How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers
  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia
  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods (TCP, UDP, and HTTP) and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page

We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to people’s lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist groups, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong: alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (and beyond) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors that have been less common to date, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices was also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China, try to limit access by their citizens to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries, and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom by violating privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Alongside publishing tutorials on “safe browsing” of the Internet for the general public, the groups translate popular cyber tools for mass attacks and disseminate instructional manuals, translated into local languages, on how to use these tools.

Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivist groups presenting themselves with North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.

Turkish Hacking Group Cyber Warrior’s e-Magazine: TeknoDE

Cyber Warrior is one of the biggest hacker groups in Turkey. The group was established in 1999. Their first significant cyber-attack was in 2003, when they launched a massive operation against 1,500 U.S. websites in protest against the American invasion of Iraq and a specific incident where Turkish military personnel in northern Iraq were captured and interrogated by the U.S. Army.

Turkish Hacking Group Cyber Warrior

Cyber Warrior (CW) comprises teams for strategy, intelligence, logistics, R&D and a dedicated unit for waging cyber-attacks named Akincilar. In recent weeks, for example, Akincilar has attacked official government websites of countries that, in their opinion, discriminate against their Muslim populations.

Additionally, CW has been active in developing cyber tools and improving others. They even write instructional manuals on cyber security and have established a Cyber Academy, where they provide online training.

In September 2014, the group published their first monthly e-Magazine. The magazine is published on their online platforms and it includes cyber news items from the IT world, new technologies, cyber security, hacking news, programming and more.

September 2014 issue of TeknoDE

In their first issue, they featured a cryptography contest with the top prize of a book, mug and mouse pad.

Cryptography Contest

In their October issue, they reviewed the recently discovered Shellshock vulnerability, shared information on how to locate a lost mobile phone and discussed ways to hack into Gmail accounts, and aircraft and satellite systems.

October 2014 issue of TeknoDE

A couple of weeks ago, they produced the November 2014 issue, featuring articles about credit card fraud, new Android malware and interviews with Cyber Warrior founders.

November 2014 issue of TeknoDE

Currently, the magazine is in Turkish and it increases awareness of the cyber world for users, while promoting an interest in cyber security among them.

Members of the website and readers of CWTeknoDE will not only be motivated to hack, but with this magazine they will have a chance to learn more about the cyber world, its methods and its vulnerabilities.

HACKoDROID: An Increasing Tendency Toward Smartphone-Based Attacks

New smartphone technologies have made our lives easier. At the touch of a button, you can call a cab, pay bills, connect with your friends and even reach your personal trainer. On the other hand, the world of hacking and cracking now also has a lot of useful tools to hack your system and steal your data, using a smartphone.

We have recently seen the development and publishing of hack applications for smartphones on underground forums. The wide range of such tools means that anybody can find a suitable tool for dubious purposes. The items available include a variety of DDoS tools, wireless crackers, sniffers, network spoofers and more.

HackForum Post

Most tools are only available for Android smartphones, and many require root permissions. The most popular tool for cookie theft is DroidSheep. With the help of this tool, an attacker can collect all browsing data, including logins, passwords and more, merely by using the same Wi-Fi network as the victim.

Moreover, the attacker can connect to the victim’s password-protected Wi-Fi network. There are several Wi-Fi cracking tools; for example, WIBR+ uses uploaded password databases to identify passwords common to the victim’s network. Users can also upload and update these databases. Another tool – Wi-Fi Kill – is capable of shutting down any other device connected to the same network and can intercept pictures and webpages recently visited by users of this network.

More and more tools now include more than one hacking capability. The DSploit tool features such functions as password sniffers, cookie sniffers, browsing history sniffers, and webpage redirecting. Another program, Bugtroid, contains cracking and protection applications. The owner can choose the most suitable program from a list and install it in one click. The tool offers a variety of tools to suit almost every cracking purpose.

Sniffers and DDoS Tools

For iOS systems, there is a limited number of hacking tools, mostly in the realm of game cracking. Examples of such tools are GameGem and iGameGuardian. These tools break games for the purpose of stealing monetary units. The most common tool for iOS is Metasploit, which contains a number of useful applications for different fields.

The tools presented above are not new, but they represent the main capabilities in the field. We are seeing a growing tendency to use portable devices, such as smartphones and tablets, to conduct attacks in public places. Mobile devices and public Wi-Fi networks tend to be less protected and more vulnerable. With the help of data collected by mobile device, the attackers can perform more complex attacks via PC. As long as there is no protection awareness regarding mobile devices, we expect a continued increase in the number of smartphone-based attacks.

