In a recent interview, the chairwoman of Israel’s largest highway infrastructure company noted that when she heard the CEO of Mobileye, one of the country’s most successful tech companies, rode a motorcycle, she called the company to berate them. “That is $15B you have riding on those two wheels,” she reportedly said, urging them to do a better job of protecting arguably the company’s most valuable asset. 

The anecdote came to mind as I started thinking about the potential fallout and response from Russia in retaliation toward the multinational companies pulling out of Russia. While the threat is clearly different, both situations bring to mind the security of corporate executives. Russian prosecutors have warned that business executives at Western companies there are at risk of arrest and seizure of corporate assets in retaliation. At least one multinational company there has said it has reduced communications with its personnel in Russia, fearing government espionage of emails could aid in carrying out such threats, according to the Wall Street Journal

While companies have been extra vigilant to Russian-backed cyberattack threats since the weeks leading up to the ongoing war in Ukraine, this threat of physical action against executives may at first glance appear to be separate. But drawing such a conclusion would be a mistake. This threat shows how intertwined the digital and physical are when it comes to executive and corporate security.  Therefore, the security response and defense must, too, be hybrid. And that is not to simply say that security must be digital and physical - everyone knows that and probably operates like that - but rather these separate realms must become one. 

It is now clear that a potential enemy can use cyber espionage to plan for a physical action, like an arrest, or could engage in physical espionage to obtain information to carry out a cyberattack. Security efforts need to reflect this reality; and often they do not, despite the growing evidence that cyberattacks, especially, have hybrid elements. In fact, red flags should have been raised several years ago when four men, allegedly linked to Russian government-backed efforts, were arrested at the Hague in 2018, where they were accused of trying to gain access to a physical wifi installation  in order to carry out a cyberattack.

While that is scary, and most organizations remain woefully unprepared to protect their data and their employees, it is not too late to act, and there are a few lessons that will go a long way in changing the security mindset to deal more effectively with these emerging threats, significantly bolstering security.

Take a holistic and hybrid approach to security

Organizations should appoint one individual or unit to oversee executive security in general, including both cyber and physical aspects, and the links between them. The days when digital cyber and physical security departments or operations existed in their own separate silos are over.

Cyber attackers are increasingly relying on the physical to gain access to the digital to carry out attacks or corporate espionage. For example, a house cleaner for Israel’s defense minister was arrested last year on allegations that he was gathering information to share with an Iranian hacking group; the cleaner who spent time in the minister’s home was clearly not what most CISOs imagine when they think of a potential cyberattacker.

Attackers or those engaging in digital espionage can also take advantage of executives' physical locations when they travel; cameras or bug devices placed in hotel rooms could help obtain passwords or other clues about digital vulnerabilities; or attackers could intercept information sent over specific wifi networks, like those in airports, planes or restaurants, if they know when their target is using them.

On the flip side, when a threat has a physical component, like the arrests that Russian officials have warned about, digital tools and communications can be key vehicles for helping locate a target or victim, and figure out an opportune place or time to act. While a group of bodyguards can perhaps deflect a threat at the last minute, or a bug sweeping team can probably eliminate devices in a room before a key meeting, in order to reduce physical threats from even materializing, more comprehensive attention needs to be given to the digital footprints of executives.

Security teams need to know who can see an executives’ calendar, who has made their travel reservations, who has installed their newest television, and to make sure online information that offers clues about physical location is secured and protected.

Don’t forget about family, friends and personal connections

Just this week Iranian-backed hackers accessed and leaked photos and other information from a mobile phone belonging to the wife of Israel’s Mossad chief, reportedly in revenge for Israeli aerial attack in Iran last month, according to media reports. This is just the latest wake-up call that the people around business executives and their digital and physical routines also need to be considered in any comprehensive and effective security scheme. Those around them could not only be targeted, but used to get to the executives themselves.

For example, CEOs may be very careful not to reveal their locations on social media, but their children may post photos of them during vacation or sports events. Or, something my company increasingly sees when responding to cyber attacks is that attackers approach executives' family members online using techniques like phishing or sextortion – threatening to post nude photos or other embarrassing personal information – in order to get them to reveal passwords or other digital access information to ultimately help target the executive or the executives’ business. These malicious actors are not actually interested in the nude photos, and they may not even exist; but they are just using them as threats to get victims to turn over information that will help reach the ultimate target: the executive.

This comes with the increase in remote work, especially as more executives use home devices or share devices with their family members. With much of our day-to-day life playing out online, there are more avenues to data as well as more ways to gather intelligence to figure out how to get to that data.

Executives must invest, too, in order to stay secure

While those in charge of executive security need to think in a more hybrid way, this is not their job alone; executives should also undergo training in order to better understand the connected nature of the digital and the physical when it comes to threats, especially today, with many companies still operating remotely.  Incorporating basic skills and concepts from the world of security, espionage or the military will go a long way.

For example, knowing how to make sure that a room recently swept for bugs remains clean and secure (by taking steps like keeping it locked and installing a closed circuit camera to monitor it); will ensure that investment in security procedures has a long term and real effect. Effective security is always dependent on maintaining vigilance and constantly re-evaluating; it’s not a one-time thing.

But like any kind of security, it is important to realize that not every perceived threat against an executive is a real threat; efforts must be focused on specific threats, their source (i.e. who are the real enemies) and the assets they could affect. In addition extra vigilance is required around milestone events that may attract public attention and involve extra communications, like a business tender or acquisition. 

While the scenarios outlined above may sound like scenes out of a Hollywood action movie, 

potential attackers are using them in real life to carry out both physical and digital attacks.  Despite all of the billions of dollars of efforts at digital transformation and hybrid customer experiences in the corporate world, the thinking about business and executive security has not evolved at the same rate, presenting a huge risk. Meanwhile, potential attackers, including those backed by powerful states like Russia, are working hard to stay one - if not several -  steps ahead of the world’s largest corporations, making the leaders of those companies primary candidates for attack. 

Targeting executives, which could be referred to as “business terrorosm,” will only increase; and bad-actors will certainly use a combination of physical and digital means to plan and gather information, even if the ultimate goal is a cyber attack. I don’t think it is unreasonable at all to expect some sort of Russian-backed retaliation against American business leaders; after all Russia is likely looking for ways to respond to sanctions against their oligarchs, and compromising American or European companies – or their executives – via cyberattacks could be a way to do that. And going forward, other state-backed efforts could target business leaders as a way to quietly wage political battles: think about how China could disrupt Taiwan through such means.

Executives are a company’s most valuable asset, as the words of that Israeli highway company chairwoman, worried about the Mobileye CEO on a motorcycle, reflected. It is time security efforts reflected this, along with our new hybrid reality.

(Ariel Boso is the head of strategic projects and executive solutions at CYE)

Analysts see more cyberattacks coming without a concerted effort to improve security and prosecute hackers Analysts see more cyberattacks coming without a concerted effort to improve security and prosecute hackers Photo: AFP / Damien MEYER