This is the first of a two-part series. Next week, Cook explores how to track threats as they migrate into closed forums and turn pseudonymous accounts into actionable intelligence.
Executive protection now requires understanding what’s exposed online and how it can be weaponized, closing digital gaps before they create physical vulnerabilities. S-RM’s Felix Cook explores the two layers of exposure executives face — the fragmented data that reveals home addresses and daily routines, and the online chatter that signals fixation and growing intent — and explains why preventing exposure in the first place remains the only reliable defense in an ecosystem where each data fragment duplicates and reemerges long after the source disappears.
Many of us, including corporate executives and their boards, once saw political assassination as a threat confined to elected officials and polarizing public figures. But the murder of UnitedHealthcare CEO Brian Thompson just over a year ago has upended that assumption, prompting many leading companies to reevaluate protective measures for their sites and personnel.
Thompson’s murderer appeared motivated by a diffuse resentment of the US health insurance sector rather than any specific conduct by Thompson himself. His killing raises the possibility that any executive, even in the most anodyne or apolitical industries, could become the target of an individual radicalized by digitally incubated grievances. The same online currents that distort perceptions and fuel extremism also feed a media ecosystem increasingly eager to monetize division and spectacle.
Traditional security measures, often termed “guards, gates and guns,” offer a time-tested but brittle line of defense. When they serve as the only defense, however, they are vulnerable to catastrophic failure, as seen in two near-miss assassination attempts during the 2024 presidential election. When even the US Secret Service experiences such shocks, the risks of an all-or-nothing protective strategy become apparent.
Meanwhile, as threats multiply, becoming ever more diffuse and less visible, organizations must consider how to fulfill their duty of care and provide peace of mind while still maintaining a quality of life and work-life balance that attracts discerning talent. A decade ago, the chief financial officer of an insurance firm could live largely anonymously; now there are stories of executives traveling with armed details and corporate security teams closing the blinds at children’s ballet classes. Security measures that are heavy-handed, invasive or improperly targeted risk becoming self-defeating.
Beneath the surface
A more organic and integrated model of protection begins with understanding what’s exposed and how it can be weaponized and closing those gaps before they manifest offline. Most executives still picture their online footprint as the parts they can see: an Instagram account, a byline, a press photo. That’s the visible third of an iceberg. Beneath the surface lies a far larger, far more dangerous mass: forgotten accounts and leaked credentials; phone numbers and email addresses; corporate and regulatory filings; and seemingly innocuous telemetry from fitness and geolocation apps.
What we might think of as our isolated, digital refuse can be stitched together by brokers and bad actors into rich dossiers that reveal home addresses, daily routines, financial ties and the identities of family members. Every time an executive fills out an onboarding form, RSVPs to a conference or lets a smart device register on a home network, another fragment of identity escapes their grip. Ransomware groups and dark-web marketplaces routinely bundle and trade breached data: searchable, pre-agglomerated and for sale. Artificially intelligent large language models are accelerating the process of parsing data and identifying patterns, making this kind of analysis faster than ever and scalable across volumes of information that would have been unmanageable only a few years ago.
What might look like an isolated breach today, ignored or forgotten by those affected, may come back repackaged into a target list weeks, months or years from now. That market logic, data as commodity, turns even the most routine digital interactions into potential entry points for harassment, stalking, extortion or worse. A spouse’s or child’s geotagged post can map an executive’s commutes, weekend homes and favorite restaurants. Supposedly “anonymous” aggregate maps can be de-anonymized to infer where an individual lives or works. Fitness trackers and similar services can expose sensitive data unless usage and privacy settings are properly managed. These fragments form many small, low-value pieces that, when combined, produce high-value, actionable intelligence. The picture that emerges for an attacker contains not just the CEO’s address but also their child’s school-run timetable, an unguarded side entrance or the identity of a trusted family member whose social media posts unknowingly or unintentionally reveal when the house will be empty.
