Ransomware attacks and data breaches have taken over the news cycle recently, putting executives and the C-suite in the spotlight as primary targets and victims. As a CEO, it’s important to understand that all too often these cyber attacks are the direct result of corporate credential exposures of lower-level employees. For example, the Colonial Pipeline was breached using an exposed employee credential, not that of an executive. Nevertheless, nearly all industry digital protection services are designed to monitor only a select number of high-profile company employees, forcing security teams to choose which few individuals to safeguard.
It can be easy to forget the consequences that come with living and working in a highly digitalized world — meaning that risks increase as more and more employees engage with an interconnected suite of digital tools and services in today’s distributed virtual workplace. And with cyber threats continuing to grow and evolve, we as CEOs must ask ourselves, why isn’t there the same level of digital protection for employees below executives or the C-suite if they also have access to critical systems and sensitive data?
The title of this article may seem to suggest that executives are no longer highly vulnerable targets for threat actors, but that is far from the case. The personal data and corporate credentials of executives continue to proliferate in the breach economy, making them high-value targets. A 2021 Identity Breach Report from my company, Constella Intelligence, found that over 40% of executives from a sample of Fortune 500 companies in the energy and telecommunications sectors were exposed in a breach over the last five years, and out of a sample of 55 Fortune 500 energy executives, nearly 1/4 have had their passwords exposed.
Digital risk protection for executives should still be a top priority for your company. However, if you are going to invest in executive protection to prevent data loss and reputational or financial harm, then it would only make sense to also consider investing in employee protections for those who also have access to critical systems and sensitive data. Employees in areas such as IT, HR, and finance must be on your radar as potential targets for cyber threat actors seeking to inflict damage on your organization, people, and brand.
According to the IBM Cost of a Data Breach Report 2021, compromised credentials are the most common initial attack vector for data breaches. And breaches caused by compromised credentials also have the longest lifespan of any initial attack vector, taking 341 days to discover and contain, with an average cost of $4.4 million. Once cybercriminals have access to a corporate email, they can leverage it to launch an attack.
Constella’s 2021 Identity Breach Report also found that nearly 60% of the data breaches analyzed exposed some form of personally identifiable information (PII), and 72% of these breaches included passwords. As a CEO, this is frightening. Knowing that breaches regularly occur and employees who are not at the executive level are frequently targeted makes it inexcusable for a company to forego digital risk protections for employees with privileged access to the corporate digital network.
It is the job of executives to help their companies create a safe environment for their employees and for their business to flourish, and the next landscape to address is digital risk. The continued prevalence of remote work has made it critically important to protect employees below the level of the C-suite, as exposed records present a serious threat. Employees are accessing corporate accounts on personal devices daily, and this flexibility has become commonplace in the new hybrid work model. However, with new workforce trends come new risks.
I believe that most executives understand that this digital ecosystem of hybrid, distributed workforces and increased remote solutions creates vulnerabilities for their companies but simply aren’t sure how to address the risks. It’s also possible that leaders fear venturing into the unknown world of cybersecurity with complicated algorithms and high-tech processes and are more comfortable leaving the problem to eventually be solved by the security team. After all, they would alert the C-suite if there was a threat to systems and data due to lack of employee protections, right?
As a member of the cybersecurity community and a CEO, I urge my fellow corporate executives to speak with their security teams and ask important questions about employee protection against external digital risks, threat actors, and exposed corporate credentials circulating on the surface, deep, and dark web.
Now more than ever, discussions must be had on digital and cyber protections for employees, not just executives and the C-suite.