
CEOs and data leaks: how to minimize cyber risk from the top down

Author: Phil Muncaster

C-level executives are increasingly being targeted by cyber criminals keen on gaining privileged access to corporate networks. But a perhaps less well-documented trend is the growing risk of data leakage by CEOs and their colleagues.

While most of these incidents are accidental, there can be a serious financial and reputational cost to them. Fortunately, there are several simple security best practices that can help mitigate the resulting business risks.

Breaking the rules

Verizon research recently found that C-level executives are around nine times more likely to suffer social engineering attacks resulting in a data breach than they were in years gone by. But they're also highly prone to unintentionally sharing sensitive customer and corporate data with unauthorized outsiders, or storing it in unsanctioned locations.

The problem of data leakage stems from several overlapping factors. CEOs are famously short on time, which can lead to mistakes being made. They're also likely to juggle multiple devices and online email and messaging accounts. They may not have been asked to attend training and awareness courses, which means they may be less aware of, or concerned about, breaking security policies. Similarly, IT may be more willing to relax policies to support CEO productivity—or to let policy violations go unflagged for fear of offending the boss.

The story so far

The result is that CEOs are at risk of accidentally or deliberately bypassing policy to share sensitive data with unauthorized users—via email, SMS, USB sticks or cloud-based applications (especially chat, team collaboration and online storage apps).

There are no definitive findings on how widespread this is, as many cases go undocumented. However, Verizon's latest Data Breach Investigations Report found that 30% of breaches analyzed involved company insiders, and 22% were caused at least in part by human error. Q2 2020-21 figures released by the Information Commissioner's Office (ICO), the UK privacy regulator, revealed "email sent to incorrect recipient" accounted for 15% of official data loss reports it received.

Such incidents can draw unwanted attention from regulators, damage the brand reputation of an organization and CEO, and increase the risk of journalists, rivals and others getting hold of information, which could erode competitive advantage.

What needs to happen to help prevent data leaks

The key to managing this situation effectively lies with finding the right balance between productivity and security—although it's a difficult one to get right. And while the pandemic is still raging, many organizations have been less keen to do anything that might have an impact on staff output.

However, to mitigate the risks outlined above, consider the following steps:

  • Install monitoring and logging technology to understand how and where sensitive data flows.
  • Ensure CEOs (and their personal assistants) receive customized security training.
  • Use pop-up alerts to notify users when they're breaking policy and to help reinforce good behavior.
  • Consider disabling USB ports on CEO PCs and laptops.
  • Ensure security policies are enforced at the highest levels of the company.
  • Put tools in place to prevent the use of non-compliant devices to log on to corporate networks and downloads of unsanctioned apps.
  • Set up a data leakage prevention (DLP) system to help prevent CEOs from sending sensitive data outside the company.
  • Encrypt all data in transit and at rest on CEO devices.
  • Consider enforcing a zero-trust approach to limit CEO access to corporate resources they don't normally need to do their jobs.
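
The monitoring, pop-up alert and DLP items above can be combined into a single outbound-mail policy check. The following is an added illustration for this article, not code from Verizon or Lookout: it classifies an outgoing message as allow, warn (pop-up, then send) or block, based on whether recipients are outside the company, whether the content carries a sensitivity label or a card-like number, and whether a recipient domain looks like a typo of the company's own domain (the "email sent to incorrect recipient" case the ICO figures describe). The domain names, labels and sample messages are constructed assumptions.

```python
"""Outbound-mail policy check (added example for this article; not Verizon's
or Lookout's code). Flags messages that leave the company while carrying
sensitive content, and recipients that look like typos of an internal domain.
All domains, labels and messages below are constructed."""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"acme-corp.example"}   # assumption: the company's own mail domains
APPROVED_PARTNERS = {"law-firm.example"}   # assumption: vetted external parties
SENSITIVE_LABELS = ("confidential", "internal only", "restricted")
# Rough payment-card pattern: 13 to 16 digits with optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Verdict:
    action: str                      # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot acme-corp.exampel vs acme-corp.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def external_recipients(msg):
    return [r for r in msg.recipients if domain_of(r) not in INTERNAL_DOMAINS]


def lookalike_recipients(msg):
    """External addresses whose domain is within two edits of an internal one."""
    hits = []
    for r in external_recipients(msg):
        d = domain_of(r)
        if any(0 < edit_distance(d, internal) <= 2 for internal in INTERNAL_DOMAINS):
            hits.append(r)
    return hits


def sensitive_markers(msg):
    text = (msg.subject + "\n" + msg.body).lower()
    reasons = [f"label '{lbl}' in subject/body" for lbl in SENSITIVE_LABELS if lbl in text]
    if CARD_RE.search(msg.body):
        reasons.append("payment-card-like number in body")
    for name in msg.attachments:
        if any(lbl.replace(" ", "_") in name.lower() for lbl in SENSITIVE_LABELS):
            reasons.append(f"attachment '{name}' carries a sensitive label")
    return reasons


def evaluate(msg):
    ext = external_recipients(msg)
    if not ext:
        return Verdict("allow")                       # stays inside the company
    reasons = [f"external recipient {r}" for r in ext]
    typos = lookalike_recipients(msg)
    if typos:                                         # probable mistyped recipient
        return Verdict("block", reasons + [f"{r} looks like a mistyped internal address" for r in typos])
    markers = sensitive_markers(msg)
    unapproved = [r for r in ext if domain_of(r) not in APPROVED_PARTNERS]
    if markers and unapproved:                        # sensitive content to an unvetted party
        return Verdict("block", reasons + markers)
    if markers or msg.attachments:                    # sensitive to a partner, or any attachment: confirm first
        return Verdict("warn", reasons + markers + [f"attachment {a}" for a in msg.attachments])
    return Verdict("allow", reasons)


def audit_line(msg, verdict):
    """One log line per decision, feeding the monitoring/logging step above."""
    return (f"dlp action={verdict.action} from={msg.sender} "
            f"to={','.join(msg.recipients)} reasons={'; '.join(verdict.reasons) or '-'}")


# Constructed sample traffic from a CEO mailbox.
SAMPLE = [
    OutboundMessage("ceo@acme-corp.example", ["cfo@acme-corp.example"], "Q3 numbers", "see attached", ["q3_restricted.xlsx"]),
    OutboundMessage("ceo@acme-corp.example", ["me@webmail.example"], "Board pack", "Confidential - do not forward", ["board_pack_confidential.pdf"]),
    OutboundMessage("ceo@acme-corp.example", ["cfo@acme-corp.exampel"], "Q3 numbers", "quick look?"),
    OutboundMessage("ceo@acme-corp.example", ["partner@law-firm.example"], "Contract", "Internal only draft", ["draft.docx"]),
    OutboundMessage("ceo@acme-corp.example", ["friend@webmail.example"], "Lunch", "Thursday?"),
]


def run_samples():
    return [(m.subject, evaluate(m).action) for m in SAMPLE]


if __name__ == "__main__":
    for m in SAMPLE:
        print(audit_line(m, evaluate(m)))
```

Run as a script it prints one audit line per sample: the internal mail and the lunch invitation are allowed, the board pack sent to personal webmail and the mistyped CFO address are blocked, and the "internal only" draft sent to an approved law firm gets a warning rather than a block. The thresholds (two edits for a lookalike, warn on any attachment) are the kind of policy knob that should be tuned from the logged decisions rather than fixed up front.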

These security best practices can help safeguard your company from even its most senior employees.

Learn how Verizon's Lookout Mobile Endpoint Security can help protect your organization's mobile devices.