percent).
Attacks against executives have the same serious consequences as a data breach. Cyberattacks against executives resulted in the theft of sensitive financial data (47 percent of respondents), loss of important business partners (45 percent of respondents) and theft of intellectual property/company information (36 percent of respondents). More than one-third of respondents (35 percent) say the consequence was improper access to the executive’s home network, which is not secured or patched to the level an organization would require in its offices and facilities.
The finance and marketing departments are most likely to send sensitive data to executives’ personal emails, according to 23 percent and 22 percent of respondents respectively. However, the executive suite (21 percent of respondents) and board members (19 percent of respondents) are also guilty of sending sensitive information to personal emails.
Staff time and the steps taken to detect, identify and remediate the breach are the most costly following an incident. Thirty-nine percent of respondents say their organizations measure the potential financial consequences from such an attack. Fifty-nine percent of these respondents say their organizations measure the cost of staff time involved in responding to the attack and 55 percent of respondents say they measure the cost to detect, identify and remediate the breach.
It’s not if but when key executives will be targeted by organized criminals. Sixty-two percent of respondents say attacks against digital assets are highly likely, and 50 percent of respondents say future physical threats against executives are highly likely.
Criminals are sophisticated and stealthy when targeting executives and other high-profile individuals. Executives are most likely to unknowingly reuse a compromised password from their personal accounts inside their company (71 percent of respondents) and 67 percent say it is highly likely that an imposter would send a text message to another employee at their company. Fifty-one percent of respondents say it is highly likely that an executive’s significant other or child receives an unsolicited email and clicks on a link taking them to a third-party website.
Organizations are not determining the extent of the threat to executives’ physical safety and security of personal digital devices. Only 41 percent of respondents say their organizations are assessing the physical risk to executives and their families and only 38 percent of respondents say organizations assess the risk to executives’ digital assets.
Executives are the weakest link in the ability to protect their lives and digital assets. Only 16 percent of respondents say their organizations are highly confident that a CEO’s or executives’ personal email or social media accounts are protected with dual factor authentication. Respondents are most confident (48 percent) that CEOs and other executives would know how to secure their personal email. Twenty-eight percent of respondents are highly confident that executives would know how to determine if an email is phishing, and 26 percent of respondents say they are highly confident that executives would know how to set up their home network securely.
Only 32 percent of respondents say executives take some personal responsibility for the security of their digital assets and safety, and only 38 percent of respondents say executives understand the threat to their personal digital assets.
As executives switch to their home networks and personal devices, visibility critical to detecting attacks is diminished. According to the research, it is very difficult to have visibility into the following areas when working outside the office: personal devices (74 percent of respondents), executives’ personal email accounts (66 percent of respondents), the executive’s home network to prevent cyberattacks (64 percent of respondents), executives’ privacy footprint (61 percent of respondents) and password hygiene (57 percent of respondents).
Executives working outside the office increase the attack surface significantly. Fifty-nine percent of respondents say ensuring executive protection is more difficult due to the increasing attack surface. However, only about half of respondents (53 percent) say preventing attacks against the digital assets of executives outside the office domain is as much a priority as preventing such attacks when they are in the office. Only 50 percent of respondents say their organizations track potential attacks against executives, such as doxxing, phishing and malware attempts.
To reduce the risk, executives should be trained to secure their devices and physical safety. Almost all organizations are not doing the basics in enabling executives to protect themselves and their personal digital devices. Only 37 percent and 36 percent of respondents, respectively, say their organizations train executives to secure devices inside and outside the workplace. More organizations (53 percent of respondents) are providing self-defense training, but only 42 percent of respondents say their organizations conduct tabletop exercises specific to the threats against executives.
Steps taken to protect executives’ lives and digital devices are ineffective. According to 56 percent of respondents, organizations are mainly focused on updating executives’ personal devices. Fifty-two percent of respondents say their organizations patch vulnerabilities, and 51 percent of respondents say they use password managers. Only 45 percent of respondents say they are using dual factor authentication, 39 percent of respondents say they use botnet scanning, and 36 percent of respondents say they analyze network connectivity on personal devices to detect malicious WiFi hotspots.