Traditionally, executive protection has focused solely on the physical aspect of security.
With executives and their families increasingly using IoT, social media and other avenues that put their information at risk, cybersecurity is an often-overlooked component of executive protection, cybersecurity programs and protection of an organization’s brand.
In this video, Chris Bullock, Secureworks Managing Principal, and Ashely Ferguson, Global Director of Secureworks Executive Advisory Services, cover a new approach to mitigating the risk from this emerging threat that encompasses:
- Analyzing ten domains of risk to a Principal, Principal’s family and Principal’s close staff
- Assessing the risk and exposure to the brand or reputational damage
- Providing guidance on which specific risk factors to monitor regularly to ensure preparedness through optional courses of action
- Implementing the most effective and appropriate safeguards
We created the Cyber Executive Protection Program to address a missing piece in traditional executive protection. Traditional Executive Protection has constantly focused on the physical piece. As we know, people of high notoriety are under threat consistently. If they’re executives of companies, if they’re celebrities, they’re going to be under threat – physical threat, they have a protection team that deals with that. However, that protection team typically doesn’t know how to deal with the cyber piece. Or if they do it’s very limited.
So what better organization than Secureworks to be able to come in and give the backing of our intelligence and all of our expertise to actually enhance the executive protection piece. So we created it to be able to do that so that the executive would be protected both on the physical front and the cyber front.
Slide Title: What is the framework?
So the Cyber Executive Protection analysis that we do is basically a framework we’ve developed that’s unique. It’s more unique than any other industry framework out there. I’m not even certain there are any specific industry frameworks out there.
So we go through 10 domains. Parts of those domains include looking at the executive’s cyber habits, and being able to look at that, as well as their family, and the specific ways that an attacker may be able to leverage things to gain access to their data, and, inevitably, do brand damage to them. A lot of times when companies think about brand damage, they think about a breach. That’s the first thing that comes to mind. But an executive attack, or an attack on an executive, can cause a sufficient amount of brand damage. And being able to protect them on the cyber front is very important.
One of the domains we do look at is devices. There are instances where we’ve seen the internet of things being able to be utilized to cross over from the cyber realm into the physical realm. Meaning that, the cyber suddenly gets dangerous because those devices, such as potentially door locks that are exposed through some home security system, or camera systems that are exposed, or could be accessed to look at the executives, surveil them from a distance or potentially unlock their doors. Because those internet of things devices are now online and they’re physical locks in some cases. They’re things that can really cross over into a really dangerous situation. So, if somebody really wanted to do something bad, they could unlock the home by breaching the internet of things connection to that locking device, and then gain physical access to the home.
Slide Title: How is the sensitive information shared?
One critical point to note, too, on the Executive Protection Program is that you really have to be careful. A lot of information that is being gathered is very sensitive and we’re very keenly aware of that. And so there are things that could be uncovered as part of an engagement that we don’t share with the organization. We very specifically share it with the executive themselves because there’s obviously the risk of information being uncovered that is probably pertinent only to them. And something that they may need to adjust, but that we would only want them to be aware of. And so there are elements of the engagement, you’ll have certain deliverables that are shared with the team, but all of those deliverables are cleared with the executive or celebrity that we are working with prior to sharing that information. And if things are uncovered as a part of that, that don’t need to be shared with the organization itself, we share that information separately with the executive. The whole purpose of it is to try to improve and make them feel more secure and able to be in control of their lives. It can sometimes be a little bit outside of the realm. And we want to make sure that they feel comfortable with what’s being done, and that what is being shared with their team is not something that they didn’t want to be shared.