List of Hacking Tools

Gartner Identifies Machine-Readable Threat Intelligence as One of the Top 10 Technologies for Information Security in 2014

Last week Gartner, a leading information technology research and advisory company, highlighted the top ten technologies for information security and their implications for security organizations in 2014. Analysts presented their findings during the Gartner Security & Risk Management Summit, held here through June 26.

http://www.gartner.com/newsroom/id/2778417

The top ten technologies for information security are:

  1. Cloud Access Security Brokers
  2. Adaptive Access Control
  3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation
  4. Endpoint Detection and Response Solutions
  5. Big Data Security Analytics at the Heart of Next-generation Security Platforms
  6. Machine-readable Threat Intelligence, Including Reputation Services
  7. Containment and Isolation as a Foundational Security Strategy
  8. Software-defined Security
  9. Interactive Application Security Testing
  10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

We at SenseCy are great believers in item 6.

We have been providing contextual intelligence for the past several years (and will continue to do so), but felt that it was time to take this to the next level by providing structured feeds that can link directly into SIEM and other security infrastructure and automate to a greater degree the threat intelligence implementation process. Although we believe that M2M will take a greater role in cyber security, the role of the analyst will not be diminished, as there will be a greater need to analyze and filter the results prior to us releasing the feed to our clients (to maintain a very low false-positive alert rate). We also aim to engage the malware supply chain at an earlier phase than most, effectively obtaining and analyzing malware before widespread distribution, thus allowing our clients to prepare their security infrastructure by adding concrete identification parameters prior to infection.

An Aid to the Aspiring Cyber Intelligence Analyst (Part 1)

So you read all about the cyber underground and want to start snooping around? Well, knowing English won’t help you very much, as most communication at these online meeting places is in native languages, using unique slang. To help you, we bring you the first part of the cyber analyst terms table to assist you in your efforts.

Good luck!

table

Cyber landscape

Iranian Hackurity – Hacking Group or Security Firm

In the past few years, the penchant of the Iranian regime for legitimizing hacking groups and their activities in Iran has become increasingly evident. While cooperation between the regime and certain hacking groups in Iran remains a non-declarative action by the Iranian government, the remarkable coordination between the two sides cannot be ignored. This alleged coordination is evidenced in several cases where Iranian hacker groups appear to act according to government interests. Two such examples were the subdual of Iranian hacker activities during the nuclear negotiations and the lull in attacks against banks during the Iranian presidential elections.

That said, it was not unexpected for Iran to become a fertile ground for numerous hacking groups, some more prominent than others.

This legitimacy and the free-hand policy have indirectly created an interesting trend in the Iranian cyber arena – rather than hiding and masking their activities, Iranian hackers or hacking groups are presenting themselves as security firms. This new ‘security firm’ disguise, ‘Hackurity’ if you will, may appear legitimate from the outside, but a review of the individuals supporting these firms or managing them, reveals a very different picture.

Such was the case with the Iranian DataCoders Security Team and cyber security firm.

Since it commenced activities in 2010, and especially throughout 2012-2013, this hacker group has repeatedly breached American and Israeli websites.

Defacement mirror by the Iranian DataCoders Security Team

Additional examples revealed the possibility that the group is also operating under an Arab alias.

At the beginning of August 2013, an unknown hacker group calling itself Qods Freedom claimed to have waged several high-volume cyber-attacks against official Israeli websites and banks. In their Facebook account, they presented themselves as Palestinian hackers from Gaza. Consideration of Palestinian hacker capabilities, together with an examination of the defacement signature left by ‘Qods Freedom’, has led us to believe that the group has connections with Iran. One of the Iranian groups that used the same signature on the exact same day was the Iranian DataCoders Security Team.

It appears that the Iranian DataCoders is going to a lot of trouble to maintain its legitimacy as a new security firm, rather than sticking to its former title as a hacker group.

The group’s new web platform – DataCoders.org

Another hacker group recently caught in the spotlight is the Ajax Security Team (AjaxTM). As in the first case, with its misleading decline in defacement activity, AjaxTM started to run a new platform – a security firm by the name of Pars-Security (Persian: شرکت امنیتی پارس پردازش حافظ).

According to a list posted in 2012 on an Iranian computer blog, the group is ranked among the top three Iranian hacker groups at that time, and is mostly active in the fields of training, security, penetration testing, and network exploits and vulnerabilities.

The group leader is Ali Alipour, aka Cair3x, who operates an active blog, where he describes himself as “Head of the Ajax Security Team.” Alipour is a former member of one of the oldest and most prominent hacker groups in Iran – “Ashiyane Digital Security Team” – and is credited with perpetrating some of the exploits and defacements by the group. He was also listed on several forums as “one of Iran’s most terrible hackers”.

