An eye-opening security and privacy study from BlackCloak finds that C-Suite personal devices are rarely secured properly, and a worrying number are already compromised.
The study draws on a sample of over 1,000 C-Suite and board members that subscribe to BlackCloak’s digital executive protection platform; their personal devices and home network security were analyzed prior to onboarding. Among the most concerning findings are that nearly 1 out of 4 have open ports on their home networks, a little over 1 out of 4 already have malware on their personal devices, and almost 9 out of 10 have no security and privacy measures whatsoever installed on these devices.
Report finds C-Suite security and privacy in a woeful state
According to BlackCloak, this is the first data analysis to specifically focus on the personal devices and home internet use of C-Suite executives. The sampled subjects come from 55 US-based Fortune 1000 companies and have a broad range of responsibilities, including heading up IT, engineering and R&D departments.
The findings are generally that C-Suite members are somehow still not aware of the security and privacy implications of failing to properly address both home networks and personal devices. While the personal devices may be somewhat more difficult to get to, the study finds that 23% of executives have open ports on their home network public IP address. Of those that have open ports, 20% have security cameras on the network. The study also found connected home storage, routers, firewalls and audio/visual equipment essentially open to an attacker with minimal determination and skill.
The researchers note that these numbers are unusual compared to what would normally be expected for the general public; ports are usually not accessible by default on equipment intended for the home. The likely explanation is faulty setup of security systems, home automation or theater systems, or components that are outdated and have known vulnerabilities.
While it is usually tougher for attackers to ride the internet directly into C-Suite personal devices, the security and privacy numbers here are even more worrisome. 87% of executive devices have no security measures at all installed, 76% are actively leaking data (due either to misconfigured settings or prior compromise), and 27% have already been infected with malware.
Security and privacy hygiene for online accounts is also in need of some improvement. 87% of C-Suite executives have had a password leaked on the dark web, 53% do not use password managers, and only 8% are regularly using multifactor authentication (MFA) across their various accounts and devices. Additionally, 54% of the C-Suite reported some element of poor password hygiene, such as re-use of passwords or storing them in an insecure location.
Personal devices leaking sensitive information to data brokers
Another element of security and privacy that appears to be frequently overlooked by C-Suite executives is the amount of information that their personal devices are broadcasting to data brokers, who are constantly gathering scraps to form dangerously detailed profiles over time.
The researchers found that 99% of C-Suite executives had personal data profiles listed with at least 36 data brokers, and more than half were listed with over 100 of these companies. 70% of these data broker files had personal information scraped from public social media profiles, such as pictures and employment information from LinkedIn and Facebook. And 40% had logged the IP address of an executive’s home network.
Data brokers are an overlooked source of intelligence for attackers. The profiles contain a great deal of information useful for fraud and targeted phishing schemes, and C-Suite executives are at greater risk than most due to both their personal wealth and the access they can provide to their organization. This issue is compounded when executives ask the IT department to allow their personal devices access to the company network for the sake of convenience. If the device is not secured, this is very likely the weakest link available to begin moving laterally into a company network; it’s also one that attackers are well aware of and actively seeking out.
A similar issue appears when executives bring work devices home to an improperly secured network. And even if the executive keeps the technical end of their security and privacy practices locked down, oversharing on the internet can provide scammers with all of the material they need to commit fraud. One very common example is the business email compromise attack, in which the attacker generally impersonates the executive in communications with the company staff (usually those that are authorized to make payments or release sensitive information). These attacks have increased in sophistication to the point that there have been cases of the use of AI algorithms to impersonate the executive’s voice on the phone.
Melissa Bischoping, Endpoint Security Research Specialist for Tanium, shared some thoughts on securing executive devices when the executive themselves might not be persuaded to do so: “Beyond Multi-Factor Authentication, other security fundamentals include adopting modernized password practices, reliably deployed and configured endpoint security software, and embracing Zero Trust and Data Loss Prevention as you mature your organization. It’s also critical to raise awareness throughout your organization around common CEO-spoofing campaigns for smishing/vishing and other social engineering attacks, as exposed CEO data – and public info from social media posts – can make for a very convincing lure to dupe victims.”
Rajiv Pimplaskar, CEO of Dispersive Holdings, added: “The BlackCloak report presents some hard-hitting and staggering datapoints on acute vulnerabilities and urgent need for executive protection … Avoidance is better than remediation and the best strategy is to lower the probability of detection of the executive’s digital footprint across public cloud and the Internet. In the intelligence and forensics world this is known as managed attribution where source and destination relationships are obfuscated … Businesses should urgently implement next generation VPN technologies with cloud obfuscation capabilities to prevent executive ‘digital bread crumbs’ from creating targets. Strong authentication combined with improved protection for high value users and locations can be and should be core to a modern data protection strategy.”