When exposure becomes a threat
- Investigations, Litigation and Forensics
- Organisational Resilience
- Security Risk Management
When exposure becomes a threat: your digital life in the wrong hands
Whatever the amount of information you think there is about you online, you’re wrong (spoiler alert: there’s more). Even if you’ve never so much as logged onto Facebook or Instagram, chances are there is a vast amount of personal data regarding you and your family online, all of which is easily accessible by anyone with a computer, an internet connection, and a desire to find it.
This is all but unavoidable in today’s world. We live our lives online, entrusting an ever-growing amount of information about ourselves to social media platforms and the companies that maintain them. On top of this, in an effort to increase transparency and efficiency, government authorities have made increasing amounts of property, business, legal, and campaign finance records available to the general public online. In most cases, anyone can log onto a government website and get details regarding your home, political donations and past legal disputes within minutes. Different people will naturally have different levels of comfort with this reality. For some high-profile individuals, a certain amount of exposure may even be desirable. Whatever the case, it is crucial that executives are aware of the volume of information that is available about them and their families online.
It is equally important for executives to know whether there are people who might want to use that same information to harm them. This could be anyone from an opportunistic criminal to a disgruntled former employee to an activist opposed to the practices of the executive’s company. Hostile actions taken by these individuals might range from making statements on social media calling for the physical harming of the executive or their family to the misuse of an executive’s identity online for the purposes of a scam. In other words, it’s not enough to know if there is capability; we also need to know if there is intent.
Executive exposure and threat assessments (or what Control Risks refers to as "EETAs") are designed to tackle both of these issues, not only answering the question “Are there people out there who want to cause me or my family harm?” but also “What information could those individuals use to harm us?” By looking at these issues together, it is possible to develop a comprehensive view of an executive’s online exposure and threat profile. To do this, we review a wide variety of available information, from traditional public record sources such as print media and county property records to online blogs, forums and social media websites.
Crucially, it is not just a question of what information we choose to share about ourselves, but what information others are sharing about us. An executive may believe that he or she is being responsible by refraining from posting information on social media or using home addresses on political donations and business filings. They may also believe that, by not signing up for services such as Facebook, Twitter or Instagram to begin with, they are ensuring that their private lives remain private. More often than not, however, their children, spouses, friends and coworkers are doing the damage for them, rendering the executive’s own efforts futile.
The types of information that an EETA can identify are as varied as the executives who commission them. Everything from details of upcoming wedding plans - complete with times, locations and descriptions of events - to the location of vacation homes and upcoming family trips is find-able by a skilled investigator. With a bit of digging into old property listings it’s often possible to find detailed diagrams of floor plans and entry points.
Teenage and young adult children of executives frequently have much higher online profiles than their parents would expect. Children often have social networking profiles that reveal photos and information about their friends, families and social habits. This information can identify the likely route a child and their parents take between home and school each day, as well as the times and locations of after-school sports practices at which the child would likely be in attendance. In one case, an executive’s daughter attended a large university at which protests had been held against the policies of the executive’s company. It was possible to identify the location and floor plan of the apartment in which the daughter lived, and also the number of the parking space she used each day.
Some of this online exposure is unavoidable. However, there are numerous steps that can be taken in order for executives to improve their information security. The final component of a well-conducted EETA is mitigation consultation, when the consultant highlights vulnerabilities that can be resolved and provides bespoke, actionable advice around tactics and strategies to mitigate the risks posed by the executive’s online exposure and threat profile. Frequently, this is focused on consulting with the executive around “best practices” to mitigate the risks stemming from social media activity. These changes allow the executive to limit public access to information that, though innocuous on its own, could be used alongside additional findings to reveal more than originally intended.
You can’t reduce your online exposure to zero. That may not even be the goal. What you can and should do, is be aware of what information is available about you and your family online and incorporate that information into your personal security plans.
- Ryan Murphy, Associate Director
- Tom Burns, Director