These days, it’s not just modern-day Willie Suttons behind cyber-attacks. While financial motivations still drive the mindset of most hackers, we’re seeing a renaissance of high profile attacks perpetrated for political and ideological purposes. Hactivism isn’t new, but combined with the rising likelihood of success and the greater damage
from successful attacks, we should expect to see it more often.
What it means:
Just as security decisions have a business impact, we are now seeing business decisions have a security impact. Some organizations will always be a target: governments, banks, and as we’ve recently seen NGOs like the IMF. But other organizations step into the line of fire: Anonymous attacked PayPal, MasterCard, and others because of their actions against WikiLeaks and Assange, while Sony’s legal actions against George Hotz (for jailbreaking the PS3) led to the spate of LulzSec attacks against it.
With these developments, we have an opportunity now to look at the bridge between IT security and the business as getting built from both directions. Leading services firms – particularly those engaged at the broader business and IT levels – are in a great position to facilitate this. Organizations need to establish processes whereby executives and business managers (a) work with their IT security groups to evaluate the security ramifications in business decision-making regarding controversial issues, and (b) coordinate new IT security measures or heightened states of readiness as business groups carry out those decisions. This, in effect, turns incident management processes upside down. Given what we’re now seeing as to how intertwined security and the business are, that would be a welcome and necessary step forward.