Commentary

Into The Security Breach: CEO Emails May Be Weak Link

Has your CEO’s personal information been hacked? It may be his or her own fault.

A study by F-Secure has found that 30% of CEOs have used their company’s email to register for a service that was breached. This exposed their passwords and other pertinent details.

The percentage is even higher in the U.S. — at 38%. The only countries with worse results are Denmark (62%), the Netherlands (43%) and Finland (40%). In contrast, only 14% in the UK have been victimized in this way, and 9% in Japan.

LinkedIn and Dropbox are the most likely services to be linked to a CEO’s email.

Worse, aside from email links, 81% have had their emails, physical addresses, birth dates and phone numbers revealed on spam lists and leaked marketing databases, F-Secure says.

That figure is 95% in the U.S., the UK and the Netherlands. France is next with 91%, followed by Denmark with 86%. Only 45% of Japanese CEOs have suffered this type of exposure.

F-Secure, a Finland-based cybersecurity company, studied the email addresses of over 200 CEOs at the biggest firms in ten countries — the executives had to have been employed at their firms for five years. It then checked them against its own database of leaked credentials. 

It found that only 18% of CEO email addresses worldwide have not been hit with a leak or hack. But that percentage falls to 5% in the U.S., the UK and the Netherlands.

How can CEOs protect themselves?

For one thing, they can do something that would get them into trouble in government — use a private email address. As F-Secure points out, this may protect them if attackers have not checked out their private personas.

But that tactic may be risky.

“When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company’s IT, communications, PR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later,” says Erka Koivunen, chief information security officer for F-Secure.

Koivunen adds, “To an attacker, a CEO who uses private email to register for a service they use in an official capacity, spells a loner — someone who goes it alone and doesn’t bother to rely on his/her staff to provide protection.”

Here are F-Secure’s recommendations for executives:

  • Use a unique and strong password.
  • Don’t invent password logic that can be used against you.
  • Use two-factor authentication.
  • Know the lockout or recovery scenario.
  • Be careful about using social login.
  • Use a password manager.

 
