C-suite executives are increasingly being sold on the need for cybersecurity in the workplace, but this message does not seem to carry over to their personal lives. A new study from an executive protection platform, BlackCloak, found that of a sampling of 1,000 clients, 90% had no security and privacy protection software installed on their personal devices and a little over 25% had already been infected by some form of malware.
C-Suite personal devices feeding unethical data profiling industry
The main force preying on C-suite disregard for personal security and privacy is not hackers, but data brokers. A review of the sort of third-party data brokers that build detailed personal profiles on people from scraps of available information, sometimes in violation of platform policies or even national privacy laws, found that 99% of C-suite executives had a profile listed with at least 36 of these services. A little over 50% were listed with 100 of these services.
This issue affects all C-suite executives, not only those compromised by malware, and it includes those who take active measures to protect their security and privacy in their home life. Many are leaking sensitive personal information via their public web and social media presence. The resulting profiles can be a rich bounty for hackers and scammers, who are just as capable of purchasing access to them as anyone else. One key point the study uncovered is that 40% of C-suite executives have a home IP address listed in these data broker profiles; about 23% of all executives also leave ports open on their home networks.
Study indicates security and privacy practices in need of immediate, serious improvement
Security and privacy awareness in home life clearly lags behind awareness of what needs to be done in the workplace. Among the executives that had security deficiencies on their home networks, a wide variety of devices were sitting open to attackers and could be accessed with little trouble: security cameras, routers, and connected storage devices among them. Internet of Things (IoT) device security appears to be a particular problem in this area.
In addition to slightly over a quarter of C-suite personal devices already having malware on them, 76% are also leaking personal information due to some sort of configuration oversight or the effects of a prior device compromise. 87% have had at least one of their passwords leaked to the dark web, and 54% are either re-using passwords or storing passwords somewhere insecure online. Only 47% are using password managers (indicating that password re-use is endemic with the remaining group) and only 8% make regular use of multi-factor authentication across their set of personal devices.
What can be done to improve executive security and privacy? The study recommends tailored education campaigns, of the same sort that are provided to the rank-and-file. These should focus on attacks that specifically target CEOs and executives and how they make use of common weaknesses in personal devices.