Just in case you still need convincing about why you should take password hygiene seriously, F-Secure has released the results of a recent study we undertook looking into CEO email exposure. According to our research, 30% of CEOs of world-class companies have had their password leaked on an online service they registered for using their work email.
To put it another way, nearly one in three top CEOs has been “pwned” on a service that was later breached.
And now the passwords they used in those breached services are out there, floating around on the internet, available for the taking by any enterprising cyber criminal.
Over and over again, studies find that a large share of people reuse passwords across multiple accounts. So all a threat actor needs to do is grab his victim’s password from the leaked database of a breached service, and plug it into other sites his target is likely to use as well.
Our research centered around company email addresses for CEOs at over 200 of the biggest companies in ten countries. But even if you’re not a big fish, it’s wise to tighten up your password protocol. According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default, or stolen passwords. And as ill-equipped as most companies are to deal with breaches (according to data from our risk management assessments), a breach caused by unauthorized credential use would be extremely difficult to spot.
All good reasons to use a password manager*, which security experts recommend simply because password management is too hard to do alone.
We also found that the vast majority of CEOs – 81% – have had their personal information (email address and things like phone number, address, birthdate, etc.) leaked in the form of spam lists and leaked marketing databases. Have a look at our infographic by clicking the image below:
The report raises the question: should CEOs use their company email to register for online services? It turns out there are good reasons to do so in certain cases. For the full findings, and for password advice from a white hat hacker, download our free report, CEO Email Exposure: Passwords & Pwnage.
*F-Secure Password Protection, the only available password manager that comes integrated with endpoint security clients, is a brand new component of F-Secure Protection Service for Business, available November 1.