Has your CEO’s personal information been hacked? It may be his or her own fault.
A study by F-Secure has found that 30% of CEOs have used their company’s email to register for a service that was breached. This exposed their passwords and other pertinent details.
The percentage is even higher in the U.S. — at 38%. The only countries with worse results are Denmark (62%), the Netherlands (43%) and Finland (40%). In contrast, only 14% in the UK have been victimized in this way, and 9% in Japan.
LinkedIn and Dropbox are the most likely services to be linked to a CEO’s email.
Worse, aside from email links, 81% have had their emails, physical addresses, birth dates and phone numbers revealed on spam lists and leaked marketing databases, F-Secure says.
That figure is 95% in the U.S., the UK and the Netherlands. France is next with 91%, followed by Denmark with 86%. Only 45% of Japanese CEOs have suffered this type of exposure.
F-Secure, a Finland-based cybersecurity company, studied the email addresses of over 200 CEOs at the biggest firms in ten countries — the executives had to have been employed at their firms for five years. It then checked them against its own database of leaked credentials.
It found that only 18% of CEO email addresses worldwide have not been hit with a leak or hack. But that percentage falls to 5% in the U.S., the UK and the Netherlands.
How can CEOs protect themselves?
For one thing, they can do something that would get them into trouble in government — use a private email address. As F-Secure points out, this may protect them if attackers have not checked out their private personas.
But that tactic may be risky.
“When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company’s IT, communications, PR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later,” says Erka Koivunen, chief information security officer for F-Secure.
Koivunen adds, “To an attacker, a CEO who uses private email to register for a service they use in an official capacity, spells a loner — someone who goes it alone and doesn’t bother to rely on his/her staff to provide protection.”
Here are F-Secure’s recommendations for executives:
- Use a unique and strong password.
- Don’t invent password logic that can be used against you.
- Use two-factor authentication.
- Know the lockout or recovery scenario.
- Be careful about using social login.
- Use a password manager.