Never mind the risk of a board member leaving a folder of sensitive documents in the back of a taxi. The greater threat today exists once executives leave the boardroom and cross the threshold of home.
“Alexa, how many execs and board members of U.S. companies have unsecured home networks and open ports on public IP addresses?”
The answer is: way too many. Experts warn that the modern attack surface has expanded, and board members’ homes are now the soft underbelly of enterprise security. Ignorance or negligence relating to securing today’s connected homes is creating substantial risk for board members with access to and influence over company finances, confidential information and proprietary data.
Be it ever so humble, the home is now a prime target for cybercriminals — but studies show execs and security teams typically overlook the vulnerabilities represented by things like home security cameras, routers and firewalls, home theater setups, home data storage solutions and various smart-home gadgets.
Recent data analysis from BlackCloak quantifies the problem. Researchers found that nearly a quarter of executives have open ports on their home network public IP address. Of those with open ports, 20 percent have completely open home security cameras.
The company aggregated and anonymized data from about 1,000 customers who subscribe to BlackCloak’s digital executive protection platform as part of its onboarding process for new clients. They looked at data from more than 1,000 board members and C-suite executives, plus high-profile/high-value employees at more than 55 U.S.-based Fortune 1000s. Roles spanned CEO, finance, legal, operations, sales, R&D, engineering, IT and other positions of prominence and responsibility, according to BlackCloak.
These open ports are often set up by third-party solutions providers for home theater and home automation, internet-accessible security cameras, networking devices like routers, firewalls and VPNs and other “internet of things” (IoT) uses.
While 23 percent represents only a minority of ports, the company notes that any number of open ports is considered highly unusual, as they are not typically accessible in standard home environments. Oftentimes they are misconfigured or running on outdated firmware and have multiple vulnerabilities.
According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), there’s a common misconception that home networks are too small to be at risk of a cyber attack. Perhaps true 10 to 15 years ago, CISA now estimates that most attacks “are not personal in nature and can occur on any type of network — big or small, home or business. If a network connects to the internet, it is inherently more vulnerable and susceptible to outside threats.”
In the case of high-profile board members for large companies, however, the homes in question are presumably larger, so is the size of the home network, and so is the potential for targeting by cybercriminals.
And in fact, board members’ homes are indeed vulnerable to personal attacks, as board members are common targets for online data brokers, according to BlackCloak. Some of the more concerning data points from the study include:
- 99 percent of executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100 sites.
- 70 percent of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook.
- 40 percent of online data brokers had the IP address of an executive’s home network.
Should a cybercriminal successfully breach a home network, they can easily intercept and reroute traffic and can gain access to personal and work devices, including files and applications connected to that home network.
“For professional cybercriminals, it’s infinitely easier for them to breach the poorly secured, or completely insecure, home network and move laterally into the digital infrastructure of an organization than it is for them to directly attack the well-defended corporate network itself,” Said BlackCloak CEO Chris Pierson. “That’s because there are currently no consumer-grade network security solutions built to protect home networks against targeted cyberattacks, and enterprise-solutions cannot simply extend into the home. As a result, the home network is largely responsible for the massive expansion of the attack surface that’s occurred in recent years.”
Personal devices often lack the most basic security and privacy protections
However vulnerable an executive’s home may be, personal devices are equally, if not more, insecure. BlackCloak research found that many personal devices lack the most basic security software and regularly leak data due to missing or improperly configured device settings, potentially exposing the individual and corporate assets to risk.
Highlights include:
- 27 percent of executives’ personal devices contain malware
- 76 percent of executives’ personal devices are actively leaking data
- 87 percent of executives’ personal devices have no security installed
BlackCloak identified the most common device threats as malware (viruses and Trojans), exploits from unpatched devices, adware, potentially unwanted applications and WiFi threats from malicious networks.
Attacks on personal devices also pave the way for lateral attacks. This occurs when a cybercriminal uses an executive’s compromised device as a conduit to breach the broader organization, potentially leading to widespread damage and disruption.
Executives’ digital privacy is not very private
New BlackCloak research also found that most personal accounts, such as email, e-commerce and applications, lack basic privacy protections. By default, many devices have geo-location enabled, which can make an executive’s whereabouts available for anyone to see, putting them at risk of physical harm.
The research also indicates that the security credentials of executives, such as bank and social media passwords, are readily available on the dark web, making them susceptible to social engineering attacks, identity theft and fraud.
Highlights include:
- Only 8 percent of executives have multi-factor authentication active across a majority of apps/devices.
- 87 percent of executives have passwords currently leaked on the dark web.
- 53 percent of executives are not using a secure password manager.
- 54 percent of executives have poor password hygiene, referring to re-use of passwords and lack of a secure password storage system.
Protect executives to protect the company
Not all cybercriminals are attacking executives’ personal digital lives exclusively to move laterally into their organization. Many times, the executives themselves are the target due to their wealth or status. Nonetheless, an attack on an executive as an individual almost always has some consequence for the organization.
Attacking personal digital lives might be a new risk for enterprises to consider, but it is a risk that requires immediate attention. Adversaries have determined that executives at home are a path of least resistance, and they will compromise this attack vector for as long as it is safe, seamless and lucrative for them to do so.