The Overlooked Attack Surface: Protecting Executives’ Families from Digital Exposure
360 Privacy’s Ben Skean explains why protecting executives’ families is critical to security and how attackers exploit overlooked exposures.
Executives may be well-protected against digital threats, but their families often are not. Spouses and children frequently become the overlooked attack surface; soft targets adversaries can exploit to bypass hardened executive defenses.
To explore this risk, we spoke with Ben Skean, Director of Cyber Threat Intelligence at 360 Privacy. He explains how family exposure on platforms like LinkedIn, Instagram, and fitness apps can create exploitable vulnerabilities, and why security teams must treat family enrollment as a core part of executive protection.
His insights offer practical steps for CISOs, executive protection leaders, and security managers looking to close one of the most persistent gaps in enterprise security.
Below is a transcript of our conversation. It has been edited for clarity.
Why is protecting spouses and children from public data exposure such an important and often overlooked part of executive security?
I think most executive security programs do a good job of protecting the executive’s own digital footprint. But that protection often doesn’t extend to the family, and spouses or children can quickly become soft targets.
They don’t have the same training, infrastructure, or awareness about threats.
For me, when I run exposure assessments, the path of least resistance might not be the executive. It could be a spouse’s open social media profile or a child posting photos that reveal details about the home. That can be a much easier way in than going after the executive directly.
So if I’m a child of a high-profile executive, I’m not thinking about operational security. I’m just being a normal kid online, and that creates risk?
Exactly. I’ve seen this many times.
If the family has an uncommon last name, it’s often easy to track down children’s social accounts. Even when those accounts are private, friends may tag them in photos that show their location.
A pool party picture, for instance, can be reverse-image searched and cross-referenced with real estate listings. Within minutes, you can have a clear shot of the family home.
The key isn’t to tell families “don’t use social media.” It’s about being aware of what’s posted, what others tag you in, and how that information can be pieced together.
In your recent digital exposure assessments, what platforms or services most often reveal sensitive family information?
Instagram is a big one, but what surprises people is LinkedIn. Some individuals use LinkedIn almost like Facebook or Twitter, sharing personal milestones and tagging family members. We’ve even seen people post videos in front of their homes. That’s not information you want directly tied to your professional identity.
Fitness apps are another major vulnerability. Strava, in particular, has been problematic.
Even when users think their accounts are locked down, activity data can often be accessed. Runs and bike rides frequently start and stop near the home, which exposes location details and creates a pattern-of-life risk.
If someone knows you jog at the park every Tuesday morning, that’s valuable information for an adversary.
Can you explain how adversaries might use this type of data to profile and target an executive?
Data is king. Between public records, real estate filings, and information on spouses or children, you start to see how the ecosystem connects. Add in dark web breaches and data broker sites, and it’s very easy to pivot between family members and the executive.
For example, if I know an address, I can search it on data broker platforms. That often produces profiles for everyone associated with that location, along with contact details. From there, I can link the spouse, find additional emails, and eventually map back to the executive. It’s about layering sources until the picture becomes clear.
What challenges do security teams face when trying to enroll spouses and children in privacy protection?
It’s a tough conversation. You don’t want to come in heavy-handed and say “you can’t do this anymore.” That only creates pushback. Instead, we frame it around peace of mind and making daily life safer without taking away convenience.
Simple changes can have a huge impact. Using authenticator apps instead of SMS for account recovery, limiting which accounts are public, or removing graduation years and addresses from online profiles are small steps that reduce exposure. It’s not about being a digital hermit. It’s about hitting that 20% of measures that provide 90% of the protection.
What practical steps can families take that make a big difference without being overly burdensome?
Start with multifactor authentication. Any form is better than none, but authenticator apps or biometrics are much stronger than email or text. Using a VoIP number for signups or reservations instead of your personal number is another easy layer of protection.
The idea is to make it harder for an attacker to build a clean profile. Threat actors are constrained by the same things we are—time and energy. If you make yourself harder to identify than the next target, you’ve already won a big part of the battle.
Do you see adversaries using AI to enhance family-based targeting?
Not widely yet, but it’s starting. Traditional scams are still effective, so many attackers haven’t bothered to upgrade.
That said, we’re seeing AI play a role in deepfakes and voice cloning. Imagine getting a call that sounds exactly like your child asking for money in an emergency. We’ve also seen AI models used to quickly assemble “baseball cards” of executives and their families by pulling from public B2B data sources.
It’s an emerging problem, and it shows why reducing the amount of data available online is so important. If AI can instantly stitch together information from multiple sources, the best defense is to limit what’s out there in the first place.
What’s your advice for security leaders on including families in executive protection programs?
It doesn’t need to be a completely separate process. Just include them in the ecosystem. They won’t get the same level of protection as the executive, but they need the same education and awareness.
One thing we emphasize is that protecting the individual protects the organization, and vice versa. That extends to families. If a spouse uses an executive’s corporate email as a recovery contact, and their account is compromised, it creates a path back into the organization.
The best time to put protections in place is yesterday. The second-best time is today.
AI is no longer a future concern. It’s reshaping executive risk right now. Our team at 360 Privacy recently tracked and dismantled two AI-built doxing platforms targeting more than 23,000 executives. The full investigation is detailed in our new technical brief: From Prompt to Platform: AI and the New Era of Executive Targeting. Download it today to see exactly how these platforms were built, why the threat is growing, and how leaders can get ahead of it.
