HK Defense Solutions

The Person Who Knows Everything

Your assistant knows everything—your schedule, contacts, and sensitive data. That access makes them a critical part of your security posture. If their security fails, yours does too.
TLDR: Executive assistant security requires military-grade protocols to protect against social engineering, credential theft, and unintended data exposure that compromise an executive’s entire security posture. HK Defense Solutions implements structured training, device standards, and auditing to eliminate blind spots and ensure every access point meets elite protection requirements.

Your assistant knows more about you than almost anyone.

Your calendar. Your contacts. Your medical appointments. Your family’s schedules. Your financial activities. The passwords to systems you’ve forgotten about. The names of your doctors, lawyers, and advisors. Your travel patterns. Your dietary restrictions. Your communication preferences.

They know when you’re stressed. They know who you avoid. They know which meetings you cancel and which ones you never miss.

When we assess executive exposure, the assistant relationship is always one of the first things we examine.

Not because we suspect assistants of malicious intent. Most assistants are exceptionally loyal and professional. That’s not in question.

What matters is that the access they require to do their jobs makes them a critical node in your security posture.


The Access Reality

Think about what your assistant can access:

Your calendar. Every meeting, every appointment, every commitment. This reveals your patterns, your priorities, your availability windows. It shows when you travel, where you go, who you meet with.

Your email. Many assistants have full access to manage correspondence. This means every sensitive communication, every negotiation, every personal matter that comes through email.

Your contacts. The people in your life, their contact information, your relationship history. A comprehensive map of your professional and personal network.

Your travel. Itineraries, bookings, preferences. When you’re away from home. Which hotels you use. Which routes you travel.

Your financial activity. Expense management, credit card information, bank details. Depending on the role, they may authorize purchases or manage accounts.

Your passwords. Many assistants maintain password lists for the executive. Access to streaming services, travel sites, building access codes, alarm codes.

Your family’s information. Schedules for spouse and children. School pickup times. Extracurricular activities. Household staff schedules.

This access is necessary. An assistant can’t do their job effectively without it. The question isn’t whether they should have this access. The question is whether the security around that access is appropriate.

The Exposure Assessment

When we evaluate assistant security, we look at several dimensions:

Device hygiene. Is your assistant accessing your calendar, email, and files on a personal device? Is that device also used for social media, dating apps, game downloads, and other personal activity? What’s the security posture of their home Wi-Fi? Where are their backups stored?

The device that accesses your most sensitive information should be secured accordingly. If it’s the same device being used for everything else in their personal life, it inherits all the risks of that personal activity.

Password practices. Do they have access to credentials for sensitive systems? Where are those credentials stored? Are they using strong, unique passwords, or is there password reuse? What happens to that access when they take a vacation, get sick, or leave the role?

Social engineering vulnerability. How would they respond to a call that appeared to be from your spouse asking for sensitive information? What verification protocols exist when unusual requests come through trusted channels? Have they been trained to recognize social engineering attempts?

Assistants are high-value social engineering targets precisely because of their access. An attacker who can manipulate your assistant can often access everything your assistant can access.

Data handling. When they print your itinerary, where does it go after the trip? When they book your travel, which third-party systems get access to your patterns? When they manage your correspondence, what gets archived where? When they leave the role, what information goes with them?

The Case Study

We did an assessment last month where the principal had excellent personal security practices.

Strong, unique passwords for every account. Two-factor authentication everywhere. Careful about what he shared on social media. Genuinely disciplined about his digital footprint.

His assistant had access to everything.

She used the same password for his work email as she did for her personal Instagram account. The Instagram account had been compromised twice in the last year without her knowledge. The compromises were credential stuffing attacks that succeeded because she reused passwords across multiple services.

Through her, his entire life was potentially accessible.

Every email. Every calendar entry. Every contact. Every file in the cloud storage they shared.

She hadn’t done anything wrong. She wasn’t careless by normal standards. She just hadn’t been trained to understand that her digital hygiene was now his digital hygiene.

Her security practices were the weak point in his security architecture.

 

For executives specifically, physical protection extends to travel security, residential security posture, and coordination across every environment where they operate. It’s not event-based. It’s continuous.

The Uncomfortable Conversation

This isn’t about suspecting your assistant of malicious intent.

This is about recognizing that anyone with significant access to your life needs to be operating at the same security standard you are.

If you use strong passwords but your assistant uses weak ones, your effective password strength is whatever your assistant uses.

If you’re careful about phishing but your assistant clicks on suspicious links, your exposure is whatever your assistant’s exposure is.

If you’ve thought through your digital footprint but your assistant hasn’t, the information they can access is exposed through their vulnerability.

Security is a system. The system is only as strong as its weakest component.

What This Usually Means

Addressing assistant security usually involves several elements:

Training. Most assistants have never received security awareness training. They don’t know what business email compromise looks like. They don’t understand how social engineering works. They haven’t been taught to recognize the red flags that indicate an attack in progress.

Training doesn’t need to be elaborate. A few hours of focused education on the specific threats they’re most likely to encounter can dramatically improve their security awareness.

Protocols. Clear expectations about what should and shouldn’t be done with sensitive information. Verification requirements for unusual requests. Guidelines for password management, device security, and data handling.

These protocols should be documented, not just discussed. They should be reviewed periodically. They should cover the scenarios that are most likely to create exposure.

Device standards. If your assistant is accessing sensitive information, the device they use should meet appropriate security standards. This might mean providing a work device rather than relying on their personal phone. It definitely means ensuring whatever device they use has current security updates, appropriate protections, and managed access.

Periodic auditing. Regular review of what access exists, what devices are connected, what password practices are in place. Not as an expression of distrust, but as a normal security hygiene practice.

Offboarding procedures. When an assistant leaves, what happens to all that access? Credentials need to be changed. Devices need to be recovered or wiped. Access needs to be revoked. This process should be defined before it’s needed.

The Conversation Framework

Most principals have never had this conversation with their assistants.

They’ve never established expectations. They’ve never provided training. They’ve never explained why security matters and what threats they’re trying to protect against.

Here’s a framework for that conversation:

Start with context, not accusations. Explain that your profile creates certain risks. Explain that people in your position are sometimes targeted through the people around them. Make it clear this isn’t about suspecting them of anything.

Explain the threat model. Describe what social engineering looks like. Explain how credential theft works. Give concrete examples of the kinds of attacks that target assistants of high-profile individuals.

Establish expectations. Be specific about what you need from them. Password standards. Device security. Verification protocols. Data handling. Make these expectations clear and documented.

Provide support. Don’t just tell them to be more secure. Give them the tools and training to do it. Provide a password manager. Arrange security awareness training. Make it easy for them to meet the standards you’re establishing.

Create psychological safety. Make it clear that if they’re ever unsure about a request, if something seems off, you want them to verify. They won’t be penalized for taking time to confirm. They will be supported for being cautious.

The Return on Investment

This might seem like a lot of effort to address a relatively obscure risk.

But consider: your assistant likely has more access to your life than almost anyone else. They’re a single point of failure in your security architecture.

The cost of addressing this is modest. A few hours of training. Some documented protocols. Perhaps a dedicated device. Periodic review.

The cost of not addressing it is that all your other security investments are undermined by a vulnerability you haven’t accounted for.

The executives who’ve had assistants successfully targeted by social engineering will tell you: the investment in assistant security is one of the highest-return security investments you can make.

Beyond Assistants

While we’ve focused on executive assistants, the same principles apply to anyone with significant access to your life:

Family office staff. Who manages your finances? What access do they have? What are their security practices?

Household managers. Who has access to your home? Your schedules? Your family’s information?

Personal staff. Drivers, housekeepers, nannies. What do they know? What access do they have? How careful are they with that information?

Professional advisors. Attorneys, accountants, wealth managers. They hold sensitive information. What are their security practices?

Each of these relationships creates a node in your security architecture. Each node is a potential vulnerability if it’s not appropriately secured.

The exercise of thinking through assistant security is really the exercise of thinking through the entire network of people who have access to your life.

Starting the Conversation

If the person who knows everything about your life isn’t operating with security awareness, your security awareness doesn’t matter as much as you think.

Start the conversation.

Explain why it matters. Establish expectations. Provide training and support. Create an environment where caution is rewarded.

Your assistant is probably one of the most loyal and trustworthy people in your professional life. They deserve to understand the security context they’re operating in. They deserve the training and tools to protect you effectively.

And you deserve to know that the access you’ve granted is being handled with appropriate care.

Next Steps

If you’ve never assessed the security practices of your assistant or other key staff, we offer a complimentary 30-minute consultation to discuss your specific situation and outline an approach to staff security.

We also have a downloadable Staff Security Protocol Template that provides a starting point for establishing expectations and procedures.

Reach out through our website or contact our team directly.

Because the most sophisticated personal security in the world can be undermined by an assistant who uses the same password for your email and their Instagram.

Start the conversation.

About the Author

John Hamilton is the founder of HK Defense Solutions, a converged security firm serving ultra-high-net-worth families, family offices, and corporate executives. He spent twelve years in U.S. Air Force special operations, where he helped build combat search-and-rescue infrastructure across active war zones.

 