‘Pars-Security’ provides various services to the private and business sectors, including penetration testing, security and web programming. One of their most popular products is a technical guide entitled “Configuration and Server Security Package,” produced in cooperation with AjaxTM.

The company CEO is the AjaxTM leader – Ali Alipour – and the contact details on the Pars-Security website are his.

Pars-security.com contact details

Although the ‘About us’ section on the site discloses that the company enjoys the support of the AjaxTM members, there is good reason to believe that the company is actually run by the Ajax Security Team themselves.

Another example of the tight relations between the ‘formats’ of Iranian hacker groups and security firms is the Mihan Hack Security Team. Since 2013, this group’s forum has been inactive, and was probably disabled by the group itself. With its forum and old website down, Mihan Hack has begun to reposition itself as a legitimate security firm.

Mihan Hack Security Team Website

The above-mentioned groups are just an example of the ‘hackurity groups’ trend in Iran. Our monitoring of the Iranian cyber arena has revealed more and more hacker groups once renowned for their defacement activities and hacking tool development, who have started to position themselves as ‘white hat’ security advisors and small Information Security (IS) consulting companies. The idea of active hackers supporting security firms and providing security services is not new, but is especially intriguing in Iran. The ‘former’ hacker groups that might be government-affiliated or supported are opening their own security firms rather than supporting existing firms and promoting self-developed products.

This action, accompanied by a decline in the declared activities of the group, can divert attention from undercover activities and allows the group to operate more freely – a valuable resource for any hacker group, especially an Iranian one, due to the ever-growing global interest in Iran’s cyber activity.

Q&A with Ruth Kinzey: The Reputation Impact of a Cyber Breach – What Are the Potential Risks and How Can Organizations Mitigate Them?

Written by Ruth Kinzey

As current events clearly illustrate (Adobe, Target and eBay breaches), there is more to a cyber breach than lost data – a massive cyber incident also has the potential to deeply harm the victim company’s reputation. Today we would like to explore the issue of reputation management with regard to cyber threats.

For this we have invited Ruth Kinzey, who kindly agreed to share her views on the topic.

Ruth Kinzey, MA, is a reputation strategist with more than 35 years of communications experience. Ruth is a professional speaker, consultant, author, trainer, and adjunct faculty member of Rutgers University. She is founder and president of The Kinzey Company, an organization dedicated to helping clients proactively and strategically enhance and protect their reputations.

Ruth Kinzey

Q: How does strategic reputation management differ from PR or online reputation management?

Both public relations and online reputation are part of the strategic reputation management equation. Being strategic about an organization’s reputation means taking a holistic view by analyzing multiple audiences and communication channels; determining how well aligned the company is within itself; and examining the context in which the business operates. The organizational context takes into account the potential impact local, national and even international events can have on an organization’s reputation in addition to what is happening in the institution’s industry or sector as well as the culture of the firm.

The goals of strategic reputation management are to proactively enhance an organization’s reputation and to help protect it in times of crisis. Consequently, it’s also necessary to understand the organization’s current reputation as well as its reputational goals.

Q: What are the challenges of reputation management in today’s world of cybercrime and cyber warfare?

The cyber world is a bit like the “Wild West.” Laws are not consistent from country to country. Judicial rulings are challenged to keep pace with cyber crime. And while breaches, which impact the privacy of individuals and organizations, can be significant – even catastrophic, the perpetrators must be caught before they can be dealt with aggressively. So, the problem with “cyber lawlessness” is that it financially victimizes the institution and its many stakeholders and can tarnish reputations. This is why every organization should assess and manage its cyber risk.

System vulnerabilities must be identified, prioritized, and mitigated as much as possible. Because hackers are enterprising and highly likely to find weak links in the operating system that an organization may not even realize are present, a crisis plan should be created, too. That way, when a company – or even a nonprofit – is in the midst of dealing with some type of “cyber atrocity,” the organization isn’t trying to make important decisions such as when to notify government agencies, law enforcement, and customers. The institution also isn’t scrambling to determine the best way to contact customers or shareholders or what they should do to help clients or employees best manage the breach.

Without developing cyber risk mitigation measures and carefully constructing a crisis plan, an organization is going to lose more than data. The breach will lead to a reputational disaster, too, because the company will not be prepared on either front. Depending upon the degree of damage that occurs, the business may or may not be able to recover.

Q: Do you think today’s C-suite and upper management understand the impact a cyber incident could have on the organization’s reputation? And, do you believe they are doing anything to mitigate it?

