The New Level of Executive Vulnerability

The global pandemic has impacted the economy in unprecedented ways. Now, foreign governments and multinational corporations are beginning to think more critically about the economic strength of their country and/or organization. These uncertain times are bringing with them a new era for offensive domestic and foreign competitive intelligence gathering. We already know some countries and businesses will be very slow to recover. How far these countries and businesses will go to sustain their viability is yet to be ascertained.

The first company to produce the COVID-19 vaccine could secure leadership, influence and even enduring dominance of an industry. Perhaps a shift in the Global Manufacturing Competitive Index may present some stark changes in 2020 from previous years’ reports. A 2016 study showed China, the United States and Germany leading the pack. Still, several Asia-Pacific countries including Japan, Taiwan, India and South Korea are expected to emerge in competitiveness in 2020. We have yet to see how the pandemic will impact global economic stability and associated desperation of businesses, how far will countries and business go to maintain and/or gain a competitive edge and will these countries resort to espionage or sabotage.

Let’s assume there is no increased risk of espionage against corporate entities and briefly glance at the protection of key persons in a company. Traditionally, executive protection security professionals are taught to avoid time and place predictability and control public and media interaction. An executive is less at risk when conducting business inside his/her company’s headquarters because of the many levels of available security. Furthermore, information technology security has evolved to ensure principals have secure devices during travel.

Now, consider the same executive working from home due to the pandemic. If working from home becomes a normal business accommodation, the executive will predictably be home every day and his or her address could be discovered online or through public records. The many layers of physical and technological security offered at the home are significantly less, and time and place predictability may not be avoidable. Executives could have a compromised cybersecurity, even with a virtual private network (VPN). Those without adequate residential security strategies are more vulnerable to home invasions, package bombs, theft or unauthorized access to their devices. The intrusion of American rapper, Eminem’s, Detroit home in April 2020 demonstrates the importance of properly layered physical and technological safety measures. Even when supplemented by security personnel, sole reliance on an intrusion detection system does not constitute a comprehensive approach to layering security on a residence.

Often, an executive’s devices are also at risk. An executive’s computer, for example, is likely provided by the corporate cybersecurity team and regularly updated. With an increased demand for telephone calls and video teleconferencing, the new stay-at-home work strategy of the executive should, in theory, have more robust security. But what about that ancillary device attached to the executive’s computer, the webcam or their personal gadgets they may keep nearby? Those are typically managed outside of their corporate cybersecurity team. We have known for years that webcams are vulnerable to compromise by a third-party. While many people put covers over their video camera, it’s easy to forget that the microphone can also be compromised. A 2018 report from Komando.com suggested that 9 million webcams were subject to attack. Many cameras produced by the Chinese technology company Xiongmai were identified as being highly vulnerable. We likely have no way of knowing if a camera is manufactured by Xiongmai since they are produced and rebranded for hundreds of other companies to sell.

This is only one of the many considerations relative to webcam vulnerabilities. Additionally, our residences are evolving into smart homes with everything from televisions, lights and temperature controls connected to the internet. The Internet of Things (IoT) is real and it is here. Between smart refrigerators, smart thermostats and the eavesdropping of smart speakers, the risk of conversations and day-to-day life being captured, cataloged and possibly compromised is also very real.

These vulnerabilities are currently more abundant due to the work-from-home conditions that many executives face. In reality though, they have always been there and the response to COVID-19 has only made them more obvious. Considering the myriad of failures currently contributing to executive vulnerabilities, now is the time for companies to re-evaluate their physical and industrial security practices for key personnel and identify additional susceptible personnel in the new workplace. At a minimum, security teams should engage with key employees to do the following:

Establish Protective Intelligence Programs

In today’s digital-centric world, there is no good excuse for not having an active protective intelligence team in place. We know predators use open source information to discover locations and collect lifestyle information. We’ve witnessed countless intrusions on residences, or trespassing at closed events, from determined individuals who did nothing more than patiently research their target. A sound protective intelligence program will assist with identifying what and where information vulnerabilities exist and allow proactive mitigation strategy application by the corporate protective program team. A protective intelligence program will also help connect the dots between the myriad of inquiries, engagements, outreaches and posts which suggest someone is beginning to isolate a target of choice.

Conduct Risk Assessments

With a number of executives at home, conducting risk assessments is more important than ever. Take the time to explore possible threats, evaluate their vulnerabilities, determine the probability of any number of potential incidents and apply appropriate mitigation. The strategies of an executive residence need to be more dynamic than a standard home alarm system. The integration of multiple elements must include barriers, lighting, access control, intrusion detection, surveillance, protection and safe spaces create the foundation of a complete protection strategy. Essentially, you need to bring the same model that the corporate security team built at headquarters to your executive’s home.

Perform Technical Surveillance Countermeasures (TSCM)

Limited mobility makes an executive’s movements more predictable, making electronic surveillance much easier. An executive could be inside his/her home office, talking on a Bluetooth enabled earpiece, potentially discussing proprietary company information during online meetings, etc. – these are all markers for compromise. Previously, many organizations would engage TSCM technicians to conduct sweeps of hotel conferences or office board rooms prior to a Board of Directors meeting. Now, several executives could be on a conference call in the comfort of their own homes. This means multiple different sites must be secured, an environment the security team has likely never seen. With people more reliant upon technology to sustain their daily lives, and employees working closer to their families, executives are likely to have more unsecured devices in the home than were present in the office. Many of these gadgets in the household are also used by their family members. Security TSCM can assess the Radio Frequency (RF) spectrum of the executive’s residence methodically through the process of interviewing, technical investigation and physical investigation. By questioning the executive, the TSCM Investigator can identify potential or known vulnerabilities. Then, through the use of technical tools, investigate the RF spectrum with a minimal invasion of private spaces. When anomalies emerge, the use of technical tools facilitates narrowing the scope necessary for a physical search – the most prying aspect during an investigation. This layered approach to conducting TSCM investigations minimizes privacy invasion by providing paramount security of the RF spectrum for an executive’s residence while maintaining a healthy balance between security and privacy. Security teams should look to establish regular sweeps of critical spaces within executive residences and determine a threshold and process for engaging other senior leadership individuals that may participate in Board or otherwise sensitive phone calls.

Engage in IT Cyber Consulting

Erase the barrier between the office and home office when it comes to cyber vulnerabilities. Many cybersecurity programs focus on the networks in the office and the devices utilized by their leadership team. Extend this border to the executive’s residence and mitigate known vulnerabilities for them to conduct day-to-day business at home. Remember, the laptop may be secure as well as the VPN or channel they connect to it, but the Wi-Fi network in their home that makes it all work likely still has the same password their cable and internet technician used during installation.

Educate & Train Executives

Provide adequate training for executives on the vulnerabilities of their devices in this new work-from-home environment. Provide them with a suitable overview of how eavesdropping can occur even without gaining access to the interior of their home.

Executives are at a new and modified level of risk from that of past years. Therefore, home engagement at multiple levels should become a new norm.  Improving the level of education and involvement in IT/cybersecurity, conducting TSCMs, performing risk assessments and expanding or establishing protective intel programs are a few steps that protective teams should take as they look to continue conducting business remotely.

By Chuck Tobin & Matt Speidel