The Call of HacktivismBanks Must Respond to Escalation of Attacks
Cybersecurity threats waged by groups such as Anonymous pose increasing concern, and they are positioned to garner more attention in 2012 and beyond. [See Anonymous Attacks Citi and Anonymous Brazil Targets Bank Sites.]
Why are hacktivist groups like Anonymous finally raising alarms in board rooms among top financial executives? Because it's become increasingly clear that their attacks are being waged for more diverse and far-reaching reasons.
We have this new breed of Anonymous coming in to expose our customer data. It's something we have to take seriously.
It's not just about humiliation. The seemingly innocuous denial-of-service attacks, like the one last week that hit Citigroup, are the least of our concerns.
Joe Rogalski, who oversees information security for Buffalo-based First Niagara Bank, say the anonymity of the attacks makes them and their motives dangerous. Anyone could be behind today's attacks, some waged for complete corporate takedown and theft, others for political espionage and personal gain. All of which are motivations that fall outside the typical hacktivist ideal of cyberanarchy for the greater good.
During this month's RSA Conference in San Francisco, addressing cybersecurity risks posed by hacktivism will be a key discussion point.
"The risk is not financially motivated anymore," Rogalski says. "Now we have this new breed of Anonymous coming in to expose our customer data. It's something we have to take seriously. With Occupy Wall Street and Anonymous getting behind them, it's just starting to get attention. ... We're now looking at how to defend against it and what we can do."
Damage control is a big piece of that, especially for banks, as identity theft expert Neal O'Farrell is quick to point out. But there is an even darker side that most banks, up until very recently, have not considered.
"It started as a form of protest, but could easily be hijacked by more ruthless criminal elements," O'Farrell says. "There are so many different hacking and hacktivist groups, often offshoots of others, it's getting harder to verify claims of exactly who's behind a specific attack or if it was even sanctioned by the named group."
It's an unknown every financial entity needs to consider.
Fraud detection and analytics can help, but institutions also have to consider the internal risks: say, a rogue employee who compromises corporate and client information for the hacktivist notion of greater good. What are organizations doing to better screen and monitor their own employees?
Education will play an increasing role, not only internally, but from a communications and PR perspective as well. The more consumers understand about how and why banks work, the less suspicious and supportive they may be of groups such as Anonymous. [See Banks Need to Focus on Image.]
The greatest worry now? The direction some of these attacks could take. Who will be the next exposed victim? The best thing banking institutions can do right now is to keep their eyes and ears open, and their security measures in check.