As many people around the world began sheltering in place at the beginning of the Covid-19 pandemic, the number of online attack surfaces expanded rapidly, allowing threat actors to exploit vulnerabilities and take advantage of ill-equipped organizations and their key individuals. Overall increased online activity and the present environment of uncertainty continue to fuel opportunistic cybercriminals, and if the past year and a half has shown experts in the digital economy anything, it’s that every advance in digital transformation also empowers new threat actors ready to exploit any vulnerability.
Entrepreneurs and executives alike increasingly operate in what is often described as “the new world of work,” connoting comprehensive digitization and automation of people, processes and entire systems that depend on geographically and virtually distributed workforces, vendors, supply chains and business partner networks. While this new tech-enabled business ecosystem offers unprecedented opportunities, it also demands that business leaders understand and respond to the risks inherent in the digital space. Because digital technologies, processes and digital risk itself are new and rapidly changing, this is admittedly challenging. In recognizing that the personal data of individuals (think emails, usernames, passwords, names/surnames) offer a key attack vector for any corporate or organizational network, leaders must also come to understand that executives are often extremely high-value targets.
Amid the pandemic, my threat intelligence firm, Constella Intelligence, has observed new vulnerabilities for individuals, executives and brands across the digital ecosystem. We have seen leaked identity records left to circulate on open sources and these records being leveraged by threat actors who are looking to build digital profiles of potential targets. These digital profiles are used to assist threat actors with account takeover, disinformation campaigns and phishing scams. According to TUBE, 80% of reported security incidents come in the form of phishing scams. Scams like these are often aimed at corporate executives, board members and other high-ranking officials. Nearly 60% of the data breaches my firm analyzed in the past year contained attributes exposing personally identifiable information (PII) such as first and last names, phones or email addresses. As outlined in my firm’s 2021 Identity Breach Report, this personal data is incredibly valuable for digital threat actors.
Sensitive personal data is the proverbial “oil” that is fueling the digital breach economy. Just as critically, many executives appear to be particularly vulnerable and poorly prepared. Our research shows that energy and telecommunications companies are increasingly targeted for breaches/leakages. Fortune 500 companies in these sectors have been exposed in an estimated 11,000 breaches or leakages since 2016. In fact, more than 40% of these exposures have occurred since 2020. Executives are being increasingly targeted as a key vector of attack in these breaches; of the Fortune 500 executives that we surveyed in the energy and telecommunications sectors, over 40% have had their corporate credentials exposed in the last five years.
Another company’s research found that C-level executives are 12 times more likely to be pursued by attackers and nine times more likely to be victimized.
For threat actors, attacking an executive opens the door to accessing corporate networks. Because of this, brands are at a greater risk than ever due to the interconnected nature of our digital ecosystem and the deepening relationship between digital threats and pernicious reputational outcomes for companies. Among several resulting consequences, including the enhanced ability of threat actors to carry out phishing, account takeover and impersonation campaigns, sensitive PII can be used to create fake social media accounts with real information, creating networks of fake profiles for the deployment of coordinated, targeted disinformation campaigns. The Chief Information Officers Council provides information on how situations like phishing, account takeovers and misinformation campaigns can cause digital safety risks for social media users.
Fortunately, chief information security officers (CISOs) are becoming more and more commonplace in large organizations. A few years ago, it was predicted that 100% of large companies around the world would have a CISO position, or an equivalent role, by 2021. This rise of cyber professionals in the C-suite is an encouraging start, but it’s not enough. Why? Because threat actors and tactics are constantly evolving just as quickly as our technologies are advancing, making successful cybersecurity preparedness a strategic and organization-wide matter. Moreover, the connection between digital risk and reputational, financial and even legal harm inflicted upon individuals and companies is unequivocally stronger than ever. This not only creates challenges from a technical perspective but can also have serious reputational, financial and potential legal repercussions. These consequences can be significant for organizations that can afford neither the reputational nor the financial setbacks associated with targeted threats to their human, technological and organizational infrastructure. Just as bad, executives themselves can see their reputations and personal brands irreparably damaged if they’re not vigilant.
What can executives and leaders do to reduce digital risk to their companies and brands?
• Focus on strategies for both prevention and remediation that consider the roles of employees and leaders as well as organizational best practices and protocols.
• Use strong (unique, complex) passwords in combination with multifactor authentication, when possible, across all accounts.
• Mandate the use of a business virtual private network to provide end-to-end encryption and safeguard the company’s network.
• Err on the side of caution when visiting unfamiliar websites — experts observed a spike in malicious domains in the early months of the pandemic.
• Even if you do not actively use social media, protect your turf by having a secure and verified presence. If you do not create a profile, threat actors will happily fill the void.
We have long known that PII drives a wide range of harmful activities in the breach economy — however, executives are becoming a principal attack vector due to their high-level access to corporate networks. Business leaders are not immune to the risks of the digital ecosystem. In fact, they present lucrative opportunities for the malign activities of threat actors. It is time to transcend narrow views of the challenge ahead and build comprehensive, holistic, human-centered and tech-enabled approaches to addressing digital risk for organizations and individuals.