Executives are often surprised to see the amount of information available about them publicly, especially if they believe they are being discreet. A lack of online privacy can leave them vulnerable to fraud, abuse and physical danger—but it isn’t just your top brass that’s at risk, it’s your company too, warns advisory head Cvete Koneska.
For senior leaders, visibility is generally considered a good thing. Being seen in the right places and heard saying the right things is the root of brand building and engagement, demonstrating that your business walks the walk on important issues.
But there is also a dark side to visibility. The internet, like an elephant, never forgets. Each digital interaction, whether it’s a social update, an unassuming newsletter mention, or a tagged photo of your CEO at her local tennis club, is information. And that information can reveal far more than you think it does in the hands of people who may not use it for good purposes.
Executives know they need to be smart when posting information online. Clearly, they’re not going to tell the world their address or that they’re off on holiday for two weeks. But even if they think they have their internet privacy ducks in a row, a determined bad actor may only need time and tenacity to cobble together a digital dossier that can make your executives — and your company — vulnerable.
The truth is out there
Social media, often viewed as a harmless platform for sharing snippets of everyday life, can leave a trail of breadcrumbs about your executives. These platforms have been around for nearly two decades now (can you recall your posts from 20 years ago?) and people have become blasé about sharing their personal lives online. It’s easy in this digital age to track someone’s employment history, connections, families, interests, clubs, hobbies and routines — even what school their children go to — simply by looking through their public social accounts.
Privacy on these platforms is still the Wild West. Privacy policies are updated so frequently that most of us mindlessly click “I agree” without understanding what we’ve just consented to. Your executives may think they have activated the highest levels of data security, but there’s a fair chance their accounts are not locked down as tightly as they think they are.
The other, and bigger, concern is that even “hiding” yourself from the internet doesn’t stop others from sharing information about you. The estate agent who advertised your property. The cute photo of you walking your dog that your friend shared on Instagram. The sports club that announced the hat trick you scored on Saturday. Armed with these tasty morsels of intel, a hostile actor can piece together what you own, where you’ve been and what you’re into — even if you’ve entirely sanitised your own online presence.
Case study: Three days to build a life story
To give this context, consider a Counter-Intelligence exercise we recently ran. Counter-Intelligence is a service offered by our Protective Intelligence division that helps organisations stop hostile actors from discovering sensitive information about the company. One part of this service is red teaming: that is, ethically scouring an executive’s open-source information (search engines, social media profiles, etc.) to check for vulnerabilities.
For this assignment, the client gave us two pieces of information: the executive’s name and their job role within the organisation — and nothing else. Here’s a flavour of what our team easily uncovered in just three days:
- Addresses of homes owned (including their value and floor plans)
- Names and social media profiles of the executive’s spouse, family members and other personal relationships (providing plenty of scope for deeper snooping across accounts and platforms)
- Several phone numbers and email addresses
- Details of events the executive had attended
- Information about hobbies and club memberships
- Highly revealing patterns of movement (for example, where they were likely to be each Thursday evening)
- Even Amazon wish lists
In short, we were able to construct a life story without much difficulty — an eye-opener for the executive whose footprint we had just revealed.
By the way, there’s no magic to the three-day time limit. This simulation was all about placing ourselves in the shoes of a hostile actor, and three days is a realistic estimate of the amount of time an amateur sleuth might be willing to commit.
If they’re vulnerable, you’re vulnerable
For the executives themselves, the consequences of digital exposure can be alarming. Furnished with a home address or a favourite dog-walking route, a bad actor could turn up at their house, stalk them or even attack them.
They can also use that information in countless ways to exploit your organisation:
- They can use property information to figure out potential access points for home invasions, cyber attacks and social engineering attacks (e.g. tricking a service provider into revealing sensitive information).
- They may craft an email tailored to the executive’s interests (“Hello, fellow golfer!”) that gets the executive to click on a dubious link, inadvertently giving the attacker access to a personal or company network.
- They may create a fake profile aligned with the executive’s interests and send a genuine-looking friend request, worming their way into the executive’s network to gain intel and trust or simply harm your public reputation or brand.
- They can pose as a high-school friend to trap others in a spear-phishing attack (“It’s Michael’s birthday next month, click this link for details of the party”).
- They could exploit the executive’s routines and hobbies to facilitate an unplanned encounter, building a relationship based on shared interests. Over time, they may manipulate this relationship to extract sensitive company information or influence business decisions.
- They could expose a scandal or ‘problematic’ opinion from years ago, causing huge embarrassment and harm to the company’s reputation. And so on.
Our findings enable clients to swiftly reduce these immediate vulnerabilities, for instance, by taking tags off images and deleting old estate agency particulars. They also inform conversations around a more considered use of online tools, ensuring your people can maintain their visibility in a positive way, without the information they share being weaponised against them.
Is it ethical to invade someone’s personal space?
By definition, delving into someone’s personal life is an invasion of privacy. So, you may ask if this type of exercise, in which we examine all open-source information available about them, is an ethical approach.
The simple answer is: we are not interested in snooping on your executives’ private lives for our own curiosity’s sake. This is done to stop this information from falling into the wrong hands, potentially protecting them, their families and your organisation from serious harm.
We proceed only with the executive’s explicit consent and operate within a robust policy framework that respects the privacy and integrity of the individual.
First and foremost, our Counter-Intelligence service isn’t a blanket operation; it is completely adaptable to the comfort level of the person involved. If there are spheres of their life an executive does not want us to examine, we will respect their wishes. We think like a threat actor with their motivations and goals, and that naturally puts limits on our work.
We don’t send friend requests or engage with people online for the purpose of getting information about the subject. We’re not hackers; our activity is limited to non-intrusive, passive intelligence gathering. Everything’s done from a closed unit within Dragonfly with layers of internal protection to ensure nothing we uncover is leaked — although everything we collect is publicly available anyway, which is the entire point of the exercise.
Ultimately, the trails we follow, the intel we find and the picture we build are no different to what a bad actor would be able to construct. It’s better that we find the vulnerabilities before they do, following strict protocols to reassure the subject that they are in safe hands.