It is Time to Talk about Personal Cyber/Physical Protection with Your CEO
The emergence of online "hit lists" and "Luigi was right" postings targeting executives following the tragic 2024 murder of UnitedHealth CEO Brian Thompson underscores the disturbing reality that high-profile business leaders are increasingly targets of online and in-person threats, intimidation, and even physical attacks.
The personal impact on business leaders can have damaging ripple effects on their organizations. Being the victim of a major cyberattack, fraud, or scam can be a time-consuming, unnerving, and frustrating distraction for an executive. Reputational damage, even from false statements, often lingers in public perception, reducing confidence in both the leader and the company. Intimidation tactics such as doxing and swatting can disrupt lives.
Companies extensively plan and invest in the physical and cyber defense, privacy, and continuity of technology, data, and critical business processes; their key leaders should be protected as another key asset. Cybersecurity leaders can be the agents of this change.
Collaborating with physical security and legal teams, cybersecurity leaders should assess their company leaders' risk and proactively engage with their CEO and other high-profile leaders about protection strategies.
Threats to business leaders
Traditional cyberattacks - High-profile executives are prime targets for cyber attacks:
Phishing and targeted attacks (“whaling”) aim at gaining access to work, personal, and family accounts.
Online threats via social media and the dark web – Executives face "pig butchering,” fake romance, sextortion, and other traditional scams, plus a new wave of attacks:
Attempts to intimidate through online messages and actions like doxing—where personal information, addresses, and phone numbers are posted online to imply physical threats.
The use of social media and other online platforms to spread misinformation, disinformation, and other data aimed at smearing an individual's reputation. This now includes extremely convincing AI-generated voice and video deepfakes.
Physical threats – While less common, can have higher impact.
Disgruntled employees with internal building access or disgruntled customers may pose threats through letters, calls, or even attempting to confront leaders in public.
Doxing, as mentioned, is intended to imply and even encourage physical attack. It can also lead to swatting, where bogus 911 calls try to trigger a SWAT team response to an executive’s residence.
Assessing executive risk factors
To determine whether your executives might be targeted, consider the following factors:
Industry and corporate controversy level: Executives leading companies in contentious sectors such as healthcare, finance, energy, and technology face heightened risks. Does your organization face public anger over issues like insurance claim denials, high drug prices, data privacy, or environmental impact?
Personal visibility and media portrayal: A high public profile, while often beneficial for business, dramatically increases the risk level. Media coverage, public statements, and personal lifestyle may be scrutinized and twisted in online forums. The compensation of your key executives can also be a lightning rod for conflict.
Business decisions: Has your company made major decisions that are unpopular, such as layoffs, plant closures, significant price increases, or unionization controversies?
Obvious signs of threats include protests at facilities, annual shareholder meetings, or other public events, as well as complaints that cross the line into threats via mail, calls, emails, web postings, or social media. Do not overlook internal indicators either; employee surveys, language used in communications, and other signs may indicate disgruntled internal individuals. Leverage intelligence from Dark Web monitoring and collaborate with local and federal law enforcement.
Implementing a multi-layered approach to protect at-risk leaders:
Education and awareness for executives, their assistants, and their families on critical personal security topics:
Operational Security (OpSec): Develop personal operational security habits that reduce potential exposures from predictable routines and travel patterns, such as designated parking spaces.
De-escalation: Techniques for calming and avoiding escalation of emotional confrontations.
"Soft Target" exposure: Increased vulnerability during transit or at locations with less stringent security measures, such as hotels, restaurants, or public events.
Cybersecurity fundamentals: Best practices for protecting digital assets.
Online best practices: Secure online behavior and privacy.
Home security: Measures to secure residences.
Travel security: Strategies for safe travel, especially internationally.
Recognizing and reporting threats: How to identify and report suspicious activities. The security leader should be made aware of anything approaching a threat directed at the company or a leader through home or work mail, email, phone calls, website comments, social media scans, or dark web and law enforcement intelligence to correlate and identify persistent and specific threats or themes.
Cybersecurity measures
Protection of business and personal electronics and accounts: Secure devices and online accounts.
Lockdown of home networks and devices: Ensure personal networks and devices are secured.
Dark Web intelligence monitoring: Proactive monitoring for mentions and threats.
Online hygiene and footprint reduction
Strong and unique passwords: Use strong, unique passwords with multi-factor authentication for all online accounts.
Credit monitoring and identity theft prevention: Services to protect against financial fraud.
Regular monitoring and scrubbing personal information: Regularly monitor and remove personal information available online, including on social media and through data brokers.
Detection and takedowns: Identify and remove fake and slanderous information online.
Physical security considerations
Headquarters buildings and executive suites:
Public events such as annual shareholder meetings and other public gatherings.
Travel security: International travel introduces additional risks, including different legal landscapes, varying levels of security infrastructure, and potential targeting by foreign intelligence agencies or criminal organizations.
Working with law enforcement
Maintain awareness of threats and provide home address information to local law enforcement for extra patrols and in case of swatting attempts.
By proactively addressing these critical areas, cybersecurity leaders can play a vital role in protecting one of their organization's most valuable assets: its leaders.
Hold Fast
Stay True
PS: I am hosting a panel discussion on this topic focused on the role of board members, for the National Association of Corporate Directors. It is free to non-members, too. Feel free to share with your executives and board. Registration is here: https://www.nacdonline.org/nashville/nashville-events/enterprise-risk-management-protecting-key-leaders-from-personal-cyber-and-physical-threats/