Executive Protection in the Digital World
In the past, executive protection was focused on mitigating physical threats to an executive in the real world, including blackmail, kidnap and ransom, assault, and more. In today’s world, however, executives have become prime targets not of physical attacks, but rather digital attacks by malicious hackers and bad actors. In part, this is because executives are more likely to hold valuable information electronically, or have access to such data. Executives are not usually targeted for their personal assets, but rather for the massive amounts of sensitive corporate data to which they have access. This includes emails, customer and supplier databases, contracts, and confidential inside information that can be exploited for competitive or financial gain.
Below are key issues that address social media security for executives, but these measures can be applied across all levels of an organization.
Implement Multi-factor Authentication
Multi-factor authentication requires anyone logging into your accounts to also verify that s/he is a valid user via a code sent to another account or device owned by the individual. Bad actors trying to hack into an account likely will not have that device with them, which prevents a brute force attack from succeeding. In certain circumstances, take the extra step and make sure all work devices are separated from personal devices.
Disable Geo-enabled Social Media Posts
Enabling the public to know an executive’s location opens up an entirely different world of risks, including oversharing information with those who don’t need it and disclosing private locations. Geo-enabled social media postings through location-based services (LBS) create physical risk, leaving the executive with little to no location privacy.
The best way to combat this risk is to remove it completely – turn off the geo-enabled feature for both executives and their family members. If an LBS is needed, keep it on ONLY for apps that do not disclose the location or update social profiles with location information. This ensures that the group of people who can see their location is closed and trusted.
Monitor for Executive Account Imposters
There’s always a risk of imposters on any social platform. Fake executive accounts are used as part of social engineering and spear-phishing attacks to target customers and other key employees. To combat this threat, ensure the page or account an executive posts to is verified or official. That way, if a viewer sees an unverified page with postings by the executive, the viewer hopefully will be less likely to believe the content. Next, have a monitoring system with triggers in place that can quickly recognize the difference between authorized and unauthorized social media accounts, so take-downs can occur without delay. Continually monitor for fake pages and accounts being set up in the executive’s or company’s name.
Monitor for Brand Imposters
Brand impersonation is similar to account impersonation but tends to be able to cause a larger scale of damage. Brand impersonation is done by a threat actor with ill intentions who pretends to be the brand or an employee of that brand. Bad actors can do this fairly easily, by creating a fake profile, page, or Twitter handle with some variation of that company or brand name. The best way to mitigate this threat is to have intelligence analysts consistently monitoring for unique sources that are correlated to an approved inventory of social media assets.
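The monitoring described in the two sections above (executive account imposters and brand imposters) can start from a simple comparison of observed handles against the approved inventory. The following is an added example, not part of the original article; the handles, the substitution table, the 0.9 containment score and the 0.85 threshold are all constructed assumptions.

```python
import difflib
import unicodedata

# Constructed sample inventory of approved (official) handles.
APPROVED = {"examplecorp", "examplecorp_support", "jane_doe_ceo"}

# Constructed sample of handles returned by a platform search.
OBSERVED = ["ExampleCorp", "examp1ecorp", "example_corp_", "examplecorp_supp0rt",
            "jane.doe.ceo", "janedoeceo_official", "gardening_tips"]

# Digit/symbol swaps commonly used to imitate a name (assumed, not exhaustive).
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def normalize(handle):
    """Lowercase, drop accents and separators, undo look-alike swaps."""
    text = unicodedata.normalize("NFKD", handle)
    text = text.encode("ascii", "ignore").decode().lower().translate(FOLD)
    return "".join(ch for ch in text if ch.isalnum())

def similarity(key, official_key):
    """Edit-based ratio; an official name embedded in a longer handle scores 0.9."""
    ratio = difflib.SequenceMatcher(None, key, official_key).ratio()
    return max(ratio, 0.9 if official_key in key else 0.0)

def triage(observed, approved=APPROVED, threshold=0.85):
    """Return (handle, imitated official handle, score) for likely imposters."""
    findings = []
    for handle in observed:
        if handle.lower() in approved:
            continue  # exact match to the inventory: an authorized account
        key = normalize(handle)
        best, score = None, 0.0
        for official in sorted(approved):
            s = similarity(key, normalize(official))
            if s > score:
                best, score = official, s
        if score >= threshold:
            findings.append((handle, best, round(score, 2)))
    return sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    for handle, official, score in triage(OBSERVED):
        print(f"REVIEW {handle!r}: resembles {official!r} (score {score})")
```

Flagged handles are candidates for analyst review, not confirmed imposters; very short official names will produce false positives under the containment rule.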
Stop Oversharing “Pattern of Life” Content
When an executive is a public figure, the fans and the public enjoy knowing what they are up to. This helps to build the relationship between the public and the executive, creating a rapport that is the base of their brand. But, sometimes, too much sharing can have a dangerous impact on the safety and well-being of the executive. It is very important that a “pattern of life” is not established through social media for the executive or his/her close friends and family members. Keep the public in the know about what an executive is doing by posting after the occurrences rather than before or even in real time. That way, the public still can be engaged, but the executive has moved on to another venue, reducing his/her physical risk.
Maintain Breaking Event Awareness
As executives travel to work, events, conferences, and vacation, situational awareness of breaking events is a 24 x 7 issue. Executive protection teams need to quickly respond to emerging hazards and physical risk related to the exact geographies their executive(s) are present in. It is critical that executive protection teams understand the correlation between the physical event and what’s being said about it on social media. Understanding where travel, weather, and other physical hazards may be present will assist in determining the need for an exit strategy from the site. The best way to address this need is to have a location-based monitoring solution that can support advance and real-time analysis.
As such, the lines between infosec, executive protection, and personal privacy are blurring. That means the tactics you need to protect your executives are changing too. Digital privacy precautions have become a key component of any successful executive protection program. Routinely, the “digital footprint” of every executive must be assessed and identified gaps closed as a matter of practice. Social accounts must be registered, confirmed, and monitored.