When we hear of a major cybersecurity attack, we immediately think of the perpetrator as a bad actor. We assume it is an individual or, more often, a collective of cybercriminals, stealing personal information for financial gain. However, more and more we're seeing a move to what's known as "hacktivism," which is the act of hacking, not for personal gain but to enact social change or promote a political agenda.
Take the recent Verkada camera hack as an example. Thousands of cameras across a variety of industries were compromised, exposing personal information and allowing the collective to access live video and audio. The collective's alleged hope was to expose the dangers of mass surveillance, but in doing so it violated the privacy of people in prisons, the healthcare system, and more.
As activism across the globe continues to increase, so will cases of hacktivism. That should make it a top focus for CISOs and security leaders. Yet, many CISOs are still reluctant to take these types of hacks seriously and therefore aren't taking necessary steps to protect against them. While hacktivists' intentions may not be malicious, the outcome is often just as costly and damaging to an organization's reputation. Not to mention, it's a violation of personal privacy and information and places a target on an organization once their weaknesses have been exposed. Once a hacktivist compromises a system, and that information becomes public, the door is open for more nefarious activity.
What Hacktivism Has Taught Us
Hacktivism highlights the dual responsibility security professionals take on to not only protect intellectual property but also the confidentiality, integrity, and availability of personal data. What hacktivists unearth, as in the case of Verkada, are the weak spots within an organization — vulnerabilities that have been there all along and could have been taken advantage of by cybercriminals with much worse intentions. It's a call to action to all security professionals to be more vigilant and relentless in our approach to cyberwarfare.
Zero Trust vs. Hackers
Implementing approaches like zero trust is a great start to mitigate cyber threats. A zero-trust networking model asks for permission at each level of protection — it doesn't assume that once an entity is inside the network it is trusted or should have access to everything. It goes beyond traditional perimeter protection and acts as a second and third line of defense for personal information.
Teaming Up in the Fight Against Cyber Threats
In addition to specific security procedures, one of the best defenses against emerging threats is communication. Talk with the different departments within your organization to ensure you know what Internet of Things devices they are implementing and how you can best work together to keep an eye on vulnerabilities. Also, connect with your peers at other organizations about the threats they are seeing, attacks they have mitigated, and the new solutions they are implementing to fight those threats. In the fight against cybercrimes it is all organizations — across a variety of industries — against those bad actors. It doesn't have to be an individual fight.
At the end of the day we know security threats will never go away. They will keep escalating, and it is the duty of all security professionals to be in tune with emerging threats and tactics to combat them. But it isn't always hackers putting personal data at risk. We have seen cases in the past of federal agencies collecting data without considering the impact it can have on those in the crossfire. Hacktivism has taught us that the end goal for security professionals should always be protecting personal data, and that sometimes means being introspective about the ways an organization is gathering or using data — even if the intent (as with many hacktivism cases) is good.