This week the BBC reported that more data is stolen for hacktivist purposes than financial gain. Hacktivism has become one of the top global threats facing organisations, and information security professionals are beginning to recognise that it’s not a case of if, but when an organisation is going to be attacked.
Emotion motivates behaviour, whether it’s criminal activity or getting people to do the right thing. Hacktivists will often deploy a DDoS (distributed denial of service) attack in support of political issues, whether it is the arrest of Megaupload’s co-founders Kim Dotcom and Mathias Ortmann, or in protest against national censorship. The hacktivist’s motivators are purely emotional – at the moment – and it could be argued that they will exploit security holes just because they exist.
It’s near impossible for technical security solutions to keep up with the growing complexity and availability of our networks, and yet we heavily rely on them. Perhaps this isn’t a concern, however, when we consider the majority of security weaknesses are caused by simple internal system failures and unadulterated human error. Before we attempt to analyse the behaviour of the hacktivists, let’s do what we can to change the behaviour of our employees.
Your workforce will always ask ‘what’s in it for me?’ so it’s important to align secure behaviour with their core values, as well as those of your organisation. Personal accountability certainly contributes to creating a more secure culture within the workplace, but this must be communicated clearly to avoid confusion. You are physically and metaphorically handing some responsibility over to your employees, so be sure to emphasise that this change is intended to empower colleagues as individuals. Many organisations fail to classify their most important information assets yet still expect their workforce to protect them. By contrast, your employees won’t struggle to identify their personal priorities, and here’s where we can learn from them.
Freedom to be secure
The popularity and widespread adoption of BYOD (Bring Your Own Device) provides an excellent opportunity to remind employees of their responsibility to securely manage the company data they have access to via their personal devices. They are given the freedom to use the device that suits them and, in return, they must abide by key rules set out in your organisation’s policy. Give them the advice and tools they need to protect themselves at home, and they’ll be sure to thank you for it. In this scenario, demonstrating the right behaviour not only ensures company information and reputation are protected, it also helps to protect their personal equipment from compromise.
Think like a hacktivist
While the experts accept we’re all vulnerable to hacktivist attacks, we’re by no means admitting defeat. Hacktivists’ emotions and beliefs are strong enough to motivate them to act. Putting hacktivism and other forms of cybercrime into context will help you to clearly explain the risks and align correct behaviour with professional and personal values. If we join the hacktivists in their way of thinking, we might just find we can beat them.