SHIELD FR


Exposed executive: a specific threat model

Why you are a target (M&A, litigation, geopolitics, media). What changes versus a standard employee. The right use of a security Chief of Staff.


This version was translated with AI assistance and reviewed by a human.

I ran an OSINT surface audit on a FTSE 100 CEO. In 4 hours: his home address, his cars, his gym, his children’s schools, his personal investments, his PA’s name, and the hotels he regularly uses in London. All from public sources. This is not a hypothetical. It’s exactly what an investigative journalist, an opposing counsel, a competitor, a foreign state, or a disgruntled former employee would do.

The common trap

“I have corporate security.”

That’s the answer I get in nine out of ten cases when I raise the question of personal security with an executive. Corporate security protects the company. It secures the infrastructure, workstations, professional email, VPN access. It does not protect the executive as an individual — their privacy, their family, their personal assets, their reputation, their physical safety. These two perimeters barely overlap.

And that’s precisely the blind spot attackers exploit.


Why an executive is a distinct target

A standard employee represents limited access. An executive represents something fundamentally different across several simultaneous dimensions.

The value of access. A single compromised CEO email account gives access to communications about live M&A transactions, non-public strategic decisions, shareholder exchanges, sensitive contracts. For an attacker — whether a competitor, a state, or a criminal — this is an intelligence mine potentially worth tens of millions of dollars on the right markets.

Direct influence. A spoofed or compromised CEO email enables fraudulent wire transfers. Business Email Compromise (BEC) accounts for more than $28 billion in annual global losses according to the FBI. The mechanics are simple: a credible email from the CEO to the finance team, an “urgent and confidential” wire transfer request, a bank account controlled by the attacker. Documented, recurring, and massively underestimated in most organizations.

Identifiable personal wealth. Public registries — Companies House, land registries, beneficial ownership registers — allow an executive’s assets to be identified with disconcerting precision. This information forms the basis for blackmail attempts, targeted identity fraud, and in extreme cases, kidnapping or threats against family members.

Geopolitical exposure. For executives of companies operating in China, Russia, the Middle East, or any country with economic or political tensions, economic espionage is a reality, not a hypothesis. Economic intelligence services of several states actively target executives while traveling — hotels, phones, computers. The threat is not theoretical; it appears regularly in counterintelligence advisories.

Self-constructed media visibility. Every LinkedIn post reveals the subjects currently being worked on, travel, contacts, ongoing projects. Every conference photo reveals location and associations. Every interview details strategy. This visibility is built for business purposes, but it simultaneously feeds, free of charge, the OSINT of anyone interested in the executive.


Attack vectors specific to executives

BEC (Business Email Compromise)

The executive’s email account is compromised (phishing, credential stuffing, physical device access) or simply spoofed (domain spoofing). The attacker then uses that position to order wire transfers, exfiltrate confidential information, or prepare a broader attack against the organization.

The central protection: a systematic phone verification procedure for any wire transfer above a set threshold, regardless of the apparent origin of the request. This procedure must apply even — especially — when the request appears to come from the CEO themselves.
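An added example, not part of the original article: header triage for the spoofing case, combined with the threshold rule described above so that a request from a genuinely compromised mailbox (which raises no header flags) still requires a phone callback. The corporate domain, executive name, threshold, keyword list and both sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed assumptions, not from the article: domain, names, threshold, keywords.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
CALLBACK_THRESHOLD = 10_000
PRESSURE_WORDS = ("urgent", "confidential", "wire transfer")

def edit_distance(a, b):  # Levenshtein distance, used to spot lookalike domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != CORP_DOMAIN:
        if name.lower() in EXECUTIVES:
            flags.append("exec-name-external-sender")
        if edit_distance(domain, CORP_DOMAIN) <= 2:
            flags.append("lookalike-domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc-fail")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if sum(w in text for w in PRESSURE_WORDS) >= 2:
        flags.append("payment-pressure")
    return flags

def callback_required(raw, amount):
    """Phone verification applies above the threshold whatever the headers say."""
    return amount >= CALLBACK_THRESHOLD or bool(bec_flags(raw))

# Constructed sample messages: a lookalike-domain spoof and a real, compromised mailbox.
SPOOFED = ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: jd@mail.test\n"
           "Authentication-Results: mx.example.com; dmarc=fail\n"
           "Subject: Urgent and confidential\n\nPlease send the wire transfer today.\n")
COMPROMISED = ("From: Jane Doe <jane.doe@example.com>\nSubject: Payment\n"
               "Authentication-Results: mx.example.com; dmarc=pass\n\nPlease pay the invoice.\n")
```

The second sample is the reason the callback cannot depend on mail filtering: it passes every header check, and only the amount threshold sends it to phone verification.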

Targeted spear phishing

Unlike mass phishing, spear phishing against an executive is built from deep reconnaissance: recent schedule (conference mentioned on LinkedIn), current projects (press release), direct contacts (list of event speakers). The message is credible because it’s personalized with real information.

The defense is not technical — it’s behavioral. A link clicked in an email, regardless of how credible it appears, should trigger an out-of-band verification before any sensitive action.

Deepfake audio and video

Voice synthesis from a few minutes of audio is accessible and inexpensive. Documented cases exist of phone calls made using a synthesized executive voice, ordering wire transfers or sensitive actions. These attacks are on the rise; expect their frequency to increase significantly over the next two to three years.

The protection: verification protocols that do not rely solely on voice or video recognition.

Attacks through the close circle

The PA, the spouse, adult children, regular contractors — each represents an indirect access vector. Compromising a PA’s phone gives access to the executive’s schedule, contacts, and travel habits. It’s often simpler than attacking the executive directly, and the PA is typically subject to far less security scrutiny.


What changes in the security posture

An executive’s threat model is broader than a standard employee’s — not just in intensity, but in nature. Attackers are not only hackers. They are also investigative journalists conducting due diligence, law firms in adverse litigation, competitors in an M&A process, states practicing economic espionage.

Dedicated devices for sensitive subjects. An executive who handles M&A matters, active litigation, or sensitive personal data on the same laptop they use for general browsing undermines information compartmentation. Dedicated devices are not a luxury — they are elementary compartmentation hygiene.

Regular briefings with the IT security team. Not just in case of incident. A highly exposed executive should have a monthly or quarterly exchange with the CISO covering their specific risk profile, recent threats against similar profiles, and the status of their protection measures.

The same standards for the close PA. A personal assistant is an extension of the executive from a security standpoint. They have access to the schedule, travel plans, contacts, sometimes systems. Failing to include them in security training and procedures creates an obvious gap.


The personal surface: what you’ve stopped seeing

Most executives have lost awareness of their personal information surface because it built up gradually, without conscious decisions.

LinkedIn: every post compiles a picture of the executive in action — location, date, subjects being worked on, people present. In two hours of research on an executive’s LinkedIn profile, a competent attacker knows their recent travel, current areas of interest, direct contacts, and ongoing projects.

Public registries: shares held in companies (Companies House, SEC filings), current directorships, real estate (land registries in many countries). This data is legal, accessible, and forms the basis of targeting operations built on personal wealth.

Children: social media profiles of minor children or adult children are often information mines about the family — usual location, school, activities, friend group. A child who posts their daily routine provides data that allows predicting the parent’s movements and habits.


The security Chief of Staff: what it actually means

For highly exposed profiles, a Chief of Staff dedicated to coordinating the executive’s personal security is often worth more than most technical tools combined.

What it is: a trusted person who keeps the executive’s security measures in operational condition — devices updated, procedures applied, briefings before trips, coordination with IT security, incident management. They ensure coherence between personal security and corporate security.

What it is not: a bodyguard, a technical security manager, an external contractor. It’s a person integrated into the executive’s team, with established trust and a detailed understanding of the context.

Why it works: a highly exposed executive doesn’t have the bandwidth to manage their own security hygiene. This is not a question of priority or competence — it’s a question of bandwidth. The security Chief of Staff handles what the executive doesn’t have time to do, without measures constantly being compromised by operational urgency.

For less exposed profiles or smaller structures, this role can be partially held by the PA, provided they are trained and willing to take it on. The model scales down; what matters is that someone owns the function continuously, not episodically.


Practical measures by exposure level

Level 1 — All executives:

  • Hardware MFA (physical key such as YubiKey) on email and critical accounts — SMS codes are insufficient
  • Vigilance about unusual wire transfer requests, even from apparently known sources
  • Stop geotagging public social media posts

Level 2 — Executive with sector or media exposure:

  • PA briefed on security procedures (phishing recognition, unusual requests, social engineering attempts)
  • Separate device for M&A matters, litigation, and sensitive personal data
  • Systematic phone verification procedure for wire transfers above a threshold
  • Separation of personal and professional networks at home

Level 3 — Highly exposed executive (geopolitical, active M&A, major litigation):

  • Security Chief of Staff or dedicated coordinator
  • Annual OSINT audit on themselves by an external provider
  • Active media monitoring on their name and the company’s
  • Crisis communication response procedure integrated into security management

