Crisis management for a thoroughly modern crime
The corporate hack attacks perpetrated by the Anonymous collective are certainly not the first of their kind. However, the fact that the group gained access to unprecedented levels of information, penetrated top-tier government and corporate systems, and boldly claimed responsibility has caught the attention of the mainstream media in a big way and shaken corporate America.
Still not convinced? Check out this quote, from a NY Times article by Somini Sengupta and Nicole Perlroth:
“Anonymous is a wake-up call,” said Roger Cressey, senior vice president of Booz Allen Hamilton, a defense and intelligence contractor that was attacked by the group last summer. “Any company that is patting themselves on the back and saying that they’re not a target or not susceptible to attack is in complete and utter denial.”
More to the point, a company that is a target of Anonymous may also be the target of a far more potent adversary. The social engineering tactics that Anonymous members have repeatedly used are often similar to those used by criminal hackers and state-sponsored actors who penetrate company systems in order to steal valuable secrets, whether for monetary gain or competitive edge.
Now that you’ve taken that in… pop quiz time! What, dear readers, is social engineering? Ever gotten one of those emails stating that you’ve won the lottery in a random country and, if only you would send your social and bank account numbers, they would be able to pay you? That is social engineering in its most basic form. Hackers will email from disguised names (substituting a lowercase L for a capital I is extremely popular), or call and text from fake phone numbers claiming to have lost passwords and all kinds of other information. These mechanics are far from the most sophisticated used by Anonymous and other hacking groups, yet the email switch alone has been responsible for countless security breaches.
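To make the "lowercase L for a capital I" switch concrete, here is a small check a mail-filtering script could run on the From: header. It is an added example, not code from this blog, and it goes slightly beyond the one substitution named above by also folding the digits 1 and 0. The function names, the trusted lists and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Characters that look alike in many fonts are folded to one representative.
# The page names only I/l; the digits and '|' are an added assumption.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})


def skeleton(text):
    """Fold look-alike characters first, then lowercase for comparison."""
    return text.translate(CONFUSABLES).lower()


def check_sender(from_header, trusted_names, trusted_domains):
    """Return findings for one From: header value (empty list if clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    for kind, seen, trusted in (("display name", name, trusted_names),
                                ("domain", domain, trusted_domains)):
        for good in trusted:
            # Same appearance but not the same string: a look-alike.
            # A pure upper/lower-case difference is not flagged.
            if seen.lower() != good.lower() and skeleton(seen) == skeleton(good):
                findings.append(f"{kind} {seen!r} imitates {good!r}")
    return findings


# Constructed sample data (hypothetical names and domains).
TRUSTED_NAMES = ["Ian Miller"]
TRUSTED_DOMAINS = ["example.com"]
SAMPLES = [
    "Ian Miller <ian.miller@example.com>",   # genuine
    "lan Miller <ian.miller@example.com>",   # lowercase L in place of capital I
    "Ian Miller <ian.miller@examp1e.com>",   # digit 1 in place of lowercase L
    "IAN MILLER <ian.miller@example.com>",   # case change only, not a look-alike
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = check_sender(header, TRUSTED_NAMES, TRUSTED_DOMAINS)
        print(header, "->", result or "ok")
```

A check like this only catches senders that imitate a name or domain you have listed, so the trusted lists need to cover the executives and partner domains your staff actually correspond with.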
This IS the modern smash ‘n’ grab, except the thieves aren’t stealing jewelry or watches; they’re jumping in, taking your information, and then shouting it from the rooftops, trashing your reputation and destroying customers’ trust in your organization.
All crisis management plans should include not only the tactics which must be employed by IT professionals, but also the tactics and messages required by your Crisis Communications Team.
The BCM Blogging Team