C-level executives are increasingly being targeted by cyber criminals keen on gaining privileged access to corporate networks. But a perhaps less well-documented trend is the growing risk of data leakage by CEOs and their colleagues.
While most of these incidents are accidental, they can carry a serious financial and reputational cost. Fortunately, there are several simple security best practices that can help mitigate the resulting business risks.
Breaking the rules
Verizon research recently found that C-level executives are around nine times more likely to suffer social engineering attacks resulting in a data breach than they were in years gone by. But they're also highly prone to unintentionally sharing sensitive customer and corporate data with unauthorized outsiders, or storing it in unsanctioned locations.
The problem of data leakage stems from several overlapping factors. CEOs are famously short on time, which can lead to mistakes. They're also likely to juggle multiple devices and online email and messaging accounts. They may not have been asked to attend training and awareness courses, which means they may be less aware of, or concerned about, breaking security policies. Similarly, IT may be more willing to relax policies to support CEO productivity, or to let policy violations go unflagged for fear of offending the boss.
The story so far
The result is that CEOs are at risk of accidentally or deliberately bypassing policy to share sensitive data with unauthorized users—via email, SMS, USB sticks or cloud-based applications (especially chat, team collaboration and online storage apps).
There are no definitive findings on how widespread this is, as many cases go undocumented. However, Verizon's latest Data Breach Investigations Report found that 30% of breaches analyzed involved company insiders, and 22% were caused at least in part by human error. Q2 2020-21 figures released by the Information Commissioner's Office (ICO), the UK privacy regulator, revealed "email sent to incorrect recipient" accounted for 15% of official data loss reports it received.
Such incidents can draw unwanted attention from regulators, damage the brand reputation of an organization and CEO, and increase the risk of journalists, rivals and others getting hold of information, which could erode competitive advantage.