CEOs, other top executives and their families are increasingly the target of violent physical attacks as ideological extremism is on the rise. They’re also a prime target for cyber attacks by criminals seeking huge paydays from deep-pocketed corporations. Not surprisingly, the field of executive security – both in the physical and cyber world – is growing dramatically.
However, many organizations seem to focus on protecting the C-suite as if it exists independent of the rest of the organization. This approach delivers a false sense of security. In reality, no matter how much cost and effort are invested in protecting executives and their families from attack, it will ultimately be a waste because threat actors can still easily achieve their damaging (if not deadly) goals by exploiting privacy deficits among the rank and file workforce.
A culture of successful privacy management begins at the top of an organization. The most effective C-level executives are those who lead by example and, by their own actions and demonstrable priorities, model behaviors the rank-and-file worker is compelled to follow. When best practices flow down from the top floors, they yield positive results in nearly every facet of a business operation. But only if they are allowed to do so.
When it comes to privacy and security, the CEO and the entry-level worker in every department of the organization must pay attention in equal measure. Unfortunately, many organizations make the mistake of only applying protective privacy measures to what they consider to be the “high value” targets of attacks by malicious actors.
This paper illustrates the dangers of this misguided approach to privacy management. The fact is an organization’s top executives – regardless of how much security may be deployed around the C-suite – are not protected at all if the entry-level workforce is unsecured. One employee’s digital footprint can be sufficient to put the entire organization at risk. And that’s just unacceptable given the stakes.
Validating the Rising Threats Against Executive Security
It is important to understand that threats explicitly facing executives (separate from the rest of the workforce) are real and on the rise. Before delving into why organizations should avoid focusing on executive privacy management to the exclusion of what may be perceived as “lower value” targets, the following facts help illustrate the rising threat to leadership.
Here are some sobering facts from credible sources:
- Gartner predicts that the financial impact of cyber-physical system attacks resulting in fatalities will grow, and that liability for such incidents will pierce the corporate veil to personal liability for 75% of CEOs by 2024.
- 58% of US company CEOs received physical threats after taking a position on controversial issues such as race, politics, gender issues, etc.
- 35% of polled US executives reported growing concern about physical threats from extremist movements.
KnowBe4, a leading security awareness and training firm, shares data revealing:
- 50% of all C-level executives have been the victim of phishing attacks.
- 82% of IT security pros say they’re concerned their top executives are vulnerable to phishing schemes.
- 45% of companies polled provide some cyber security training to all employees including executives.
- 20% do no training and rely only on existing cyber security practices – dealing with attacks only after they occur.
Influential Executive magazine reveals the increasing exposure of executives’ personally identifiable information through social media channels where execs are more frequently interacting with markets. Based on polling of CEOs from the 2022 Fortune 500 list, it was revealed that the number of CEOs who have a social media presence has increased significantly over the past two years. Specifically:
- 70% of Fortune 500 CEOs have a profile on at least one social media platform (up from 62% in the 2020 study).
- 97% of the polled F500 CEOs had an active LinkedIn profile.
- 133% increase in CEOs on Instagram.
- 15% increase in CEOs on Twitter.
The personally identifiable information (PII) shared by executives heightens their risk profile. Some executives only post on their social equities about activities related to work. Business travel schedules and meetings with colleagues, public appearances at industry events, corporate events, etc. are content commonly published to business-related social networks like LinkedIn. Marketing communications designed to put a human face on a large organization and its leadership are commonly disseminated on sites like Twitter, Facebook and Instagram. The publication of this information can contain valuable markers for threat actors to leverage as they plan and execute attacks.
Some executives maintain separate social media profiles for their private lives to share personal content with friends, family, etc. It is not difficult for a threat actor to locate the personal pages of their executive target(s) and glean useful information from these sources as well.
Paired with other detailed information on executives found in external data sources like Data Broker sites and People Search Sites, the social media information rounds out the trifecta of external data privacy vulnerabilities.
Additional disquieting information was published this year by The Center for Protective Intelligence (CPI) at executive security company Ontic. A 14-page report titled “Analysis into the Protection of Corporate Business Leaders” compiled physical and cyber attacks and incidents targeting corporate business leaders worldwide from January 1, 2003 through July 15, 2021. The physical attacks included kidnappings, violent and non-violent protests, armed robberies, home invasions, shootings, and arson. Cyber incidents included CEO impersonation, business email compromise, cyber stalking, death threats, social media account and phone hacks, and online terrorist propaganda.
In the 206 incidents captured in the CPI research, eighty-six percent of the attacks were physical and eighty-five percent of the targeted executives were male. Sixty-nine percent were CEOs, and forty percent of the executives attacked were injured or killed.
The CPI report noted the top three industries targeted were technology, financial and entertainment. However, energy, retail, healthcare, manufacturing and half a dozen other industries were also targeted for executive attacks highlighting the fact that threats against executives are broad and common. The report contains a great deal of other data and insight such as motives, incident types, outcomes and other salient points proving the need for strategies to protect leadership from what is a growing threat.
The key takeaway from all the above evidence is that executive security is more relevant now than ever. Getting it right is critically important and can literally save lives. Each of the sources of the data referenced offers a critical component of what should be a holistic strategy to protect organizations and their leadership. Yet none of them provides a truly proactive solution.
Privacy Bee focuses on external data privacy management which is indispensable when it comes to reducing attack vectors negatively impacting security and business continuity. This strategy is the only one that adopts a pre-emptive posture by removing the PII and other personal data threat actors use to perpetrate the most contemporary kinds of attacks. However, the key to the demonstrable success of this strategy is its application to all relevant employees within an organization. Because, even if the executives’ external data privacy is protected, threat actors routinely exploit other employees within an organization to gain access to executives – physically as well as financially.
The Dangers of a Narrow Scope When Addressing Executive Security
Threat actors are cunning. They realize that security is bound to be tighter around their primary targets. This is why they’re growing more adept at exploiting weaknesses surrounding other employees of the enterprise. As a result, we’re seeing an explosion of social engineering strategies wherein threat actors find ways of gaining access to the organization through vulnerabilities way farther down the chain of command.
In one ironic recent example reported by Information Age, attackers compromised the security systems of a cyber security firm by intercepting the onboarding email sent to the personal address of a newly hired, low-level employee. Within minutes, the threat actors were able to access the company’s SharePoint and contract management systems, as well as financial, marketing and procurement systems. The extent to which the executives of this company were protected by executive security solutions was irrelevant. The hackers still gained access to systems generally only accessible by upper-level management.
In 2023, threat actors are using techniques like Phishing and Spear Phishing, Whaling, Smishing, Pretexting, Business Email Compromise attacks, Tailgating and others to get to executives – physically and electronically. Each of these attack types is made possible by the availability of data on employees that exists external to organizational information systems. Here’s how these attacks can succeed in exposing an executive to physical harm even if they don’t focus directly upon the executive at their inception.
Phishing and Spear Phishing
Phishing scams are perpetrated by sending what seem to be legitimate messages to employees purporting to require urgent action. They typically require a recipient to click a link, download an attachment or enter credentials on a spoofed website. Commonly deployed in a broad attack on indiscriminate targets within a given organization, these attacks are frequently successful at allowing unauthorized access to internal systems. Once inside, the threat actor can potentially access information pertaining to the whereabouts or upcoming activities of the executive target or even their home addresses.
For more details on Social Engineering threats, read Privacy Bee’s article, “The Executive’s Guide to Social Engineering and Spear Phishing”.
Spear Phishing
Unlike broad-based phishing scams, Spear Phishing attacks are typically directed at a specific individual within an organization. Unsecured external data on rank-and-file employees can be analyzed to determine – for example – the administrative assistant to the Chief Executive or other key subordinates close to the executive target. In these instances, a threat actor need not necessarily gain access to the executive to gain visibility into sensitive information surrounding public appearances, or financial systems/controls under the executive’s purview.
For more detailed examples of Phishing and Spear Phishing, read the Privacy Bee article, “Spear Phishing Attacks: Types, Elements and Detection”.
Whaling
Cyber criminals use whaling attacks specifically to hunt the metaphorical “whale,” or top executive. This involves sending spoof emails to C-level execs that appear to originate from within their own organization. In one example, the sender claims to be a bashful whistleblower with confidential information about a co-worker. The sender expresses hesitance to report the situation in person. Instead, they attach their “evidence” – often a picture, spreadsheet or PDF – to the whaling email. When an executive, rightly concerned about the apparent complaint or potential crime, opens the attachment, malware can be injected into their system and their safety is compromised.
Smishing and Vishing
Done via text message or voicemail, these scams involve sending bogus texts or voice messages to receptionists, customer service reps, HR departments and other internal employees. The messages may claim to be mortgage companies “verifying” email addresses or executive assistants requesting password updates on their bosses’ behalf. The criminals are very creative at developing plausible and seemingly insignificant requests sent through SMS or voicemail channels. Their approaches are informed by detailed personal information gathered from unsecured external data sources.
For more details on prime sources of unsecured external data, read the white paper, “Exposing the Threat to Data Privacy Posed by Data Brokers and People Search Sites”.
Business Email Compromise (BEC) Attacks
In 2021, more than $2.4 billion was lost by American companies via BEC attacks. The FBI received nearly 20,000 complaints of business email compromise that year alone. BEC attacks can be committed using impersonation, when scammers pose as employees, trusted vendors or clients seeking payment, banking information changes/updates, or other sensitive information. BEC is also perpetrated via account compromise, where hackers gain access to a legitimate employee email account and send messages to the entire organization containing malware or other malicious code. There is also “thread hijacking,” wherein scammers look into compromised email boxes for messages containing “Re:” and then reply-all with a malware payload. Recipients of these messages are almost always caught unaware because they recognize the sender in an ongoing thread.
For more details on BEC, read the Privacy Bee article, “Business Email Compromise: Anatomy, Types and Impact”.
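The impersonation and fabricated-reply variants described above leave traces in mail headers that a mail gateway or SOC triage script can check before a message reaches an executive or their assistant. The following is an added example written for this page, not Privacy Bee’s code or any product feature; the corporate domain, the executive list and the sample messages are all constructed for illustration. It flags three signals: a sender display name matching an executive but coming from an outside address, a sender domain that is a one- or two-character lookalike of the corporate domain, and a "Re:" subject with no threading headers (a reply that was never part of a thread). Thread hijacking from a genuinely compromised mailbox will not trip these checks, since the headers are legitimate; that case needs attachment and behavioral controls instead.

```python
from email.utils import parseaddr

# Constructed values for the example; substitute your own directory data.
CORP_DOMAIN = "example.com"
EXECUTIVES = {  # normalized display name -> legitimate internal address
    "jane doe": "jane.doe@example.com",
    "bob smith": "bob.smith@example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(headers: dict) -> list:
    """Return a list of BEC indicators found in one message's headers."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name impersonation: known executive name, wrong address.
    known = EXECUTIVES.get(" ".join(from_name.lower().split()))
    if known and from_addr.lower() != known:
        findings.append(f"display-name impersonation of '{from_name}' from {from_addr}")

    # 2. Lookalike sender domain within two edits of the corporate domain.
    if from_domain and from_domain != CORP_DOMAIN \
            and edit_distance(from_domain, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_domain}")

    # 3. Reply-To routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 4. "Re:" subject on a message that was never part of a thread.
    subject = headers.get("Subject", "").strip().lower()
    if subject.startswith("re:") and not headers.get("In-Reply-To") \
            and not headers.get("References"):
        findings.append("'Re:' subject without In-Reply-To/References (fabricated reply)")
    return findings


# Constructed sample messages (header dicts), not real traffic.
MSG_LEGIT = {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Q3 numbers"}
MSG_IMPERSONATION = {"From": "Jane Doe <jane.doe.ceo@webmail.test>",
                     "Subject": "Urgent wire today"}
MSG_LOOKALIKE = {"From": "Accounts Payable <ap@examp1e.com>",
                 "Subject": "Re: invoice 4471"}
MSG_REPLYTO = {"From": "Bob Smith <bob.smith@example.com>",
               "Reply-To": "bob.smith@mail-relay.test",
               "Subject": "Re: travel schedule", "In-Reply-To": "<abc@example.com>"}


def triage(messages: list) -> list:
    """Return only the messages with at least one indicator, with their findings."""
    return [(m["Subject"], analyze_headers(m)) for m in messages if analyze_headers(m)]


if __name__ == "__main__":
    for subject, hits in triage([MSG_LEGIT, MSG_IMPERSONATION, MSG_LOOKALIKE, MSG_REPLYTO]):
        print(subject, "->", hits)
```

The thresholds (two edits, exact executive-name match) are deliberately simple; in production the executive list would come from the directory, the lookalike check would also cover registered sibling domains, and the findings would feed a quarantine or banner rule rather than a print statement.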
The examples are manifold and the evidence is clear: threat actors need not attack executives directly in order to find their mark. Focusing solely on executive security to the exclusion of the rest of the organization – as well as associated vendor organizations and other third-party connections – leaves the executive as vulnerable as having no security in place at all.
Cost Effective Methods for Reducing All Employees’ and Vendors’ Digital Footprints
Once an organization accepts and internalizes that all executive security – physical security and cyber security – flows from external data security, it becomes apparent that external data privacy must be managed tightly for all employees with any functional or personal connection to executive leadership. Privacy Bee offers a revolutionary platform to do just that.
Applying the Privacy Bee solution to the entire rank-and-file workforce is not cost prohibitive and provides an attractive fringe benefit to offer in talent acquisition. However, an organization needs only to attain licenses for employees with information systems access and/or corporate domain email accounts. Roles like hospitality and building maintenance for example often don’t represent a way in for threat actors. Organizations should also extend Privacy Bee for Business protection to cover any third-party vendor organizations, external contractors or anyone else who has information systems access to their IT systems.
Although the mandate for robust external data privacy management practices comes from the executive level, the leadership of all internal departments and all facets of the business organization must collaborate toward the same objective. External data privacy management does not succeed when organizations treat security as a surgical endeavor, applying efforts only to key segments of the operation. It succeeds when they understand that physical and cyber security form an ecosystem encompassed by external data privacy, and embrace the holistic approach.
[Graphic: three concentric circles – physical security (innermost, lightest blue), cyber security (middle, darker blue) and External Data Privacy (outermost, darkest blue).]
This graphical representation illustrates the totality of what must be accomplished to achieve strong functional security for any business or organization and by extension, strong executive security. Most executive security strategies available today include hardened physical security protocols. This is the innermost, lightest blue circle in the graphic. Password protection on workstations and business machines, governance policies restricting the use of portable and external media/hardware, physical plant security like key card access to office locations, surveillance cameras and other such policies are widely used.
Beyond the physical security measures, most companies also typically employ strategies for protecting cyber security in the cloud and online. This is represented by the darker blue, middle circle in the graphic. Common cyber security best practices include hardening endpoint security, data encryption, password protocols, vendor risk management (VRM), identity and access management (IAM), firewalls, spam filters, antivirus scans and employee cyber security trainings.
Where contemporary practices begin to fail is in the outermost, darkest blue circle in this graphic. This is the area Privacy Bee refers to as “External Data Privacy” or EDP. Physical security and cyber security measures are, by definition, inwardly focused. That is, these strategies are designed to keep prying eyes from accessing data that is behind the walls of the fortress. Yet, the vast majority of today’s data breaches aren’t the result of bad actors successfully penetrating these defenses via brute force attacks. Rather, social engineering has become the primary attack vector resulting in data breaches and the catastrophic consequences that typically follow. And these attacks are planned and enabled using the extraordinary volume of unsecured personal data about every worker in every organization, available for sale – and in many cases, even for free – on the internet.
The Privacy Bee for Business platform provides the following powerful features 100% free of charge.
- External Data Privacy Audit (EDPA), which analyzes and aggregates hundreds of available data points on your company to build an analytical summary of the privacy risks and opportunities within your organization. This free audit is great for deriving accurate financial impact analyses useful in developing a data-driven business case for external data privacy management.
- Employee Risk Management, delivering real-time monitoring of employee privacy risks including robust analytics, flagging of high-risk employees, departmental insights and other capabilities.
- Privacy Risk Assessments (PRA), which can be completed by the entire workforce for free, helping evaluate existing privacy practices and exposing data privacy risks. Completing the PRA annually also builds trust with clients and vendors – many of which are increasingly requesting proof of risk mitigation strategies as a condition of doing business.
These free audits and assessments are imperative to identifying risks and vulnerabilities. Once identified, Privacy Bee for Business can handle the removal and cleansing of exposed external data for every employee with a license, at a cost that is a tiny fraction of the costs associated with data breaches, ransomware, reputational damage, and most importantly loss of life or health at the hands of threat actors.
The rest of the suite of privacy features included on the platform – Vendor and Cookie Consent, Vendor Risk Management, Privacy Trust Badging, Consent Core and Privacy Bee University – burnish the organization’s bona fides with respect to privacy policy and risk mitigation. They demonstrate to the market, prospective customers, business partners, regulatory bodies and investors that the organization takes privacy and security seriously not only for its executive team but for the entire enterprise and all who associate with it.
Beyond executive protection, other important benefits of robust external data privacy management include:
- Employee safety
- Protection from doxing and identity theft
- Steep reduction in HR poaching
- Endpoint privacy
- Boosted productivity – fewer spam and telemarketing nuisances
- Digital hygiene and wellness
- Training and data privacy awareness for all employees
Why pay for narrowly focused and less effective executive security services when you can protect the entire enterprise, all its workers and third-party partners with a platform that provides far more expansive and effective risk mitigation for less?