6 best practices for digital executive protection

This post has been modified to reflect new information since its original publication.

Today’s corporate executives must navigate an online environment that is more hostile than ever before. In response, the field of executive protection has evolved beyond merely keeping individuals and locations physically safe to include securing people’s online reputations and identities.

Those looking to harm your leadership team or your business can comb readily available information from a variety of sources, including people-search sites, the dark web, social media, and other websites. These sites make it easy for bad actors to find sensitive details ranging from password reset questions to home addresses and the names of family members—all of which they can use for social engineering attacks or to dox, impersonate, scam, or stalk your executives.

Leveraging online personal information, cybercriminals extract over $2.3 billion a year in losses from businesses. Not only that, web-savvy antagonists increasingly transform this information into a bully pulpit, physically threatening members of executive teams or their families—a trend that has seen a sharp increase over the last year.

Given this context, the need for a digital approach to executive protection is clear. The question is, how best to protect the executive team at the organizational level? Below, we’ll go over the key questions you need to ask as you develop a strategy that works for your business.

1. What are your team’s vulnerabilities?

Criminals target C-level executives because these individuals have access to valuable information, like intellectual property and business strategy, as well as financial, customer, employee, and partner data. They also have the decision-making power and symbolic status to make them appealing targets for someone wanting to damage a company’s reputation or force its hand on an issue of public concern. Consequently, executives are 12 times more likely than other employees to be victims of cybercrime according to Verizon’s 2019 Data Breach Investigations Report.

However, someone looking to harm one of your executives needs to know his or her vital personal details to be successful. The easier it is to find personal information, the bigger a target an individual becomes.

Your goal, therefore, is to make your leadership team less of a target. This means tracing each individual’s entire digital footprint to look for personal data that might put him or her—and your business—at risk. This can be a huge undertaking, depending on the size of your team and how much of their personal information is online.

To accomplish this task and fully protect your C-suite, you need to devise a system to identify what potential threats exist.

Ideally, your plan should make it easy to:

• Define vulnerabilities—When you are searching for your executives’ information, looking for these basic things will help you quickly identify the data that puts them in jeopardy:

—Intimate details such as the names of family members and pets, their mother’s maiden name, or their favorite color or hobby.

—Highly confidential, identifying information, including credit card numbers, bank account numbers, Social Security number, passport number, or driver’s license number.

—Home address or insights into daily movements, such as satellite pictures of their house, photos of their kids in front of their school, check-ins at a coffee shop on the way to work, maps of their favorite trail run, travel itineraries, or pictures of their weekly brunch with friends.

• Catalog the sites that could cause vulnerabilities—Gathering more information about your executives (such as which charities, groups, or clubs they are members of) will help you focus your search for their online data. However, you’ll need to collect query/seed data in order to perform these searches, which causes its own vulnerabilities. Therefore, you’ll need to develop a framework that allows you to question them in a way that balances privacy, security, and comprehensiveness.

• Locate where your team’s information is posted—It’s not unusual to find over 300 data records for each executive on your team. To minimize the chances of a physical or cyber attack, you need a way to regularly and effectively search the web for each team member’s private data. Your searches should include scans of the internet, the dark web, social media, and any other locations that might be exposing information someone could use against your executives.

• Prioritize the biggest threats in collaboration with the executives affected—Some types of information are more dangerous than others, depending on each executive’s unique circumstances. For example, a publicized home address poses more of a risk to those who are under intense public scrutiny or who have received threats. Because determining the threat level can be a life-or-death situation, it’s vital to have someone with expertise in online privacy and security issues, such as your head of security, work with your executives to analyze their data.

Once you have analyzed your team’s vulnerabilities and prioritized the potential threats, you can use this information as the basis for a plan of action to reduce or eliminate those threats.

2. What is your plan to mitigate threats?

Your goal in creating an executive privacy plan is to remove as much of your team’s personal information from the internet as possible.

While the tactics of your plan will vary depending on what types of data are exposed and what sites are hosting the information, all digital privacy plans should focus on five main tasks:

• Taking down the information that already exists online—Wherever possible, delete your executives’ information, whether it is coming from a people-search site, an individual’s own social media posts, or another editable source.

• Watching to see if personal data reappears—People-search sites don’t always honor take-down requests immediately. Even when they do, there’s no guarantee they won’t repost your executives’ information at a later date. To ensure that these companies follow your instructions, you need to carefully monitor the web for instances of your team members’ personal data.

• Responding to new personal information online—Create a procedure that explains how to proactively remove records whenever a scan reveals new instances of an executive’s personal information appearing online—and make sure your employees are familiar with it. This will reduce the chances of other sites finding and sharing this information, thereby spreading it across the internet.

• Preventing sensitive information from being posted in the first place—The best way to secure your executives’ personal information is to educate your executives (and their family members) about the risks of oversharing on social media (or other online venues). Make sure any training you provide includes instruction on how to lock down social media privacy settings, what types of things they should avoid posting, and what can happen if an executive’s private data is exposed.

• Flagging sensitive information that can’t be removed—You may come across websites that don’t provide any opt-out options or whose owners ignore your requests to remove your executives’ private data. These sites may require alternate strategies to obscure the data you are trying to delete.

3. Do you need an access policy specific to executive data protection?

To mitigate the privacy issues surrounding access to sensitive leadership team data from within your organization, you need to establish a policy that protects the following:

• Seed data—The answers to the questions you ask your leadership team to identify additional vulnerabilities.

• Scan results data—The personal information you discover online about your executives and its location.

