High-level executives, including board members and C-level executives, often have access to sensitive information, making them prime targets for bad actors looking to penetrate corporate defenses. Their personal devices, among other points of entry, are glaring attack vectors for cybercriminals looking to get in on the top floor.

As CISOs know, cyber incidents all too often include the human element, and executives are all too human. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches involved a human element, the bulk of them involving phishing, business email compromise (BEC), and stolen credentials.

Home is the new attack surface

Driven by numerous factors, a new class of risk is emerging that targets the highest ranks of an organization through deeply personal avenues. The message to CISOs is that an executive’s digital life could be the company's weakest link, and not just their corporate devices and accounts: home servers, home security equipment, family devices, and even social media interactions can present vulnerabilities and pose workplace security risks. “It means home is the new attack surface,” says Chris Pierson, CEO at BlackCloak.

It’s a no-brainer to ensure that internal systems and people are in place to protect an organization, but it’s much harder to manage risks from outside that can’t easily be controlled. The digital lives of the leadership team, Pierson says, could be something of a ticking time bomb.

In Pierson’s experience with onboarding executives, a significant proportion (39%) have an aspect of their personal digital life that’s been compromised. When personal and corporate lives connect, this can spell trouble for CISOs who find themselves fighting fires in an environment they don't control.

The risk faced by executives has grown rapidly as the pandemic-driven rise of hybrid work increased the blurring of professional and personal digital lives.
Complex geopolitical tensions, opportunities for digital activism against corporates (particularly in industries with higher risk profiles), and the prospect of financial gain from targeting wealthy leaders have all raised the stakes on the personal digital lives of executives.

A large organization, especially if it's a publicly listed company with a C-suite leadership team that has a presence in the media and on social media, can be a lightning rod for the attention of bad actors, says Gergana Winzer, partner of cyber services with KPMG Australia. “Some of these small-time criminals have awakened to the reality of being able to make monetary returns by utilizing easy-to-buy malware or ransomware online and just deploying it across those types of high-net-worth individuals,” Winzer says.

When personal breach leads to enterprise attack

This class of personal risks can take many different forms, according to Pierson, who says one of the biggest risks is to intellectual property: the loss of corporate documents from executives’ personal devices or personal accounts where there are fewer or no controls. “Corporate executives tend to have complex smart home systems with security cameras and servers hosting a multitude of devices and services, and these present potential points of entry,” he says.

But that’s not to discount the lure of financial gain. “Executives, because they are also high net worth, can be attractive targets to criminals over banks and financial institutions that have more controls in place,” Pierson says. “We see their personal emails being breached in business email compromise attacks, we see their personal devices being breached through malware, as well as other social engineering scams all the time. As a result, money is a big motivator for a lot of these attacks.”

Then there are the deeply personal attacks with malicious intent.
Personal doxxing, the exposure of names, addresses, phone numbers, and even personal photos and videos, violates privacy and leaves executives open to exploitation. “These things are used as a means of extortion but can also have very impactful reputational damage and even intimidation,” Pierson adds.

According to experts, addressing these complex security considerations must not create added friction between the executives, their families, and their interactions with technology. Rather, the attack surface for those types of accounts, services, and devices needs to be shrunk, and there needs to be assurance that the risks can be mitigated, Pierson says.

How CISOs can mitigate risks for executives

Ensuring executives are protected outside the office environment and hardware can be difficult when CISOs can’t directly intervene in their personal digital life. “They want to keep church and state separate,” says Pierson. “They want that privacy divide, but they just want the risks covered and to know at a high level what's being done.”

Pierson says CISOs need to understand precisely how and where the two risk environments, corporate and personal, intersect. “Look at your ‘About Us’ leadership page. That's where it starts. Understand how deep that goes in terms of the next layers down and then figure out the biggest risks that those individuals may face in their personal lives and what the CISO can do to try to reduce or mitigate them.”

Sophisticated, well-coordinated cyberattacks may not begin in the company’s systems but start by compromising an executive and then propagate from there, Winzer says. As a precautionary measure, CISOs need to be vigilant for changes in leadership and executive team risk profiles, which means staying curious and being constantly interested in finding the blind spots.
And those blind spots can be huge: a CEO who makes frequent media appearances, has stock market dealings that are open to public scrutiny, or is simply well enough known to be included in social media conversations is sending up a flare for potential hackers. “As a CISO, I need to be aware of the threats that can potentially harm that individual and their ability to do their work within the organization,” she says.

Protect the corporate “crown jewels”

To address the potential vulnerabilities that can bleed from personal into corporate, Winzer recommends CISOs undertake a risk assessment that includes identifying the company’s “crown jewels” that need to be protected. This needs to include an evaluation of potential risks, including through personal attack, and developing mitigation strategies.

Winzer says this means making sure as many threats or vulnerabilities as possible are documented and taken into consideration, which helps to assess the likelihood and impact of any personal breach. “Calculate what the threat means to the C-level executives and board members and then take action from there, but it needs to be based on the risk appetite and what the company believes to be important to protect,” she says.

Mitigation strategies might include policies around what and how much information these executives can disclose about themselves publicly, according to Winzer. “It’s really important to get as much information as possible to evaluate the threat, put it in your risk register, and then do something about it, rather than ignoring it. Because that's everything in cyber: every time we have ignored something it has come and beaten us up.”

Ensure high-level executives get cybersecurity training

In addition to risk assessment and mitigation strategies, in-house education can also help in securing an executive’s digital footprint.
Steven Sim, a member of the ISACA Emerging Trends Working Group, says the C-suite, like all staff, should attend tailored awareness training which includes phishing simulation exercises and tabletop exercises. “These exercises should also have the C-suite and, where possible, the board participating in decision-making during a simulation of an organizational crisis brought about by a cyber incident,” he says.

“These should be part of a multiyear security improvement program, if not already put in place as business-as-usual, that should cut across people, processes and technologies,” Sim says. And with the specter of regulatory fines and reputational damage, it needs to extend across the digital and business supply chain and the intelligence ecosystem of the security community.

Sim recommends the risk register for both C-suite executives and their enterprises be updated consistently, as the cyber threat landscape evolves rapidly with new tactics or techniques. Security metrics, key risk indicators, and key performance indicators of cybersecurity initiatives and projects must be continually measured to ensure the delivery of a successful cybersecurity improvement program. “This helps an enterprise to meet its current risk appetite and also look ahead to pave a way to futureproof against potential threats to its C-suite executives and the enterprise,” he says.

Consider corporate culture

Culture is another important element that mustn’t be overlooked in managing executive risk, according to Winzer; it should ensure everybody carries shared responsibilities when it comes to cybersecurity. In practice, this means the CISO taking a holistic approach, rather than relying on patches or education programs. While many CISOs have been doing this for years, she recommends that really uplifting the cyber culture requires a strong collaborative approach across the C-suite.
“The CISO, the CFO, and the CEO all need to work together to ensure the culture [of shared responsibility] is being propagated across the organization,” she says.

Above all, shared responsibility is to understand that there’s shared risk. “If a CEO gets affected and personal data and files are leaked, including sensitive information about their status or the things they know about the company, trade secrets and the like, then it becomes the CISO’s problem. It's not just the CEO’s private problem anymore.”

“If everybody's aware they have responsibilities around their own role and cybersecurity, it becomes much easier for the CISO to do their job,” Winzer says.