Traditional executive protection focuses on mitigating threats to an executive in the real world—blackmail, kidnapping, assault, and so on. Increasingly, however, executives are being targeted not physically but digitally.
They’re not usually targeted for their personal assets, but rather for the massive swaths of sensitive corporate information to which they have access—including confidential emails, customer databases, pending deals, and material inside information that can be exploited for competitive or financial gain.
And the Internet makes this much easier. After all, why go to the trouble of staging an elaborate in-person ploy when you can get what you want with a phishing email?
As more and more of our business and personal lives go online, we’ve seen explosive growth in the frequency of hackers targeting executives using their personal information. In fact, research conducted by Wombat Security has shown that one in three Fortune 500 CEOs have fallen for spear phishing attacks.
As such, the lines between infosec, executive protection and personal privacy are blurring. That means the tactics you need to protect your executives are changing too. Digital privacy precautions have become a key component of any successful executive protection program.
Digital Executive Targeting: a growing industry
The FBI publishes statistics on cybercrime against businesses, including attacks that focus on executives. The trend is alarming, with a 270 percent increase in identified victims since 2015 and losses of over $2.3 billion since 2013. Research conducted by the Ponemon Institute indicates that nearly half of all businesses have experienced some kind of malicious data breach.
The two main tactics used to target executives and conduct these crimes are phishing and impersonation, which we’ll explain below.
In spear phishing scams, the attacker conducts online research about the executive and uses this data to craft a tailor-made email and/or telephone campaign for that one person. When successful, the scam gives the attacker a foothold in the company's computer systems, usually through stolen credentials or malware, allowing him or her to embezzle funds, steal information, or conduct blackmail.
Security consultant Chris Hadnagy describes just how easy it is to gain access in this way. In a proof-of-concept attack commissioned by one of his clients, he was able to quickly gain access to the client’s computer system using publicly available information online. He collected the following details about the CEO:
- His wife had survived cancer
- He was involved in cancer research fundraising
- His favorite sports team
- His favorite restaurant
Hadnagy then called the CEO, pretending to be a fundraiser and asking for support for a fake cancer drive, with prizes that included a free meal at the favorite restaurant and tickets to see the favorite sports team. The CEO was enthusiastic to get involved. Hadnagy asked him to look for an email with fundraising details in a PDF. Once the CEO opened the PDF, his computer was infected with malware that gave Hadnagy remote control.
The most pernicious aspect of a phishing attack is that it only takes one successful attempt. Hackers can try and try with as many approaches as they can think of until one of them works. And when it does work, the results can be catastrophic.
One of the largest phishing-related scams in history is the Carbanak campaign, which targeted (and is still targeting) financial institutions in multiple countries. Losses to date have totaled over $100 million, mostly extracted without notice using a "low and slow" technique over several years.
At the extreme opposite end of the spectrum is a ransomware attack, where a hacker encrypts a company's data and demands a ransom for the key. San Francisco's transit system was recently hacked in this way, with the attacker threatening to delete all information if a ransom of 100 bitcoins was not paid on short notice.
Another increasingly common executive targeting technique is impersonation. In this scenario, the attacker impersonates the CEO or another high-ranking executive and then tricks a second executive or an employee with payment authority into wiring funds or disclosing information that he or she normally wouldn't. The FBI estimates that these types of scams cost businesses in excess of $200 million annually.
Two high-profile examples of how costly these attacks can be: In 2014, Omaha-based commodities firm The Scoular Company lost $17.2 million to this approach. In 2015, San Jose-based Ubiquiti lost $46.7 million. Furthermore, in Ubiquiti’s case, the company reported that there was no evidence that its computer systems had been compromised—the attack was carried out purely by preying on human error.
In the case of the Scoular attack, hackers emailed the company controller from an outside address, claiming to be the CEO. The attackers knew the company was considering a Chinese acquisition. They also knew that Scoular uses accounting firm KPMG.
In their email to the controller, they asked him to wire funds for a Chinese acquisition via the accounting firm, and to refrain from discussing the transaction through other channels due to SEC regulations. The contact at KPMG was a real employee, but the email address and phone number were fake, set up by the hackers. When the controller called the number, however, someone answered with the correct name and was familiar with the transaction. The controller wired the funds as instructed, and only later was the fraud uncovered. The attackers were never caught, nor were the funds recovered.
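The Scoular email shows the signals a mail gateway or SOC can check for before a controller ever picks up the phone: an executive's display name on an address that is not the executive's, a sender domain that imitates the company's, a Reply-To that steers answers elsewhere, and secrecy or urgency language around a payment. The script below is an added example written for this article; it is not code from the article or from any organization named in it. The company domain `example.com`, the one-person executive roster, the substitution table and the two sample messages are constructed for illustration.

```python
"""Flag inbound mail that carries the hallmarks of executive impersonation.

Added example for this article; it is not code from the article or from any
organization named in it. The company domain, the executive roster and the two
sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # hypothetical
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # hypothetical roster: display name -> real address

# Phrases typical of wire-fraud requests (the Scoular e-mail asked the controller
# to wire funds and not to discuss the deal through other channels).
PRESSURE_PHRASES = ("wire", "do not discuss", "confidential", "urgent", "sec regulations")

# Character swaps commonly used in look-alike domains, undone before comparing.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("-", ""))


def domain_of(address):
    return address.rpartition("@")[2].lower()


def normalize_domain(domain):
    d = domain.lower()
    for lookalike, real in SUBSTITUTIONS:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=COMPANY_DOMAIN):
    """True for a domain that imitates `legit` (swapped characters or one typo) without being it."""
    if domain == legit:
        return False
    return normalize_domain(domain) == normalize_domain(legit) or edit_distance(domain, legit) <= 1


def impersonation_signals(raw_message):
    """Return the reasons a message looks like executive impersonation (empty list = none found)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    signals = []

    # 1. An executive's display name on an address that is not that executive's.
    known = EXECUTIVES.get(re.sub(r"\s+", " ", name).strip().lower())
    if known and addr.lower() != known:
        signals.append(f"display name '{name}' used with unexpected address {addr}")

    # 2. Sender domain imitates the company domain.
    if is_lookalike(from_domain):
        signals.append(f"sender domain {from_domain} imitates {COMPANY_DOMAIN}")

    # 3. Replies are steered to a different domain than the one that sent the mail.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        signals.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 4. Secrecy or urgency language around a payment (plain-text bodies only in this example).
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = [p for p in PRESSURE_PHRASES if p in body.lower()]
    if len(hits) >= 2:
        signals.append("secrecy/urgency language: " + ", ".join(hits))
    return signals


# Constructed sample messages modelled on the Scoular case.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-relay.example.net
To: controller@example.com
Subject: Acquisition payment

Please wire the funds for the acquisition via our accounting firm today.
Do not discuss this through other channels due to SEC regulations.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, impersonation_signals(raw))
```

Run stand-alone, the suspicious message trips all four checks and the legitimate one trips none. None of these signals proves fraud on its own, which is why the function returns the list of reasons rather than a verdict: a gateway can quarantine on two or more, while a single hit can simply be surfaced to the recipient with a banner telling them to confirm by phone using a number they already have, not one in the email.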
Sources of Executive Privacy Threats
It’s relatively easy to find personal information about most people online—especially so for prominent individuals like business executives. Attackers use a number of free or low-cost tools to research their marks and plan a scam, including:
People-search sites: There are dozens of data collection companies online that scrape information about individuals from publicly available sources and compile it into comprehensive records. Some of this information comes from social media, other items from government records or marketing databases. On its own, each piece of data is relatively worthless, but compiled together they provide insights useful to attackers.
Marketing databases: When you surf the web, advertising companies use tracking cookies to serve up ads that they think best meet your tastes. In the process, they develop very comprehensive profiles of individual consumers. Hackers with access to these profiles can use them to customize their phishing attacks.
Government/corporate records: A large amount of personally identifiable information is available through public records maintained by the government. There is usually a public interest in having these materials accessible piecemeal. Combined, however, they create a useful profile for hackers, especially when it comes to tracking down property holdings or political contributions.
Extracurricular organizations: Chances are your executives are involved in some type of community-focused work, whether a charity or a professional organization of some sort. The websites for these organizations often provide information that is useful for targeting an executive’s interests, as shown above in the Hadnagy example.
Social media: Unsecured social media accounts can offer insights into the personal life of an executive. Especially useful are details about an executive’s family, which can give the attacker an aura of authenticity and trustworthiness.
Personal devices: Increasingly, people use their personal smartphones and computers for work activities. These devices are not usually as secure as company-maintained devices and may already carry viruses or other malware that make them easy to hack.
Key Principles of Executive Privacy Protection
As in any element of executive protection, thorough preparation is the most important activity in securing your executive’s online privacy.
It’s also important to note that digital privacy protection is not about absolute obliteration of all data—a nigh impossible task. Rather, it’s about making your executive an unappealing target by suppressing the vast majority of personally identifiable materials. Online scammers are constantly vetting large numbers of prospective marks. If the amount of content out there is too thin, an attack on your executive will look like too much effort and they’ll aim for someone else.
With that in mind, here are a few steps you should incorporate into your executive protection routine.
Opt out of people-search sites
The vast majority of online people-search sites have an opt-out process that allows you to remove personal information from their databases. They often make the process complicated and opaque, but you should definitely conduct as many opt-outs as you can. A couple of key details to keep in mind:
Search for name variations: These sites often create separate records for all variations on a name. For example, you would need to opt out for both “John Smith” and “J. Smith”.
Monitor monthly: People-search sites automatically create new records whenever they ingest fresh data that varies even slightly from what you had removed. Therefore, you need to audit your removals monthly and resubmit removal requests as necessary.
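The two details above make the monthly audit a matching problem: a hit filed under "J. Smith" or "Smith, John Q." must be recognized as the same executive, and a record that was removed last month but is back again must be flagged for resubmission rather than ignored. The script below is an added example written for this article, not code from the article or from any vendor it names; the executive's name, the site names and every record are constructed. It assumes hits are logged as (site, name, city) tuples, which is how an analyst or a scraper would typically record them.

```python
"""Triage this month's people-search hits for an executive against last month's removals.

Added example for this article, not code from the article or from any vendor it
names. The executive's name, the site names and all records are constructed.
"""
import re


def name_tokens(name):
    """'Smith, John Q.' -> ['john', 'q', 'smith']: lower-case, drop punctuation, put 'Last, First' in order."""
    name = name.strip().lower()
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return [t for t in re.split(r"[\s.]+", name) if t]


def matches_name(record_name, first, last, middle="", nicknames=()):
    """True if record_name may refer to the executive despite initials, nicknames or 'Last, First' order.

    The surname must match exactly; the given name may be the full name, a
    listed nickname or just the initial; a middle token, if present, must match
    the middle name or its initial when a middle name is known.
    """
    toks = name_tokens(record_name)
    if len(toks) < 2 or toks[-1] != last.lower():
        return False
    accepted_first = {first.lower(), first[0].lower(), *(n.lower() for n in nicknames)}
    if toks[0] not in accepted_first:
        return False
    if len(toks) == 2:
        return True
    if len(toks) == 3:
        return not middle or toks[1] in {middle.lower(), middle[0].lower()}
    return False


def record_key(record):
    """Identity of a (site, name, city) record with case, punctuation and name order normalised."""
    site, name, city = record
    return (site.lower(), " ".join(name_tokens(name)), city.lower())


def triage(current_hits, removed_before, first, last, middle="", nicknames=()):
    """Split this month's hits into records to (re)submit and records about someone else.

    'reappeared' records were removed in an earlier cycle and are back, so the
    opt-out must be resubmitted; 'new' records need a first request; 'unrelated'
    records do not match the executive's name and need no action.
    """
    removed = {record_key(r) for r in removed_before}
    result = {"reappeared": [], "new": [], "unrelated": []}
    for rec in current_hits:
        if not matches_name(rec[1], first, last, middle, nicknames):
            result["unrelated"].append(rec)
        elif record_key(rec) in removed:
            result["reappeared"].append(rec)
        else:
            result["new"].append(rec)
    return result


# Constructed data: last month's successful removals and this month's search results.
REMOVED_LAST_MONTH = [("peoplefinder.example", "John Smith", "Omaha, NE")]
THIS_MONTH = [
    ("peoplefinder.example", "John Smith", "Omaha, NE"),      # removed, now back
    ("peoplefinder.example", "J. Smith", "Omaha, NE"),        # initial-only variant, new
    ("datalookup.example", "Smith, John Q.", "Omaha, NE"),    # surname-first with middle initial, new
    ("datalookup.example", "John R. Smith", "Omaha, NE"),     # wrong middle initial
    ("datalookup.example", "Jack Smythe", "Omaha, NE"),       # different surname
]

if __name__ == "__main__":
    buckets = triage(THIS_MONTH, REMOVED_LAST_MONTH, "John", "Smith", middle="Quincy", nicknames=("Jack",))
    for bucket, recs in buckets.items():
        print(bucket, recs)
```

Run as-is, the "John Smith" record lands in `reappeared`, the "J. Smith" and "Smith, John Q." records in `new`, and the two mismatches in `unrelated`. Keep the removals log from every cycle; the `reappeared` bucket is also your evidence when a site claims an opt-out was honored.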
There’s no denying that this is a lot of work. That’s why ReputationDefender offers ExecutivePrivacy, a service that can automate this entire process for you so you can focus on other digital privacy tasks. Our research team maintains a list of opt-out procedures for the most common people search sites, data brokers and other online sources of personally identifiable information, updating it as new players come and go. Currently, we track dozens of these sites, issue opt-outs for our clients, and monitor monthly to remove any new records that may appear.
Research data sources
You should conduct regular Web searches for other sources of personally identifiable information, then take action according to the type of site:
Sites you control: Make sure the company website, the executive’s personal site, and other company assets like a LinkedIn or Medium blog do not give away too much critical information about your executive. Information about interests, future plans, or extracurricular ventures can all be used in an attack. Of course, you’ll get pushback if you try to scrub everything—these items have value for marketing purposes and other company activities. But you should work with other stakeholders to find a balance between disclosure and protection.
Accessible third-party sites: If the executive is a member of any nonprofit organizations or industry groups, ask them to remove or minimize the presence of his or her personal information on their websites.
Social media: Audit the social media presence of the executive and his/her family across all major networks (Twitter, Facebook, LinkedIn, Pinterest, etcetera). If you find any unsecured profiles, get them locked down so that personal information is not available to outsiders.
Sites you can’t change: News media, government organizations, and other third parties may not be receptive to requests to have information about your executive removed from their sites. In these cases, your best bet is education. Compile a list of threats based on the information available on these sites and discuss it in your briefings with the executive and other security staff.
Lock down devices
One of the core tenets of information security is the principle of least privilege (often called least access), and this idea has major implications for digital privacy protection. Often, executives have extended access to corporate systems because their work touches on so many aspects of the company. They may also be resistant to security efforts like two-factor authentication that slow them down. However, the less access an executive has to the company's systems, the less damage a compromise of that executive's accounts or devices can do.
You can make an argument for reduced access by explaining that it will allow the executive to be more nimble: spending less time worrying about security protocols and more time managing the business. Of course, such an approach will need to be paired with support resources so the executive can actually access information that is needed.
There is no one-size-fits-all answer to device security, but part of your executive protection duties will be to work with the IT department to find workable and effective security protocols. Done well, this will streamline the executive’s workflow and enhance corporate and personal security—it can become a perk instead of a nuisance.
Evolving Strategies for Evolving Technologies
As shown above, today’s executive protection playbook includes a digital privacy element that was virtually nonexistent even 10 years ago. Ongoing research into new and emerging digital threats is now an essential part of effective executive security.
Given today’s digital landscape, the first step in protecting the digital privacy of your executive is to make it as hard as possible to find out information that would be useful in spear phishing or impersonation attacks. The next step is to minimize the impact of any data breaches should they occur, via effective information access protocols.
Over time, however, you should expect these tactics to evolve as hackers find new and ingenious ways to exploit the digital vulnerabilities of alluring targets like corporate executives. The world of cybersecurity is a permanent game of cat and mouse, and constant vigilance is necessary to stay ahead of the curve.