CISOs, IT lack confidence in executives’ cyber-defense knowledge

IT security teams lack confidence in their executives’ ability to prevent attacks on their personal hardware, systems, and network. This is according to a study sponsored by BlackCloak, a provider of digital privacy protection for high-profile executives, for which Ponemon Institute surveyed 553 US IT and IT security practitioners.

Asked to rate from 1 to 10 how confident they were in CEOs and executives’ abilities to know how to recognize a phishing email, only 28% of respondents were confident. A similar percentage (26%) applying to security teams’ trust in high-level executives to securely set up their home network and protect their personal computers from viruses.

A solution to this problem is, as anyone can guess, training. Verizon’s 2022 Data Breach Investigations report found that 82% of breaches involved the human element, which varies from phishing, use of stolen credentials and business email compromise (BEC) to name a few. The latter includes organizations being targeted due to a breach in a partner. Partners may be targeted due to a breach of a company’s emails, and so on, with some cases not even originating from a breach.

Verizon argued that technology alone won’t solve the problem, so training is required to those deploying the technology to ensure they know the different requirements to each user and to users, CEOs included, whether they like it or not.

As the BlackCloak Ponemon Executive Risks study revealed, simple things like executives reusing compromised passwords from personal accounts inside the company is still happening according to 71% of respondents.

The risks of unsafe private networks

With executives’ digital assets and lives likely to be targeted, companies are still struggling to come to grips with this. According to the report, 58% of respondents say the prevention of cyberthreats against executives and their digital assets is not covered in their cyber, IT, and physical security strategies and budget. Only 38% of respondents say there is a team dedicated to preventing or responding to cyber or privacy attacks against executives and their families.

The report also found that among the respondents, 42% said their executives and family members were attacked by cybercriminals. More alarming for executives is the finding that cyberattacks against executives resulted in the theft of sensitive financial data (47% of respondents), loss of important business partners (45% of respondents), and theft of intellectual property or company information (36% of respondents).

Some things to note is how sensitive information gets out of the enterprise network. Finance (23%) and marketing (22%) departments are most likely to send sensitive data to executives’ personal emails. The executive suite (21% of respondents) and board members (19% of respondents) are also guilty of sending sensitive information to personal emails to one another.

Why executives should be on top of personal digital security

The executive board should be concerned about this and work to get on top of the problem as risks include exposure of home address, personal mobile number, personal email (57%), online impersonation (34%), physical attack (25%), and extortion (25%). Only 32% of respondents say executives take some personal responsibility for the security of their digital assets and safety and only 38% of respondents say executives understand the threat to their personal digital assets.

What CISOs and IT security can do

CISOs need to understand precisely how and where the two risk environments — corporate and personal — intersect to get ahead of this problem. Here are four things to work on to ensure key executives are protected outside the office environment.

• Be vigilant for changes in leadership and executive team risk profiles. These blind spots can be a CEO who makes frequent media appearances, has stock market dealings that are open to public scrutiny, or is simply well enough known to be included in social media conversations.
• Identify the company’s “crown jewels” that need to be protected. This needs to include an evaluation of potential risks, including through personal attack, and developing mitigation strategies.
• Ensure high-level executives get cybersecurity training. All staff should attend tailored awareness training which includes phishing simulation exercises and tabletop exercises, C-level and board executives included.
• Shared responsibilities. CISOs should work with other high-level executives that shared responsibility is being carried across, this means understanding shared risk.

Providers of executive digital protection software

Most of the technology companies providing executive digital protection offer three solutions to the problem: search — for publicly identifiable information (PII)—, remove any data that can be used in attacks, and monitor for new information. For companies looking for technology products that focus solely on the protections of high-level executives, here is a short list of some of the current providers.

BlackCloak’s Concierge Cybersecurity and Privacy platform covers several aspects of executive security including ongoing deep and dark web scans, identity theft protection, device privacy hardening, weekly penetration testing of the home network and intrusion detection. It also covers personal device security and offers remediation services.

DeleteMe has possibly the simplest product on offer, it removes an average of 450 individual pieces of personal data exposed across hundreds of data brokers and other sites, according to the company.

Reputation Defender by Norton is a simpler product that also has dark web scans, social media profiles that expose information about leadership are flagged, and gathers information that could be used for spear phishing and social engineering attacks.

360 Privacy’s Digital Executive Protection also checks and removes PII, scans deep and dark web for threats, leaked information and passwords, and a household security plan.