Picnic Executive Digital Privacy Snapshot: Leadership at Risk

Introduction

The overwhelming prevalence of data breaches, exposed credentials, and the visibility of personal information underscores an urgent need for enhanced digital security measures tailored for executive protection. The security of executive leadership has become a paramount concern for organizations across all sectors. This snapshot report delves into the alarming state of executive digital security, drawing on comprehensive data analysis to reveal the extent of vulnerabilities faced by C-suite members. The data presented here should serve as a call to action for corporate security teams and executive leadership.

Key Findings

Picnic conducted proprietary research into the publicly exposed digital footprints of over 10,000 chief executives across 65 industries. Our analysis revealed a troubling corporate status quo where the C-Suite’s digital security is alarmingly compromised across several key areas. The statistics paint a picture of widespread exposure and vulnerability:

Data Broker Profiles

The vast majority of executives have a significant digital footprint, with over 93% of C-Suite members having a current or former home address visible via data brokers. On average, 11+ data broker profiles appear per executive. This level of exposure increases risks of stalking, doxxing and other forms of harassment, as an executive’s home address is easily available via a simple search.

Data Breaches

The pervasiveness of data breaches is an area of top concern, with nearly 100% of C-Suite members having been involved in a data breach. These aren’t minor incidents, as personal or corporate credentials appear in an average of 43 data breaches or compilations per executive. The sheer volume of breaches associated with executives indicates a lack of consistent protection, and the relatively easy access to data from these breaches increases the likelihood that cybercriminals may obtain additional valuable data.

Cleartext Passwords

Perhaps one of the most alarming findings is that 94% of C-Suite members have an exposed cleartext credential (CTC), with an average of 4.3 exposed CTCs per executive. This means that sensitive credentials, intended to protect private and corporate data, are exposed, with 84% of those exposed passwords coming from personal breaches. The reuse of passwords and the failure to properly secure credentials across personal and professional platforms have created significant vulnerabilities for executive leadership.

Analysis by Leadership Role

The overall picture of executive vulnerability isn’t pretty. But which leadership roles are the most vulnerable? Picnic’s data suggests that organizations are doing a better job at insulating CEOs and CFOs from risk than other roles – but history shows that cyberattackers don’t mind taking a different route. Criminals will find the easiest way in.

The most exposed leaders across companies were:

  • Chief Technology Officers (CTOs): By the time an IT leader ascends to CTO, they are likely to have created credentials for thousands of applications and systems throughout their careers. It’s not surprising then that they also face the most breaches and exposed CTCs. But CTOs also lead in being victimized by personal data breaches. Given their access to sensitive technologies and data, this concerning rate of exposure highlights a need for tech leaders to take a much more proactive approach to protection.
  • Chief Revenue Officers (CROs): CROs have the most contact information exposed. While it’s natural that those leading sales organizations have made themselves continually easy to reach, it also means they are more vulnerable to social engineering attacks or identity theft. Their personal emails and phone numbers are the most exposed of any role.
  • General Counsels (GCs): GCs have the most data broker profiles. This heightened visibility may be due to their public role within organizations and their involvement in legal and regulatory matters, but it also exposes them to more risk. Given GCs’ access to critical financial information and intellectual property, they represent highly valuable targets to hackers.
  • Chief Marketing Officers (CMOs): Chief Marketing Officers demonstrate significant digital exposure and are the second most likely to have been caught up in both personal and corporate data breaches. CMOs have the most exposed CTCs from corporate breaches. This makes them more susceptible to credential theft, business email compromise, and other cyber threats.

Analysis by Industry

C-suite leaders in every industry are carrying significant data exposure baggage – but some sectors’ executive digital footprints are riskier than others. Here are the most exposed:

Software: C-level executives in the computer software industry exhibit the highest level of digital risk, experiencing the most personal breaches and the most total breaches.

Healthcare: The data shows that across all C-level Executives, Healthcare CEOs have the most personal data exposure, including home addresses, personal emails and dates of birth. This exposure places them at the highest risk for targeted attacks. Other healthcare C-level roles are similarly exposed, leading all industries with exposed personal phone numbers.