• Reports—Your analysis of your executive team’s vulnerabilities and suggestions to improve their online privacy.

Your policy should cover these basic areas:

• Who needs access to the data and why—You need to name the individuals or teams who have a legitimate business reason to view and edit the data you’ve gathered about your leadership team. You should also specify the approved reasons for doing so. For example, an employee on your company’s online privacy task force may access an executive’s file only if a supervisor has assigned the file to that individual.

• How to prevent unauthorized sharing of data between leadership team members—To ensure your executives’ privacy, you should ensure that anyone wanting to share an executive’s private information needs to first obtain written consent from the individual(s) involved.

• Device and location-level permissions—Do you want employees to be able to access your C-suite’s sensitive information only while onsite or only via a company-owned device? Or are you comfortable letting employees work with this data while away from the office or on their personal devices? When making this decision, take into account the level of network security available at each location and the security controls installed on each type of device.

• How to handle vendors/outsourced work—If you will be outsourcing any of your executive privacy tasks, ensure that these businesses understand and agree to follow your access policy and audit their own internal security policies.

• Training and compliance—Regardless of how comprehensive your access policy is, it’s useless if people don’t follow it. As such, you need to train your employees on how to comply with your access policy. This training should be mandatory and ongoing.

4. What’s the best way to audit IT infrastructure for data security compliance?

As with any project that involves sensitive data, a robust IT security infrastructure needs to be incorporated from inception. Your organization likely already has data security policies in place, but if not, here are some of the key areas to cover:

• Data breach policy—The best policies will define what a breach entails, list those responsible for addressing it, and describe the steps these people need to take to secure your executives’ personal data, as well as any necessary follow-up procedures. Your policy should also follow your state’s laws about how and when to report a breach, as well as the guidelines set out in ISO/IEC 27035-2, which addresses how to prepare for and respond to these incidents.

• What kinds of information about your executives you will store—What if you discover highly confidential, identifying information while scanning for your team’s information? Will you store this data on your servers or only note that the information is accessible online? You’ll need to assess the security of your systems and the possible repercussions of someone breaching them and accessing this data.

• How will you control access to the information—Follow the guidelines in ISO/IEC 27002-A.9.1, which provides best practices for designating the networks people will need to access; developing the authorization procedures for who can access what and when, and deciding what controls you should employ to monitor access and prevent unauthorized people from accessing the data.

• How you will store and encrypt this data—You’ll need to ensure your plan aligns with ISO/IEC 27040, which provides guidelines for designing (as well as auditing) storage security controls. You should also follow the ISO/IEC 18033 series of standards, which describes best practices for data encryption.

5. What are some effective reporting and measurement guidelines?

Effective privacy protection reporting at the organizational level involves at a minimum two types of documents: individual progress reports for you and your executives and vulnerability reports for your security team.

• Progress reports—These should include the actions you’ve taken to remove your executives’ data, statistics on the types of information that remain exposed, and the personal details still visible on each site. The report should also include issues that require further research or assistance from the executive. For example, if someone else has tagged them in a picture on social media, you will need their assistance to remove the vulnerability. These reports should also include recommendations to help your executives avoid social engineering and cybercrime.

• Vulnerability reports—Your security team will want to know how much of your executives’ data is removable, what social media risks exist, if any data breaches have compromised your leadership team’s information, and any other vulnerabilities. These reports will naturally need to be sanitized to remove sensitive personal information that the security team doesn’t require, and you’ll need to notify the individuals whose data is being discussed about what information is being shared.

These reports will not only enable you to prioritize the most concerning vulnerabilities, but they will also help you see which of your strategies are working and which aren’t.

6. How will you implement and review your plan?

Now that you know what’s involved in protecting your C-level executives’ privacy, you’ll need to determine the best way to put your plan into action and ensure that it’s working.

To assess the feasibility and effectiveness of your plan, you’ll need to determine four things:

1. Program scope—How many people need protection and at what level of diligence will inform the scope of your program. You can use collaborative scenario modeling strategies to develop a set of inclusion criteria applicable to your organization.

1. Your KPIs—Common metrics include average time for data removal, vulnerabilities per individual covered, frequency and quantity of data repopulation, and time between repopulation and re-removal.

1. Headcount and resources necessary—Safeguarding your executives’ digital privacy is a labor-intensive task. Depending on the size of your team and the amount of personal information they have online, you might need to hire additional personnel or reassign your current employees to a dedicated privacy taskforce. You’ll also need to consider any added IT expenses required to deal with storing and managing access to your executive’s confidential information.

1. Whether it’s more cost-effective to do in-house or outsource—After reviewing your plan’s goals and what it will take to achieve them, you’ll need to judge whether it makes more sense to go it alone or hire someone to do the work for you. There are pros and cons to each approach. The answer will depend on how much time and resources you are willing to allocate to this effort.

As you can see, implementing an effective executive digital protection strategy is an involved task with many moving parts.

Since hundreds of unrelated sites are continuously publishing new information or altering existing data about your executives, identifying your team’s online vulnerabilities is not a “one-and-done” task. Rather, it is an ongoing process that requires constant vigilance. There are also numerous considerations when it comes to determining appropriate access and data security policies, effective reporting and measurement protocols, and adjustments to the program to respond to new threats and changing business circumstances.

Finally, you’ll need to decide which aspects of your strategy can be done in-house and which are more effectively handled by specialized vendors. Here at ReputationDefender, we have extensive experience in providing comprehensive privacy solutions for entire executive teams, covering all aspects of digital executive protection. For assistance in determining the right solution for your organization, contact us for a complimentary consultation.