A business’s executives, leadership, and board of directors are sources of sensitive, privileged, and confidential information, and that makes them primary cyber attack vectors for hackers. That's why a robust executive protection program that protects these individuals both online and off is paramount.
According to FBI statistics, CEO fraud is now a $12 billion scam. And when private information about these high-profile, high-net-worth individuals is exposed online, it carries a high degree of risk for both that individual and his or her business—not to mention threats against the physical security of the executives and their families. The threat is so significant that Facebook’s board of directors recently granted Mark Zuckerberg a $10 million yearly allowance to pay for the personnel, equipment, and services needed to keep him and his family safe.
But it’s not just the high-profile executives of the world who need sophisticated protection. In today’s digital world, even those who practice stealth wealth are targets of hackers who practice the utmost due diligence in identifying targets and form cyber attacks exploiting their most private details. So even if you don’t flaunt your wealth to the public, anything that exists in the digital world is fair play.
Today C-level executives are twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past. Taking the safety of their business, associates, and family seriously means taking their own safety seriously. It’s now crucial for executives to work together with their physical and cyber security teams alike to understand risks in the physical and digital landscapes and develop a plan that protects against it all.
Here are five things to know about improving an executive’s security posture.
1. Know your surroundings.
Executives have to travel all over the world to do their jobs, sometimes at a moment's notice. Their tight schedule usually leaves little time to prepare for anything outside the purpose of the business trip, but a lack of preparation could have devastating consequences. As law-abiding private citizens, it may feel unnatural to consider themselves targets of surveillance or espionage, but business executives of this caliber are closely watched by a host of potential adversaries.
These adversaries include industry competitors, sophisticated hacking groups, and even far-ranging espionage wings of national governments -- each of these groups is hot after the IP of global businesses and have executives in their crosshairs, which is why it’s never been more critical that executives traveling abroad lean on counterintelligence and situational awareness.
Executive security teams need to know the criminal and geopolitical environment of the area in which they're traveling so they can identify all possible threats, whether overt or more inconspicuous and provide a thorough briefing to the executive. Traveling executives have been the target of kidnapping plots in certain parts of the world, and after the arrest of Huawei CFO in Canada, several foreign individuals arrested in China as retaliation. This context may be the difference between a safe, successful trip abroad and being hacked or fooled into giving up sensitive information that could materially harm the company.
Economic espionage is a rampant threat to executives even when they’re at home. It can take the form of state-sponsored actors attempting to bolster a country’s economic position or its state-owned enterprises. Consider when PricewaterhouseCoopers (PWC) reported in 2017 that the China-based APT, known as KeyBoy, was shifting its focus to target Western organizations, most likely for corporate espionage purposes.
But domestic competitors can also perform economic espionage. Seattle-based Zillow Group recently filed two lawsuits against real estate rival Compass, alleging that it stole Zillow’s IP.
2. Know your team.
Global espionage and insider threats to business are nothing new on their own, but the fact that they are now overlapped represents a burgeoning threat to companies and their executives. Professional spies, usually employed by a nation's embassy, are plentiful near world capitals. But more covert operations happen in places of business, with undercover agents posing as private citizens to infiltrate an organization’s IP and trade secrets. These spies become trusted employees, but maintain primary allegiance to a foreign government.
Not all insider threats are related to economic or state-sponsored espionage. Sometimes disgruntled employees have a personal vendetta and simply want to inflict as much damage as possible to a business or its executives. According to the Information Security Forum, these insiders, who may have access to sensitive information about an executive, are responsible for 54 percent of data breaches.
Employees themselves could also be targets of competitors practicing economic espionage. In the previously mentioned Compass lawsuit, Zillow alleges the company poached employees who went on to divulge business and technology secrets, violating their non-compete agreements.
3. Know the internet.
With executives now being one of the primary cyber attack vectors for businesses, internet-scale visibility is crucial for protecting companies and the people they consist of. Doxxing (publicly posting someone's sensitive information) is now a primary weapon for spies, extortionists, and all manners of online criminals to target business executives and other high-profile personas.
In 2013, Romanian hacker Marcel Lazar Lehel, more notoriously known as “Guccifer”, leaked snippets of information on the personal lives of several high profile individuals, including Colin Powell, with the intent of cyberstalking him to the point of causing emotional distress.
In the private sector, this famously happened to Sony executives. The FBI believes the hackers were working for North Korea and breached the company's networks, stole data which included unreleased movies, financial information, company plans, and personal emails, and published it for the public. The reputational hit was tremendous -- investigation and remediation expenses related to the cyber attack cost it $41 million, according to the AP.
4. Know who you are (and who you aren’t).
Spearphishing attacks are now a preferred method for cyberattackers to infiltrate a business. These actors will pose as an executive or other high-ranking employees, performing months of surveillance to learn their language, habits, and schedules so that their emails are realistic and gain the trust of their targets. These emails, which are often sent when the executive is traveling so that they cannot be verified quickly, try to convince employees to transfer money or provide sensitive information.
For example, the Crelan Bank in Belgium lost $75 million in a business email compromise (BEC) scheme. The hackers who compromised the CEO’s email account managed to impersonate him by creating a convincingly similar email and ordering payment be made to a bank account owned by the criminals.
Cyber attackers will also impersonate high-profile executives on social media, which can confuse customers and tarnish the reputation of the executive and the company they work for. In its 2017 Global Risk Management survey of 1,843 organizations around the world, Aon found that the top-rated risk was damage to their reputations or brands.
5. Make sure your physical and cyber security teams know each other.
Physical security teams are rarely technical enough to detect a cyber threat, and cybersecurity teams usually don’t understand how a cyberthreat can manifest itself into a physical situation if not properly handled. While many companies have both teams in some form, they each have different terminology and tactics. It is critical to introduce physical and digital security teams, establish a standardized language and process to communicate and collaborate effectively, especially in a crisis. The higher the degree of cooperation, the fewer the threats that come to fruition.
Knowing is half the battle, but knowing what to do is the other half. Now that the lines between cyber attacks and physical attacks are blurrier than ever, security teams need to work together to detect risks online and develop clear plans of action to address them in the real world if need be.