To stop attacks against your company, have in place a plan before you're a victim.
When I was a little girl, Peter Pan (the one with Mary Martin) aired on television once a year. We would all sit there, on the floor, in our footed pajamas waiting for the good part: when we were asked for our help and given the power over life and death. At the point when Tinkerbell swallowed the poison meant for Peter and flickered, dying, children from everywhere were asked to clap if they "believed." And inspired by all the young children's clapping, she became stronger and survived. For my generation, it was the first demonstration of the power of the people.
People today have a different format for making a difference. Using the Internet, they can show their support for missions, people, and campaigns by blogging, redirecting traffic and search engine rankings, or engaging in "hacktivism" and shutting down child porn, fraud, and the Web sites of people and companies they oppose. Unfortunately, with the Internet as a soapbox, the potential for doing evil is as great as the potential for doing good. Angry, frustrated, and naive people--as well as those who may be misled by others acting out of greed, ego, and vindictiveness--can use their Net-power to do harm. Individuals may send hateful anonymous E-mails; launch IM, E-mail, text-messaging, denial-of-service, and spam campaign attacks; destroy or deface Web sites; or create Web sites that bash and threaten companies and individuals. They can even get others to join their cause; unfortunately, many people click before thinking and become the unwitting tools of another. In this "bizarro world," this blind support often means destruction, not inspiration. It often can destroy Tinkerbell's life, not save it.
These attacks are called cyberwarfare, cybersmear campaigns, or cyberbashing. They can be malicious and hateful. The instigators of such attacks are usually motivated by something personal, not for financial gain. They may have been fired, or denied a raise. They may feel that they are righting wrongs against them or others they want to protect. Perhaps they are jealous, or a rejected lover. Sometimes they're looking for media or other attention or trying to exert power or control over another. They may even be mentally unbalanced. Many of the people who launch such attacks are looking to feed their egos, humiliate their victims, and enjoy their roles as intimidators.
These attacks can affect stock prices, or get in the way of an important business deal. They can cost people their jobs and even their careers. They may be as impersonal as falsely accusing the company of a crime. Or they can be as personal as claims that the CEO is a child molester.
These campaigns have several victims, not just the target. Those being misguided into supporting the attacks are victims. They may be criminally prosecuted or sued for their actions. They may lose their jobs or ISP accounts. The hosting companies of the sites being attacked also are victims, with other sites and services provided by that hosting company often being disrupted or destroyed in the attacks. And the employees and stockholders of the target company, and the family members and loved ones of the people being targeted, are victims as well.
But, obviously, the company or person being targeted is hurt the most--often irreparably.
So, what can you do if you or your company is being victimized by one of these attacks? How do you stop it, avoid unnecessary hemorrhaging, and get the correct word out? Can you survive it long enough to get a handle on it? The answer depends on how you are being bashed, why, and who you are. The wrong move can help boost the profile of the basher and his message. The right one can help bring things back under control. Knowing the difference often requires the help of professionals.
No one is safe from these kinds of attacks, so careful planning to combat them is crucial. You need to be able to compile a team to help deal with the different aspects of the bashing. The team must include technology experts, security, human resources, legal pros, and, most important, a well-informed public-relations expert. If your company employs a separate media relations person, he or she needs to be included as well. The team needs to be prepared to act quickly if necessary; they must be familiar with places where information about your company is normally sourced online, and be able to deploy your own information broadcast resources. They must know how to reach the decision makers within the company, as well as investor groups and analysts. Contact information should be circulated, including off-hours contact information. Any delay in the early crucial hours of a cyberattack can cost a company and individual dearly.
Policies should be implemented in advance of becoming a victim. They should include policies relating to confidential or proprietary information, passing rumors, cyberharassment, and trade secrets. It's also helpful that they include a prohibition (to the extent permitted by law) of public statements or passing rumors about, or attacking the reputations of the company or its executives and board members, as well as a reporting method for valid complaints about these people, and the penalties for violation of that policy. Good monitoring software should be deployed to help avoid security breaches. Monitoring polices should be implemented, with the employees warned that their cybercommunications are being monitored, and preferably signed and acknowledged in advance of a problem by the employee. Trained supervisors should review the logs generated by the monitoring software in accordance with the monitoring policy, with an aim of protecting both the privacy of the employee while also protecting the reputation and legal rights of the employer. A clear chain of communication should be set out, so that employees and the supervisors can report policy violations and get a quick response. And anonymous reporting options can be very helpful in getting early reports of cyberbashing campaigns, when the reporting employee isn't willing to be identified.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.