Executive Committee members are 12 times more targeted by cyber-attacks than other employees (Verizon Data Breach Investigations Report). Since executives are the embodiment of the company, attacking them impacts both their reputation and the company's image. The trust of customers, partners and employees is undermined, especially when senior executives are at the root of the breach.
The executive's personal sphere: a boon for hackers
The personal sphere of executives is particularly well exploited by hackers to target their companies: easier to access, less well protected because it falls outside the company's usual protection perimeter, it provides hackers with all the material they need to carry out personalized, credible and high-impact attack scenarios.
By analyzing the human attack surface of 100 Executive Committee members of French SMEs, Mid-sized company and major groups in all business sectors, ANOZR WAY was able to identify the professional and personal data of executives publicly exposed on the various strata of the Web and darkweb. For 60%, their family and friends circles are easily identifiable (first name, last name, contact details, photos, location of spouses, children, etc.). 72% of executives have their home or second home address publicly displayed, and 52% have their personal cell phone number. "I'm not very active on social networks, so I'm not afraid of anything" is a phrase often used by executives. However, Jacques M., CFO of a major industrial group, was a target of attack because of the only photo posted on his Facebook account, "liked" by just one person: his wife. The hackers identified her and easily found her Facebook account, the address of their personal home, as well as information about their children: photos and the schools they attend. A wealth of information that could be used in a variety of targeted attack scenarios, enabling the CFO to be pressured through his family.
Hybrid business/personal use opens up new horizons
Similarly, Michelle L., director of an international group, was the victim of identity and account theft, including her mailbox, as a cybercriminal took control of her personal cell phone number and reset all her accesses. Thanks to the personal data exposed on the Web and the dark Web, the cybercriminal was able to impersonate her telephone operator - providing the information gathered earlier to pass identity verification. He pretends to have lost his phone and asks for a new SIM card to be sent to another address. Once activated, he takes control of the line: he receives all calls intended for Michelle, as well as messages. This enables him to reset the passwords to the various accounts. More generally, knowing the victim's address, it's easy enough to use one of the physical attack techniques, such as breaking into the home and connecting a USB key to the computer, or easily hacking into the manager's wifi network, which, of course, has no attack detection tools. Even simpler, it's possible to steal mail, such as the new SIM card which, at the hacker's request, has just been sent to the executive's home.
Hybrid business/personal uses are aggravating risk factors (use of personal phone for work, use of work email for personal use, use of the same passwords everywhere, etc.).
The exposure of private life is still a blind spot for managers themselves, who still underestimate the impact that its visibility can have. This personal sphere is widely exploited by attackers, who feed off all the information they can find on the Internet, from social networks to the darkweb.
In addition to cyberattacks, this makes direct physical attacks possible. This means that corporate security is not limited to the company's "borders": it is essential to protect the private life of the company's directors, their families and close contacts. Our study shows that a 68% reduction in risk is possible for each executive by controlling this digital footprint.
