Modernizing your Approach to Executive Digital Risk Management

The use of technology to network with people, spread messages, and share your life is now ubiquitous across all levels of society—including corporate executives.

However, this prolific expansion of sharing personal data and its near permanent presence across social media and the Internet creates unique vulnerabilities not often immediately discernible by the executive or those who maintain the c-suite’s professional or personal social media accounts. This is a problem concerning everyone from those involved in reputation management to security professionals in charge of executive protection.

How then to craft a digital strategy that gets the message out while also ensuring the principal remains safe?

Know What’s Out There

Executives are often surprised to learn how much information about them is available to the public and what pattern of life trends can be gleaned by even a surface-level review.

In today’s digital landscape, accessing basic data and personally identifiable information (PII) on an individual requires little more than a quick search on Google, Facebook, and LinkedIn. An outsider, for example, could search on social media accounts to find photos of an executive that identify his or her family and close network.

Additionally, these images may provide information about where an individual is located or areas he or she frequents. If these photos are geotagged, they’ll further refine exactly where the person is—or is likely to be.

Photos on personal social media sites are not the only source of information exposure. Real estate records on websites like Zillow, Realtor.com, or Trulia store property ownership and sale history, providing a public resource that potentially adverse actors can identify a person by name and their physical residence. For well-known CEOs in charge of sensitive or controversial industries—like energy or food production—the leak of a residential address could open the door to protest activity that quickly morphs into tangible security concerns.

Meanwhile data aggregation sites such as ZoomInfo and RocketReach, among others, specialize in accumulating data sets beyond just a physical address, some of which are designed for third-party purchase. Often, these sites publicize information like phone numbers and email addresses. These can serve as quick resources for a malicious actor to build out a personal dossier on a subject of interest. With basic contact or PII for their target, malicious actors can carry out a range of reputational or physical attacks with a direct impact on the target—and potentially their broader organization.

Bad Actor Capabilities

A recent analysis by Ontic’s Center for Protective Intelligence of 206 cyber and physical attacks targeting executives between 2003 and 2021 paints a broad picture as to just how malicious actors may carry out harm depending on means and intent.

Physical targeting with the goal of inflicting harm is a worst-case scenario, but there is a whole slate of other activities from protest to harassment to stalking to recent trends like “swatting” that make it essential that the general whereabouts and home residences of executives are not public knowledge. Swatting is the practice of making a prank call to emergency services to attempt to dispatch an armed police response to an address.

Additionally, malicious actors can inflict harm in a variety of ways in cyberspace. PII provides ammunition to carry out complex scams and social engineering attacks that can impact a company’s reputation, lead to hacking of corporate infrastructure, or cause financial loss. Impersonation of company executives, compromised credentials, and doxing are common attack methods spawned by poor digital hygiene. Each of these risks can be mitigated.

The Value of Digital Reviews

The simplest way to identify, remediate, and develop long-term strategies for executive use of social media starts with conducting a digital vulnerability assessment. These focus on categorizing the level of data exposure on the Web across a wide variety of sources, developing removal and hardening strategies to limit the availability of this kind of information, and creating protocols and best practices to ensure new content does not expose an executive in the future.

What are low hanging fruits that can be easily adjusted? To start, examining privacy settings, password complexity, geotagging behavior, and encrypted messaging platforms can go a long way in minimizing an executive’s digital footprint.

Likewise, commercial risk intelligence tools have made monitoring of an executive’s social media account simple for a reasonably informed practitioner—getting ahead of threat activity and online chatter.

Organizationally, ensuring those responsible for content creation on executive accounts are interacting regularly with physical and information security teams helps improve coordination and ensure that even if something must be revealed, appropriate countermeasures are in place and the risk has been assessed.

Ultimately, most threats that manifest in the physical space originate online. Given the public-facing nature of CEOs and other high-level executives, you would think digital vulnerability is routinely assessed at large companies, but we find it is still not common practice. No doubt the reasons for this vary, from digital illiteracy to an overall lack of awareness, all of which cross over between generations.

Companies must take a holistic approach that evaluates individual and corporate exposure and takes actions to minimize vulnerability as a part of an effective enterprise security and risk management program. A careful analysis of what’s out there is always a good place to start.

Brogan Ingstad is a vice president at Teneo Risk Advisory, where he advises Fortune 500 clients on risk management, corporate security, and business resiliency. Amelia Heisler is a senior associate at Teneo Risk Advisory, where she focuses on risk intelligence, OSINT, and investigations.