Written by Paul Connelly

Companies plan and invest extensively in the protection and continuity of technology, data, and critical business operations – aren’t their key leaders also a critical asset to be protected?

The emergence of online “Luigi was right” postings, reported “hit lists” of executives, and hacktivism targeting corporations following the tragic 2024 murder of a UnitedHealth executive underscores the disturbing reality that high-profile business leaders are potential targets of threats. 

Fortunately, in-person physical threats are rare, but unfortunately, personal cyber-attacks are not. Online fraud, smearing, and physical threats can be unnerving, intimidating, time-consuming, and distracting for an executive. In addition to the personal toll, they can have damaging ripple effects on their organization. The disruption and reputational damage, even from fabricated stories, can linger in public perception, reducing confidence in both the leader and the company. 

The Internet Security Alliance (ISA) and National Association of Corporate Directors (NACD) collaborated to create the Director’s Handbook on Cyber-Risk Oversight, fifth edition (available to read here) to help guide corporate directors. It dives into the key principles boards should apply to oversee how their organizations understand cybersecurity threats, assess their risks, and manage resilience in their businesses. As one would expect, the impact of Artificial Intelligence, responding to incidents, managing third parties, regulatory compliance, and CISO communications are important threads in the guide.

What one might not expect, though, is a section on personal cybersecurity protection. The ISA/NACD Guide recognizes that executives need to be aware of threats and take appropriate countermeasures, and protection of executives should be part of a comprehensive corporate cybersecurity program.

As part of a series of monthly webinars on LinkedIn Live, I will join Matthew Noyes, Cyber Policy and Strategy Director, U.S. Secret Service Office of Investigations for an ISA/NACD hosted online discussion on this topic. The discussion will be moderated by Larry Clinton, President and CEO of the Internet Security Alliance (ISA). You can register here. 

Cyber threats to business executives can include:

  • “Traditional” cyberattacks such as phishing, and more targeted attacks (“whaling”) that aim at gaining access to work, personal, and family accounts.
  • Use of social media to spread misinformation, disinformation, and other data aimed at smearing an individual’s reputation.
  • Cyber-enabled physical threats such as doxing – attempts to intimidate by posting personal information like home address, phone numbers, and family member names online to imply physical threats and swatting – where bogus 911 calls try to trigger a SWAT team response to a target’s home.

 

AI is greatly enhancing attackers’ ability to gather data for targeting individuals and significantly improving the speed, volume, and sophistication of attacks.  Extremely convincing AI-generated voice, photo, and video deepfakes are easy to create and spread, and can be used to trick Help Desk staff into changing passwords and other scams. 

 

Cybersecurity leaders should collaborate with physical security, legal, Public Relations, and HR leaders to assess their company leaders’ risk and proactively engage with their CEO, board members, and other at-risk leaders about executive protection strategies.

To assess the risk that your board and company executives might be targeted, consider the following factors:

  • Level of company controversy: Executives leading companies in contentious sectors such as healthcare, insurance, finance, energy, and technology can have heightened risk. Does your organization face public anger over issues like insurance claim denials, layoffs, plant closures, price hikes, customer data breaches, or environmental impacts? For example, building new data centers has suddenly become a flashpoint for negative public reaction, putting executives for those companies in the spotlight.
  • Personal visibility and media portrayal: A high public profile increases the risk level. Media coverage, public statements, and personal lifestyle may be scrutinized and twisted in online forums. The compensation of your key executives can also be a source of public anger.
  • Obvious signs of threats include public protests and complaints via mail, phone calls, emails, web postings, or social media that cross the line into threats. 
 

Businesses need a multi-layered approach to protect potentially at-risk leaders, including measures such as: 

  • Monitoring intelligence sources for signs of threats – from detections by your cybersecurity team, social media and web site monitoring by Public Relations, dark web monitoring services, and collaboration with law enforcement.
  • Providing education and awareness for executives, their assistants (!), and their families:
    • Cybersecurity fundamentals: Common threats and best practices for protecting business and personal/home digital assets, and safe online behavior.
    • Travel security: Safe travel planning and protecting data and devices, especially during international travel.
    • Operational Security (OpSec): Practicing personal habits that reduce exposure, such as posting personal information on social media.
    • Recognizing and reporting threats: How to identify and report suspicious activity. 
 
Training of executive assistants and family members is critical, because they can be “soft” targets and the inadvertent entry point for attacks.
  • Cybersecurity protections –
    • Protection of business devices and accounts with latest, comprehensive security tools, strong authentication, and activity monitoring.
    • Lockdown of home networks and devices.
    • Protection of online accounts – have the executive step through:
      • Identify what accounts exist (bank, investments, credit cards, mortgages, insurance, payroll, 401k, Social Security, IRS, merchants)
      • Lock each one down –
        • Log on and ensure all contact data is accurate
        • Set strong and unique passwords – no reuse of passwords
        • Activate multi-factor authentication
        • Activate email or text notifications for key account change
    • Prevention of fraud – 
      • Enroll in credit/identity monitoring service
      • Freeze ability to access credit reports or open new accounts at Equifax, Experian, TransUnion, Innovis, LexisNexis, and ChexSystems
      • Create accounts with strong authentication and notifications at SSA.gov and IRS.gov
    • Proactive Dark Web monitoring for name or title mentions and threats, and identification of compromised accounts and passwords.
    • Limiting personal data online – 
      • Remove information such as birthdays, full names of people in photos, and current location on social media.
      • Remove personal information from major Internet data aggregators – Enroll in a digital risk protection service that removes and monitors personal information being traded on the Web.
      • Work with a service provider and your legal team to identify and remove fake and slanderous information online.
    • Use clean or loaner devices during travel, with minimal data and no stored credentials.

 

This is not a one-time effort. The threats are not static, and the risk assessment and protection program should be reviewed on a regular cadence –  

  • Event-triggered reassessment: Refresh the risk picture around earnings announcements, layoffs, litigation, activist campaigns, controversial decisions, or any public controversy – triggers that can make a leader a lightning rod.
  • Annual program review: Confirm coverage of named executives, currency of monitoring and privacy services, and completion of education and awareness training.
 

Corporate directors have a key role in this program:

  • Although they are not corporate employees, their profile and role at the company may warrant personally being included in the protection program.
  • Many executives feel this is not necessary, wastes money, and “it will never happen to me.”  If the executive is a critical asset for the success and resilience of the business, the board should make the need and expectation for protection clear.
  • Just as the board provides oversight of other management activities, it should require clear ownership of the program, appropriate handling of budget and tax implications, and periodic updates on threats and measures of effectiveness to ensure defenses align with risks.  
 
 

Following these steps and others in the ISA/NACD Guide can protect your organization and its shareholders and give top executives added peace of mind to perform at their best