The Security Risks of Taking a Stand

Originally published by CXO REvolutionaries here.

Written by Heng Mok, CISO APJ, Zscaler.

Organizations face increasing internal and external pressures to take public stands on issues unrelated to their core business. Examples include a broad range of social, political, and global events, which almost never involve the business directly. While the merits or flaws of organizations engaging in social-political discourse are arguable, the fact that doing so creates security risks is undebatable. The question is, how should CISOs, CIOs, and other security leadership deal with the inevitable risks that arise from their company taking a public stand?

When an organization chooses one side of a divisive topic it inevitably alienates those who strongly disagree with them. Segments of the organization’s customer base, employee pool, and professional connections will become disenfranchised. Their disappointment with the organization, when expressed in a healthy manner, may lead to people berating the company on social media, employee resignations, or calls for boycotts. When expressed in an unhealthy way, there is a risk that individuals or external organizations may decide to take direct action against the company through many means including data exfiltration, denial of service, spamming, or vishing. In fact, in 2019 The Times of India reported that ideological cyberattacks were outpacing physical attacks.

Most cybersecurity measures focus on external threats, making them relatively well-positioned to handle an increase in normal threat activity. Insider threats, however, can cause considerable damage to a company, largely due to the perpetrator’s access to internal resources. Consider the following cases of angry employees using cyberattacks and data leaks to punish their employers:

Sudish Ramesh, a disgruntled former employee of Cisco, shut down 16,000 Webex accounts and deleted 456 VMs belonging to his former employer. Total damages from his retributionary strike: $2.4 million.

Christopher Dobbins was fired by his medical supply packaging company during the COVID-19 pandemic. He responded by hacking his former company’s network and deleting or modifying 120,000 delivery records. His actions delayed the delivery of medical equipment during the pandemic.

The ransomware group Conti pledged to attack anyone who aggressively acted against Russia during the early stages of the conflict in Ukraine. This stance resulted in 60,000 internal messages of the threat group being publicly leaked, crippling their operations and sending members on the run.

The U.S. government has suffered several cyberattacks by insiders ideologically opposed to the positions and policies of their employer. Examples include Bradley/Chelsea Manning, Edward Snowden, and Reality Winner.

Government agencies, in particular, seem to have a number of high-profile cases where former employees have used their positions to leak data. Of course, insider threats are not the only source of cyberattacks arising from ideological tensions. External actors attacked GiveSendGo during the Canadian Trucker protests of 2021, leaking the personal information of supporting donors. Ideologues are increasingly turning to cyberattacks as a means of retaliation, forcing CISOs to consider the security ramifications of their organization’s position on divisive issues.

Preparing for Post-Announcement Cyber Risks

As part of an organization's overall threat profile, begin assessing potential cyber risks through identifying areas that might be particularly appealing to ideologically-driven threat actors. The attacker’s motivation may be more focused on reputation damage rather than financial gain. This means CISOs should look at other high-risk assets aside from the standard “crown jewels”. Examples may include:

• The organization’s website
• Third-party and vendor access points
• C-level email accounts
• Organizational social media accounts
• Internal communications

Once it is clear what may be used to cause reputational damage to the organization, it is time to consider which actors might be motivated to harm the organization. Possibilities can be narrowed down by considering a series of questions, such as:

• Which entities (nations, organizations, political groups, etc) will strongly oppose our organization’s position? Do they possess cyber capability? Are they a likely risk?
• Which partners, suppliers, and employees will strongly oppose our organization’s position? Do they have access to resources that may be targeted in an ideological attack? Is our supply chain and data secure from infiltration by third-parties
• Will members of the general public want to retaliate against our business based on our position? If so, what can they access?

Knowing this information can help a CISO adjust security parameters, processes, and controls to better protect the company as it moves towards making its announcement. Of course, there are still many problems to tackle after the initial threat assessment is complete. Suppose some employees are likely to be angered by the company’s position and have direct access to sensitive assets. If these resources are critical to the employee’s workflow then removing access is not feasible. Should access be constrained, or more tightly monitored - or would doing so simply offend the employees and increase tensions?

These kinds of questions need to be considered on a case-by-case basis, and weighed carefully before any changes take place. Ultimately, the right answer will be the one that keeps organizational resources the safest. Have a pre-defined approval process agreed with HR and other business stakeholders that can initiate an additional monitoring process of high-risk individuals if the approvals and criteria are met.

If the assessment must be presented, CISOs must work hard to maintain the appearance of neutrality while covering the information. Divisive topics bring out heightened emotions among participants, and some may view the threat assessment as an attempt to derail their efforts. For this reason, CISOs should emphasize that the assessment is part of normal security protocol, and not intended to change minds. Care should be taken to present the report as something important to all involved parties, and unrelated to the company’s ideological position.

Cybersecurity is a tough field, and successfully navigating through divisive topics and emotionally charged conversations without compromising its effectiveness is a challenge.