Mitigating online exposure risks for an executive team
Executive Summary
This brief provides an anonymised account of an engagement where we worked with a company to manage risks generated by its executives’ online activities.
For each executive we conducted a rapid non-invasive online exposure assessment followed by specific guidance and recommendations to address vulnerabilities.
The assessments identified significant variation in digital exposure across the team, primarily driven by individuals’ risk appetite and requirement for an online professional presence.
Case description
Executives face high levels of digital targeting by criminals and other threat actors due to their public visibility and their positions of authority. Criminals can exploit executives’ digital footprint to build detailed personal profiles, including personal information and patterns of life. These profiles can be used for social engineering that targets the executives themselves or employees, who will feel pressured to act on requests that appear to come from executives.
This case is based on our engagement with a medium-sized company in the services sector. A series of phishing attempts had increased the company’s concern about the online exposure of its executive team. The company also recognised risks to the physical security of its executives emerging from online exposure of information about the executives’ personal and family lives.
Methodology for digital exposure assessment
We conducted a rapid, non-invasive assessment of each executive’s digital exposure across the open, deep, and dark web. This covered social media exposure, personal and corporate addresses, physical addresses, and any information identified from breach data and data brokers.
The findings were presented to executives in personalised dossiers. These dossiers were accompanied by private briefings with each executive, during which findings were outlined and mitigations discussed. In some cases, pressing vulnerabilities were mitigated during these sessions. In other, less urgent cases, detailed guidance and recommendations were provided after the interview.
Exposure levels varied in line with executives' digital literacy and with the level of public exposure required for the role. Some of the team were required to have a greater professional social media presence, whereas others had a lower digital presence or actively sought to minimise their presence.
Typical findings
The findings below are indicative. They are synthesised from the results of multiple similar investigations that we have conducted over the years. Typical findings in an executive digital footprint assessment might include:
Identification of multiple public social media accounts revealing sensitive family information and location data.
Public personal fitness accounts revealing residential addresses.
Configuration errors in productivity applications exposing information that the user assumed was private.
The presence of current account credentials in multiple data breaches.
Detailed contact information available for purchase on data broker sites.
Our experience is that executives are generally aware that these kinds of exposure are common, often due to prior security briefings or familiarity with public reporting on executive-level phishing campaigns. Nonetheless, we find that executives are still surprised at the volume and depth of personal information that can be identified through a rapid, non-invasive assessment. Delivering these findings in a compassionate and emotionally sensitive fashion is therefore important.
Mitigation and guidance
As part of the engagement, each executive received a personalised guide tailored to their circumstances and desired online presence. These guides include step-by-step guidance that walks executives through the actions required to mitigate vulnerabilities, alongside threat reporting that provides context and justification for these actions.
Each executive had different requirements for their online presence in line with their professional role. Working personally with each executive allowed us to fine-tune the hardening suggestions so as not to hinder their work, while achieving the goal of a heightened security posture.
We also emphasised the importance of ongoing awareness around the executives’ online presence. Changes in usage, configuration, or terms and conditions can all rapidly change the degree of exposure created by a person’s online activities. Maintaining good practices and awareness over time is crucial for ongoing control over an executive’s digital footprint.
Recommendations
Companies should conduct digital exposure assessments for their executive team
Phishing attacks that exploit executives’ online footprints enable some of the most consequential forms of online criminality targeting businesses.
Assessing the executive team’s level of exposure is critical for an accurate understanding of the company’s attack surface and risk posture.
Security teams should involve executives throughout the process
We observed that one-to-one sessions with executives were highly effective in bringing home the importance of awareness around online activities; these moments of realisation are a valuable driver for short-term behaviour change.
Working with executives allows security teams to contextualise digital behaviours, understanding executives’ needs to provide a balanced outcome that improves online presence without compromising their personal and professional requirements.
Companies should conduct ongoing monitoring rather than ad hoc reviews
Regular monitoring, integrated into the organisation’s overall security strategy, is more effective at identifying vulnerabilities and improving individuals’ security posture than ad hoc reviews.
Regular monitoring, combined with regular engagement, can drive sustained improvements in security practices and culture.
At Tyburn we conduct tailored exposure assessments, identify areas of vulnerability, and provide personalised recommendations to improve personal and corporate online security posture.
To learn more, contact info@tyburn-str.com.

