The amount of easily accessible personal information online has exploded in recent years. Malicious individuals are using these details to scam, hack, dox, and assault high-profile individuals—especially those in the C-suite.
To protect yourself, your family, and your business, you need a strategy to thoroughly lock down your online privacy. In this roadmap, we’ll go over the steps needed to construct an effective data privacy plan as well as what it takes to implement it effectively.
Step 1. Assess your attack surface
While seemingly innocuous details about you—like your name, address, work history, photographs of you, and so on—don’t pose much of a threat on their own, bad actors can combine these data points in such a way that they become something much more dangerous than the sum of the data itself.
For example:
- Location data from your fitness app paired with social media posts that reveal your morning routine make it easy for someone to track your movements and stage an ambush.
- Information about your family combined with your previous addresses on people-search sites can help cybercriminals guess your password reset questions.
- Mentions of you on the website of a charity you donate to, together with your businesses’ press page, can give social engineers enough information to phish you and your entire executive team.
“Executives tend to have more attack vectors – ways you can breach a person or a corporation – than the average employee.”—David Yaches, senior vice president at Aon Cyber Solutions
To identify your vulnerabilities, you’ll need to conduct in-depth audits of search engine results, social media, the dark web, and any other sites (e.g., charities, professional groups) that publish information about you and your family. This is perhaps the most important step in the executive privacy roadmap.
Common categories of information to watch out for include:
- Personal details—Family members’ names, your birthdate, your favorite color, your mother’s maiden name, photographs of you and your family, the names of your pets, and so on.
- Affiliations—Mentions of you on websites belonging to charitable, recreational, educational, political, or professional organizations.
- Hobbies and interests—Online posts that expose the things you are passionate about or what you do in your free time.
- Business-related news—News stories that describe where you work and what you do.
- Physical location data—Your home address, pictures of your house or your kids’ school, or social media posts about your daily schedule.
Malicious actors can use this information as bait to get you to trust a phishing email or as a data point to help triangulate where you’ll be at a specific date and time to physically confront you or a member of your family.
As you can imagine, discovering your vulnerabilities can be a labor and time-intensive process. In fact, our experience conducting ExecutivePrivacy scans shows that you often need to review hundreds of sites with thousands of data points to get the full picture of your attack surface.
Step 2. Determine your priorities and acceptable threat list
While the ideal solution is the eradication of virtually all threats to you and your family—which is what ExecutivePrivacy is designed to deliver—the reality is that some types of personal information pose more of a risk than others do, depending on your particular situation.
With this in mind, it makes sense to prioritize your vulnerabilities to neutralize the biggest risks first.
To determine the threat level of each item, you’ll need to consider these key factors:
- Absolute risk—When comparing two articles of personal information, which one is the most dangerous? For example, a list of your addresses on a people-search site carries a higher risk than the name of the high school you went to because someone can use your address to physically confront, rob, or harass you and your family. Given that physical threats against executives are on the rise, this type of data poses an imminent threat.
- Opportunity cost—Does the information about you serve a legitimate business purpose? If your personal data is vital to your business—for example, a brief work history on your business’s LinkedIn page or a glowing write-up of you in a business-related news story—then removing it might cause harm that’s not in proportion to the level of risk the data poses.
- Effort vs risk—You’ll need to weigh the effort involved in removing an instance of your personal information against the possible threat it might pose. For example, if you have posted thousands of pictures on social media, it might not be worth it to go through each one to look for the small percentage that might contain compromising location data.
Once you’ve identified your top threats, the next step in the roadmap is to create an online privacy plan tailored to mitigate the dangers these specific items pose.
Step 3. Create a plan to protect your online privacy
In our many years conducting privacy audits for ExecutivePrivacy clients, we have found that as you search for vulnerabilities, you (and the team you assign to this task) will uncover confidential information about you, your family members, and your fellow executives—if your privacy plan also covers them. How well you manage this data can affect the safety of those involved.
To protect this valuable information, you will need to document data privacy procedures that cover:
- Internal protocols for data security—You’ll need to specify what types of personal information your data privacy strategy covers, who has access to this data (if you are keeping it on your company’s systems), and when and how someone can access private data.
