Over the years, the scope of executive protection has expanded to incorporate multiple security elements, and generally individuals and their corporate security teams can feel reasonably secure that they have covered all the bases when it comes to focusing on the traditional risks in the physical realm for example, security risks related to residential and office security, travel, special events, and geo-political unrest, and internal and external risk management.
However, the exploding potential in cybercrime raises two additional executive security questions for every security team:
- How vulnerable is your executive to threats that originate and are carried out in the digital realm, and
- How do you effectively address and mitigate these risks?
Today’s current protection strategies must also recognize the other ways in which the executive can be at risk in the digital world at risk for being extorted, controlled, or attacked.
What motivates an attacker to target an executive?
While there are as many motivations for cyber-related crime as there are criminals, three common motivations to consider are:
- Disruption. The endgame is to cause maximum disruption or embarrassment to the victim’s life;
- Greed. The goal is financial gain to extort monetary payment from the victim; and
- Political. To force a desired change in behavior, e.g., stop an existing or planned corporate action over which the executive has control. In all these scenarios, family and community connections, social media, and publicly available information can be leveraged with devastating effect in the digital realm.
How do attackers use websites to find information about executives?
Cyber criminals can find the attack vectors on social media sites, like Facebook, corporate profiles, and LinkedIn or even an executive blog. Imagine an executive with a granddaughter who is on Facebook and is a member of a sorority at her university. It can be easy for a cyber criminal to hijack the account of someone who is a Facebook friend and connect with the unsuspecting granddaughter. The cyber criminal can get detailed information about her just being on the account, always on the lookout for that one crucial thing the compromising photograph, the suicide threat. Through the granddaughter, the criminal can get access to other family members and their profile information, paving the way to compromising the executive target.
One day the executive opens up his personal email account and finds a message, referencing everything the cyber criminal has gleaned about the granddaughter or other family members, in a menacing and possibly overtly threatening way. The message goes on to explain that unless certain things are done or unless a payment is made in bitcoin, the cyber criminal will release the information. The threatened disruption in the life of a child, grandchild or spouse can exert extreme pressure on the executive to comply with the demands. This is a modern attack. The understandably alarmed executive alerts the security team. What is your security response plan?
Consider another devastating digital access scenario. Cyber criminals quietly and strategically access the email account of the executive’s personal assistant (PA). The goal is to get enough information to ultimately create a shadow PA account and start injecting themselves into the executive’s life. In this way, the cyber criminals start collecting information to learn everything the PA knows about the executive’s habits from the preferred car service to hotel accounts to private planes to the travel itinerary of the executive on a sensitive overseas trip. Eventually, they will access information that the executive spends a huge amount of time and money to protect. This leads to yet another email with a threat. If the cyber criminal’s demands are not met, the executive is threatened, sensitive corporate activities are derailed, or worse yet, the personal security of the executive is compromised.
Some executives have a different Achilles heel. While there are those executives who are neither intimidated by threats, nor concerned about their own reputation or privacy, those executives and their corporations may have highly valued investor relationships. In this scenario, the cyber criminal can create an account in the victim’s name and identify investors or board members — in essence, financial targets. Then the cyber criminal will proceed to reach out to these targets, leaving behind the wreckage of broken deals, a professional network in collapse and a ruined reputation. This kind of attack is often able to work where the victim has not properly protected and maintained their social media accounts.
Best practices for protecting executives in the digital realm
The foundation for digital executive protection is a meaningful risk assessment. Executives, their family and friends must realize that their social media and community activities need to be evaluated for what connections the executive has to them; what kind of information they provide; and how this information can be leveraged. Some basic protective actions that should be instituted include:
- Executives should have accounts officially set up in their name but never used for personal communication; these accounts will be designed for the public and monitored and maintained by the PA and security staff.
- For personal use, executives should set up an account with a completely different name.
- The spouse of the executive should maintain one account for social activities and a separate one under a different name for personal use.
- Teenage family members are sometimes more difficult to impress with social media security concerns, but efforts should be taken to train the young person in social media best practices. Their social media activity needs to be reviewed, and security professionals need to show teenagers how they can be tracked and/or extorted, kidnapped, threatened and tracked. Young family members’ accounts should be regularly monitored and checked.
- Senior executives, senior politicians, decision-makers or influencers must claim their digital persona and own it completely in all forms, control it and lock it down so no one else can get it. You can accomplish this by:
- Take your name and all its variants and set up Gmail, Yahoo and Outlook accounts in fact, every known account possible and use a random automatically generated password for each of them. Also make sure they are linked to another account and routinely checked for anything going through them
- Do the same for domain names. Spend the money to buy your name and lock it down
- Routinely check LinkedIn, Facebook, Twitter wherever people could pretend to be you and take these accounts down, making it clear that you do this regularly.
- Build in “canary” data into your account, e.g., a friend or connection who in reality is you data that criminals cannot resist, but that if someone were to impersonate you, you would get the email
Who is responsible for protecting an executive against personal cyber threats?
These digital protective measures are just as valuable as physical protection measures, but an important question is, “Who is going to run all this?” The executive? No. The PA? No again. Both are too busy with daily activities to devote the time and energy to set up, track and monitor all the necessary accounts and activity.
When engaging a partner to provide executive protection, companies and executives should ensure they choose a security vendor who is experienced at combining digital protection with a rigorous threat management process. These experts will be able to
- help to evaluate who attackers might be that want to do you harm, from individuals to groups, and
- look at not only physical protection but also your electronic, social and digital protection.
By taking a digital approach and running it through the lens of existing physical and threat management experience, security teams and their executives can feel more confident that they have truly covered all the bases of executive protection.
To talk to someone at Kroll regarding your executive protection needs, please contact us.