One cannot listen to the news without recognizing the likelihood of a cyber attack. And, there are many businesses – even departments within the government – that have experienced data breaches. Consequently, there are case studies explaining what happened, how the organization managed the crisis, and the resulting reputational impact. So, senior leadership understands cyber crime is a very real threat to an organization’s operation and reputation.

However, is upper management doing anything to mitigate it? That is a very different question. And, the response varies from company to company.

Dealing with cyber crime requires vigilance and money, particularly as hackers become more and more sophisticated in their techniques. Senior leadership and the government are recognizing the importance of collaboration and information sharing. Industry and professional organizations are realizing they have a role in bringing together members to focus on the cyber crime issue and to help tackle this worldwide problem as well.

Q: Which is more harmful: insufficient security of corporate information or customers’ information? What could lead to greater reputational damage?

Both are harmful and both have the potential of damaging reputations. Depending upon the amount and type of data compromised, an individual could experience financial devastation and significant reputational damage. The actions of a business – before, during and after a cyber attack – could result in catastrophic financial implications as well as a severely damaged reputation.

People want to know the company has taken appropriate measures to protect data and that the business is doing all it can to keep personal information safe. In addition, the public wants a trustworthy business partner that keeps them informed about security issues and is willing to help them during the aftermath. A company not perceived as behaving in a proactive and trustworthy manner will experience even greater reputational damage.

Q: How can reputational damage be contained?

It is impossible to entirely contain reputational damage because an organization’s reputation is ultimately in “the eye of its beholder.” Having said this, there are steps a business can take to help reduce the severity of reputational damage.

First, it is important for the company to proactively enhance its reputation through actions such as exemplary customer service, ethical and transparent conduct, and environmentally and socially responsible behaviors. Model performance builds trust and goodwill. This positive reputation helps the public believe in the good intentions of the organization, which causes a more favorable opinion and generates support during times of trouble.

Having a crisis management plan, which includes communication, will help an organization better protect its reputation when in the midst of a cyber attack. Minutes count in any crisis, so having protocols and procedures established improves an organization’s responsiveness to the situation and enables the firm to respond to its many stakeholders in a more thoughtful, strategic manner – both during and after the cyber crime.

Q: Can reputational data be measured?

Yes. But the methodology can vary, depending upon what is being measured.

Insurance companies are paying closer attention to the impact a negative reputation has on a company’s success. Some insurers even offer public relations or media relations assistance when they become aware of potential crises being faced by clients. Other agencies offer reputation insurance because they are keenly aware of the financial impact involved when reputational loss occurs.

If publicly owned, the investor relations department may judge the degree of reputational capital the organization has by factors such as the stock price or number of investors; whereas, the marketing department may measure the number of lost customers, customer feedback, and overall lagging sales. On the other hand, the media relations department may judge the status of the company’s reputation by the types of media inquiries, the tone of articles, the frequency of references to the company in relation to a security breach, or other even more sophisticated parameters. And, there are many online agencies that examine the social profile of a business and offer reputational insights in conjunction with this.

So, reputation – both positive and negative – can be measured. But, it is important to know exactly what you are trying to measure and to have objectives clearly in mind before selecting the best form of measurement to capture this information.

Q: Can an organization’s reputation recover after a cyber attack?

It is possible for an organization to recover after a cyber attack. However, this is primarily dependent upon the company’s actions before, during and after the occurrence of this crime.

The public wants to know the firm took appropriate precautionary steps. Were systems in place to help mitigate such attacks? Was management vigilant, and were issues escalated upon detection?

Also, were victims – and potential victims – notified quickly about the compromise in security and kept abreast as to how their data was affected? Even if a firm doesn’t know the full implications of the breach, it’s a good idea to offer general information and to provide suggestions for protecting personal data.

Not only is a company’s conduct important prior to and during the unfolding of a cyber attack, but people judge a business on its behavior after such an incident. Does the firm demonstrate its understanding of the gravity of the situation? What actions will it implement to try to protect against the same type of situation occurring again? Are people within the institution being held accountable, particularly if the event was preventable or could have been better contained? Is the organization trying to help victims by taking steps such as offering free credit monitoring?

Overall, the public can be amazingly forgiving, if a business has a good reputation and demonstrates exemplary conduct in how it manages a cyber attack. If this is the case, even if there is a dip in stock performance or lower sales in the short term, people will return. However, if the business has not been proactive in trying to protect its data, lacked transparency in its reporting, or failed to demonstrate its genuine regret for what happened, it will be much more difficult to regain customer, investor, government and public trust.