Higher Education: The more open nature of academia may make these institutions more vulnerable to attacks – the higher ed sector leads in corporate breaches and trails only the computer software industry in terms of breaches and exposed CTCs.

Government Administration: Government entities have the most data broker profiles. This is concerning because of the potential for misuse of this information and because government employees could be targeted for attacks due to their role and responsibilities.

Information Technology and Services: IT services company executives also face a high level of risk with the second most personal breaches and are among the top three most commonly exposed industries across all types of exposed credentials.

Conclusion

The state of executive digital security is precarious, with widespread vulnerabilities exposed across all sectors and titles. The statistics presented in this report underscore the urgent need for proactive measures to protect executive leadership. Organizations must adopt comprehensive security strategies that include:

Monitoring Digital Footprints: Continuously assessing the exposure of the C-Suite and their families to physical and cyber threats born out of exposed PII on the public web.

Mitigating PII Leaks: Taking down data broker profiles continuously and neutralizing compromised credentials.

Employing Specialized Protection Platforms: Using executive protection services that can identify and remediate vulnerabilities.

Training and Education: Ensuring that executives are aware of the risks they face and the best practices to mitigate those risks.

Real-World Hack: How an Ethical Hacker Targeted a Cybersecurity CEO

Robert M. Lee is a recognized authority in the industrial cybersecurity community and was named Security Executive of the Year for 2022 by SC Media. As CEO and co-founder of Dragos, he is routinely sought after for advice and input about cybersecurity for industrial and critical infrastructure and is regularly asked to brief national leaders. With his consent, in a live hacking demonstration, ethical hacker Rachel Tobac targeted Lee to illustrate the multifaceted risks executives face. Tobac leveraged open-source intelligence (OSINT) to gather publicly available information, which formed the basis for a series of social engineering attacks.

The information Tobac collected included:

Contact details: Phone numbers, addresses, email addresses, and social media accounts were all available on the Internet without specialized tools. These initial datapoints allowed Tobac to determine the best ways to reach Robert M. Lee, and provided more information for later steps in her attack.

Involvement in 12 data breaches: Lee’s information was caught up in unavoidable third-party breaches that affected huge swaths of the U.S. population. Still, they exposed a wealth of personal information, including emails, phone numbers, physical addresses, and, critically, plaintext passwords.

A short video clip from social media: It’s difficult for CEOs to do their job without making public appearances in support of their brands. Lee is often asked to do so due to his prominence in the cybersecurity community. But one seemingly innocuous piece of content was used to create a highly realistic voice clone.

With these elements in hand, Tobac demonstrated how this information could be weaponized:

Caller ID Spoofing: Tobac spoofed Robert M. Lee’s phone number, making it appear as though calls were originating from him. This added a layer of credibility to her planned voice cloning attack.

Voice Cloning for Information Extraction: Tobac used an application that created a voice clone of Lee to call a member of his team, asking them to reveal his password manager’s master password.

Crafting targeted phishing emails: The combination of personal information and breached credentials allowed for highly convincing and personalized real-time phishing attempts. The emails seemed as automated and professional as if they were coming from a trusted service provider.

Zoom Impersonation via Deepfake: By using only two minutes of video, Tobac created a deepfake that could allow her to impersonate Lee in a Zoom meeting.

Tobac emphasized how hackers who attack the C-Suite know they must start with a believable pretext. This most often means posing as someone with whom the target has a work or personal relationship. She noted that hackers exploit the fact that people are more likely to make mistakes when they are stressed or distracted, such as early in the morning.

Tobac’s exercise with Lee underlines the urgency for security teams to protect both executives and the systems they can access. Security leaders must now go well beyond the network to monitor and remove executives’ digital footprints. Executives must be aware of the risks to adopt best practices for mitigating them.

About Picnic

Picnic Corporation is at the forefront of cybersecurity and privacy innovation, empowering protection of enterprises and their executives with turnkey protections offered as a managed service. Picnic’s technology continuously neutralizes public data exposure for organizations and their employees. By continuously monitoring and reducing exposure to open-source intelligence (OSINT), Picnic enables a proactive defense mechanism that extends beyond the corporate perimeter, safeguarding business continuity and organizational integrity.
