Fortune
Sheryl Estrada

Hackers are targeting C-suite executives through their personal email

A hand using a laptop that shows a warning screen for a new email (Credit: Patcharin Innara for Getty Images)

Good morning.

As companies rely on CFOs to mitigate risk, cyberattacks (and the costs associated with them) are a major concern. Now, there’s also a growing trend of cybercriminals targeting C-suite executives in their personal lives, instead of targeting them through their companies, according to a new report.

“This is a significant change in tactics, as in the past, most hackers would try to breach a company directly by hacking into its corporate network or compromising employee email accounts,” Chris Pierson, CEO of BlackCloak, a digital executive protection company that consults for Fortune 500s, tells me. “Now, we’re seeing many cybercriminal groups flip the script, by bypassing the corporate network altogether and going after the executives at home and through personal online accounts, where it is a lot easier to pull off a breach.”

BlackCloak and the Ponemon Institute released a report on Monday that found 42% of companies have experienced cybercriminal attacks on their senior-level corporate executives, which can compromise sensitive business data. The findings are based on a survey of 553 U.S.-based cybersecurity leaders. 

“The purpose behind these attacks varies from hacker to hacker, but it usually boils down to financial theft or fraud, extortion, or reverse-breaches, where they try to gain access to corporate accounts, data and systems by sneaking in through the executive’s accounts, which are usually an open backdoor,” Pierson says. 

“Email account takeover is perhaps the most prevalent way to compromise an executive,” he says. “In these cases, cybercriminals take over the personal email account of an executive using breached passwords from the dark web in order to find corporate documents, intellectual property, or other personal information.”

The report highlighted several of the most prolific attacks on executives:

The survey also found that 58% of respondents said that cyberthreat prevention for executives and their digital assets is not covered in their cyber, IT, and physical security strategies and budgets.

In May, Dragos Inc., a cybersecurity firm, said in a blog post it was a target of a cyber extortion scheme against its executives. "The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date," according to the company. The cybercriminal’s texts showed research into family details as they knew the names of family members of Dragos executives.

“In our digital executive protection work, we’ve seen almost every type of attack imaginable,” Pierson says. “We’ve seen hackers carry out complex social engineering attacks on executives and their spouses to pull off hundreds of thousands of dollars in financial fraud. ‘Document extortion’ is another increasingly popular tactic.” Hackers will steal documents like tax records, divorce papers, and other legal documents, and threaten to release them on the web unless they’re paid a ransom, he says.

Ransomware incidents

Cybersecurity is a topic of interest this week as Verizon released its 2023 Data Breach Investigations report on Tuesday. The research analyzed 16,312 security incidents and 5,199 breaches. The median cost per ransomware incident more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million.

"Globally, cyber threat actors continue their relentless efforts to acquire sensitive consumer and business data,” Craig Robinson, research vice president at IDC, said in a statement. “The revenue generated from that information is staggering, and it's not lost on business leaders, as it is front and center at the board level.”


Sheryl Estrada
sheryl.estrada@fortune.com
