Feature
Taming the cyber frontier

https://doi.org/10.1016/S1361-3723(11)70122-1

In the words of President Barack Obama, in his introduction to the cyber-security strategy document published recently by the White House: “The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the norms of responsible, just and peaceful conduct among states and peoples have begun to take hold.”1

In our increasingly connected society, organisations need to ensure that their information security function is doing all it can to protect corporate reputation. There is considerable risk to an organisation if it is perceived to be a poor cyber-citizen.

It is vital that everyone in the organisation understands that he or she has the responsibility to behave in accordance with acceptable and expected behaviours in their online activity. And organisations need to do the same with their policies and actions. The risk of successful hacktivist attacks is greatly mitigated by well-implemented, regular information security measures. Greg Nowak, Principal Research Analyst at the Information Security Forum (ISF), explains how organisations can formulate effective policies.

The role of cyber-citizenship

There are substantial risks to an organisation, its IT systems and its information security from online behaviour that is not aligned with the expectations of individuals or groups, including customers, suppliers, staff and the general public. Determining what is or is not appropriate can be a challenge: it may be clear-cut – according to laws and agreements – or blurred and unpredictable, according to context and public opinion.

Traditional citizenship is characterised by the rights and

Developing a cyber-citizenship response

Today, the reputation of an organisation can rest on the quality of its cyber-citizenship. The risk from unfavourable public opinion – among the public, the Internet community and customers – is real, especially with the speed and variety of online communication. But the unpredictability of opinion makes it difficult for an organisation to focus on it and, since most opinion grows out of norms, a focus on norms may provide the best approach.

By focusing on norms in their approach to

Ensuring good cyber-citizenship

To get a full understanding of the key risks, an organisation should review laws and regulations that govern online behaviour, determine its contractual obligations and conduct a risk analysis of those individual or corporate behaviours that may violate laws, regulations, contractual obligations, expected norms or public opinion. It's also important to understand which individuals and groups may respond unfavourably or poorly to the enterprise's online behaviour (across the spectrum from

Security awareness training

The next step is to update training programmes in the area of security awareness. Organisations need to: update all employees on the concept of enterprise cyber-citizenship and how it applies to daily activities; discuss norms and professionalism, civil agreements and relevant laws, and how these together govern behaviour; and examine various ways in which failure to follow standards of appropriate professional behaviour online can lead to serious consequences.

The organisation should also

Rules of good enterprise cyber-citizenship

To help organisations and their employees become good cyber-citizens, the ISF has developed an eight-point list of rules, as follows:

  1. Exhibit professionalism in all online behaviours, 24×7.

  2. Assume the most exacting expectations of professional behaviour at all times: different stakeholders may have different expectations.

  3. Apply the norms of professionalism to all communications, regardless of whether they are verbal, written, paper or electronic. These include telephone calls, voice

The hacktivism threat

Hacktivism covers a range of activities involving cyber-enabled social activism, for both good and bad ends. Like traditional activism, hacktivism ranges from peaceful protest to highly damaging criminal activity. Hacktivism attacks are highly targeted and often involve a range of methods, including network penetration, social engineering and denial-of-service attacks.

Recent high-profile cases have shown activists what profit-driven criminals have known for some time – that technology and the

Reducing the risk and impact of a hacktivist attack

There are several preventative measures that organisations can take to reduce the risk and impact of a hacktivist attack. Organisations should also have a plan to respond in real time.

A. Understand the threat

The hacktivist threat comes from cybertools being in the hands of people with an activist mentality, and it is this combination that should be the area of focus. While a portion of the response comes from traditional information security and a portion comes from organisations' traditional response to social activism, both functions need to extend their reach to deal with this new threat, and will also have to learn to collaborate in new ways, as illustrated in Figure 2.

B. Secure the systems

As with all information security measures, a complete elimination of risk cannot be guaranteed, but as the level of overall security increases, it becomes harder for hacktivists to succeed in mounting an attack. Organisations should:

  • Ensure that standard security measures are in place.

  • Adopt similar controls to those used for profit-driven attacks.

  • Focus in particular on strengthening the perimeter, hardening all Internet-facing systems, and testing external access.

  • Address relevant

C. Identify PR weak spots and potential targets

Hacktivist attacks may seem to come out of nowhere but there's a good chance that information about potential activism already exists within the organisation. Therefore, organisations should work with the relevant teams from the business as well as risk management, marketing, compliance, business ethics, client service and public relations to develop an understanding of the public relations weak spots – those products, practices, or positions that could invite public criticism, grievance or

Reducing the impact

There are three broad activities that will help you reduce the impact of a hacktivist attack.

A. Further strengthen relevant systems. Once potential public relations weak spots are identified, they can be mapped to relevant systems, which can then be fortified proactively. Organisations should attempt to answer in advance the question ‘Why and where might we be a target?’. They should:

  • Map out the online touch points for each weak spot – which online systems might a potential attacker

Conclusion

There is considerable risk to an organisation if it is perceived to be a poor cyber-citizen. Therefore, it is vital that everyone in the organisation understands that they have a responsibility to behave in accordance with acceptable and expected behaviours in their online activity, and to demonstrate professionalism online. Organisations have a responsibility to ensure that their policies, actions and behaviours coincide with acceptable and expected corporate behaviour online.

The risk of successful

About the author

Gregory Nowak has worked as an information security professional for over 10 years, in both Fortune 500 companies and consultancy firms. He has experience in a wide range of information security disciplines, with a particular focus on software development, business continuity and data and content management applications. His experience includes project management of infrastructure deployments and business continuity projects, design and development of privacy-management tools for websites, and implementation of enterprise governance, risk management, and compliance (GRC) tools.

References (1)

  1. ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’. The White House, May 2011. Accessed Nov 2011.
