
Overlooked attack surface

by Mark Rowe

Most executive protection programs do a solid job of locking down the principal. The email accounts are monitored. The home address has been scrubbed from data broker sites. Travel gets reviewed for risk. Then their teenager posts a pool party photo on Instagram, and within 90 seconds someone can pinpoint the family home, says Ben Skean, pictured, Director of Cyber Threat Intelligence at 360 Privacy.

I’ve run enough exposure assessments to know: the path of least resistance usually isn’t the executive. It’s a spouse’s open social media profile. A child tagging their location at school. A family member who simply doesn’t know what they’re giving away. That gap between the executive’s protections and the family’s exposure is exactly where adversaries start looking.

Where the trail begins

A threat actor looking to create a profile for a high-value target will typically begin by identifying the most easily accessible source of information. A spouse with an uncommon last name is easy to find on social media. Even when their accounts are set to private, friends and extended family tag photos, share locations and post check-ins.

One photo of a birthday celebration in someone’s back yard can then be reverse-searched and linked to a real-estate listing of that same house. The result is that, within minutes, someone can create a complete picture of where that family lives. The family connection is always the weakest link. The answer is not to tell families to stop using social media. The solution is to educate families on what they are posting, who is tagging them, and how these pieces get pieced together.

The platforms that catch people off guard

Instagram gets the most attention but LinkedIn can be equally problematic. Individuals post about accomplishments, tag family members and film themselves in front of their home on this platform as if it were a personal journal. This type of personal content is easily tied to an individual’s professional identity, which can make attributing the source of this data very easy.

Fitness apps are the other surprise. The well-known example of this is Strava; however, this is just one example of a larger issue with many types of applications that track your locations. Although individuals believe their fitness applications have privacy settings enabled, when a user runs or bikes from and to their home, they create a “pattern-of-life.” Knowing that you jog to a specific park every Tuesday at 6 a.m. would provide valuable information to the wrong people.

Layering sources

No single data point is the problem. It’s how easily public records, real estate filings, social media posts, data broker profiles and dark web breach data can be stacked on top of each other. An address leads to a data broker profile that lists everyone at that location, along with phone numbers and email addresses. From a spouse’s email, it’s possible to trace back to the executive’s personal accounts. Each piece feeds the next.

AI is speeding this up. We’re already seeing models pull from public B2B databases and social platforms to assemble detailed dossiers on executives and their families in minutes. Deepfake voice cloning is another growing concern. Imagine getting a call that sounds exactly like your child, panicked, asking for money. It’s not widespread yet, but it’s not science fiction either.

Enrollment without the fight

Here’s where it gets tricky. Nobody wants to tell their spouse or teenage kid “you can’t post that anymore.” A better approach frames it around peace of mind rather than restrictions. The small things you do create large differences. Moving away from SMS-based two-factor authentication to authenticator apps, using your VOIP number for online restaurant reservations and signups instead of your personal cell phone, and removing your high school graduation year and address from online profiles are all very small changes to your daily life. But together they account for approximately 90% of your exposure to threats.

Threat actors face the same limitations as everyone else (limited time and energy). If you make one family just a little harder to profile than another, most will be willing to move on to a family that is easier to profile.

Expanding who’s in scope

Families don’t need the same level of protection as the executive. But they need to be part of the same program. They need basic education on what gets shared and how it connects. They need their accounts reviewed. And security teams need to recognize that a spouse who uses the executive’s corporate email as a recovery contact has just created a direct path back into the organization.

The gap between executive protection and family exposure is one of the most persistent blind spots in this industry. Closing it doesn’t require a massive new budget or a separate program. It requires one thing: expanding the definition of who’s in scope.
