
A Secret Service Agent's Guide to Protecting the C-Suite from Hackers

Follow these six steps to keep your company's secrets safe when executives are outside the office.

By Larry Johnson Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.


Cybersecurity is on the minds of most businesses today, but there's one area where companies often screw up: failing to protect their key executives when they're on the move.

In today's environment, there is an abundance of well-funded and sophisticated hacking groups out there, many with nation-state or organized crime affiliations and interests, who are looking for any way possible to defraud or steal information from American business interests. Like any other criminal, hackers look for weaknesses in the security perimeter before they attack -- and often, that sweet spot is to be found in the personal security of key company figures. One example is "Darkhotel," the Korean-speaking hacking group that targeted countless business executives via hotel Wi-Fi from 2010 to 2015.

As a former Secret Service agent, it was my job to protect the President from both physical and digital attacks. (Few realize this, but the USSS was one of the first federal agencies to develop a strong cyber defense and intelligence unit.) From a cyber standpoint, this meant implementing a robust security perimeter around the President's personal devices and communications (e.g. stripping down the phone, limiting access, multiple layers of encryption, constant monitoring and defense), particularly when the President was outside of the White House.

Businesses, from startups to Fortune 500s, need to adopt a similar mindset when it comes to their own commanders-in-chief, because cyber attacks are a low-cost, low-risk way to steal intellectual property, business intelligence and ultimately the company's money -- and the C-suite (along with other key figures, like a head engineer or programmer) is definitely a focal point for criminals.


Consider these statistics:

  • Business email compromise (BEC) scams on executives have grown steadily since 2010. According to the FBI's Internet Crime Complaint Center, this type of attack increased by 1,300 percent from January 2015 to June 2016. More than 14,000 U.S. companies fell victim, with total losses estimated at over $960 million, between 2013 and 2016.
  • Spear-phishing criminals are homing in on smaller companies. In 2015, 43 percent of targeted attacks focused on small businesses, as opposed to 35 percent for large enterprises, according to Symantec's Internet Security Threat Report.
  • American businesses lose $300 billion annually due to intellectual property theft, according to the Commission on the Theft of American Intellectual Property.
  • Cybercrime is on the verge of becoming the number one economic crime for U.S. businesses, reaching 54 percent of organizations reporting such a crime in 2016, according to PwC's Global Economic Crime Survey.

No business can be fully secure unless it is taking ample steps to protect the digital assets of its leadership. Here are six steps to take:

1. Whitelist the email.

Only a small, select group of people should be allowed to email key executives; all other addresses should be blocked. Known as email "whitelisting," this greatly reduces the risk of phishing attacks on the executive.

Additionally, use strong anti-malware and anti-phishing solutions to boost the executive's email security.
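
An allowlist keyed only on the From address can be satisfied by a forged header, so the check has to be tied to sender authentication. The sketch below is an added example, not code from the article or from any product it mentions: it delivers a message only when the From address is allowlisted and the receiving gateway recorded a DMARC pass. The addresses, the gateway name `mx.example.com` and the sample messages are constructed assumptions, and it assumes the gateway strips inbound Authentication-Results headers that claim its own name.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): allowlisted senders and the hostname
# of our own receiving gateway, the only host whose verdicts we trust.
ALLOWED_SENDERS = {"cfo@example.com", "assistant@example.com"}
TRUSTED_AUTHSERV = "mx.example.com"

def dmarc_passed(msg):
    """True only if our own gateway recorded dmarc=pass for this message."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # stamped by another host, possibly the sender itself
        for clause in results.split(";"):
            tokens = clause.split()
            if tokens and tokens[0].lower() == "dmarc=pass":
                return True
    return False

def verdict(raw):
    """Return 'deliver', 'quarantine' or 'block' for one raw message."""
    msg = message_from_string(raw)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return "quarantine"  # missing or duplicated From header
    _, addr = parseaddr(from_headers[0])  # real address, not display name
    if addr.lower() not in ALLOWED_SENDERS:
        return "block"
    if not dmarc_passed(msg):
        return "quarantine"  # allowlisted address that failed authentication
    return "deliver"

def sample(from_hdr, auth_results):
    """Build a constructed test message (not real mail)."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_hdr}\nSubject: wire request\n\nPlease review.\n")

SAMPLES = {
    "genuine": sample("CFO <cfo@example.com>",
                      "mx.example.com; spf=pass; dmarc=pass header.from=example.com"),
    "spoofed": sample("cfo@example.com", "mx.example.com; dmarc=fail"),
    "forged_result": sample("cfo@example.com", "mail.attacker.test; dmarc=pass"),
    "display_name": sample('"cfo@example.com" <ceo@lookalike.test>',
                           "mx.example.com; dmarc=pass header.from=lookalike.test"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", verdict(raw))
```

Quarantining rather than silently dropping the allowlisted-but-unauthenticated case gives the security team a record of impersonation attempts against the executive.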

2. Use multiple layers of encryption.

Every VIP should be protected by multiple layers of encryption. This acts as a fail-safe in the event that an attacker breaks through the other defenses.

Every device that connects to Wi-Fi (phone, tablet, laptop, desktop) must have a VPN, or virtual private network, which will encrypt all data in transit. Next, a full-disk or file encryption program should be used to secure data that is stored on these devices. Limit the executive's communications to encrypted channels only, like PGP for email, or encrypted communications like Wickr Pro. All web sessions need to be done over HTTPS (SSL/TLS encryption); there are browser plugins like EFF's HTTPS Everywhere that will force a secure connection on every website.


3. Strip down the phone.

Just as the U.S. President uses a smartphone with very limited functionality, a business executive's phone should also be stripped down as much as possible, with only essential functionality as needed. The more boring it is, the better.

That means eliminating all non-essential apps, especially games, scaling back the phone's connectivity options by disabling Bluetooth, disabling Wi-Fi auto-connect and turning off geolocation sharing for all apps (with the exception of "Find My Phone"). Social media can also pose a risk, but if your business depends on using it, at the very least make sure geolocation data is turned off in the app (there are online tools that can track a user based on this data) and be careful about oversharing, as sensitive information can be used against executives and employees in social engineering attacks. Also, use public Wi-Fi sparingly, even when a VPN is utilized.

4. Use a burner device.

Executives are most at risk when traveling overseas, particularly to countries like China and Russia. When making these trips, it's important to be a little paranoid.

Burner devices, or "phones to go," are an effective way of reducing the risk from compromised devices. This isn't cheap, but it's worth the investment and inconvenience. Malware and man-in-the-middle (MiTM) attacks are more likely during foreign stays, so by putting aside the phone or laptop after a trip, the executive will prevent an infected device from getting "behind the firewall" after he or she returns.

It's also important to have a remote lock/erase feature installed on all devices in case they are lost or stolen.


5. Harden the home office network.

Home offices can be an easy target for hackers, since they are likely to have less security than the corporate office.

At a minimum, make sure a robust firewall and antivirus/anti-malware agents have been installed. Also, keep all devices (laptop, desktop, server, Wi-Fi router) fully updated on software/firmware settings, security patches, etc.

Next, reduce the attack surface on the laptop or desktop by disabling Java, JavaScript and ActiveX, or by adding script-blocking plugins. Set up application whitelisting so that only pre-approved applications and processes can run on these machines. Eliminate Wi-Fi as much as possible by using an ethernet cable instead. It's also wise to have two internet lines -- one for the family and one exclusively for the executive. Use an outbound firewall to block any malware or malicious programs that do sneak in from being able to connect to the internet. DNS security tools (such as OpenDNS) will further protect the internet connection and block malicious or suspect domains.

6. Contain the internet of things.

Most executives have -- or will have -- "smart" devices in their homes, in addition to connected cars, wearables and other internet of things products.

These complicate the security picture, as many IoT products have been found to be vulnerable to hackers. Limit IoT usage to only well established, trusted brands with a proven track record of security. Avoid installing IoT apps on the work phone. Also, keep these devices off the executive's home Wi-Fi network -- if you have two internet lines installed, relegate them to the all-purpose/family network.

An executive's personal security can be the Achilles' heel of any company, from startup to Fortune 500, so it's critical to implement a defense-in-depth approach that will keep their digital assets safe.

Larry Johnson

Chief Strategy Officer at CyberSponse

Larry Johnson is chief strategy officer of CyberSponse, a Washington, D.C.-based cyber incident response company serving Fortune 500s and government agencies. He is a 24-year veteran of the Secret Service, where he served as a high ranking supervisor at the Presidential Protection Division as well as special-agent-in-charge of its Criminal Investigative Division. He is also a former chief security officer (CSO) at a Fortune 250 company and a recipient of the International Association of Credit Card Investigators' Police Officer of the Year award and the 9-11 President's Distinguished Service Award.
