Executives caught in the crosshairs

Senior leaders can become targets for being public face of company

John Smedley was on a routine flight between Dallas and San Diego when the plane was diverted because of a bomb threat.

Smedley, the president of Playstation Online Entertainment, quickly realized it was no ordinary delay — it was a personal threat from a hacker group.

A hacker collective known as "Lizard Squad" had been targeting Playstation’s online gaming services that day, but the group took its harassment a step further, taking to Twitter to make the threat against Smedley’s plane. The tweet targeted Smedley by name.

Though no one was hurt, the incident is an example of the risks executives face — simply for being the public face of a company.

Those risks can increase if a company is going through any sort of public controversy, said Kevin Calder, a Vancouver-based security expert and president of K Calder & Associates.

"The more sensitive the topic is… the more likely you’re going to get people who are very emotionally involved. And within that group, there’s always a sub-group of people that (could) potentially cause a problem," he said. "Particularly in an industry (where) there is a high degree of anxiety already — pipelines, environmental issues, animal rights issues."

Fortunately, that sub-group of people is very small. But organizations, and executives themselves, should still be aware of potential risks — and know how to stay safe.

What are the potential threats?

Even when upset or angry at an organization, the vast majority of people will not resort to threats or harassment against an individual executive, said Calder.

"Unfortunately, there’s a smaller segment of individuals who may have mental health or other types of personality disorder issues that can become focused on those executives," he said.

With the proliferation of social media, it’s easier than ever before to get information about a company and its executives, said David Hyde, senior security consultant at David Hyde & Associates in Toronto.

"The facilitator or the amplifier of the threats, if you will, is just the proliferation of social media and mass forms of social interaction, mass communication," he said.

"All of the risk factors are multiplying, to a certain extent, because in the old days, the public really wouldn’t find out about a lot of the things going on. They may not know that a particular executive’s (company) is doing work in an area or behaving in a way that they might deem corporately irresponsible… (now), the threats are amplifying in many ways, because more people are finding out — and a slight negative spin can be latched onto by issue-motivated groups who can make it a lot worse, in some cases, than it actually is."

Threats and harassment from members of the public can take many different forms, said Calder.

"They can be the chronic emailers, the person who shows up uninvited at times to the executive’s offices, demanding to see the individual in question, they can be harassing in nature, repetitive… they may or may not be violent, but they certainly cause concern — especially for the front-line staff that may be coming in contact with them," he said, adding that front-line staff are forced into a sort of "gatekeeper" role.

"They also may, at that point, begin making direct or veiled threats towards either the executive or the organization as a whole."

Crossing into physical violence is relatively rare, he said.

"But the concern is that they’re escalating in that direction, and with some of these individuals, it’s a very thin line."

But physical threats aren’t the only ones organizations should worry about, said Hyde.

"The range of threats can obviously be fairly broad — there’s the physical threat in terms of the safety of the actual executive… (but) secondly, it could be psychological. It could be a social media campaign or disruption."

It could even be a technological attack on the executive’s personal data or accounts, said Vladimir Zagribelin, cyber-security expert and executive director of Group-IB in Moscow. This could include an attack on personal data, searching for any intimate details of the executive’s life that can be used to discredit or blackmail them.

It could also include an attack on their credentials for corporate information systems, such as logins and passwords for corporate mail, intranet, VPN, et cetera, which can be used to steal classified information, he said.

The information hackers are looking for generally differs depending on the individuals or business they are targeting.

"Top managers of worldwide famous brands often become victims of hacktivists, who want to draw attention to their activities and ideas," he said. "Managers working in critical infrastructure — power electricity stations, road traffic systems — possibly can be targeted by cyberterrorists to draw public attention to their political ideas, to scare people."

There have even been situations where executives have been approached at their homes, which widens the potential "victim pool," said Calder.

"We’ve had situations where executives have been approached at their homes, or while they’re travelling, so now you’ve got a different victim pool. You’ve got the individual executive, you’ve got their office staff who may be at risk of violence, and then — if that follows them to their personal life — now we’re talking about the potential that it blows over to their family."

Proactive measures

So what can organizations do to protect their executives — and what can executives do to protect themselves?

The first thing to do is a thorough risk assessment, to understand the level and type of threats that might arise, said Hyde.

"When you look at any type of a threat to a human asset, which an executive is, or a physical asset like a building, or a property, or reputationally for that organization (it’s crucial to) do a risk assessment. This is the absolutely critical first step," he said.

Social media monitoring is an important piece of that, because it can help you understand how members of the public view your organization, he said.

Organizations need to sit down and take a good look at their current safety practices, said Calder.

"The first thing is just to have that discussion, because a lot of organizations have a discomfort around even talking about it," he said. "I think it’s a multidisciplinary approach that involves safety, security if it exists, human resources, senior executives of the appropriate level to sit down and say, ‘How are we going to manage this as a group?’"

There also needs to be training in place so employees can recognize behaviours of concern and report them.

"As they do that, they’re in a better position to manage the situation and not over- or under-react to it," he said.

And security measures and strategies should be preventative, he said.

"A lot of people get obsessed with (CCTV) cameras. Well, in a real threatening situation, it’s going to be much more dynamic than that, because the camera’s only going to capture the result. It’s not going to be preventative if you’ve got somebody that’s being homicidal or suicidal."

Antivirus programs, firewalls, intrusion detection systems and immediate and qualified incident response are the keys for protecting data, said Zagribelin. There should also be information security and awareness for employees — and for high-level executives, no matter how busy they are.

In terms of physical security, organizations shouldn’t limit their strategies to protecting the executive while she’s in the office — they should also consider her safety in transit, while travelling and while she’s at home, said Hyde.

"(Recently) we saw that somebody waltzed into Justin Trudeau’s house through the back door (at night). Too many executives are far too cavalier and casual with their personal safety and security and that of their families. Yet some executives are at heightened risk, and they do need to take those baseline security measures," he said. "There needs to be some thought put into… where the executive parks, if they’re at higher risk, how they’re getting to the workplace, how they travel — putting some security around that, but also at home.

"They need to have a robust security plan in place at home to make sure that they’re not vulnerable in their homes as well."
