- Almost all executives’ personally identifiable information (PII) is available within Data Brokers’ databases, making them highly susceptible to cyberattacks.
- Cybersecurity protection is not enough to safeguard against social engineering and spear-phishing attacks, which are on the rise due to PII proliferation.
- Implementing External Data Privacy (EDP) solutions that use Proactive Risk Mitigation (PRM) as a framework is crucial to shrinking the attack surface and mitigating modern threats.
- Social engineering and spear-phishing attacks are the most significant threats facing executives today, accounting for 91% of all attacks.
- Scanning all employees, including executives, for exposed PII and supplementing cybersecurity protection with EDP is highly recommended.
First, we must state in no uncertain terms that cybersecurity is vital to organizations and their employees, including executives. Without it, networks, applications, and digital assets would constantly be at risk.
But is modern cybersecurity (for brevity, “CS”) protection for executives enough digital security for the C-suite? Since modern CS does nothing to address the PII exposure problem, no, it is not.
Combine that with the fact that an estimated 99% of executives’ PII is found within the databases of some of the most notorious Data Brokers, and the news is not good.
This spread of executive PII has resulted in executives being disproportionately targeted in attacks. According to some studies, the C-suite is 12 times more likely to be targeted. Of course, this has left security teams scrambling for answers.
The state of cybersecurity
Innovation-wise, cybersecurity has advanced significantly. Cutting-edge tools can detect, isolate, and rectify many threats facing organizations, but not all.
In truth, a top priority for executives should be scanning for their exposed PII. If exposed, an EDP company can help remove this disclosed information and continuously monitor for new leaks.
We highly recommend a 100% free, comprehensive scan for your potentially compromised PII.
Cybersecurity is reactive
If we look at modern CS through an objective lens, we see primarily reactive applications. In other words, they are designed to respond to security incidents after they have already occurred.
The current threat environment requires that protection for executives from digital attacks be dynamic and proactive, not passive and reactive. Further, no CS solution takes into account PII exposure.
Only by implementing Proactive Risk Mitigation (PRM), and EDP as the means of delivering it, can organizations effectively shrink the attack surface.
What is Proactive Risk Mitigation?
PRM refers to a risk mitigation strategy that is continuously operational rather than triggered by an incident. Cutting-edge EDP solutions are built on PRM as their primary framework because a threat that is continuously fed by newly published PII can only be countered by a strategy that runs continuously as well.
Any executive security protocol must incorporate PRM.
Without it, individuals and their employers are at an increased risk of attacks.
Risks to Enterprises
Social engineering-related attacks can lead to potentially disastrous security outcomes for enterprises, including:
- Data breaches: resulting in the theft of sensitive information, including financial information and credentials used to access vital corporate systems.
- Business disruption: deceiving employees into disclosing confidential information that can interrupt business operations.
- Compromised systems and networks: tricking individuals into downloading malware or granting unauthorized access, leading to the partial or complete compromise of corporate systems and networks.
- Reputational damage: customer, partner, and stakeholder loss of trust and confidence due to a socially engineered attack.
Modern threats facing executives
Phishing and social engineering are two of the most significant threats facing executives today, and their prevalence is the direct result of the amount of publicly available PII. According to Microsoft, spear phishing accounts for 91% of all cyberattacks.
Social engineering (including spear phishing)
Using PII gleaned from open sources combined with social engineering techniques, threat actors craft personalized messages to create a sense of familiarity and trust. These messages often appear to come from a fellow executive, trusted business partner, or vendor.
A typical attack might look like this: an attacker spends considerable time scanning Data Brokers, People Search Sites, and open web sources searching for the most data-exposed executive within a company. Next, the attacker compiles and compares the data across profiles and determines that the CFO is the most exposed.
Posing as the CFO, and using the CFO’s exposed contacts list and personal details gleaned from social media to make the message ring true, the attacker emails one of the CFO’s fellow executives asking for a favor: a vendor needs an immediate payment or services will be discontinued. Seeing nothing amiss, the colleague wires the funds to the scammer’s bank account.
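The scenario above ends with the colleague taking the message at face value. As an added example (not part of the original article, and not a Privacy Bee product feature), the following Python script shows the kind of mailbox-side check that catches the impersonation traits such a message carries: a known person’s display name paired with an unexpected sending domain, a domain that is a near-miss of a trusted one, a Reply-To that points somewhere else, and urgency paired with a payment request. The trusted-domain list, the people directory, the keyword lists and both email samples are constructed for this example; in practice the directory would come from the organization’s identity provider and the vendor list from its master data.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allowlists for the example (assumption: real deployments load
# these from the org's directory and vendor master data).
TRUSTED_DOMAINS = {"acme-corp.example", "northwind-supplies.example"}
KNOWN_PEOPLE = {
    "jane doe": "acme-corp.example",                    # the CFO
    "northwind billing": "northwind-supplies.example",  # a vendor mailbox
}
URGENCY = re.compile(r"\b(immediate(ly)?|urgent|today|discontinued?|overdue)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|bank account|invoice|IBAN)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; one substitution covers homoglyph swaps such as o -> 0."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates (within 2 edits), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyse(raw):
    """Return a list of spear-phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. A display name we know, but not sent from the domain we expect for it.
    expected = KNOWN_PEOPLE.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display name '{name}' expected at {expected}, sent from {from_domain}")

    # 2. Sending domain is a near-miss of a trusted domain.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} looks like trusted {target}")

    # 3. Replies are steered to a different domain than the one shown in From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Classic BEC pretext: time pressure plus a request to move money.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("body pairs urgency with a payment request")

    return findings


# Constructed sample messages (not real traffic).
PHISHING = """\
From: Jane Doe <jane.doe@acme-c0rp.example>
Reply-To: jane.doe.cfo@freemail.example
To: mark.roe@acme-corp.example
Subject: Quick favor - Northwind payment

Hi Mark,

I'm stuck in meetings all day. Northwind says our invoice is overdue and they
will discontinue service unless the wire transfer goes out today. Could you
send it from your side? New bank account details are below.
"""

LEGIT = """\
From: Jane Doe <jane.doe@acme-corp.example>
To: mark.roe@acme-corp.example
Subject: Q3 budget deck

Hi Mark,

The revised Q3 budget deck is on the shared drive for your review before
Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING), ("legit", LEGIT)):
        print(label, analyse(sample))
```

A check like this complements out-of-band verification rather than replacing it: a request that changes where money goes should be confirmed by calling the requester on a number already on file, never one supplied in the email. Reducing the exposed PII that makes the pretext convincing shrinks the attacker’s input; this script only inspects the attacker’s output.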
Like all public faces, CEOs, CFOs, and other executives draw considerable ire from society. Such is especially true in the United States, where the country has experienced severe recessions (e.g., “The Great Recession”) and environmental disasters (especially oil spills) as direct results of perceived corporate greed.
Unfortunately, this buildup of resentment has been known to manifest in physical altercations. Perpetrators have included disgruntled employees and shareholders, physical activists, anarchist groups, and others.
PII often includes contact information, such as home addresses, and it is easy for a determined threat actor to acquire this information. Data Brokers, for example, have knowingly sold such data to criminal groups.
Find out what information criminals can access by scanning each employee for exposed PII.
Mobile device threats
Mobile devices are quickly becoming the favorite target of threat actors. An estimated 60% of attacks occur via mobile devices.
The above statistic is concerning, especially considering that most smartphones do not carry the relatively robust security software of their PC counterparts. As a consequence, cybercriminals can exploit this gap to execute malware, phishing, or ransomware attacks.
Criminals may also execute modern social engineering attacks designed specifically for mobile devices, such as smishing (phishing over SMS) or vishing (phishing over voice calls).
A new security framework is needed
The current security measures prescribed by most enterprises to counter executive security threats must be improved to combat modern attacks. And few would argue against the notion that the publication of C-suite employees’ PII is the key factor that enables these attacks.
Despite this, most organizations appear to be doing a poor job of educating employees on related attacks. For example, one study found that fewer than 25% of companies educate their employees on social engineering risks.
Executives’ digital and physical protection requires a holistic security program, including dedicated social engineering training, with a strategy for dealing with the risks of exposed personal data.
Partnering with a reputable EDP company is necessary for this increasingly complex cyber threat environment. An EDP provider can shrink the attack surface and mitigate risk by reducing or eliminating the amount of PII available.
Ultimately, the best way for executives to protect themselves from cyberattacks and other threats posed by PII exposure is through a combination of technical and non-technical security measures.
Here is a short list of related measures:
1. Raise social engineering awareness
As mentioned, only about one in four enterprises educate their employees on the threat of social engineering. Integrating social engineering education into cybersecurity training is vital to identifying and preventing social engineering attacks.
2. Use secure Wi-Fi
When conducting business, executives should ensure they use networks with strong security controls, especially when opening email attachments, as attachments are one of the most common attack vectors. Public Wi-Fi should never be used when conducting company business. Note that a trusted network does not make an attachment safe: the network protects the connection, while the attachment itself still needs to be scanned before it is opened.
3. Maintain security protocols
Per a survey reported by Help Net Security, nearly three-quarters (74%) of C-suite respondents admitted asking for permission to bypass one or more of their organization’s security protocols within the past year, and 56% did so more than once. Bypassing security protocols unnecessarily raises the already considerable risk of social engineering and resultant cyberattacks.
4. Integrate EDP
As mentioned, EDP is the solution specifically designed to proactively mitigate the risk of personal data dissemination, publishing/sale, and exploitation.
Partnering with an EDP provider can shrink an organization’s attack surface by finding and removing exposed PII before it is used against employees.
Learn about the Privacy Bee platform and how it can de-risk your organization.
- Microsoft. (2018). What is spear phishing? Keep you and your data safe. Retrieved February 3, 2023, from https://www.microsoft.com/en-us/microsoft-365/business-insights-ideas/resources/what-is-spear-phishing-how-to-keep-yourself-and-your-data-above-water
- Silviu, S. (2019, October 14). Most Employees Receive No Social Engineering Awareness Training. Bitdefender Business Insights. Retrieved February 3, 2023, from https://businessinsights.bitdefender.com/most-employees-receive-no-social-engineering-awareness-training
- Truta, F. (2020, May 29). Executives Bypass Security Protocols for Fear IT Admins Might Peek into Their Private Lives. Bitdefender Business Insights. Retrieved February 6, 2023, from https://businessinsights.bitdefender.com/executives-bypass-security-protocols-for-fear-it-admins-might-peek-into-their-private-lives