CAMBRIDGE, Mass.--(BUSINESS WIRE)--PiiQ Media has concluded a cyber security risk assessment of exposed online PII for top executives across all US Fortune 100 companies. The assessment was conducted using PiiQ Media’s Threat Intelligence software, which automates risk analysis and scoring of exposed PII across the top social media platforms. The results underscore the extreme weakness in personal social media, email, and password security. These vulnerabilities have devastating effects on corporate risk and enterprise data security for companies large and small.
PiiQ Media ran a comprehensive information security assessment of top executives at the highest valued companies in the US. The premise: even companies with the largest security budgets and security teams are likely not implementing effective measures to improve employee personal security, and thus have blind spots in corporate security. The results are more startling than we expected. Collectively, we have a serious problem.
The largest corporate attack surface being exploited by criminals today is social engineering employees through phishing and spear phishing attacks. Spear phishing attacks have the greatest rates of success due to the personal nature of the attacks, typically imitating familiar people or organizations with relevant content to the target. The source of the information that allows criminals to build targeted spear phishing attacks is exposed PII through social media and other online services.
To compound matters, social engineering based attacks are evolving in sophistication, using Artificial Intelligence to automate PII collection (reconnaissance) as well as victim engagement (targeting). Current anti-phishing solutions tend to focus on the targeting side by looking for markers that may indicate an email is suspicious. These types of detection technologies fail frequently in detecting the more advanced phishing or spear-phishing based attacks that don’t use usual markers.
PiiQ Media is committed to delivering software and solutions to mitigate the unanswered risks of PII exposure collected in the reconnaissance phase, identifying and mitigating exposed Personally Identifiable Information (PII) as well as email security compromises and protections, and thus helping organizations reduce successful attacks today as well as the more sophisticated attacks of tomorrow! We encourage companies that recognize these vulnerabilities to adopt a more detailed and actionable corporate social media use policy that details steps employees can take to improve their email and social media security. PiiQ Media has a free-to-use corporate social media use policy, with a personal checklist, that can be downloaded here.
Cyber criminals are increasingly turning to exploiting people rather than systems. Corporate cybersecurity teams are challenged to effectively protect employees who increasingly use personal devices (BYOD) for work purposes while using the same devices to access personal online social media platforms and services. Additionally, the trend toward work from home (WFH) business models in response to COVID-19 reduces visibility and control over the digital security of employees, thus increasing the risk of personal and corporate exploitation. COVID-19 based phishing attacks alone were up 667% in March 2020¹. Phishing attacks account for more than 80% of reported security incidents², with the average breach costing $11.45M to US corporations³. Cyber criminals are finding increased success in targeting and exploiting specific individuals because of the wealth of Personally Identifiable Information (PII) exposed online through social media and other online platforms and services.
PQ-Risk CXO Scores Social Media PII Exposure and Risk
Click here for the PiiQ explainer video.
FIRST TO MARKET - PQ-RISK CXO offers a Cybersecurity SaaS solution that aggregates publicly available profile data across the major social media platforms, with the capability to automatically contextualize a unique spear phishing email based on the analyzed PII and assessment results. It identifies where personal data provides potential inroads for criminals to exploit personal or corporate attack surfaces through family, friends, interests, SMS check-ins, or email/domain security.
PiiQ Media Illustrates Executive Exposure In First of Its Kind Fortune 100 Social Engineering Risk Assessment
Through this analysis, PiiQ Media creates both a risk-trend analysis and risk exposure reports based on 500 top executives. Some of the key trends identified in the analysis:
- 61% of executives have discoverable personal email addresses and 98% of executives have a discoverable business email address.
- 61% of executives have three or more social media profiles that were easily discoverable.
- 32% of executives have email accounts whose domains do not have proper DMARC/DKIM/SPF records set, which allows attackers to more easily impersonate valid email accounts.
- 23% of executives have business email addresses tied to personal social media accounts.
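The DMARC/SPF finding above is one that any domain owner can verify for themselves. The following is an added example, not part of PiiQ Media's software or of the original release: it parses the TXT records a domain publishes for SPF and DMARC and reports the weaknesses that let an impersonator's mail through (a missing record, a soft-fail or `+all` SPF, a DMARC policy of `p=none`, partial `pct`, no aggregate reporting address). Records are passed in as strings so it runs offline; in practice you would fetch the TXT records at `example.com` and `_dmarc.example.com` with a DNS library. DKIM is not assessed because its record lives under a selector name that is not discoverable without knowing the sender's configuration. All domain names and records below are constructed.

```python
import re


def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a dict of tags.
    Returns None if the string is not a DMARC record."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)   # values such as mailto: contain ':' not '='
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt):
    """Return the qualifier of the SPF 'all' mechanism: '-' (fail), '~' (softfail),
    '?' (neutral) or '+' (pass; also the default when no qualifier is written).
    Returns None if there is no SPF record or no 'all' term."""
    if not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def assess_domain(spf_txt, dmarc_txt):
    """Return a list of human-readable findings; an empty list means the
    domain publishes a hard-fail SPF and an enforcing DMARC policy."""
    findings = []

    if spf_txt is None:
        findings.append("no SPF record")
    else:
        q = spf_all_qualifier(spf_txt)
        if q is None:
            findings.append("SPF record has no 'all' mechanism, so unlisted senders are not rejected")
        elif q == "+":
            findings.append("SPF '+all' authorises any sender")
        elif q in ("~", "?"):
            findings.append(f"SPF '{q}all' is not a hard fail; many receivers still deliver the mail")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt is not None else None
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy p={policy or 'missing'} does not block spoofed mail")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("no aggregate reporting address (rua), so spoofing attempts are not visible")

    return findings


# Constructed sample records for three hypothetical domains.
SAMPLE_RECORDS = {
    "strong.example": ("v=spf1 include:_spf.mail.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
    "weak.example":   ("v=spf1 ~all",
                       "v=DMARC1; p=none"),
    "absent.example": (None, None),
}


def run_samples():
    """Assess every sample domain; returns {domain: [findings]}."""
    return {name: assess_domain(spf, dmarc) for name, (spf, dmarc) in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for domain, findings in run_samples().items():
        print(domain, "->", findings or ["OK"])
```

A domain that comes back with an empty finding list still needs DKIM signing to be in place for DMARC alignment to pass for legitimate mail; this script only tells you whether the published policies would stop a forged message, which is the gap the 32% figure above describes.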
The F100 Assessment highlights the expanse of publicly available information that criminals and hackers have at their disposal. These vulnerabilities exist across top executives at the highest valued companies in the US, which indicates that the average PII exposure for the rest of corporations is likely extensive. The exposed PII allows criminals to cultivate familial phantom identities and content that increase the success of targeted spear-phishing attacks. The more data bad actors can acquire, the more targeted and plausible the “hook” or the penetration of the “spear”. In such efforts, context is king. The F100 Assessment report is broken down into ten identifiable PII exposure points, the risk associated with each, and the percentage of Fortune 100 executives found to be at risk.
Table 1. Cross section of PiiQ Media Fortune 100 Executive Assessment

| Exposed PII | Associated risk | % |
|---|---|---|
| Exposed relationships that divulge shared employment | Personal relationships can expose key personal attributes as well as providing context. This allows an attacker to impersonate someone and have the necessary context to fool the victim. | 99% |
| Passwords exposed in data breaches | Breaches that contain passwords pose serious risk to individuals and corporations, primarily due to password reuse across services. | 44% |
| Business email accounts associated with personal social media accounts | A business email should never be associated with personal internet services, such as social media. It opens up a larger set of responses through business email that needs to be policed. | 23% |
Of paramount concern are email security protocols and adherence to them. The ability to map business emails to personal networks presents a clear pathway for bad actors to infiltrate business networks and should be avoided at all costs. Password exposure is similarly a point of significant cybersecurity concern, for all too obvious reasons. The F100 Assessment goes on to list other such areas of exposure and to elaborate on why they present risk.
Chief Technology Officer Aaron Barr elaborates: "We can’t remove everything. For many professionals, self-promotion in social media runs in tandem with promoting and building company business and therefore is encouraged in social media, specifically LinkedIn. It is vital to clearly understand and develop procedures to use social media effectively for personal and professional pursuits while limiting the exposure and risks to compromise. It is vital to personal and professional security to manage social media information effectively."
If you take anything away from this study, it is these four tips to immediately improve your personal and corporate security.
- Business email is only used for business! Most business email address structures are easy to guess (FN.LN@company.com). Limit the types of communications sent to it so it becomes easier to discern legitimate communications from illegitimate ones.
- As for personal emails, everyone should have at least three: one for spam, one for social media and other online service platforms, and finally one for financial and personal matters. Protect your financial and personal email address like 'gold'! If you do this right, your most protected email account should never get spam.
- When it comes to passwords, length and uniqueness are the rule of thumb. Don’t re-use passwords, and ensure length is over 10 characters minimum. One technique is to develop a passphrase base but add unique combinations of characters, numbers, and special characters to the base to make each password unique. Use a password manager if you need to, but DON’T reuse passwords. Unfortunately, it is common for people to re-use the same email address and password for their social media account and their bank. That is a recipe for disaster. Credential stuffing is on the rise, and based on our study, having 91% of the top executives' emails breached at the world's best organizations, knowing that 44% of them had exposed passwords completely visible, well, that should speak for itself.
- Regularly review your social media profiles and the information that is publicly available. Don’t use the same usernames as your email address. Use a different profile photograph on each platform; avoiding personal photographs altogether is optimal. Don’t make it easy for attackers to discover all your profiles and peruse personal information that can be used against you.
Headquartered in Cambridge, MA, PiiQ Media is a privately funded, post-seed, pre-series A data science and social media analytics company, specializing in SaaS and cybersecurity solutions while also offering consulting engagement services.
To review the PiiQ Media Fortune 100 Executive Assessment in its entirety, please click here.
To receive your own Corporate Cyber Security PII Risk Assessment, please contact Alanna Nardella-Frost, alanna@piiqmedia.com.
*** Prevention is the New Detection ***
_______________________________________
¹ “Coronavirus-Related Spear Phishing Attacks see 667% Increase in March 2020”, Security Magazine, April 16, 2020.
https://www.securitymagazine.com/articles/92157-coronavirus-related-spear-phishing-attacks-see-667-increase-in-march-2020
² Fruhlinger, Josh, “Top Cybersecurity facts, figures and statistics for 2020”, CSO Online, Mar 9, 2020.
https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html
³ Coble, Sarah, “Cost of Insider Threats Rises 31%”, Infosecurity Magazine.
https://www.infosecurity-magazine.com/news/cost-of-insider-threats-rises-31/