You may have seen or heard that the New York Times was a victim of a cyber attack earlier this week. As the Times itself reported, its website was unavailable to readers on Tuesday afternoon after an online attack on the company’s domain name registrar. The hack was just the latest against a major media organization, with The Financial Times and The Washington Post also having had their operations disrupted within the last few months.
What can companies do to protect against such threats? A recent IndustryWeek article notes that companies can take several steps, which should begin with preventing spear-phishing attacks that trick employees into revealing their e-mail passwords. Once hackers have access to employees’ e-mail, they can retrieve log-in credentials for websites.
Consequently, companies should focus on teaching employees to recognize and resist such phishing attacks. That’s important because according to a study cited in the article, when assessing whether an e-mail was malicious or legitimate, 92 percent of study participants incorrectly classified at least some e-mails.
What I found more interesting, however, is that some organizations are becoming more aggressive about preventing physical and financial losses. Indeed, CFO reports today that in some cases, this may involve counterattacks against hackers.
Some organizations are beginning to develop the capability of identifying hackers using intelligence, says Larry Ponemon, chairman and founder of the Ponemon Institute, a research and consulting firm focusing on privacy and data protection, in the CFO article. With that intelligence, companies can even aim malware or launch a denial-of-service attack at the servers of the potential perpetrators. If an attack comes from outside the U.S., companies here can also work with telecommunications companies to deflect the attack, he added.
To be fair, this paradigm shift is in the very early stages. Nonetheless, Ponemon does say he has sat in meetings with organizations that are conducting such actions.
“We know of organizations that are doing it, and other organizations that aren’t actually doing it, but are collaborating with government—the Secret Service, the FBI, even state law enforcement—to help them model an attack,” Ponemon says in the CFO article.
Bob Parisi, network security and privacy practice leader at insurance broker Marsh, says he too has seen companies take a preemptive approach to potential cyber-attacks. He does say in the article, however, that “vigilantism has its drawbacks.”
One problem is that potential hackers can be an extremely elusive target. Parisi likens the attackers to a bit of smoke in that they can be hard to actually locate. He further notes that most attacks don’t come from the attacker’s own computer system.
So it’s possible, for example, that a major retailer which fears an attack would act preemptively only to discover that it targeted a dry-cleaning company in another part of the country, according to Parisi. Obviously then, the practice would open the door for serious liability, he says in the CFO article.
Ponemon also sees potential problems when a U.S.-based company preemptively strikes a potential cyber-criminal in another part of the world. So, the question then becomes: Even if you know with perfect certainty that you’re going to get attacked by a bad guy, do you have the legal right to attack first? he asks.
“If it’s government, you can use the rules of warfare, and the answer might be ‘yes, you can do it,’” Ponemon says in the CFO article. “But when it’s corporation against bad-guy, or corporation against nation-sponsored attack, it’s a little bit complex,” he says.
That’s an interesting idea to think about. If you knew hackers were going to attack your company, do you think it’s OK to attack them first? Secondly, what type of liability issues do you think that creates?