Has your CEO’s personal information been hacked? It may be his or her own fault.
A study by F-Secure has found that 30% of CEOs have used their company’s email to register for a service that was breached. This exposed their passwords and other pertinent details.
The percentage is even higher in the U.S. — at 38%. The only countries with worse results are Denmark (62%), the Netherlands (43%) and Finland (40%). In contrast, only 14% in the UK have been victimized in this way, and 9% in Japan.
LinkedIn and Dropbox are the most likely services to be linked to a CEO’s email.
Worse, aside from email links, 81% have had their emails, physical addresses, birth dates and phone numbers revealed on spam lists and leaked marketing databases, F-Secure says.
That figure is 95% in the U.S., the UK and the Netherlands. France is next with 91%, followed by Denmark with 86%. Only 45% of Japanese CEOs have suffered this type of exposure.
F-Secure, a Finland-based cybersecurity company, studied the email addresses of over 200 CEOs at the biggest firms in ten countries — the executives had to have been employed at their firms for five years. It then checked them against its own database of leaked credentials.
It found that only 18% of CEO email addresses worldwide have not been hit with a leak or hack. But that percentage falls to 5% in the U.S., the UK and the Netherlands.
How can CEOs protect themselves?
For one thing, they can do something that would get them into trouble in government — use a private email address. As F-Secure points out, this may protect them if attackers have not checked out their private personas.
But that tactic may be risky.
“When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company’s IT, communications, PR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later,” says Erka Koivunen, chief information security officer for F-Secure.
Koivunen adds, “To an attacker, a CEO who uses private email to register for a service they use in an official capacity, spells a loner — someone who goes it alone and doesn’t bother to rely on his/her staff to provide protection.”
Here are F-Secure’s recommendations for executives: