Not a hacker. Anyone with a laptop and an hour to spare.
And here’s the part that catches people out: you can spend a fortune on cybersecurity and still be an open book. They’re not the same problem, so they don’t have the same solution.
Cybersecurity protects your systems — the firewalls, the passwords, the network. Worthwhile work, and not this. Digital risk is a different question: not whether someone can break into your systems, but how much of your life they can piece together without breaking into anything at all.
The issue
Start with the digital footprint. It’s the trail of information about you that exists online, and the part people miss is how much of it they never put there themselves. Property records. Company filings. Planning applications. Old interviews. A charity gala write-up that names the family and the venue. A teenager’s tagged holiday photo. A member of staff who’s mentioned the family online without thinking. None of it looks dangerous on its own.
But it doesn’t stay on its own. Pulled together, those fragments tell someone where you live, when you’re away, who you love and how to reach them. Enough to build familiarity, then access, and eventually opportunity. And almost all of it is sitting in the open, free to anyone patient enough to gather it.
That’s the gap. Cybersecurity asks whether your systems are locked. Digital risk asks the harder question: what can someone find out about you without breaking in at all?
The risks
A while ago, I looked at a case that, on paper, was minor. A single email account had been compromised. The technical response was textbook — passwords reset, matter closed, sorted.
But that inbox held travel itineraries, a child’s school name and a weekend address. The financial loss was nil. The real damage was that a near-complete picture of a family’s movements now sat in the hands of someone who shouldn’t have had it.
That’s the heart of it. Information gathered online, whether stolen or simply found lying around, reveals routines, relationships and whereabouts. That intelligence is precisely what enables stalking, extortion, harassment or a physical approach. A digital exposure can be a far greater threat to someone’s safety than to their bank balance.
The other way in isn’t technical either. It’s trust. A convincing message appearing to come from a principal or a lawyer. A cloned voice on the phone, now achievable with tools anyone can buy. The details that make those approaches believable — names, projects, relationships, turns of phrase — were very often gathered from open sources first. The question is no longer whether a message looks genuine. It’s whether anyone checks before acting on it.
What actually works
If cybersecurity won’t close this gap, what does? Not more technology. It comes down to understanding your exposure and reducing it with some discipline.
See yourself as someone with hostile intent would. A proper assessment of what’s findable about a family — across data brokers, people-search sites, public records, old filings, social media, breached credentials — almost always surprises people. You can’t reduce exposure you don’t know about.
Then reduce the footprint you can control. Tighten privacy settings, remove what’s no longer needed, get personal details suppressed where the law allows, and bring the wider circle into the same habits. People with harmful intent rarely approach a principal directly. They work around them, through family, staff and advisers.
Put a verification step in front of anything that matters. A second human check defeats most impersonation, deepfake or otherwise.
And don’t stop at monitoring. Watching for your information to resurface is necessary, but on its own, it’s worth very little. What matters is interpretation — and this is where personal threat management earns its keep. When something surfaces, the question is never simply what it is, but what it means. Real escalation, or noise? What should happen next? Overreact, and you create anxiety, visibility and cost you didn’t need. Underreact, and you miss the moment when stepping in is easiest. Knowing the difference is the whole job.
None of this is about living in fear, and it doesn’t turn life into a security operation. It’s about taking back control through understanding — knowing what you’re giving away, closing down what you can, and reading what’s left calmly.
Because invisibility no longer exists. Control does.
And in a world this connected, protecting information and protecting people stopped being separate jobs a long time ago.
