Examining the Modern Attack Surface: Quantifying the Risks to Individuals and the Enterprise
The attack surface has expanded. The soft-underbelly of enterprise security is now personal digital lives – the digital privacy, personal devices, and home networks of executives, Board Members, and high-value employees with access to and influence over finances, confidential information, and proprietary data.
To quantify this emerging problem, BlackCloak recently conducted cybersecurity’s first comprehensive data report assessing how targeted threats and vulnerabilities that originate in business leaders’ personal digital lives present significant risk to both themselves and to the organizations that they lead.
Under the direction of CISO Daniel Floyd, BlackCloak aggregated and anonymized data from over 1,000 members just before they onboarded onto our digital executive protection platform. Representation includes C-Suite and Board Members, in addition to high-profile executives at more than 55 US-based Fortune 1000s, with roles spanning CEO, finance, legal, operations, sales, R&D, engineering, IT, and other positions of prominence and responsibility.
The following blog post examines the key themes and takeaways from the report, including the role that digital privacy, personal devices, and home networks play in the current threat landscape. You can download the full report, “Quantifying the Business Need for Digital Executive Protection”, for additional information and analysis.
Home network security is highly-vulnerable
The connected home is a prime target for cybercriminals. But few executives or security teams realize the prominence of this emerging threat.
BlackCloak researchers found that nearly a quarter of executives have open ports on their home network public IP address.
- 23% of executives have open ports on their home network
- Of those with open ports, 20% have open security cameras
Our researchers also identified home security cameras, home routers/firewalls, audio/visual equipment, and connected home storage as the most vulnerable home network assets.
While 23% represents only a minority of ports, it’s important to note that any number of open ports is highly unusual, as they are not typically accessible in standard home environments. Ports are often devices setup by third-party solutions providers for home theater and automation, internet accessible security cameras, networking devices like routers, firewalls and VPNs, and other IoT uses. Oftentimes they are misconfigured or running on outdated firmware and have multiple vulnerabilities.
The risks of home network security compromise are abundant. Should an adversary successfully breach the home network, they can easily intercept and reroute traffic, and gain access to all personal and work devices, files, and applications that are connected to that home network.
Personal devices often lack the most basic security and privacy protections
However secure corporate-owned devices are, personal devices are equally, if not more, insecure. BlackCloak research found that many personal devices lack the most basic security software and regularly leak data due to missing or improperly configured device settings – potentially exposing the individual and corporate assets to risk.
- 27% of executives’ personal devices contain malware
- 76% of executives’ personal devices are actively leaking data
- 87% of executives’ personal devices have no security installed
In addition, BlackCloak identified the most common device threats as malware (viruses and Trojans), exploits from unpatched devices, adware, potentially unwanted applications, and Wi-Fi threats from malicious networks.
Today, 75% of the U.S. workforce uses their personal phones for work, such as accessing corporate resources. This presents an abundance of opportunity for personal device compromise that can lead to malware and ransomware, account takeover, and data breaches, among other consequences.
Attacks on personal devices also pave the way for lateral attacks. This occurs when a cybercriminal uses an executives’ compromised device as a conduit to breach the broader organization, potentially leading to widespread damage and disruption.
Executives’ digital privacy is not very private
New BlackCloak research also found that most personal accounts, such as email, e-commerce, and applications, lack basic privacy protections. By default, many devices have geo-location enabled, which can make an executive’s whereabouts available for anyone to see – putting them at risk of physical harm.
Additionally, our research found that the security credentials of executives – such as bank and social media passwords – are readily available on the dark web, making them susceptible to social engineering attacks, identity theft, and fraud.
- Only 8% of executives have multi-factor authentication active across a majority of apps/devices
- 87% of executives have passwords currently leaked on the dark web
- 53% of executives are not using a secure password manager
- 54% of executives have poor password hygiene. This means that they do not use a password manager, they regularly reuse passwords and they store passwords in insecure locations (e.g. – Excel file)
Earlier this year, BlackCloak unveiled data highlighting the significant risks that online data brokers pose to individuals and their company. Some of the more concerning data points from this study include:
- 99% of executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100
- 70% of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook
- 40% of online data brokers had the IP address of an executive’s home network
Online data brokers remain the primary source of truth for hackers and cybercriminals to obtain the information needed to deploy targeted cyberattacks, such as social engineering or business email compromise, or to commit online fraud and identity theft.
Protect executives to protect the company
Not all cybercriminals are attacking executives’ personal digital lives exclusively to move laterally into their organization. Many times, the executives themselves are the target due to their wealth or status. Nonetheless, an attack on an executive as an individual almost always has some consequence for the organization.
Attacking personal digital lives might be a new risk for enterprises to consider, but it is a risk that requires immediate attention. Adversaries have determined that executives at home are a path of least resistance, and they will compromise this attack vector for as long as it is safe, seamless, and lucrative for them to do so.
Download our full data report to learn more about executive cybersecurity and digital privacy risks, and how digital executive protection is the answer to protecting your company by protecting your executives in their personal digital lives.