When is a Hack Not a Hack?BofA Incident Highlights Need to Communicate About Outages
"It wouldn't be the first time a hacktivist group used a denial of service attack to express their displeasure over a company policy," said Julie McNelley, a fraud analyst at Aite.
As it turns out, BofA's sporadic outage, which affected customers for five days, resulted from internal upgrades. In short, there was no hack.
But the public today cannot be blamed for jumping to cyberattack conclusions. From the breach of e-mail marketer Epsilon and the online gaming arm of Sony, to the hack and compromise of RSA's SecurID tokens, which impacted government contractor Lockheed Martin and others, online cyberattacks have become common occurrences.
That's one reason why the latest threat against the New York Stock Exchange, allegedly made by Anonymous, garnered so much media attention. No one can afford to ignore the threats and subsequent risks associated with even rumored cyberhacks and breaches.
"Assuming it's an attack or breach is now the default response," says Neal O'Farrell, founder of the Identity Theft Council. "What added to the skepticism was the fact that Bank of America's website was out for so long."
People are skeptical, especially when the possibility of a breach is involved. "Cynicism prevails, especially over the reluctance of breach victims to come forward and fess up," O'Farrell says.
Renewed Focus on Internal SystemsDamage control is a difficult topic to tackle. Consumers and security experts are programmed to make assumptions. What organizations can do is turn more focus inward, by working on internal processes and systems testing to prevent outages.
"Organizations just need to do what they can to ensure they don't have outages," says Gartner analyst Avivah Litan. "They do focus on fraud prevention, but they don't have as many resources dedicated to internal processes to fight the devil within."
Banks, especially, Litan says, are more concerned about outside threats than internal controls, and many are missing the mark when it comes to managed processes. "It's the internal oversights that can cause a lot more damage," she says.
In BofA's case, Litan says, the sporadic online outages likely could have been prevented with more thorough testing of upgrades before going live.
Luckily, more organizations are giving those kinds of internal processes the necessary attention. "Honestly, it's more about process deficiencies that relate to fraud than it is fighting the bad guys," Litan says.
But the world is facing a new age. "We're always assuming it's cyberattacks," Litan adds. "That's a natural reaction, regardless of the industry."
Get the Word OutBeyond process improvement, organizations must focus on communications. [See BofA's Site Outage: PR Nightmare.]
Security privacy expert and attorney Kirk Nahra says organizations have to react quickly to these situations, and that means they must have an upfront understanding about the type of incident with which they are dealing. Did a server attack lead to a system overload, with no information compromised? Or was there no breach or attack at all? And what if you're not quite sure what happened? It's a fine line organizations have to walk.
"I'm always leery about advising my clients about generalizing too much," Nahra says. "Every situation is different."
From a legal perspective, if the assumption is that no personal or sensitive information was compromised, then legal concerns take a backseat to public-relations. "With that assumption, that no personal information was revealed, I don't see a legal requirement to do anything," Nahra says. "If there's not a breach, I'm not sure there would be any legal issues. If you are just trying to inform the public of what actually happened, that is purely a PR issue."
PR is a big concern, especially in today's environment of real-time communications dissemination.
Businesses can't fight the cyberattack presumption, but they can respond to it. "The old culture is, 'We're going to figure out what happened and then tell you,'" says Andy Greenawalt, CEO and founder of Continuity Control, which provides web-based software for financial institutions. But that won't in a world that's now filled with tech-savvy consumers and blog-happy readers. "You see these web companies like Amazon that respond really fast, just to say there's an issue and they're addressing it," Greenawalt says. "Big corporations like BofA are not used to doing that."
Matt Kamer, a partner at Bandy,Carroll, Hellige, a public relations and marketing firm, says the proliferation of blogs and social media, as well as other real-time communications modes consumers use to communicate, have amplified the need for organizations to respond quickly when anything out of the ordinary garners public attention.
"It highlights the importance of transparency," Kamer says. "Social media has changed how issues like this have to be responded to."
This scenario poses yet another reason why organizations must embrace social media as a way to disseminate information. "You would have to have an established following with some of those outlets to get that word out quickly," Kamer sys. "And the traditional news media are using social media to develop sources as well."
If an organization has an established social networking presence, either through Twitter, Facebook or both, for instance, it could use that presence to push information to beat reporters who are followers.
Kamer also recommends organizations, especially governments and municipalities, take advantage of text/SMS alert communications. "In a crisis situation, you see more city governments using text messages as a way to communicate with citizens and neighbors," he says. "I think that's an emerging practice, and it's proven quite effective."