Executive Online Protection

Should Chief Security Officers Bear Responsibility for Digital Executive Protection?

Physical threats against executives are on the rise. Intensified by unprecedented societal tension, pandemic fatigue, and the economic crisis, corporate leaders are being confronted and assaulted, their vehicles vandalized, and homes invaded.

Often perpetrated by disgruntled employees or other bad actors, these threats are very real. According to the 2021 State of Protective Intelligence Report, published by the Ontic Center for Protective Intelligence, 24% of CEOs and/or their family members had received threats and/or were harmed in their private residence or while traveling. Furthermore, an astonishing 15% of executives have received kidnapping threats. Some of these attacks have become worryingly brutal and tragic.  

Perhaps unsurprisingly, the motivation for a large percentage of these attacks is related to executives expressing their political views. The Ontic Center report found that 58% of CEOs had received physical threats for taking a position on political or racial justice issues. While 56% received threats relating to encouraging vaccination and mask use.

The threat is so significant that executive protection is now a multi-million-dollar line item in some corporate budgets. In 2021, Meta Platforms, Inc. (aka Facebook), spent more than $15.2 million for expenses related to protecting CEO, Mark Zuckerburg, at his homes and on the road.

Executive’s personal digital lives heighten physical risk

Physical protection is one thing. But an executive’s digital footprint can also create physical risk. 

As corporate leaders conduct business over home or public Wi-Fi networks, they are a lucrative target for threat actors seeking access to sensitive information about executives and their families, including where they live and their travel plans. Bad actors also trade this sensitive data or personal information on the dark web, leaving executives vulnerable to kidnap, ransom, or worse.

These developments are alarming and should resonate loudly with the C-suite and Board of any company. After all, protecting the executive protects the company.

Digital protection is paramount

It’s no longer enough to surround executives with physical guardrails and James Bond-like security detail. Companies spend millions to protect executives and their digital lives at work, but they won’t truly be safe unless they are protected in their personal digital lives.

But who owns this problem? Here we have a dichotomy: Physical executive protection – when traveling, at Board meetings, and at high profile events – falls under the purview of the Chief Security Officer (CSO). However, digital executive protection is trending towards the responsibility of the CISO or information security team – but there’s a caveat, this protection is only possible when an executive is in the office or using corporate devices. The moment an executive conducts business from their personal device – at home or on the go – the cloak of protection is lost. This puts them and the organization at risk. 

Consider this scenario: An executive’s personal email is hacked and his upcoming travel schedule is revealed. Due to his company’s pandemic workplace policies, he’s subsequently met by angry employees who protest and threaten him with chants and projectiles if their freedoms aren’t restored. The company wasn’t prepared because they had no visibility into the hack – they can only see what’s taking place within the company’s four walls – leaving the executive digitally and physically vulnerable.

It’s time to raise the bar on executive protection

To overcome the limitations of traditional corporate security measures, CSOs must understand how executives’ physical and digital worlds collide and put a plan in place to extend security protections beyond the corporate perimeter.

Here are four things to know about safeguarding an executive’s online privacy and, ultimately, their physical safety.

1. Protect executive online privacy

A common tactic for going after the top brass at a company are social engineering attacks. Today, there are over 15 billion stolen passwords floating around the dark web. With an executive’s password in hand, a bad actor can login to their personal devices and snoop around for sensitive data about their whereabouts and travel plans.

The first step to preventing these forms of hacks is to remove sensitive executive personal information from online data brokers and perform regular dark web scans for compromised data. In addition, privacy settings should be implemented on the executive’s personal devices and computers to protect against data leaks, identity theft, and social media account takeover.

2. Protect the executive’s home

Home networks are inherently insecure. Just look at the statistics. One in five Wi-Fi networks are accessible over the internet by strangers, one in four devices are infected with malware, and seven in ten households have exposed account passwords. Unfortunately, as smart devices – refrigerators, washing machines, and home entertainment systems proliferate – each with poor security controls, the problem is only getting worse.

Each device on the home network is easy prey for a bad actor. To protect the executive’s home, regular penetration testing and home network scans to detect weak security controls are recommended.

3. Ensure device security

The personal devices of executives are just as insecure as their homes. In the past, companies were unable to extend corporate security to executives and their families due to privacy, legal, and other considerations. But that has all changed. CSOs can now protect the digital lives of executives with cybersecurity protection specific to personal lives.

Going beyond the manufacturer’s security controls, home networks and devices should be monitored and secured with enterprise-grade threat monitoring tools such as those typically used to secure corporate networks and devices.

4. Elevate incident response

For complete peace of mind, CSOs and executives need expert support in the event that a digital threat manifests into an ongoing attack. Because their personal digital lives are not protected by corporate cloak or protection, help from cybersecurity experts should never be more than a call or a click away – 24x7x365. That’s because time is of the essence: 97% of malware attacks manifest in four hours or less.

Note: Each of these four measures should be as unobtrusive and frictionless as conventional, physical executive protection services are.

To revisit the earlier scenario. Implementing these measures could have resulted in a considerably different outcome for the corporate leader. For example, had the proper privacy and device protections been in place, such as appropriate password security or dual factor authentication, then hackers would have been significantly less likely to penetrate the executive’s email address and learn his whereabouts. Additionally, the attempted breach would have set off alarms, and to air on the side of caution, the physical protection teams could have altered their plans. 

Indeed, the moment malicious activity was detected – whether on an unsecured Wi-Fi network or personal device – the email hack would have been stopped in its tracks and the threat thwarted.   

The ball is in the CSO’s court

Companies spend millions of dollars to protect executives – both physically and across the corporate digital landscape – but they won’t really be safe unless their personal digital lives are protected too. Now that the lines between physical attacks and cyberattacks have blurred, it’s imperative that CSOs develop a clear plan of action for digital executive protection, or at the very least, work in lock step with their CISO counterparts.