What is digital executive protection and how does it work?

Zealots, nation-states, terrorists, and disgruntled individuals are increasingly targeting corporate executives, government leaders, and other public figures and their families through their online activities and personal devices to get a toehold into their organizations.

In a 2023 Ponemon survey of 553 IT professionals, 42% of respondents reported that company executives or family members had been breached by cybercriminals. The attacks resulted in the loss of intellectual property (78% of those breached), loss of customer and business partners (66%), and loss of customer or employee data (27%).

The concept of providing digital protection for high-profile figures is not new, but demand for the service is rising, says Brad LaPorte, an advisor with Lionfish Tech Advisors, who established the Digital Executive Protection research category in 2019 while an analyst at Gartner.

As early as 2010, he was providing digital protection to high-value military, special agent, and diplomatic personnel as they traveled around the globe to embassies and hotspots. Later, in the private sector, he received numerous inquiries from executives and their companies looking for VIP-level digital protections that went beyond traditional identity-theft monitoring services such as those provided by companies such as LifeLock at the time.

What is digital executive protection?

“Think of this like identity protection on steroids with a private-investigator approach toward threat intelligence to identify and protect high-value targets,” LaPorte tells CSO. “This includes identifying risk exposures across their home networks, personal devices, and their online accounts for signs of threats.”

“Imagine the reactions if someone like Elon Musk tweeted that he was going to run for president, or if the president of ExxonMobil announced that the company was getting out of the oil business. Similarly, consider the impact on executives at companies like Monsanto, which significantly influence our food consumption and often have negative reputations in certain segments.”

Digital executive protection services are usually acquired through the office of the CISO or CSO, though executives themselves often acquire the services independently and then involve their CSOs, according to Chris Pierson, CEO of BlackCloak, which he founded in 2018 with the sole purpose of protecting executives from online threats that can lead to personal and business compromises.

Pierson recalls a particularly dicey job when he was chief privacy officer at Royal Bank of Scotland during the time its highly-controversial CEO, Fred Goodwin, came under fire for bad governance, resigned, and ultimately lost his knighthood. “It crossed my mind that this was an attack surface we need to do something about. After that, when I took new CISO jobs, I kept getting calls from executives, board members, even our VCs asking for help around their personal cybersecurity.”

The problem: there was no 24/7 monitoring capability that would watch over the executives’ private networks, personal devices, and online footprints, while scanning for external threats on the dark web –and provide response support while also protecting the executives’ personal privacy. He asked himself, “Who’s going to mitigate those risks so that they don’t come back to bite the company, cause reputational damage, leak intellectual property, or access sensitive corporate documents that may be sent to or from their personal email?”

How digital executive protection works

While he can’t name his clients, Pierson recalls a case in which a protected executive was ordered to leave his personal phone for inspection in a private room at an airport in the Middle East. He was separated from the device for 15 minutes, so to protect him and his organization, they replaced the phone with a new one.

In another case, an IT person at a retail organization set up an executive’s home network and family devices. But then the employee became disgruntled and started siphoning data and using it to try to extort the CEO, while also taking control of the family’s wireless devices.

He describes another instance in which an entire executive team at a Fortune 500 retail company received unemployment checks and approvals for low interest loans. It turned out that criminals had found all of the data they needed to conduct the scams through data brokers, social media posts, and on the dark web.

To describe a physical threat to an executive, he explains how the BlackCloak team identified an improperly installed security system at a banking CEO’s home that exposed the home’s video feeds and alarms to a public site. He has other stories of doxxing, swatting, and geopolitical risks that also impacted executive safety.

In all cases, the concierge team helped remedy the problems by working with the executive’s enterprise risk management and response teams under the support of their CISOs. Personal privacy is a big reason some executives may not opt into these services, so the BlackCloak platform ensures that the concierge team and the executive’s organization does not have access or visibility into the executive’s personal data or online activities.

Shrinking the executive attack surface

Not everyone can afford full-service, VIP-level protection services, says G. Mark Hardy, host of CISO Tradecraft and president of the National Security Corp., a cybersecurity consulting service based in Washington DC. “While everyone could probably use this protection, it’s the high-value targets for bad actors that have the greatest need. Usually, those executives and their organizations are in a better position to afford these protections.”

Based on client need, BlackCloak services can include everything from digital privacy protection, personal device protection, home network security, to incident response, a personal SOC, and a “white-glove” client service. The cost for the full concierge service is just under $10,000 per year per executive, family included.

If these costs are out of range, such services can at least shrink the external attack surface with threat intelligence and scanning and scraping tools. Many threat intelligence, exposure management, and attack surface management vendors are tailoring offerings to also protect high-value executives, but they don’t include home network and device monitoring or human assistance, according to LaPorte.

ZeroFox, normally associated with brand protection, offers a customizable add-on for executive protection that starts at $300 a month and covers up to five executives or $500 per month if they want the executives’ families protected. The service, which protects over 40,000 executives, also removes sensitive data and disrupts threat actors where possible. But it does not monitor the executives’ home networks and personal devices.

London-based Aon, a $13.5-billion global business professional services firm, also offers digital executive protection to its business clients, which came about through its acquisition of specialized IT services firm, Stroz Friedberg, according to Aaron Cookstra, a threat intelligence director in the AON Cyber Solutions Group.

Basic elements include a vulnerability assessment across open sources and social media platforms to gauge the executive’s virtual footprint, combined with deep and dark web scanning for threats, and personal data removal from over 90 personal data aggregator sites

Protecting the executive means protecting the business

“One of the services I find very compelling is removing my personal data from the web,” says Troy Wilkinson, global CISO for the global holding and marketing company, Interpublic Group. “I don’t want my address and phone number out there, but it certainly is. There are services that go out and check the top 100 known data aggregator sites and take down what they can.”

His team recently examined the capabilities of Dataminr’s risk discovery platform, which started out as a crisis management and early detection platform. The team especially liked how Dataminr protects traveling executives by monitoring the physical security risks (such as protests and uprisings) in the regions they’re traveling to, along with “cyber risks” (such as threats made on social media). “Executives understand that risk is no longer just physical and that their digital footprint must also be protected,” Wilkinson adds. Even high-profile CISO’s could use additional digital protections, although they are not typically covered under these types of services, experts say. What’s important, they say, is to identify the high-value targets and potential threats against them, and by virtue, to the enterprise. Then research and apply safety measures around them based on their value and the potential for damage should they get breached.