Modern day information risk has evolved from amateur script kiddies, locked in their bedrooms at home seeking to outsmart their friends, to a highly organised and professional criminal activity.
While the nature of the attacker has changed dramatically, has the victim’s response been adequate? We have previously spoken at length about the technical solutions necessary for a business to tackle that ever-increasing and evolving threat, but lately I have been thinking, "is that enough, or are other parameters as important?".
In my view, to truly understand the threat you have to understand why a company could become a target. Why does the hacktivist community, even though their numbers swell and they become ever more organised in their operations, remain focused on targeting specific companies? Indeed, historic analysis suggests that there may be a number of indicators that point to why hacktivists undertake attacks on those specific companies and that, in many cases, it could be argued that the company itself is to blame.
The indicator I want to discuss here is not, surprisingly, the approach of the information security team or the lack of investment by the overall business in cyber security defences, but the link between a business’s operating methods, its client-facing posture, and how these can make that business a possible target.
Many members of the hacktivist community are quite ideological in their stance and target companies not because they think it is a challenge to do so, but because they fundamentally believe it is the right thing to do.
Hacktivism is fuelled by individuals who believe in a cause: Freedom of speech, eradication of poverty, religion, fair trade. While many companies have actively taken steps to promote their responsible behaviour towards all these issues, how many of these have actually taken steps to implement this through the overall culture of their business and down to the grass roots of their approach to risk and incident management?
Open source reporting claims that two of the most renowned hacking incidents of 2011 were undertaken by Anonymous with retribution against their victims in mind.
Take a look at Sony, which was reportedly targeted for its lawsuit against the Playstation 3 hacker, George Hotz. Anonymous’s manifesto states: “These lawsuits are an unforgivable offense against free speech and internet freedom…your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for and rightfully own, in the manner of their choosing.”
Or look at the attacks against HBGary in 2011. Open source reporting links the statements that business leaders made threatening to expose Anonymous ringleaders to these attacks. The business community was caught by surprise about the risks that such statements pose.
Business leaders are by their nature confident people and they have to be able to command and maintain the trust of their employees and shareholders. Yet are they truly aware of the risks that this outward confidence and bravado may bring upon their business?
In today’s cyber connected world, where the effects of bad information security practices can affect not just the technology that runs the company, but also its financial performance, share price, customer loyalty and brand, has the evolution of cyber risk reached a position where business leaders must examine an ideological approach to business management?
Would Sony, in our example, have been better off by accepting that it may have been a programming fault on its part that was the issue, rather than retaliating with a lawsuit? Do companies that regularly hit the headlines think of how their actions fuel the activist communities’ fires?
I don’t mean to be conclusive, and I always want to be on the side of the victim, but I can foresee an increasing trend analysis where a company’s modus operandi brings upon it the wrath of the hacktivist community.
This trend requires two changes in a company’s approach to cyber risk: business leaders need to become educated on the true threats that their business faces and information security professionals have to arm their business leaders with that information. Such a high level of awareness is not easily obtained and will require an evolution of a new capability within the infosec arsenal.
The time to become proactive is here. Cyber threat intelligence will be required by companies to help them understand how they can avoid becoming a cyber target, and help their leaders to reposition their brand and prevent them from crossing the ideological threshold before it is too late.
Mark Brown is director of risk and information security at Ernst & Young.
30 Jul 2013