Even if your senior executives are careful about sharing personal information online, a determined hostile actor may be able to build a picture of their movements, families and homes. Head of Protective Intelligence, Michael Lubieszko, explains how you can protect your senior executives by uncovering the vulnerabilities in their online presence
Arguably, we’re all more cyber security aware than ever before. We have adjusted to working more days from home and follow IT security guidance and requirements to back up data more regularly, use stronger passwords and make sure that our Wi-Fi connection is secure. And for the most part, these security measures are proving effective against malicious tactics, techniques and procedures.
But often, the same cannot be said for our approach to social media security, or that of our closest family and friends. Sharing key moments and personal celebrations on social platforms has become a way of life.
When the people doing the sharing are your chief executive or leadership team, this can prove a serious challenge for corporate security. The plethora of information provides bad actors with the opportunity and means to sneak past all of the IT security measures that we’ve erected to keep our senior people, and indeed the organisations that we work for, safe.
Weaponising personal information
There is no point in pretending that people will stop using social media for either personal or professional reasons. The draw to share our successes, opinions and photos online and receive validation back is often too alluring.
But even if our senior executives can resist the urge to share even a curated version of their lives, they will never have complete control over what gets shared about them. The odd stolen glance captured in a tagged photo, shared celebrations with friends through posts or blogs, and public records made available online can compromise even the most social media savvy senior executives, who intend to draw a solid line between their personal and professional lives.
Of course, it would be difficult to argue that every post that we engage with or that every emoticon we append to a photograph is going to lead to a scam or to us being hacked.
But what about the entirety of that information? If a bad actor were to place every disparate interaction your leadership team has online into a single bucket, what would they be able to uncover?
Perhaps nothing more than a cursory link between a locked-down social media profile and a position on the board of your directors. But equally likely, with a sufficient degree of determination and OSINT skill, a fuller and more holistic picture of your senior executive’s life can be pulled together. This could include familial relationships, personal likes and dislikes, favourite locations, homes owned, routes driven to work, attendance at corporate events… the list can be endless. And thanks to ever more sophisticated technology, it can all be discovered with relatively little technical expertise if the information is there to capture.
And what if we flip our understanding of threat vectors from now and project into the future? How could this volume of information be used by bad actors in a few years’ time? As with our own use of technology, the technology used and exploited by bad actors is also continuously evolving.
It’s clear that your executives’ personal information can be weaponised against them.
So how can your security team best protect against the information shared about your leadership team online, willingly or otherwise, being leveraged by bad actors and threatening our professional realm?
The solution: Counter Intelligence
Again, it is unrealistic to expect your people to disconnect from the online world. Although we have all heard horror stories of ransomware attacks and personal information being used to defraud others, we still take the risk of oversharing our lives.
Here at Dragonfly, we take a pragmatic approach to this problem that we call Counter Intelligence.
In our view, before you can consider how to protect against leakage from the personal lives of your senior executives in the future, you need to understand what information is already out there.
Essentially you need to be aware of the breadth of material that a suitably determined bad actor or hostile party would be able to collect. And this is where we begin.
Our first step in this completely bespoke process is to conduct an in-depth collection exercise to gather the breadth and depth of open-source material related to your senior executives.
We always ensure that the executives we are protecting understand the process before we begin, in order to reduce possible anxiety about what might be uncovered and to build trust. We also ensure they know that the Protective Intelligence team responsible for Counter Intelligence is a closed unit within Dragonfly, with layers of internal protection to safeguard against any details being leaked (although anything collected is publicly available anyway – which is the point).
To do this, we simulate hostile intelligence gathering against you. We replicate the efforts of a determined hostile party intent on targeting you to collect information conducive to physical and virtual surveillance, reconnaissance, targeting, attack or direct action planning, and social engineering.
The sources we examine include social media, news sources and websites, and higher profile dark and deep web sites, while examples of information we aim to collect include:
- Personal information available online
- Information that may indicate a breach in personal security
- Family, professional and personal relationships
- Patterns of behaviour and movements
- Interests, affiliations and private or professional activities
Our next step is to collate this information together, building as complete a targeting picture as possible of your executives. Our team of experienced intelligence analysts, with extensive OSINT skills, set about pulling all of the disparate strands of information together, identifying whether and where there are any immediately detectable or obvious vulnerabilities. Crucially, we consider these strands as a whole, determining where, how and why this information could be used to inform a hostile targeting plan.
Case study: The revealing findings for one chief executive
Executives are often surprised to see the amount of information available about them publicly, especially if they believed they were being careful and discreet.
One client, for example, asked us to review the online vulnerabilities of their chief executive, who had no personal social media presence.
We were still easily able to find social media profiles belonging to immediate family members, several phone numbers linked to him, photos of the inside of his home, details of events he had attended, information about his hobbies and interests, and more. All this information was posted by others but linked directly back to him, providing potentially compromising details to bad actors.
As always, knowledge is power. Our findings have been used by our clients to reduce immediate vulnerabilities, for example removing house floor plans and security details from real estate agents’ websites. They inform conversations with your executives about what information they want to keep out of the public domain in future, and allow you to advise them on personal countermeasures and online behaviour that may reduce risk. Finally, they form the basis of physical and cyber security advice and mitigation planning.
By approaching the use of online tools in a more considered manner, your senior team can make it harder for the information they share to be weaponised against them.
And we can help you understand how they are sharing information and give you a holistic view of the information freely available about your executives across multiple platforms. Not only will you be in a more robust position to mitigate against contemporary threats, but it will be easier to stop that free flow of information from becoming a data sink that is mined by multiple hostile actors in future.
Book your Executive Protection Discovery Session
Do you need to understand more about the contemporary and emerging threats facing your executives, but are not sure where to start? If so, we’re delighted to offer you an Executive Protection Discovery Session with our Head of Protective Intelligence, Michael Lubieszko.
During this one-to-one exploratory session, which is complimentary to SIAS subscribers, Michael will work with you to identify essential steps you can take to improve your executive protection process.
Together, we will:
- Review your current approach to executive protection to identify key gaps and suggest potential solutions
- Map out what a robust executive protection intelligence cycle might look like for your organisation – sharing the most important lessons we’ve learned working with corporate intelligence teams just like yours
- Pinpoint the single most important intelligence product you need in place to protect your executives
- Identify concrete steps you can take immediately, to bolster your understanding of the threat faced by your key people
At the end of the session, we will also explain how we can help you monitor, identify, analyse and assess threats to your senior executives through our Protective Intelligence service. If this is of interest, we’ll discuss next steps. And if you prefer to manage your intelligence process yourself, we’ll still leave you with excellent advice on how to protect your people.
>>> Click here now to request an Executive Protection Discovery Session <<<
Image: Sunset on cracked ice. Image by Anton Petrusvia Getty Images.
