Personal cyberattacks against executives are rising. Here's why - and how to stop them

Ten years ago, executive protection was a physical fortress built of armored cars, private jets, and bodyguards. As business grew online, so did threats against business leaders, and Google Threat Intelligence Group began observing a notable surge of digital targeting against company executives starting in 2024.

Today’s executives are living representations of their brands, making them high-value targets for ideologically, politically, and financially motivated actors. The convergence of digital harassment and physical violence has reached a critical point, with malicious actors increasingly carrying out high-profile targeted attacks on executives.

Executives and their high-level access are gateways to critical assets, sensitive information, and their organization’s extended supply chain. As we explain in our new Perspectives on Security for the Board report, organizations should adopt a unified strategy where digital signals directly inform physical security strategies to minimize modern risks to executives.

Boards of directors can play a crucial role in protecting executives by ensuring that security budgets are integrated into the organization’s overall risk management framework. They can further enhance executive protection by establishing clear policies that mandate regular threat assessments and monitoring for all highly-visible leaders. These measures help create a culture that prioritizes proactive intelligence over reactive ones, ensuring the organization and leaders remain resilient to both physical and reputational harm.

Threat actors are thorough, and they seek a wide range of personal information to target executives, including:

• Personal life, including contact information, hobbies, health status, political interests, family dynamics, and academic and professional backgrounds.
• Financial and corporate assets, including real estate portfolios, vehicle details, and business connections.
• Patterns and habits, including real-time or predictive movements, routines, and travel schedules, which can all be used to support harassment, kidnapping, extortion, and physical surveillance.

Attackers then use this data to craft highly-tailored cyber and physical campaigns against their targets. They also conduct broader reconnaissance by exploiting the online activity of entire executive networks, including family members, close friends, and professional associates, to establish a soft-entry point.

Organizations should be equally rigorous about defending the executive’s digital footprint, and take action to help executives secure their personal data and online activities against adversaries.

Attackers exploit personal trust and relationships to harvest sensitive information and steal privileged credentials, including abusing family members' names and pictures, compromised accounts of relatives and close associates, and spoofed accounts. While these highly-deceptive social engineering attacks are concerning, security teams can preempt threats by analyzing the key patterns and critical risk vectors from an executive’s digital ecosystem.

Ultimately, the goal is to transform the executive from a high-value target into a hardened asset, where digital invisibility becomes the most effective form of physical armor.

What boards should do next

In addition to standard security protocols, supporting executives through education and proactive risk mitigation should be a key priority for boards. At Google Cloud’s Office of the CISO, we take our responsibility to help the wider community seriously, and have provided our top three recommendations for executive cybersecurity below:

1. Social media hygiene: How are we supporting executives and their families in implementing social media settings to ensure their private lives are not being used as reconnaissance for a corporate breach?
2. Location privacy: How are we protecting the travel routes of executives to highly-visible events? Do we have a formalized policy regarding real-time geo-tagging and check-ins for executives and their families to prevent the broadcast of their precise physical locations?
3. MFA ubiquity: Are all personal and professional platforms for our leadership team enrolled in multi-factor authentication (MFA) to mitigate identity theft?

Clear insight into the evolving threat landscape can empower executives to secure their personal and professional lives. You can read our complete list of executive guidance and the full Perspectives on Security for the Board report here.