2026 Cyber Health Score Report: The Executive Vulnerability Gap

We launched The Cyber Health Company with the hypothesis that executives running the country’s largest organizations were operating with significant personal security vulnerabilities that created enterprise risk. After assessing hundreds of executives and high-net-worth individuals, we now have data that confirms this hypothesis, and the numbers should concern every CISO.

The Cyber Health Score

Personal cybersecurity has always existed in a strange liminal space. It’s clearly consequential, yet it’s not measured, poorly understood, and often dismissed as “not our problem” by security teams focused on corporate infrastructure.

This creates what I call the “implicit equilibrium,” in which individuals outsource security to product owners (e.g., Apple, Google, or their bank) and treat acute problems reactively as they arise. For the average employee, this works well enough. For high-risk individuals such as executives with access to sensitive corporate data, decision-making authority, and significant personal wealth, this posture is increasingly untenable.

The fundamental issue is that you can’t improve what you don’t measure. Without a rigorous framework for assessing personal cyber risk, we’re left with security theater: generic recommendations, compliance-driven checklists, and hope masquerading as strategy.

That’s why we built the Cyber Health Score to bring quantitative rigor to personal cyber risk. Like a medical checkup, it combines two critical inputs:

  1. Voluntary intake: Approximately 70 questions covering security practices, privacy behaviors, and infrastructure choices. This is the “inside looking out” view, including what controls and habits someone has in place.
  2. OSINT diagnostic: An external research report simulating an attacker’s reconnaissance. This is the “outside looking in” view, exploring what information is publicly exposed, what data has been breached, and what attack vectors exist.

The score itself ranges from 0 to 1000, with higher scores indicating lower risk. We calculate it by multiplying a base score (measuring security posture across ten threat categories) by a coefficient (measuring target attractiveness based on wealth, access, and network).

This dual-component approach reflects the economic reality that attackers are rational actors who optimize for return on effort. An executive with poor security practices but significant wealth and access presents a fundamentally different risk profile from someone with identical security practices and a less attractive payoff.

What The Data Shows: A Summary

We analyzed intake and OSINT data from our members during onboarding, before any remediation work, and found consistent and concerning patterns. Below is a summary of the most urgent findings. The full report is available at cyberhealth.co/score-report.

Mobile: The Forgotten Perimeter

BYOD has won. 86% of executives carry only one phone, meaning personal life and enterprise security coexist on the same device. Yet the security posture of that device is often shockingly poor:

  • Only 7% had SIM swap protection enabled (83% didn’t even know what it was)
  • 26% rely exclusively on SMS for personal MFA
  • 69% wait at least a week to install security updates

Modern attacks increasingly target the mobile device as the path of least resistance. When Jefferies Financial Group CEO Rich Handler lost control of his Instagram account to an attacker, it was more than personally embarrassing. It was a preview of how personal device vulnerabilities create enterprise exposure.

Credentials: The Persistent Weakness

Despite two decades of password security awareness campaigns, credential hygiene remains stubbornly poor:

  • Only 26% randomly generate passwords from a manager or browser
  • 25% use the exact same password for new accounts
  • 49% use variations on existing passwords
  • 32% store passwords in Notes or comparable unencrypted documents
  • Only 21% use dedicated password managers (1Password, Dashlane, Bitwarden)

For 74% of individuals in our dataset, credential stuffing attacks are effectively trivial, and as AI-powered brute-force attacks become increasingly common, weak password practices create exponentially greater risk.

Social Media: Reconnaissance Goldmines

Not all executives actively promote themselves on social media. We found that only 13% use it professionally, but legacy accounts often leak enormous amounts of reconnaissance data. For example:

  • 85% of executive Facebook profiles had public photos and friends
  • 82% of Venmo accounts were publicly leaking contacts or payment history
  • 41% had high-quality photo, video, AND audio samples suitable for deepfake source material

The biggest problem isn’t active social media use, but neglected accounts with default privacy settings that platforms optimize for engagement, not security.

Why This Matters For Security Leaders

These findings should concern every CISO because vulnerable executives create business risk.

When an executive’s personal email gets compromised, attackers don’t just steal family photos. They gain intelligence for spearphishing campaigns against corporate targets, identify relationships that can be exploited for social engineering, and discover personal financial pressures that might make someone susceptible to bribery or extortion.

An executive’s personal phone is a potential entry point into corporate systems, especially given how extensively personal and professional use overlap on the single device 86% of executives carry. When an executive’s social media and public exposure create detailed profiles for attackers, it lowers the cost and increases the success rate of targeted attacks against your organization.

The executive vulnerability gap is an organizational problem masquerading as a personal one.