Kidnap plots and massive data breaches haunt the C-Suite

Sept. 18, 2019
High-profile executives are a company’s greatest asset and its most vulnerable target

Ironically, the person running a company can be one of its greatest strengths and one of its weakest links. Where employees and investors see a stalwart leader, a hacker may see a lucrative attack vector that’s an easy inroad to an organization.

These high-profile people—executives, the board of directors, and other leaders—are privy to sensitive information that cybercriminals lust after which makes them primary targets for bad guys online.

FBI statistics show that defrauding CEOs is a “$12 billion scam.” When private information about these high-net-worth individuals gets exposed, it carries a high degree of risk for that individual and their business alike. It might even include threats against the executive’s own physical security or that of their family.

News broke earlier this year that Mohammed Dewji, Africa’s youngest billionaire, was kidnapped outside of a luxury gym in Tanzania and held for ransom for 10 days. He was finally released to his family, though it’s unknown if they paid the ransom of one billion Tanzanian shillings. These incidents are no longer the stuff of Hollywood thrillers; the fact that high-profile individuals are a target of both digital and physical crime is a reality to be reckoned with.

When information is readily available about a wealthy person, bad actors have more leverage to compromise them. Consider that Facebook’s board of directors recently granted Mark Zuckerberg a $10 million yearly allowance to security. That money goes to personnel, equipment, and services needed to keep him and his family safe by maintaining vigilance across both physical and digital realms.

The C-Suite Risk Factor

A recent report found C-level executives are 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than they were previously. Jeff Bezos famously exposed his blackmailers when the National Inquirer threatened to publish his intimate text messages. But dozens of high-profile executives were had fewer options at their disposal. Bezos wrote, “If in my position I can’t stand up to this kind of extortion, how many people can?”

Taking the safety of their business, associates, and family seriously means getting serious about their own safety. It’s crucial for executives to work with their physical and cybersecurity teams simultaneously to understand risks in the physical and digital landscapes, developing a plan that protects against it all. 

Having worked with some of the world’s largest banks, technology firms, and government agencies, we quickly came to understand the elements of modern executive protection. Adding former CIA officers who have led the security initiatives of Fortune 500 executives to our team helped us realize why companies are making such significant investment in protecting these individuals.

How to Improve Security Leadership

Here are a few critical steps these companies take to improve security for their leadership.

  •  They deeply understand their executive team’s surroundings at home and abroad.

 Executive security teams need to know the criminal and geopolitical environment they’re operating in so that they can identify all possible threats. Traveling executives have been the target of kidnapping plots in certain parts of the world, and several foreign individuals were detained in China as possible retaliation to Huawei’s CEO being arrested in Canada. This context can make the difference between safe travel abroad or seeing the company compromised.

Economic espionage is a constant threat to executives, even when they’re at home. It can also include state-sponsored actors attempting to bolster a country’s economic position or its state-owned enterprises. Consider when PricewaterhouseCoopers reported in 2017 that the China-based cyber threat APT (known as KeyBoy) was shifting its focus to target Western organizations, most likely for corporate espionage purposes.

But domestic competitors can perform their own economic espionage. The Seattle-based Zillow Group recently filed two lawsuits against real estate rival Compass, alleging that it stole Zillow’s intellectual property (IP).

  • They have checks and balances to monitor employees.

 Global espionage and insider threats are nothing new on their own, but they’ve begun to overlap, which represents a burgeoning threat to companies and the executives behind them. Professional spies, usually employed by a nation's embassy, are plentiful near world capitals, but more covert operations happen in places of business, with undercover agents posing as private citizens to infiltrate an organization’s IP and steal its secrets. These spies become trusted employees while maintaining allegiance to a foreign government.

Not all insider threats are related to economic or state-sponsored espionage. Sometimes disgruntled employees have personal vendettas and simply want to inflict as much damage as possible. According to the Information Security Forum, insiders who may have access to sensitive information about an executive are responsible for 54 percent of data breaches.

Employees themselves could also be targets of competitors practicing economic espionage. In the previously mentioned Compass lawsuit, Zillow alleges the company poached employees who went on to divulge company secrets, violating their non-compete agreements.

  • They train executives to know who they are and who they aren’t.

Spearphishing attacks are lately a preferred method for hackers to infiltrate a business. Hackers will pose as an executive or another high-ranking employee, performing months of surveillance to learn the company’s language, habits, and schedules, and gain the trust of their targets. These malicious emails are often sent when the executive is traveling, so they cannot be verified quickly. All the same, they try to convince employees to transfer money or provide other sensitive information.

The Crelan Bank in Belgium lost $75 million as the result of an email scheme. The hackers who compromised the CEO’s email account managed to impersonate him by creating a convincingly similar email, then ordering payment be made to a bank account the criminals owned.

Cyber attackers will also impersonate high-profile executives on social media, which can confuse customers and tarnish reputations. In its 2017 Global Risk Management survey of 1,843 organizations around the world, Aon found that the top-rated business risk was damage to reputations or brands.

  • They make sure the executive’s physical and security teams communicate with each other.

Physical security teams are rarely technical enough to detect a cyber threat, and cybersecurity teams usually don’t understand how a cyber threat can manifest itself into a physical situation. While many companies have both types of teams, they each use different terminology and tactics to be effective. It is critical to introduce physical and digital security teams to each other, establishing standardized language and processes for communicating and collaborating effectively — especially during a crisis. The higher the degree of cooperation, the fewer threats come to fruition.

Knowing is half the battle but knowing what to do is the other half. Now that the line between cyber-attacks and physical attacks have blurred, security teams need to work together more than ever before to detect risks online and develop clear plans of action.

About the author: Dan Schoenbaum has 23 years of leadership with high-growth software companies. As the President and COO, Dan leads Sales, Marketing and Customer Success functions for RiskIQ. Formerly, he was the CEO of Cooladata, a leader in Cloud data warehousing and machine learning. Dan was also the CEO of Redbooth, where he grew the company from startup to Gartner “cool vendor” with over a million paying users worldwide. Redbooth was acquired by AeroFS. Dan was the COO and Chief Business Development Officer for Tripwire, a leader in datacenter security, where he helped triple revenues, file an S1 on the NASDAQ and sell the company. Dan was also the Chairman of Mergers & Acquisitions and Strategy at Compuware – a billion dollar enterprise software company- and is credited with the creation of an $800M line of products at Mercury Interactive (acquired by HP for 4.6B). Dan was also a First Sergeant and a sniper in the paratroopers. https://www.linkedin.com/in/schoenbaum/