In an era of deep fakes and easy impersonation, it’s important for security officers to create an executive protection program.
The program should apply to all of the company’s major executives — anyone with the authority to sign checks or transfer large sums of money, or who can make public statements that might affect stock price. It should also include the board.
A good executive protection program should have the following five components:
TRAINING: This is first and foremost. You should develop a training cadence for executives to teach them how to validate whether somebody is who they say they are. A lot of people are impersonating FBI agents, IRS agents, Homeland Security and the like, trying to pry information. Give your executives tips and tricks on how to know that the person who just called you is indeed a law enforcement officer or federal agent. (For Example: Take the person’s name and badge number, and call the FBI field office to verify — after looking up the number yourself.)
It is extremely important to let the executives know who to contact when they have to deal with certain issues. Give them an escalation tree of people they can reach out to, both internally and externally.
Developing an executive training program ensures that executives know these risks exist, and how best to manage them. It also raises the profile and visibility of your security organization. An executive protection service is considered a value-add to those executives. It’s something they didn’t have that they didn’t know they needed. And that helps them realize the importance of what your security organization does.
DARK WEB: I’m going to say this in bold letters to CISOs: If you don’t have a tool that allows you to examine the dark web for things related to your executives or your company in general, then you’ve made a mistake that you should fix as quickly as possible. These types of attacks originate in awareness of that individual’s existence on the web – say, a CEO who is older, or a board member who might be an easy social target. You need to pay attention to spikes or changes in conversations around executives or individuals so you can ask them to change their passwords or take other precautionary steps.
You also need to be able to know if their information ends up in some other supplemental technology breach, not necessarily related to the company. We have to remember that executives are people who have credit cards and buy things and shop places and do things that create exposure that could harm the company. So you have to make sure that those folks are as well protected as possible on the dark web.
You don’t have to watch these scanning tools all day. Creating smart alerts, and creating awareness around telemetry is pretty much the MVP product that you have to build from that type of technical source.
CONFIDENTIAL CHANNELS: Boards should be given communications technology – email and chats — that can’t be seen by people inside the company. Board members are supposed to be independent, and their communications are supposed to be closely held. If you create technology that allows board members to communicate with each other, then it should be separated from the rest of the organization’s communications technology. In this day and age, it is too dangerous for public board members to use personal email and services like Gmail and Yahoo! to conduct board business. You need to put the proper protections in place around these conversations so they can communicate with each other in confidence.
TRAVEL: Not enough security organizations pay attention to where their top executives go. If you have a top executive who’s decided to vacation in a dangerous country, your security team should be aware that they may see logins from that place. You should know where the chief executive officer and chief financial officer are when they are away, because if something happens, you want to be prepared. That should be part of any sort of business continuity process.
Security teams should also be able to outfit traveling executives with tools that make it safer for them to transact business, if necessary, like an automatically provisioned secured VPN that meets the export restrictions of the country they’re visiting. You need to make sure that when they’re on a hotel or restaurant Wi-Fi that their communication channel remains secured.
Your executives should be trained to confidentially notify the SOC or security help desk that they are going on vacation and where. Your security team should be aware of any State Department advisories for that destination so they can inform the executive. And your security organization should develop a protocol for what to do when people are in certain dangerous places.
Most companies maintain ransom and kidnap insurance for executives who travel abroad. Security teams should be aware of that, and it should be part of the continuity plan. This sort of incident might be rare, but being prepared for rare things is a staple of a good security executive, in my opinion.
ON CALL: Smaller organizations might struggle with being able to put the resources together for this, but there should be a specific on-call person for your executive team when there are serious issues. Part of providing executive protection is ensuring discretion. You want incidents to be handled as discreetly as possible without causing any sort of public or internal angst, or feeding the gossip mill. Additionally, consistency is helpful to ensure executives can feel comfortable calling, even if what they thought was an issue turned out to be a false-positive.
It is extremely important that security departments step up and pay very close attention to their executive tier in order to protect the business. A couple of years ago, people probably would have asked, what’s the value of doing something like that? But risks continue to evolve, and so must we.