Protection of senior or C-level executives forms a key component of an organization’s overall risk management strategy. Executive protection has developed as a mature professional service; however, at present its scope is limited to
Defense against cyber espionage
Senior or C-level executives of organizations operating in critical sectors like energy, nano-computing, semiconductors, oil and gas, next-generation mobile technology, banking, and defense are easy targets of cyber espionage, as their log-in credentials provide immediate access to critical data. As a senior executive, you should be extra vigilant while travelling to adversary countries (those engaging in cyber espionage to benefit their nation), which may wire your hotel room or bribe the cab or hotel room service provider to get access to any information possible. The WiFi network of a hotel can also be compromised to get access to your internet session. Thus, an executive protection plan must include defense against cyber espionage activities. Senior executives must be extra cautious while travelling to countries like China, Russia, Brazil, Iran and the Middle East, which are considered high-risk areas.
Cyber security – a vital element
Every organization has an information security policy to ensure that the information technology infrastructure is updated with the latest antivirus, firewalls and other critical security controls. However, the security policy might not cover executive protection. Therefore, the organization must develop an exclusive executive protection plan to protect senior executives from cyber threats. Huge multinational companies with several chief executive officers, vice presidents, and directors especially require executive protection plans that incorporate cyber security. However, designing an exclusive executive protection plan for cyber security requirements may not be feasible for the IT department due to constraints in budget and manpower. An organization could thus resort to specialized service providers (though rare) that offer cyber security for executive protection.
To start with, an organization could implement the following measures as part of its executive protection plan:
- Don’t allow senior executives to carry work laptops when they are travelling.
- Provide a second laptop to the executive that never connects to the home-office network (company network). This laptop should preferably carry as few work files and applications as possible.
- Avoid carrying highly vulnerable and targeted applications on such laptops, such as Adobe Acrobat Reader, which is being targeted by several blackhat hackers. Instead, use an alternative PDF reader.
- The executive should avoid keeping crucial information on the travel laptop. Important files, presentations, and critical information should be stored on flash drives, which the executive should carry at all times. Using encrypted flash drives, which offer high security, would be even better.
- Conduct a forensic analysis of the travel laptop once the executive is back.
Given the range of risks involved, a chief information security officer managing an executive protection plan must know that protecting an individual is different from securing a facility. A proper risk assessment exercise would help create a thorough executive protection plan that incorporates cyber security.
About the author: Jeffrey Carr, Principal, GreyLogic, is a cyber intelligence expert, columnist for the Forbes Firewall blog, and cyber warfare author who specializes in the investigation of cyber attacks against governments and infrastructures by state and non-state hackers. Carr regularly consults with agencies of the United States and allied governments on Russian and Chinese cyber warfare strategy and tactics as well as new and emerging threats to critical infrastructure. He has authored a book called ‘Inside Cyber Warfare’ and has spoken on the issue of cyber warfare at various events.
(As told to Dhwani Pandya.)
This was first published in December 2010