A key element involved in understanding the threats, vulnerabilities, and associated risk to an executive is the assessment of their digital footprint. The ultimate goal is to surface what information is available online for a savvy adversary to exploit. This information could range from details about the executive’s travel movements, satellite imagery of their home(s) on Google, or even online material of one of their family members or associates that could embarrass the executive.
It can be overwhelming to know where to start when assessing what is available information on an executive. One way to think about assessing their digital footprint is to categorize findings in one of three areas:.
- Attack Cycle Planning — There are critical details that can be used by an adversary to conduct an attack which point to the theme of “time and place predictable,” giving an adversary advanced information to use in their attack cycle planning. (e.g. an executive’s assistant posting publicly about the executive’s schedule)
- Low Urgency Information — While not to be overlooked, there are less-critical details about an executive such as their phone number, email, or family office address being leaked publicly that could still facilitate an adversary’s planning phases of an attack.
- Reputational Information — Reputational damage is extremely difficult to repair. A frequent example of this category includes a family member’s behavior on social media or an executive’s participation in online communities.
Sourcing and Research
There are limitless sources that can be used to conduct this type of assessment — this is certainly not an exhaustive list. Here are some examples of the types of sources that could be included:
- Data Brokers — Credentialed and non-credentialed data brokers should be considered, as there is nothing that prevents an adversary from accessing non-credentialed sources. (e.g. BeenVerified)
- Social Media — It’s critical to know what social media profiles associated with an executive (including family members and associates) are online and whether they are being actively used. It’s also necessary to know how the content of those social profiles can impact the executive’s safety and reputation (e.g. “time and place predictability”).
- Business Related Documentation — Public business registrations or licensing documents that reveal sensitive information such as addresses, associates, contact information, and more should also be considered.
- Political Contributions — Many political contributions are made public via online sources.
- News Media — It’s important to stay on top of any adverse or sensitive information that can be discovered via online and print media.
- Asset Related — Sensitive information that can be discovered via public sources related to asset ownership should be identified (e.g. property deeds, vehicle records, etc.).
An important principle to use as a guide when conducting this type of assessment is: How do the people around the executive influence the executive’s safety and reputation? This is sometimes referred to as “threat by proxy” or “targeting by proxy.”
First, if those around the executive are the target of threats, that puts the executive at risk because of their proximity and association with the person being targeted. Second, even if the executive at the center of the assessment is diligent and they do everything to prevent sensitive information from being easily accessible to an adversary, safety is not guaranteed. Individuals surrounding the executive could have poor safety and security practices, which can be exploited by an adversary to harm the executive.
Steps to Mitigate Risk
Thinking both short term — to address immediate issues facing the executive — and long term — identifying proactive steps to fix the processes in place that likely create vulnerabilities — are a valuable combination of activities. Our recommendations include:
- Reduce online activity and limit information that can be exploited by potential adversaries.
- Educate close associates about how to safely use social media, using social media threat intelligence and digital privacy tools to prevent the leaking of sensitive information including contact information (e.g. email forwarding, burner phone numbers, etc.).
- Remove old social media accounts no longer in use, as well as business entities, trusts, etc. to protect personal information relating to assets.
If you’re inspired to learn more, listen to our webinar on How to Assess Your Executive’s Digital Footprint to Identify Threats and download our checklist for more guidance on how to take proactive measures.