Mapping the unseen conversation
A second layer of exposure lies not only in what exists about an executive but in what is being said about them. The internet hums with constant chatter: customer complaints, activist hashtags, political invective, jokes and gossip. Most of it is harmless noise. Yet buried within that noise are the messages that matter: the ones that signal fixation, unraveling equilibrium, growing intent. Separating the two once bordered on impossible. An analyst could spend weeks trawling through feeds and still miss the single post that counts.
That is beginning to change. Just as advances in AI and computing power have empowered bad actors to interpret and agglomerate data, they have also brought forward a new generation of defenses, making large-scale social media triage both feasible and reliable. Modern machine-led monitoring platforms can parse millions of posts in minutes, classifying language by tone, sentiment and intent, reading with context and distinguishing irritation from obsession and complaint from credible threat. Where the machine calculates risk, it flags the content for further human review and analysis.
From monitoring to attribution
Working together, machine screening and human analysis allow continuous, practical monitoring across hundreds of platforms, allowing potential threats to be tagged, followed and, if necessary, mitigated before they cross the threshold into active danger.
But this new capability collides with a very different internet. The once-open commons is increasingly sealed off: information walled behind pay-gates, private servers and encrypted channels. Pseudonymity has replaced identity; entire communities have migrated into the shadows of the deep and dark web. It is one of the paradoxes of the modern information age: The more we can analyze, the less transparent the public sphere becomes.
When a credible threat emerges, the next step should be attribution, tracing anonymous handles back to real people. Digital forensics methodologies, such as IP tracing, device fingerprinting and linguistic patterning, connect online identities to offline identifiers. From there, the legal path branches: some cases lead to civil injunctions or defamation suits; others rise to the level of stalking, extortion or harassment prosecutions. The priority is documentation: building an evidentiary chain that makes swift action possible without compromising due process. Screenshots, URLs, timestamps and metadata become raw evidence.
Where to begin?
The first step is reducing what is already exposed. That means removing personal data from the open and dark web, sanitizing compromised accounts and submitting takedown requests to hosting providers. Each deletion closes another entry point for social engineering, impersonation or targeted intrusion.
Next comes hardening the devices and networks that remain. Executives should review personal and household technology, secure home routers, disable unnecessary IoT connectivity and install enterprise-grade encryption across phones and laptops. A digital perimeter is only as strong as its weakest device. Eventually, that perimeter must meet the physical one. Effective protection requires integrating online assessments with on-site security: guards, gates, controlled access and contingency planning. The goal is a unified risk map, one that links what appears on a screen to what could unfold at a doorstep.
For corporations, the same principles apply at scale. Companies should screen guest lists for shareholder meetings, monitor activist organizing ahead of product launches and adjust protocols to prevent disruption. The aim is not to police dissent but to ensure that protest does not tip into threat. Digital vigilance, once dismissed as intrusive or impractical, is increasingly understood as a core element of duty of care.
Prevention is the only true defense
Once information is exposed, full retrieval is nearly impossible. If an executive’s email or phone number appears in a breach, that data can be scraped, resold and repackaged across dozens of dark-web marketplaces within hours. Even when takedown requests succeed in one corner of the internet, copies persist elsewhere, cached, mirrored and redistributed indefinitely. The same holds for social media content: A family photo deleted from Instagram may continue to live on inside scraped datasets feeding facial-recognition tools or AI-training models. In this ecosystem, each fragment of data behaves like a spore, duplicating, mutating and reemerging long after the source has gone.
The only reliable protection is to prevent exposure in the first place. Chief security officers should pilot one assessment for a board member or CEO; once leaders see the breadth of their exposure, their appetite for mitigations and defenses tends to expand. Accustomed to fighting for resources, many security functions are benefiting from the recognition that a comprehensive view of online risk has become as essential to corporate governance as financial auditing.
In the interim, common-sense digital hygiene measures remain a good defense: Minimize what you share, vet the platforms that hold your information and treat every disclosure as permanent. But you can probably open your blinds.
Felix Cook is a director at S-RM Intelligence and Risk Consulting, a global intelligence and cybersecurity consultancy. He has extensive experience managing and executing due diligence, disputes and investigations, strategic intelligence and executive protection engagements across the Americas, Europe and Middle East. 
