Feature: Taming the cyber frontier
The role of cyber-citizenship
There are substantial risks to an organisation, its IT systems and its information security from online behaviour that is not aligned with the expectations of individuals or groups, including customers, suppliers, staff and the general public. Determining what is or is not appropriate can be a challenge: it may be clear-cut – according to laws and agreements – or blurred and unpredictable, according to context and public opinion.
Traditional citizenship is characterised by the rights and
Developing a cyber-citizenship response
Today, the reputation of an organisation can rest on the quality of its cyber-citizenship. The risk from unfavourable public opinion – among the public, the Internet community and customers – is real, especially with the speed and variety of online communication. But the unpredictability of opinion makes it difficult for an organisation to focus on it and, since most opinion grows out of norms, a focus on norms may provide the best approach.
By focusing on norms in their approach to
Ensuring good cyber-citizenship
To get a full understanding of the key risks, an organisation should review laws and regulations that govern online behaviour, determine its contractual obligations and conduct a risk analysis of those individual or corporate behaviours that may violate laws, regulations, contractual obligations, expected norms or public opinion. It's also important to understand which individuals and groups may respond unfavourably or poorly to the enterprise's online behaviour (across the spectrum from
Security awareness training
The next step is to update training programmes in the area of security awareness. Organisations need to: update all employees on the concept of enterprise cyber-citizenship and how it applies to daily activities; discuss norms and professionalism, civil agreements and relevant laws, and how these together govern behaviour; and examine the various ways in which failure to follow standards of appropriate professional behaviour online can lead to serious consequences.
The organisation should also
Rules of good enterprise cyber-citizenship
To help organisations and their employees become good cyber-citizens, the ISF has developed an eight-point list of rules, as follows:
1. Exhibit professionalism in all online behaviours, 24×7.
2. Assume the most exacting expectations of professional behaviour at all times: different stakeholders may have different expectations.
3. Apply the norms of professionalism to all communications, regardless of whether they are verbal, written, paper or electronic. These include telephone calls, voice
The hacktivism threat
Hacktivism covers a range of activities involving cyber-enabled social activism, for both good and bad ends. Like traditional activism, hacktivism ranges from peaceful protest to highly damaging criminal activity. Hacktivism attacks are highly targeted and often involve a range of methods, including network penetration, social engineering and denial-of-service attacks.
Recent high-profile cases have shown activists what profit-driven criminals have known for some time – that technology and the
Reducing the risk and impact of a hacktivist attack
There are several preventative measures that organisations can take to reduce the risk and impact of a hacktivist attack. Organisations should also have a plan to respond in real time.
A. Understand the threat
The hacktivist threat comes from cybertools being in the hands of people with an activist mentality, and it is this combination that should be the area of focus. While a portion of the response comes from traditional information security and a portion comes from organisations' traditional response to social activism, both functions need to extend their reach to deal with this new threat, and will also have to learn to collaborate in new ways, as illustrated in Figure 2.
B. Secure the systems
As with all information security measures, a complete elimination of risk cannot be guaranteed, but as the level of overall security increases, it becomes harder for hacktivists to succeed in mounting an attack. Organisations should:
- Ensure that standard security measures are in place.
- Adopt similar controls to those used for profit-driven attacks.
- Focus in particular on strengthening the perimeter, hardening all Internet-facing systems, and testing external access.
- Address relevant
C. Identify PR weak spots and potential targets
Hacktivist attacks may seem to come out of nowhere but there's a good chance that information about potential activism already exists within the organisation. Therefore, organisations should work with the relevant teams from the business as well as risk management, marketing, compliance, business ethics, client service and public relations to develop an understanding of the public relations weak spots – those products, practices, or positions that could invite public criticism, grievance or
Reducing the impact
There are three broad activities that will help you reduce the impact of a hacktivist attack.
A. Further strengthen relevant systems. Once potential public relations weak spots are identified, they can be mapped to relevant systems, which can then be fortified proactively. Organisations should attempt to answer in advance the question ‘Why and where might we be a target?’. They should:
- Map out the online touch points for each weak spot – which online systems might a potential attacker
Conclusion
There is considerable risk to an organisation if it is perceived to be a poor cyber-citizen. Therefore, it is vital that everyone in the organisation understands that they have a responsibility to act in accordance with acceptable and expected behaviours in their online activity, and to demonstrate professionalism online. Organisations have a responsibility to ensure that their policies, actions and behaviours coincide with acceptable and expected corporate behaviour online.
The risk of successful
About the author
Gregory Nowak has worked as an information security professional for over 10 years, in both Fortune 500 companies and consultancy firms. He has experience in a wide range of information security disciplines, with a particular focus on software development, business continuity and data and content management applications. His experience includes project management of infrastructure deployments and business continuity projects, design and development of privacy-management tools for websites, and implementation of enterprise governance, risk management, and compliance (GRC) tools.