Executive protection (EP) professionals take a 360-degree approach to protecting their principals in physical space. As workforces, including many C-suites, evolve to hybrid or fully remote environments, IT and security teams have moved swiftly to secure workplace networks from cyber threats. However, executives may need a higher level of cyber protection than traditional enterprise cybersecurity measures provide. Just as physical EP efforts support executive safety while traveling — and in their personal lives, in a number of cases — it’s important for executive cybersecurity protections to extend beyond enterprise networks.
“There are a wide variety of threats targeting executives not only at work, but at home and in their personal lives,” says Malcolm Harkins, Chief Security & Trust Officer at Epiphany Systems. Threats targeting executives range from nation-state actors to organized cybercrime, hacktivists and insider threats, according to Harkins. While information technology (IT) and cybersecurity teams have systems in place to protect enterprise networks, executives’ personal networks can also open up the enterprise to cyber risk and need to be secured.
“In their personal lives, executives have connected homes, a wide variety of devices, security cameras and a more porous environment with family and friends having access — or even contractors doing work around the home,” Harkins notes. “That expanded attack surface is a softer target that can be used to gain access to the executive. It can be utilized for a variety of attack scenarios directly against an organization, the executive or their family in a way that could still have organizational impact.”
To mitigate these impacts, those responsible for physical executive protection in the enterprise should work alongside the cybersecurity team. According to Harkins, there are a number of steps physical and cybersecurity teams should take in tandem when protecting their principals.
First, it’s important for physical and cyber EP teams to evaluate the risks targeting their executives. In a number of cases, these risks can overlap, presenting a mix of physical and cyber danger to the executive. “In many large organizations, the physical security team has taken precautions to protect an executive and their family at home or perhaps when traveling, but many have neglected the logical security for that same individual other than the specific corporate systems they provide. In some cases, even the security system installed/paid for by the corporation for physical security reasons has cyber vulnerabilities that are not mitigated and could present physical and cyber risks,” says Harkins. By assessing risks together, physical and cyber teams can identify where cybersecurity efforts can complement physical security measures put in place, such as security systems.
Cyber executive protection can present challenges to security teams. One issue, for example, surrounds the question of duty of care. Is it the responsibility of corporate security teams to protect the homes of their executives? If an organization has made the decision to secure executive homes from physical threats, does that extend to cybersecurity? These questions are important for security leaders to address before they embark on a protection plan that involves cyber EP.
A risk-based approach to answering these questions may help security leaders determine the organizational impact of threats facing executives. According to Harkins, physical executive protection teams and IT teams should start by “evaluating these risks, understanding how they are managed today, and determining a path to properly manage them.”
Another challenge for security leaders to keep in mind is “the implication of having internal resources provide personal protection,” Harkins says. In the security systems example, where an organization installs a system to protect the home of the executive, privacy and safety issues can arise. “From personal experience, that is difficult and fraught with other issues — imagine one of your employees having access to the home cameras, other devices and networks of your executives.”
Harkins suggests balancing internal and external resources to maintain executive privacy while protecting them from physical and cyber threats. “The CISO evaluates the risks, coordinates potential solutions, and then the organization contracts with a trusted outside party to do the rest — maintaining privacy for the execs, but also coordinating as needed on threats between their work life and their personal life to manage the crossover of attack vectors,” he says.
When considering extended cybersecurity protections for executives, collaboration between the physical and cybersecurity teams can help bolster security on both fronts, according to Harkins. In an increasingly connected world, enterprise security teams must evaluate and respond to cyber risks faced by executives. “When both teams objectively evaluate the risks and partner as needed to address them, that should lead to the right level of management and mitigation for these risks,” Harkins says.