Executive Protection from Physical and Cyber Threats

“Executive protection” is a catchall term used to describe strategies and methodologies for keeping all types of VIPs — CEOs and other executives, lawmakers, professional athletes, and celebrities among them — safe from both physical and cyber threats. These VIPs are often the direct target of physical threats. When it comes to cyber threats, executives and others often act as a conduit for wrongdoing since criminals use their personal information and credentials to gain access to sensitive or proprietary data.

Because of this, executive protection has evolved into a specialized field with significant information needs. Any smart executive protection strategy must encompass both physical and cyber threats. Open source intelligence (OSINT) — or intelligence gleaned from publicly available and commercially available information (PAI/CAI) — is needed for both.

In the realm of physical security, OSINT is needed for optimal threat assessment, and for gleaning information on a VIP’s adversaries. It helps improve operational security by giving protection teams improved insight into the local security conditions at venues being visited by the VIP (including crime rates, local law enforcement capabilities, and the likelihood of extreme weather events).

OSINT is also useful for cultural sensitivity: understanding the cultural norms and practices of different countries can help ensure the VIP doesn’t inadvertently offend his hosts and others. In the cyber arena, OSINT can help spot and stop social engineering scams, deepfakes, unfounded reputational attacks, and other ploys meant to hurt the VIP and the company he or she represents.

Protecting executives from physical threats

Direct physical threats against executives include those of assassination, other physical violence, and kidnapping of VIPs or their loved ones. Indirect physical threats are events that can affect anyone but may harm a company if the person affected is caught up in a dangerous situation, such as geopolitical upheaval or natural disaster.

These threats are realized far too frequently.

In 2022, the husband of the Speaker of the House was attacked in the couple’s San Francisco home.[1] The perpetrator was a far-right conspiracy theorist[2] who had planned to kidnap and interrogate the Speaker.[3] (The Speaker was not at home at the time of the attack.) The perpetrator beat the husband with a hammer, fracturing his skull,[4] and has been convicted of this crime. He faces at least 30 years in prison.[5] In 2019, former employees kidnapped a tech executive-turned-cannabis entrepreneur from his home in Santa Cruz, Ca. They later murdered him.[6] Automakers, oil executives, and others have faced protests and violence from climate-change activists and other groups.

To manage both direct and indirect threats, security services must implement robust measures for VIP safety.

These should include:

Assessing risk

Security teams should identify potential physical threats, especially those that may arise from activists, disgruntled employees and those with ideologies directly opposed to those represented by the VIP. (The CEO of a family planning clinic may face threats from extremist religious groups; the president of a gun rights organization may face threats from extreme members of the gun-control movement.) Security teams must examine these threats within the context of an executive’s routine — including his home life, daily travel routes, and work and social habits — to spot and mitigate potential vulnerabilities.

Securing residences, transportation, and workplaces

Security teams should secure executive residences with gates, cameras, and motion sensors. Additional access control should include visitor identification-and-verification procedures. On-site security guards may be necessary. Executive homes should include safe rooms.

To ensure safety during transport, the executive should employ professional drivers trained in security and defensive driving. Vehicles should have armored plating, bulletproof glass, and run-flat tires — along with technology such as GPS tracking and emergency communication systems. Routes driven to and from work and other frequently visited locales should be changed regularly to avoid predictability.

Finally, workplace security cannot be discounted. Executive offices should contain surveillance cameras and alarm systems. Access to executive offices should be restricted. Security personnel should be stationed there, as well as at key areas within the workplace. Emergency protocols, including evacuation plans and escape routes for all employees, should be implemented.

Providing security for executive travel

Executive travel presents special challenges to security teams. To fully understand and prepare for the security risks presented by certain locales, advance reconnaissance may be needed.

Risks examined should include both geopolitical scenarios (terrorist activity, protests, demonstrations) and the potential for natural disaster. Extreme weather events are becoming increasingly common. And no one needs a CEO caught in the eye of a hurricane.

Crisis management

Security teams should develop emergency response plans for managing crises as they arise. Plans should include protocols that ensure reliable communications among members of the protection team and with outside agencies such as law enforcement and medical services. Clear procedures for coping with emergency situations — including natural disasters, medical emergencies, political unrest, and terrorist attacks — must also be developed.

Protecting against cyber threats

Protecting a VIP’s person is only half of a comprehensive executive protection program. Executives and the companies they represent must also be protected from cybercrime.

Cybercriminals typically target executives to gain access to proprietary and sensitive corporate data. These attacks can compromise corporate strategy, disrupt operations, tarnish reputations, and cost millions — even billions — to remediate.

Consider the 2020 attack on an Oklahoma software company that provides system management tools to more than 30,000 public and private companies — including United States federal agencies. Attackers, believed to be associated with Russian espionage operations, inserted malicious code into the provider’s system. This code targeted the program updates that the company regularly sends its customers. Therefore, the attackers accessed not just company information, but information stored in client organizations. More than 18,000 clients installed the malicious updates.[7]

Among organizations affected were the United States departments of Homeland Security, State, and Commerce. Credential theft — caused by phishing, malware, or other attacks that enable criminals to obtain an executive’s login — is believed to have been a key component of the attack.[8] Remediation costs for the software company and its clients are estimated to be more than $100 billion.[9]

Or look at one of the world’s largest aluminum companies, with more than 35,000 employees and operations in 40 countries. In 2019, an employee opened an infected email he believed to have been sent by a trusted customer. (Anyone can make this type of mistake. A wealthy executive had his phone hacked after he opened a WhatsApp video file that he thought was sent to him by the crown prince of Saudi Arabia.[10]) The email enabled hackers to plant a computer virus in company systems, locking files on corporate servers and PCs. Hackers demanded ransom to unlock these files. The company decided against paying the ransom and worked with a major technology provider to remediate the situation. Estimated cost? Seventy-one million.[11]

Social engineering attacks

These ploys exploit social mores and the workplace hierarchy to induce employees to hand over sensitive information or inadvertently grant access to corporate systems.

A social engineering deception can be run via text, instant messages, or email. Email deceptions are called “business email compromise” (BEC) attacks. They are a type of phishing, spear phishing, or whaling attack. (“Spear phishing” and “whaling” are specific types of phishing attacks that target the accounts of high-profile individuals, often using very specific information about the VIP to convince email recipients of the sender’s authenticity.)

BEC attacks typically work something like this.

Criminals send emails to the CEO’s subordinates. These emails have been engineered to look as if they come from the executive herself. Sometimes, criminals gain access to the executive’s actual email address via credential theft.

Just as often, though, cybercriminals don’t have access to the executive’s actual email. They may use a spoofed email address: an email coming from a domain that looks very much like the organization’s actual domain, often off by just a letter or two, such as ceo@ourcoompany.com rather than ceo@ourcompany.com. (Note the extra “o” in the domain of the first address.) Or they may not bother to use a spoofed domain at all, instead simply writing the display name appearing atop the email to mimic the executive’s. Anyone can write a display name that reads Jane Smith, CEO. Employees must look at the actual domain to see if the email is originating from corporate systems. Many employees fail to do so. They see the display name and assume the email is legitimate.

Once employees open a deceptive email, they’re often hooked. The criminal, posing as an executive, may write to an employee in accounting to say the company is very late paying a specific vendor, and to please transfer money to a certain account ASAP. (Of course, the account is one controlled by the criminal.) The criminal may write to a business unit head claiming he’s about to walk into an important investor meeting but forgot to save the company’s strategic plan to the PC he’s using for the event. He needs the employee to send him that plan immediately. Or he may write to someone in IT saying that he’s experiencing computer issues, and that his system is telling him to click on a certain link. The IT worker clicks on the link, and unknowingly downloads malware. Through that malware, the cybercriminal gains access to corporate systems.

In BEC attacks, criminals rely on an employee’s willingness to do what their bosses ask. Adding time pressure to the requests all but ensures that the employee won’t spend much time questioning the legitimacy of the email.
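The two sender tricks described above (a domain that is off by a letter or two, and a display name that mimics the executive) can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from Babel Street; the domain and executive name are the article's illustrative ones, and the threshold and function names are assumptions.

```python
from email.utils import parseaddr

# Assumed values taken from the article's illustration, not real data.
CORPORATE_DOMAIN = "ourcompany.com"
EXECUTIVE_NAMES = {"jane smith"}
MAX_LOOKALIKE_DISTANCE = 2  # "off by a letter or two"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Label a From header by the sender tricks the article describes."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain == CORPORATE_DOMAIN:
        # Matching text only: whether the message really came from corporate
        # systems is a separate question (SPF/DKIM/DMARC results).
        return "internal"
    if edit_distance(domain, CORPORATE_DOMAIN) <= MAX_LOOKALIKE_DISTANCE:
        return "lookalike-domain"
    # Normalise 'Jane Smith, CEO' to 'jane smith ceo' before comparing.
    name = " ".join(display.lower().replace(",", " ").split())
    if any(name.startswith(exec_name) for exec_name in EXECUTIVE_NAMES):
        return "display-name-impersonation"
    return "external"


# Constructed sample headers for demonstration.
SAMPLE_HEADERS = [
    '"Jane Smith, CEO" <ceo@ourcompany.com>',
    '"Jane Smith, CEO" <ceo@ourcoompany.com>',
    '"Jane Smith, CEO" <jane.smith.ceo@mailbox.example>',
    'Vendor Billing <billing@vendor.example>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):28} {header}")
```

Messages labelled `lookalike-domain` or `display-name-impersonation` are candidates for a warning banner or quarantine, so the employee no longer has to spot the extra letter unaided.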

You may wonder how the cybercriminal knows who cuts the checks at a given corporation, who can access strategic plans, or whom to contact in IT. Savvy attackers plan their crimes well ahead of time, building a deceptive online presence in order to connect with potential victims. For example, a cybercriminal might develop a fake executive profile (called a “sock puppet” account) on LinkedIn or another professional networking site. The criminal then invites employees of the executive’s company to join this network. Employees almost inevitably accept a networking request from the boss.

Once connected, it is easy for the attacker to glean a more in-depth view of each employee and his or her responsibilities. All the cybercriminal must do is visit the profile page of each employee in his network. From there, it is easy to say, “Jane, are you still in the office? Or are you driving back to Rockville? I see you’re reading LinkedIn messages. I need that strategic plan STAT!” In this example, the attacker bolsters his credentials by mentioning the name of the employee’s hometown — information easily accessible from the employee’s profile.

Other attack methods include:

Ransomware attacks

Because they have access to sensitive and proprietary information, executives are often subject to ransomware attacks. As noted earlier, ransomware is a type of malware that prevents companies from accessing their computer files, systems, or networks. Attackers demand ransom for unlocking these files and systems.

Man-in-the-middle attacks

In these attacks, a cybercriminal intercepts communications between executives and other parties for the purpose of stealing information.

Doxxing

Those who dislike a corporation’s behavior may scour the internet to find private or personal information about corporate executives, then publish that information on an easily accessible site. With information such as the executive’s home address, email, and cell phone number on hand, corporate adversaries may plan an attack on the executive. At the very least, they can make an executive’s life very unpleasant.

Reputational attacks and deepfakes

In an attempt to harm an executive or smear corporate reputations, digital campaigns may be launched against a company. Often, these campaigns contain false, inflammatory, or defamatory information. Deepfakes — or AI-generated fake audio or video — may be used to discredit an executive or company.

Executive protection: A unified approach

Effective executive security depends on a comprehensive approach that covers both the physical and digital realms. Babel Street can help. The AI-powered Babel Street Insights OSINT platform rapidly and persistently searches petabytes of PAI and CAI published in more than 200 languages. This data originates from billions of top-level domains; the deep and dark web; and other sources. Among these sources are social media platforms, real-time interactions generated on millions of message boards, and online comments. The platform performs ongoing searches, and issues alerts according to user-determined thresholds.

How does this help in the physical protection of executives and other VIPs?

Our OSINT monitoring capabilities persistently search information sources for signs of threat and violent intent. These may include direct threats to the safety and wellbeing of a specific protectee (someone posting, for example, I’m going to get the Speaker of the House and her family, or Polluter exec to attend summit in Our Town. Environmentalists, show him what you think of him!). Security teams can also use Babel Street technology to search for more generalized threats, such as emerging political instabilities or natural disasters that may affect an executive at home or while traveling.

The process works like this

Security teams use Babel Street technology to search for specific “red flag” keywords that may indicate a threat to the protectee. In the case of direct, violent intent, Babel Street Insights can flag the post, note its author, then search the author’s other online identities/accounts and activities. Babel Street can even link the author’s screen name to a real-world person and provide his or her contact information. Our technology further pinpoints groups whose activities may interest security staffs (i.e., a splinter group associated with one political party, decrying what it perceives as the evils of another political party). With Babel Street, security analysts can map the relationship of individual social media accounts to the social media accounts belonging to that group; identify the most influential accounts; then closely monitor the posts from those accounts.

Security teams can also use Babel Street to monitor geopolitical and geographical situations worldwide, further heightening security for their protectees. Searches for kidnapping trends will quickly enable analysts to learn that Nigeria has a kidnapping crisis, spurred by poverty, political unrest, and religious extremism. Understanding this, security teams may discourage an executive from attending a conference in that country. Searches can also unveil political instabilities, natural disasters, and areas prone to riots or demonstrations. They can even uncover social media posts and online discussions in which someone threatens a VIP or company — potentially stopping an attack before it starts.

Similar capabilities help security teams spot and stop digital threats. Our search tools can scour the Internet — including the dark web — for signs of stolen credentials or mentions of the executive’s company. These mentions are possible signs of an emerging BEC attack, reputation attack, or man-in-the-middle attack. Babel Street can monitor social media for signs of potential social engineering attacks, such as information gathering on key personnel. Our technology can monitor chatrooms and other forums for discussion of the company, which may signal potential threat activity.

Holistic executive protection is a two-pronged effort. It requires security teams to safeguard the physical health of VIPs and the security of the companies those VIPs represent. Babel Street can help with both.

End Notes

1. Rodriguez, Olga, “Man who attacked Nancy Pelosi’s husband also found guilty of kidnapping and faces life in prison,” AP News, June 2024, https://wreg.com/news/nation-and-world/ap-us-news/ap-attacker-of-nancy-pelosis-husband-also-found-guilty-of-kidnapping-and-could-face-more-prison-time/

2. Wikipedia, “Attack on Paul Pelosi,” accessed June 2024, https://en.wikipedia.org/wiki/Attack_on_Paul_Pelosi

3. Ibid

4. Ibid

5. Kopp, Jeffrey, “David DePape found guilty of five state charges in Paul Pelosi Attack,” CNN.com, June 2024, https://www.cnn.com/2024/06/21/politics/depape-verdict-guilty-state-charges/index.html

6. Fetzer, Richard, “Did push-ups and disrespect lead to murder?” CBS News/48 Hours, August 2023, https://www.cbsnews.com/news/tushar-atre-death-did-pushups-and-disrespect-lead-to-murder/

7. Oladimeji, Saheed and Kerner, Sean Michael, “SolarWinds hack explained: Everything you need to know,” TechTarget, November 2023, https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know

8. Ibid

9. Ratnam, Gopal, “Cleaning up SolarWinds hack may cost as much as $100 billion,” Roll Call, January 2021, https://rollcall.com/2021/01/11/cleaning-up-solarwinds-hack-may-cost-as-much-as-100-billion/

10. Briggs, Bill, “Hackers hit Norsk Hydro with ransomware. The company responded with transparency,” Microsoft Source, December 2019, https://news.microsoft.com/source/features/digital-transformation/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/

11. Wikipedia, “Jeff Bezos phone hacking incident,” accessed June 2024, https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking_incident
