Banks Under Attack: PR Missteps
Better Communication Needed in Wake of Outages
Because there is so much media coverage of these attacks, allegedly waged by a group calling itself Izz ad-Din al-Qassam Cyber Fighters, consumers are alarmed and confused about the security of their accounts. And the targeted banks are doing nothing significant to ease concerns, says Nowak, a principal research analyst with the ISF.
"The banks that have been affected are missing a great opportunity to communicate and educate their users," Nowak says. "I've tried visiting the sites, and there's nothing on any of the bank sites that says 'Here's what's going on; here's how you can understand it. Your information is safe.'"
Some third-party sites have tracked the attacks and outages well, he says, but the institutions themselves have been too quiet - which only heightens fears. "They seem to be regarding it as a secret," Nowak says. "They say 'Some people have access issues.' Well, people know they have access issues. [The banks] should be taking the opportunity to explain to their customers the difference between a denial of service attack and some sort of hacking attack that actually puts information at risk."
Nowak, an expert on this new phenomenon of hacktivism, says security leaders need to realize that these incidents are ideological attacks against the U.S., and banks are not the only potential targets.
"The attacks have nothing to do specifically with the activities of these banks - they were innocent bystanders," Nowak says. "The message is: This can happen to any organization, and they need to consider [hacktivism response] as part of their risk management."
In an interview about how organizations should respond to this new wave of hacktivist attacks, Nowak discusses:
- Why these DDoS attacks are successful;
- Flaws in institutions' prevention and response plans;
- How to properly manage the risks of hacktivism.
Also, don't miss Nowak's new webinar on hacktivist attacks: Hacktivism: How to Respond.
Nowak is a principal research analyst for the Information Security Forum, an independent authority on information security. He has worked on ISF research projects on hacktivism, cybercitizenship and securing mobile devices. He is also responsible for ISF's Information Risk Analysis Methodology (IRAM).