Many executives focus their security efforts and budgets solely on physical threats, but attacks targeting an executive’s digital presence can be just as dangerous.
Criminals are looking to exploit the wealth of high-profile and high net-worth individuals—or cause them embarrassment or personal harm—at an unprecedented rate. And, as the most abundant source of company secrets and IP, they’re a primary attack vector of their businesses too.
Attacks on VIPs involve attempts at accessing their sensitive information and span both the real world and the web. Because of their digital and physical vulnerabilities, protecting them requires a 360-degree view of their attack surface, i.e., anything related to their physical or digital presence that can be used against them. But to defend an executive’s attack surface, you first have to define it.
Today, developing a plan to protect an executive, and in turn, their families and businesses, means understanding what information should be considered sensitive and having the tools to monitor the internet for it. References to names and addresses of the individual and their family and associates on forums, malicious rhetoric toward them, and the presence of leaked sensitive data are all crucial intel. This internet-wide visibility provides security teams with invaluable information and context not only about potential cyberattacks, but also attacks that may occur in the real world.
The top historic executive threats demonstrate how seemingly insignificant information has enabled completely preventable incidents. These top-five examples of threats to executives illustrate the overlap between the physical and the digital threat landscapes.
Bill Gates pied in the face
Arguably, the most famous example of executive embarrassment occurred in 1998. During a business trip to Brussels, Bill Gates was hit in the face with a cream pie while entering the meeting.
While the impact of this incident was minimal, it could have been much worse. Anyone getting close enough to an executive to hit them with a pie could cause much more damage with equal or less trouble.
This incident was also entirely preventable. The pie was thrown by a known internet prankster who made a habit of filming such events and then trying to sell the footage. It is likely that there was some indication on the internet that he intended to target Gates. A comprehensive search by security staff may have discovered this and been able to prevent the incident from occurring.
Tracking Elon Musk
Elon Musk and Tesla are a topic of intense interest to some parties. Tesla’s distribution model makes it difficult to validate its sales figures, leading to doubters taking extreme steps to disprove them, including renting planes to flyover lots of unsold cars.
However, this scrutiny is not limited to Musk’s company. One Tesla critic tracks the tail number of Elon Musk’s plane (which is public knowledge) and tweets about Musk’s travels in real-time. As a result, anyone could know Musk’s destination before he arrives, creating a serious potential security risk.
While concealing travel information is second nature for most world leaders’ security details, the same is not true for executive security teams. The ability to find information about an executive’s exposure on the Internet is only useful for a security team if they know what information to look for and how to interpret it.
Bank robbery by proxy
Robbing banks is a difficult and dangerous business. However, it becomes a lot easier if a would-be thief can get bank employees to do the robbing for them. This was the technique used by Michael Benanti.
Benanti kidnapped the families of employees at his target banks after performing extensive reconnaissance. Using the victims as leverage, Benanti and his co-conspirators forced the bank employees to perform the robberies for them. Of four attempts, one robbery was successful before the criminals were arrested.
This series of thefts demonstrates the potential danger of leaked personal data. The criminals were able to determine the home addresses of all of their targets, enabling them to kidnap the employees’ families and use them as leverage to convince employees to commit their crimes.
While a home address can be found for almost anyone on the Internet, executives’ digital exposure is much greater. Press releases and other public exposures can reveal patterns of life for executives that can be used for a variety of different purposes. To be effective, a security team needs to be capable of interpreting the same data used by criminals and identifying vulnerabilities that an attacker is most likely to exploit.
Kidnapping for ransom
The use of kidnapping to achieve criminal gains is not limited to Benanti. In 2017, Pavel Lerner, the CEO of a UK Bitcoin exchange, was kidnapped while traveling in Ukraine. The CEO was kidnapped by six armed individuals wearing balaclavas to conceal their identity. He was only released after the payment of a $1 million ransom in Bitcoin.
The details of this attack demonstrate the amount of data leaked about Lerner’s affairs. He was kidnapped while traveling by individuals who were obviously well-prepared to do so, as evidenced by the use of balaclavas, firearms, and a vehicle with stolen number plates. This indicates that the attack was premeditated and demonstrates the potential impacts of data leaks regarding an executive’s travel plans.
Another pie to the face
Bill Gates isn’t the only one to get a pie to the face during a public engagement. During a speech in Perth in 2017, Qantas chief Alan Joyce was also hit with a pie to the face. His attacker walked up to the stage and interrupted the speech that Joyce was giving at a business breakfast. Joyce took a brief break to clean up and then returned to the stage.
As the attack against Bill Gates, this attack was likely entirely preventable. The attacker was detained by security after the attack, implying that they were on-site and that the attacker passed them and entered an important meeting while carrying a pie. Like the Gates pie event, indications of this attack may also have been present on social media or the wider internet, making it possible to predict and prevent the incident.
What executives can do
Digital security and physical security are not mutually exclusive. In fact, they are intrinsic to one another. These attacks against top executives were enabled by a combination of failures in both digital and physical security. Online discourse and data leaks enabled the attackers to know where and when to stage their attacks, and physical security failures allowed them to happen.
If you want to prevent harm to executives, you need a security program that bridges the digital and physical worlds. It’s critical to have a team and intelligence capable of finding leaked personal data, tracking what potential attackers can find, and minimizing the likelihood of this information falling into the wrong hands.