Even before the 2020 global pandemic spurred the rise of remote work, cyber criminals had already started to target CEOs and company executives on their personal devices. This has only accelerated in the last year, and experts see a dangerous uptick of organization data loss events that originate from personal data breaches. We talked to Chris Pierson, founder and CEO of BlackCloak, about this new frontier in cyber risk.
Why are threat actors targeting CEOs and other high profile individuals at home?
It’s a much easier and cheaper proposition to compromise the executive, their family members, and their home and have an impact than target the organization itself. The company executives are always on, and COVID exacerbated this even more. The company may be protecting their work laptops, but no one is protecting personal devices, personal privacy, home networks.
Fifty-nine percent of the executives that we onboard have no antivirus on their computers or their personal laptops. Eighty-nine percent don’t have anything on any of their devices at all. Thirty-nine percent of the executives we onboard are compromised—i.e., their home is wide open or they have malware on a machine.
In addition, it’s very easy to access information about an executive that’s already out there and that’s the backdoor for an attack. A threat actor can easily find out the name of the executive’s spouse, or kids or cell phone number.
Why should companies be especially be concerned about these attacks?
What happens outside the castle wall actually does matter. If you think about these kinds of executive homes that are physically very secure—they might have guards and gates—at the same time, many of them have home routers and home automation that’s wide open for attack. And if the corporate machine is linked up to the home network that allows the intruder straight in.
Here’s an example: A CEO for a pharmaceutical company used a messaging app on their personal device and it was taken over by cyber criminals. And messages were sent out to other employees of the company to request a payment through a cryptocurrency address. So this was an illustration of how you can wreak havoc on the inside of a company without actually touching the inside of the company.
How has this threat played out in the last 12 months?
The biggest, absolute highest grossing and highest-impact cybercrime that we’ve seen this year for our corporate execs has been unemployment fraud. And this has impacted them in several different ways. First, it’s taken them offline. They may have to spend a day or more trying to figure out what to do to get rid of this issue. They can’t outsource it to someone else because it’s a very personal issue.
Second, the companies are actually getting impacted because that executive is now paying attention to other things. And third, the family is being impacted because now you have claims of unemployment that they have to go clean up.
We’ve had another case where an individual’s home printer was taken over by a cyber criminal for ransom because it was directly connected point-to-point to the corporate network.
What can individuals and companies do about this risk?
First, you should try to remove your data broker information from the web, but know that there is no way to control what is out there about you and your personal life on the Dark Web. Make sure that you’re not oversharing information on social media that would allow someone the ability to perpetrate a scam.
Second, your company needs to give more thought to security in the home. How do you know the strength of the router, the firewall, the networking equipment at all of these individual homes and remote work locations? It may be impossible to do so, but yet it’s almost like the insurance company is actually underwriting all of those locations. We need to think of this as instead of one in 20 locations, we are now giving hackers 20,000 locations to target.
The onus on organizations is to analyze and assess whether or not your corporate executives present a danger or a risk to the organization in their personal lives. If your company cannot completely secure itself against this risk, then you may need to contract additional services to ensure that your targeted executives are not creating a pathway to a breach.
In summary…
We want to thank BlackCloak and Dr. Pierson for his insights into the topic of personal cyber. This is of special interest to our cyber insurance company partners that offer cyber coverage as part of their homeowner, small business and farm program lines. Given that cybersecurity often starts with the individual employee, it’s no question that our new reality of mass remote work has blurred lines between personal and corporate cybersecurity exposures, resulting in losses. We will continue to watch these issues with great interest.
