There is an often-overlooked community of individuals in the crosshairs of online adversaries: people who are not only at tremendous personal risk but who also represent a degree of susceptibility for the organizations they do business with. High net-worth and high-profile individuals avoid many of the security controls that organizations adopt to impede the efforts of online adversaries, yet it is this same community of people that inadvertently feeds an adversary's predatory nature.
What makes high net-worth and high-profile individuals high-value targets?
Whether an individual from the community in question is a celebrity, an actor, an artist, an athlete, or a businessperson, there are three common traits (the three A's) that each possesses in varying degrees and that define the vast potential of their exploitability: authority, access, and ability.
Adversaries impersonate individuals of authority to invoke an action that would otherwise not be authorized, such as authorizing the transfer of large sums of money. In cases involving impersonation of high net-worth and high-profile individuals, the process is made easier for an adversary based on the vast amount of publicly accessible information. Also, to the extent an adversary can hijack various technologies commonly used for purposes of authorization, their chance of a successful impersonation is increased exponentially.
Traditionally, the individuals who find themselves at the top of the high net-worth and high-profile pyramid are the same individuals entrusted with the keys to the kingdom. Although best practices suggest separation of duties and the principle of least privilege to avoid abuse of access privileges, in practice this is commonly not the case. Adversaries who spend time evaluating their targets understand more than anyone where the crown jewels reside and who has the keys.
Ability is simply defined as the attribute that elevates an individual; whether it's the intellectual property they have developed, the talent they exude, or the skill they exhibit, it's the differentiating factor that sets an individual apart from the common person. The greater the degree of separation, the greater the opportunity for an online adversary to extract incremental value by leveraging the ability of their victim to amplify their political message and maximize its social reach. To the extent an individual's ability has been elevated to the status of a brand, that too incentivizes an adversary.
Why do high net-worth and high-profile individuals fall through the cracks of traditional protection?
In many cases involving high net-worth and high-profile individuals, the nature of their working relationship with third parties is typically on a contract, consultancy, or freelance basis and not that of an employee. For someone at the pinnacle of their career path and an expert in their chosen profession, a contractual arrangement in business allows them to engage with multiple clients and maximize their value, as opposed to limiting themselves to a single client.
An artist tends towards freelance work, but may also be bound by contract when a collector or gallery commissions a work or a series of works. Individuals operating in the sports and entertainment industry define their working relationship by their participation in and delivery of a final production, as with actors, or by negotiating a contract with their respective club, as with athletes.
As a community of people distances itself from the traditional employer-employee relationship in favor of independent contracting, its members also forfeit, in many cases, the protective security measures and pro-security culture born of an organization. In effect, their independence as contractors orphans them from the benefits of employee protection.
In many cases an organization that employs or is in contract with a high net-worth individual is not in a position to legally extend its protective services to include the high net-worth and high-profile individual.
The cybersecurity marketplace (like any other market) caters to the clients that generate the most sales revenue. In the case of high net-worth individuals, the sales revenue generated is low compared with that from organizations comprising thousands of employees. In some cases high net-worth individuals are denied access to purchase enterprise-class security technologies because of their low purchase volume.
Talisman Security Inc. is most commonly approached to assist in the three following scenarios:
a high net-worth individual makes direct contact out of concern for their own protection, whether the perceived threat is imminent or simply a matter of preemptive planning;
a parent organization makes contact on behalf of a high net-worth client in order to extend protective measures beyond the organization to include that client, but wants to employ a third party in order to maintain an arm's-length relationship with the client;
an agent or representative of a high net-worth individual makes contact out of fiduciary duty, based on a perceived need to protect the assets of their client, but lacks the professional expertise to address and remedy the concern.
If you would like to find out additional information about the content referenced in this article, please send an email to Talisman Security Inc. at email@example.com.
ABOUT THE AUTHOR
Stephen Frank: CEO, Talisman Security Inc., Toronto, Ontario, Canada. Recognized advocate within the cybersecurity industry, presenting to C-level executives at SecTor, RSA, and Black Hat (USA), with additional public speaking engagements that contribute back to the security community, as well as nearly two decades of experience protecting the interests, personal data, and online presence of professional athletes.