- Monitoring for new information—Because new information is being posted all the time, it’s important to regularly monitor the web for new instances of your personal information appearing online.
- Determining the best removal methods—The process you use will depend on what kind of site is hosting your information. For example, to remove data from people-search sites, you have to go through an opt-out process, which will vary from site to site. To delete content from social media platforms, you could start by messaging the person posting your data and asking him or her to take it down. If they refuse, you might need to consider other options, such as reporting the post in question as a violation of the platform’s terms of service, if applicable.
- How you will conduct removals—Will you do this task yourself or will you delegate this task to an internal or external team?
- Verifying that removals are successful—Occasionally, websites will fail to act on your take-down requests. They might also remove your information, only to post it again at a later date. Therefore, the only way to know if your data is truly gone is to continuously monitor any site that has previously published your information online.
- Flagging data that can’t be removed or that requires cooperation from a third party—Because deleting this information might fall outside of your usual removal process, you’ll need to bring these items to the attention of the team assigned to manage these tasks.
- Frequency at which you do the work—How often will you conduct scans, attempt removals, or check your progress? Weekly? Monthly?
- What types of reporting you want and for whom—Do you want progress reports or vulnerability reports, or both? Should each individual the plan covers get a report, or do you want to combine everyone’s information into a single report that is sent to the CEO or your security team?
- Managing issues regarding data security if your plan involves more than one person—You’ll need to account for data discovery, storage, and access because the process of securing your online personal information exposes it to the people doing the work and to those receiving reports.
The next step in the executive privacy roadmap is figuring out what resources your plan will require.
Step 4. Allocate staff and budget
To give you a realistic sense of the scope of effort required to conduct various privacy protection tasks, here are some ballpark figures for staff hours required. Using these figures, you can determine whether you have the in-house resources to complete these tasks or if an outside vendor would be a better choice.
Resources per covered individual:
- People-search discovery, opt-out, and monitoring – 5 hours/week
- Social media scanning, removal, and reporting – 3 hours/week
- Personal and family web mentions searching – 1 hours/week
- Security reset question vulnerability monitoring – 2 hours/week
- Reporting and program review – 2 hours/week
- Privacy auditing of business communications – 1 hour/week
- Dark web/data breach monitoring – 1 hour/week
Naturally, it takes some specialized knowledge to successfully complete these tasks, so outsourcing is often more cost effective. Similarly, certain tasks (like checking the hundreds of people-search sites for new instances of your personal information) are time consuming and more appropriately handled by a dedicated staff member or an outside vendor.
When choosing which tasks to outsource, consider the following:
- Does your staff have the skills required to successfully complete this task?—For example, some tasks might require workers to understand online privacy strategy/tactics or have training in data privacy best practices. It’s better to trust these tasks to third-party solutions, like our ExecutivePrivacy service, which employs specialists with years of experience minimizing peoples’ online privacy risks.
- Is this task complex or time consuming?—Some online privacy tasks are so time consuming that handling them in-house would mean diverting a significant amount of your employees’ time away from other business functions. On the other hand, if a task is fairly simple and your employees can easily complete it alongside their other duties, then it makes more sense to assign it to an in-house team.
After completing this step in the roadmap, you might end up forgoing a hybrid approach to protecting your and your family’s personal information, and instead choosing to hire an outside expert to design and implement your privacy plan.
Step 5. Decide on KPIs and evaluation metrics
After creating your online privacy plan, the next step in the roadmap is to identify key metrics to track. These KPIs should not only measure how well your plan is working, but they should also reveal where to make changes if you aren’t seeing the results you had hoped for.
Some KPIs to consider include:
- Average time it takes to remove your personal information
- Percentage of people-search records removed
- Time to find repopulated information
- Total monthly cost per covered individual
- Number of password reset questions that can be deduced from online information
- Number of results that reveal personally identifiable information in the first five pages of search results
You’ll need to track, compile, and evaluate these metrics for you, your family members, and any other executives covered in your privacy plan.
*****
As you can see from this roadmap, creating and implementing a successful online privacy plan involves significant planning and effort. The need for an effective turnkey solution to this problem is why we created our ExecPrivacy product.
If you need assistance with any aspect of creating, implementing, or evaluating your online privacy plan, feel free to give us a call.