
Family Ties: How Hackers Target the Personal Lives of Board Members

Locking down leaders’ work devices isn’t enough

by Chris Pierson
October 4, 2023
in Cybersecurity, Featured, Governance

Robust cybersecurity measures for employees, executives and board members are increasingly pushing fraudsters to find other targets — and they are. By targeting board members’ homes and even their families, cyber criminals can gain access to a human supply chain of compromised accounts. BlackCloak CEO Chris Pierson breaks down these threats and warns: The SEC is watching.

Hackers are constantly on the hunt for new corporate victims. However, as companies get better at securing their networks, many threat actors are bypassing these defenses by conducting highly targeted personal attacks on key company personnel — where protections are typically more lax.

Board members are an ideal target for these attacks because they have high levels of access to company information, frequently serve on the boards of multiple companies (creating a sort of “human supply chain”) and their status as authority figures creates a perfect opportunity for downstream phishing attacks on other company executives and employees. This kind of attack is known as business email compromise (BEC), which is one of the costliest types of fraud, according to federal crime data.

Since one successful attack on a board member can result in extensive access and opportunity for the cybercriminal — and not just at one company but at multiple organizations — board members cannot afford to be under-protected. This issue becomes even more important with new SEC regulations, which require greater oversight by board members of cybersecurity risks.

3 areas where hackers are most likely to strike

Board members can be targeted by hackers in any number of ways, but what we typically see in these cases are three main types of attacks:

Breached personal accounts

The average person has dozens of online accounts, and board members are no exception. The sheer number of these personal accounts (including email, social media, online shopping, streaming, airline miles, etc.) creates an enormous online attack surface that hackers can exploit much more easily than a business network.

What do hackers want with non-work accounts? Cybercriminals can use personal accounts to harvest many types of sensitive information, leapfrog to other accounts (including work accounts) and stage attacks on the victim’s contacts, including their colleagues.

One of the most valuable personal accounts is email. If a hacker can compromise a board member’s private email, they can use it to impersonate them in order to launch phishing attacks on other employees. Due to the board member’s high status, these attacks can be extremely effective at soliciting sensitive company files and information, tricking employees into wiring funds to accounts controlled by the criminal or persuading the IT team into sharing or resetting the board member’s network passwords, thereby giving the hacker direct access to highly sensitive corporate systems.

Hackers will also use personal email accounts to hunt for any stored files or other sensitive information that may have been shared by the company. That means a hacker can pull off a significant corporate data breach without ever having to break into the actual business network.

Sensitive personal information, files and correspondence can also be used for blackmail and extortion. Document extortion, in particular, is a growing threat, as hackers will hunt for specific types of embarrassing personal information, such as tax documents, pictures and divorce papers, which they can use to demand large payoffs.

Most personal accounts are poorly protected due to weak passwords and the lack of multi-factor authentication. This makes them vulnerable to attack. To make matters worse, there is a huge criminal marketplace for stolen passwords (estimated at 24 billion), which means the hacker can often walk right in through the front door, so to speak. In our own research, we’ve found that 69% of executives have had passwords leaked online.

Home network intrusions

Most home networks are extremely easy to hack, and this is especially true for board members. While it may seem counterintuitive, the more expensive the home, the more likely it is to have significant vulnerabilities just waiting to be exploited.

This is because wealthier individuals tend to incorporate a lot of smart technologies in their homes, including home automation and camera systems. While these systems are top-of-the-line, they are usually not secured correctly by the integrator or patched regularly, which leads to weaknesses and vulnerabilities.

In other instances, Internet of Things devices abound inside homes (e.g., TVs, speakers, thermostats, DIY cameras, etc.). While these devices are called smart, they’re often pretty simplistic when it comes to cybersecurity, and most have advanced controls like dual-factor authentication turned off by default. Most of these devices also leave privacy and security up to the homeowner, and their controls or options require deeper cybersecurity know-how.

Wi-Fi routers are also major risk vectors. If the router has a default password or any unpatched vulnerabilities, a hacker can gain full access to the home network. Once inside the home network, a hacker can “sniff” the Wi-Fi traffic to look for unencrypted information, pivot to other devices in the home like laptops and printers, eavesdrop on sensitive phone calls, spy on the person and their family through connected cameras and even pose physical threats, such as disabling alarm systems and door locks.

Quite often, the only real challenge to hacking a home network is figuring out the right one to target. This is why a board member’s personal IP address is sensitive information that needs to be protected. If a hacker can find this information, they can then run a “port scanning” attack on that IP range to hunt for vulnerable devices that can be exploited. Our research has found that 40% of board members and executives have home IP addresses listed in various data broker websites, where almost anyone can access them.


Targeted family members

Another pathway into the board member’s accounts and, ultimately, the company, is through targeted attacks on family members. These attacks are becoming increasingly common against high-net-worth individuals.

Hackers can find a person’s family members through open-source intelligence research, such as searching through social media posts or public bios, or by simply buying the information directly from a data broker. Last year, we found that 95% of board members and executives (out of the 1,000 we analyzed) had confidential personal and family information for sale on these websites. These same sites also sell the person’s contact information, including phone, email and social media, making it easy for a hacker to target them.

All it takes is one hijacked messaging account from a spouse or child to trick a board member into clicking on a link or sharing information that can lead to a serious breach. Some criminal actors are going even further with these attacks by targeting family members with extortion (including sextortion) and virtual kidnapping in order to extort board members.

Defending against targeted attacks

The best way to prevent targeted personal attacks is to reduce the board member’s personal attack surface. This involves removing sensitive information from the web and hardening devices and online accounts.

Personal information exposure by data brokers is one of the most overlooked problems in executive cybersecurity today. It is absolutely critical for board members to have this information removed. This is not an easy task, since there are hundreds of data brokers out there.

Board members should also take several basic steps to protect their personal devices, home network, IoT devices and online accounts. This includes changing all default passwords to strong, unique passwords and adding dual-factor authentication whenever possible. All devices should also be kept up to date with the latest software, firmware and security patches. It’s also important to have robust anti-malware on all devices and a firewall on the network to protect these devices.

Since IoT devices can be a gateway for hackers, they should be kept off the main Wi-Fi network and moved to a guest network.

Board members should also have contingency planning in place for when — not if — they are attacked. To this end, it’s critical for all sensitive files and information to be kept encrypted and to have data backups in place that are kept off the home network, such as external hard drives or cloud-based backups.

Lastly, board members should conduct regular security assessments of their home network, devices and online accounts to ensure they are properly protected, lest the companies on whose boards they serve need to disclose a material cybersecurity risk involving their personal lives.


Tags: Board of Directors, Board Risk Oversight, Cyber Risk, Cybercrime
Chris Pierson

Chris Pierson, founder and CEO of BlackCloak, specializes in digital executive protection. He is the former chief privacy officer of Royal Bank of Scotland and CISO for two fintech companies and served for over a decade on the Department of Homeland Security’s privacy committee and cybersecurity subcommittee. Pierson is also the former president of the FBI’s Arizona InfraGard, and he is a distinguished fellow of the Ponemon Institute.
