Social Media OPSEC for Executives: What You Are Advertising and to Whom

Security Intelligence

Social Media OPSEC for Executives: What Your Profiles Reveal and How to Reduce the Risk

Executives' social media activity is a primary intelligence source for threat actors. This article covers practical operational security measures that reduce the information available to those who intend harm.

Security Intelligence 7 min read 29 Apr 2026

Written by James Whitfield — Senior Security Consultant

A kidnapper planning a ransom operation does not need an informant inside the target’s company. A stalker building a pattern-of-life on a public figure does not need surveillance equipment. A fraudster preparing a social engineering attack on a company does not need an inside source. Each of them has access to the target’s social media.

The information most valuable for targeting an executive — location, routine, relationships, property, schedule — is routinely published by executives themselves, their families, and their organisations on public platforms. Understanding what you are publishing and to whom is the starting point for social media operational security.

What a Threat Actor Can Build From Open Source

Intelligence professionals call the systematic collection of publicly available information Open Source Intelligence (OSINT). The same tools and techniques that intelligence services use to build threat pictures on adversaries are freely available and routinely used by criminal investigators, private detectives, and, at the lower end, criminals selecting targets.

From a publicly accessible LinkedIn profile, a Facebook account, an Instagram feed, and a company website, a competent OSINT researcher can typically establish: the executive’s current role, employer, and seniority; their approximate home area (from historical tags, check-ins, or background details in photos); their travel frequency and destinations; their family structure; their typical daily schedule (derived from posting times); the schools their children attend; their vehicle (from photos); and their property (from background details in photos and, in many jurisdictions, from public property records cross-referenced against name and location).

This is not hypothetical. Control Risks’ protective intelligence unit and similar functions at Kroll, G4S, and other major providers consistently identify social media as the primary open source intelligence gathering point for threat actors targeting individuals.

The Five Information Categories to Control

Location in real time or near real time. Posting from a venue while still there, or posting within hours of arriving at a location. This tells anyone watching where you are right now.

Routine. Consistent posting from the same gym at the same time, the same commute route, the same restaurant every Thursday. Routine is the enemy of security. Predictable behaviour reduces the planning burden for anyone intending to cause harm.

Property information. Home exterior photos, home interior photos (which reveal address through cross-referencing), holiday property photos, and security-relevant information such as visible gates, absence indicators, or safe room details inadvertently disclosed in the background.

Travel schedule. Announcing a conference attendance, posting airport departure photos, or sharing a speaking engagement schedule. This tells anyone interested exactly where you will be, on what date, often at what specific venue.

Relationship and contact information. Tagging family members (linking the executive’s account to accounts that publish from the family home), publishing the names of close associates, or revealing the corporate security function’s identity and staffing.

What Good Social Media OPSEC Looks Like

Good social media OPSEC does not require silence or disappearance from platforms. It requires deliberate, informed decisions about what to publish.

For location: post retrospectively, after leaving the location, not in real time. Avoid posting from the home or from any location that forms part of a regular pattern. Disable location tagging in photos at the device level, not just at the platform level.

For schedule: avoid publishing travel plans in advance. Conference and speaking engagement appearances can be listed on the company website after the event rather than announced in advance. Avoid publishing departure flights or specific hotel information.

For property: audit existing photos for inadvertent property detail. A photo in the garden or on the driveway that is publicly visible may contain enough detail to identify the property through reverse image search or cross-reference with property records. Apply the same review to family members’ accounts with their cooperation.

For relationships: consider whether tagging family members, friends, or security staff in posts creates an unnecessary connection between accounts. Information published on a family member’s less-protected account becomes accessible via the executive’s account if the accounts are publicly linked.
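
Added example (not part of the original article): a pre-publication check supporting the location and property advice above. It parses a JPEG's Exif header and reports the location, time and device tags that remain embedded in the file itself, which is why tagging has to be disabled on the device. The tag numbers come from the Exif/TIFF specification; `audit_exif`, `build_sample` and the header-only sample images are constructed for this illustration.

```python
import struct

# Exif IFD0 tags that disclose where, when, or on what device a photo was taken.
SENSITIVE_TAGS = {0x8825: "GPSInfo", 0x0132: "DateTime", 0x010F: "Make", 0x0110: "Model"}

def audit_exif(jpeg: bytes) -> list[str]:
    """Return names of sensitive Exif IFD0 tags still present in a JPEG."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # image data or end of image: no more metadata
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return _scan_ifd0(body[6:])     # APP1 segment carrying a TIFF structure
        pos += 2 + seg_len
    return []

def _scan_ifd0(tiff: bytes) -> list[str]:
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # little- or big-endian TIFF
    if order is None or len(tiff) < 8:
        return []
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return []
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    found = []
    for i in range(count):
        entry = tiff[ifd_off + 2 + 12 * i:ifd_off + 14 + 12 * i]
        if len(entry) < 12:                 # truncated directory: stop reading
            break
        (tag,) = struct.unpack(order + "H", entry[:2])
        if tag in SENSITIVE_TAGS:
            found.append(SENSITIVE_TAGS[tag])
    return found

def build_sample(tags: list[int]) -> bytes:
    """Constructed header-only JPEG (SOI + Exif APP1 + EOI) used as sample input."""
    entries = b"".join(struct.pack(">HHII", t, 4, 1, 0) for t in sorted(tags))
    tiff = b"MM" + struct.pack(">HI", 42, 8) + struct.pack(">H", len(tags)) + entries + b"\x00" * 4
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    print(audit_exif(build_sample([0x0132, 0x8825])))   # photo tagged by the camera app
    print(audit_exif(build_sample([])))                 # location and time tags absent
```

On real files, pass the bytes read with `open(path, "rb").read()` and run the check on every image before upload. The coordinates themselves sit in the sub-directory that tag 0x8825 points to, so its presence alone is enough to hold a photo back.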

The Review Process

Social media OPSEC review should be part of the executive security programme, not a one-time activity. A review at the start of a new security programme establishes the baseline. An annual review identifies changes. A review following a threat upgrade or a new specific threat is standard practice.

The review covers: publicly visible profiles on all platforms where the executive and their immediate family have accounts; historical posts for location patterns, routine disclosure, and property information; the executive’s connection and follower network for identified persons of concern; and the executive’s organisation’s social media for information about the executive’s role, location, and schedule.

The review produces specific recommendations: posts or profile sections to remove or restrict, privacy setting changes, and ongoing protocols for what to publish and what not to publish.

For executive threat intelligence services, including social media monitoring and OSINT review, see our executive protection services. For the broader threat intelligence framework see our guide to threat intelligence for executives. City-specific threat profiles for our P1 network are at Lagos, Moscow, Istanbul, and Riyadh. For technology executives facing the specific doxxing-to-physical-threat pipeline, see our security for technology executives guide. For the broader digital footprint management framework – data broker removal, Companies House address suppression, electoral register opt-out, and DVLA address protection – see our executive digital footprint management guide.

Summary

Key takeaways

1. Location information is the highest-value intelligence for physical threat actors

2. LinkedIn is a professional intelligence database and should be treated as one

3. Family digital security requires family cooperation

FAQ

Frequently Asked Questions

Operational security (OPSEC) is a process that identifies information critical to an operation and takes steps to prevent adversaries from obtaining it. Originally a military concept (developed by the US military during the Vietnam War as Operation Purple Dragon), it is directly applicable to executive security because executives routinely publish information about their movements, contacts, and activities through social media and public-facing channels. OPSEC applied to social media asks: what does this information tell an adversary, and does the benefit of publishing it outweigh the risk of them having it?

LinkedIn is the highest-risk platform from an executive security perspective, because it is designed to publish professional information and is indexed by search engines. It typically shows employment history, current role, company, connections, and often travel and conference attendance through posts and shares. Instagram and other visual platforms reveal lifestyle information, location, property details, and family. Twitter/X creates a searchable record of opinions, relationships, and real-time location signals. The platform matters less than the information published: any platform on which an executive publishes location, routine, or relationship information creates a usable intelligence picture.

Social media has legitimate professional and personal value. The question is not whether to use it, but what information it is safe to publish and what should not be published. The OPSEC framework does not require executives to disappear from social media. It requires them to understand what information they are making available and to make deliberate decisions about it rather than publishing without awareness of the intelligence value to a threat actor. Most social media OPSEC improvements involve removing location information, adjusting retrospective posting practices, and reviewing what is visible to people outside the executive’s known network.

Family members’ social media is frequently a larger security gap than the executive’s own. A spouse who regularly posts from the family home (providing address and routine data), children who announce school activities and schedules, or family accounts that show the family’s holiday property and dates of absence create intelligence that directly supports residential targeting, kidnapping, and burglary. The executive’s security assessment should include a review of family members’ social media with their cooperation, framed as a shared security interest rather than surveillance or control.

A social media threat assessment reviews the executive’s publicly accessible social media footprint to identify what information is available to a potential adversary, whether any specific individuals are expressing hostile intent in public-facing channels, and what the executive’s current digital exposure profile looks like relative to their assessed threat level. It produces a report with specific recommendations for profile adjustments and ongoing monitoring protocols. It is a subset of broader executive threat intelligence and is typically commissioned when a new security programme is initiated or when a specific threat has been identified.