
Executive Digital Protection: Beyond Just PII Removal
It's time we had a real discussion about what Digital Executive Protection actually is and what it is currently lacking. Personally, I've only been in the Digital Executive Protection (DEP) space while working at Hetherington Group; however, I've been in the OSINT world for 15+ years in various capacities. During my career, I've seen new products and SaaS solutions come and go across various verticals in the investigative and intelligence world. They all have their own hook, differentiator, or problem they solve better than another solution. This is, of course, what all businesses do. What I am seeing now, however, is different. This is not a company punch line or a sales hook to say why company A is better than company B. What is happening in the DEP space, in my personal opinion, is misinformation about, or, for a more in-your-face approach, the dumbing down of, what DEP really entails.
How PII is Propagated Across the Internet
Personally Identifiable Information (PII) is nothing new; however, there has been a mainstream awakening about its prevalence and just how easy it is to find out basic information about another individual. The most glaring and in-your-face reason for the availability of this information comes from third-party data brokers.
Googling someone often shows results for these third-party listings that contain phone numbers, email addresses, physical addresses, and relatives/associates of an individual. The fact that this much information is available with a few keystrokes and on dozens, if not hundreds, of websites is alarming. The counter to this problem has been a rapid explosion of companies whose sole purpose is to mitigate this exposure by helping individuals remove these listings or mitigate the information being displayed by these third-party data brokers.
There is no doubt that the rise of these businesses is a fantastic thing. In my opinion, every person should be looking to take control of their own information and data to the best of their ability, either by utilizing one of the now dozens of companies that offer this service or by learning how to do it on their own. This information should not be broadcast to the world unless YOU choose to do so. With the rise of PII removal capabilities, however, the messaging that is being relayed and received is that removing your data from these third-party data brokers is good enough for everyone. That is just wrong.
The Digital Component of Executive Protection
For the majority of people, me included, removing your data from third-party brokers is most likely good enough. Remember, however, that we are talking about Digital Executive Protection, with Executive as the word describing the level of protection being provided. The messaging that removing PII from third-party data brokers is good enough in the arena of executive-level protection is disingenuous and can at times be dangerous. The more prominent someone is on the socioeconomic scale of society, the more at risk the person is for threats, doxxing, etc.

Visualize this like a pyramid. The more wealth, status, career importance, public visibility, or combination of these things an individual has, the more risk there is for that individual. The people who need DEP the most are business executives, athletes, actors and actresses, politicians, influencers – anyone with high net worth or public visibility.
When we are talking about executive-level protection, removing PII from third-party data brokers is step one of the process. It is not the entire process itself. REAL digital executive protection not only has numerous aspects to it but also includes the immediate family members of the main person enrolled in the service: spouse/significant other and their children.
Considering PII disclosure alone, here are just SOME of the other ways PII can be found:
Breach data (this has turned into a WHEN it's going to happen and is no longer IF it is going to happen)
Deep web (all of those non-indexed things, which we will revisit later in a future blog)
Dark web (the dark and scary corner where most people should never go)
FEC filings/political donations/voter registrations
SEC filings
IRS documents (501/503/990 - just to name a few)
State/Local Gov't Filings (property ownership, business registration, licenses)
Social media (both from the person/family that is part of a DEP and the general public)
Removing PII Online: It's Not that Simple
Again, speaking specifically to PII, these are just some of the other places that this information can be found. Are you starting to pick up what I'm putting down? Good. Now, if you are still reading this and saying BORING (insert Nigel Farage gif), then let's really drill down into REAL Digital Executive Protection.
Let's talk de-indexing for a minute. This is a strategy that some companies use instead of taking down a PII listing directly from the source. At times, a third-party data broker may be unresponsive or do everything in its power to push back on the removal. There is nothing wrong with de-indexing per se, but it should be the option of last resort. The person involved in the DEP should be advised that while the listing won't populate in a search engine, anyone can search directly at the source and still find their listing.
You thought you were done with PII at the removal phase? Think again. This stuff is going to repopulate, guaranteed. That is why, once you are done with the initial removal phase, you must continue to monitor for repopulation and enjoy playing whack-a-mole with the new listings that always rear their ugly heads. Monitoring for new data exposures should ALWAYS be part of a Digital Executive Protection program.
