The Business Times

The security risks of taking a stand

Heng Mok
Published Thu, Jul 28, 2022 · 03:00 PM

ORGANISATIONS face increasing internal and external pressure to take public stands on issues unrelated to their core business. Examples include a broad range of social, political, and global events, which seldom involve the business directly. While the merits or flaws of organisations engaging in sociopolitical discourse are arguable, the fact that doing so creates security risks is undebatable. The question is, how should chief information security officers (CISOs), chief information officers (CIOs), and other security leadership deal with the inevitable risks that arise from their company taking a public stand?

When an organisation chooses one side of a divisive topic, it inevitably alienates those who strongly disagree. Segments of the organisation’s customer base, employee pool, and professional connections will become disenfranchised.

Their disappointment with the organisation, when expressed in a healthy manner, may lead to people berating the company on social media, employee resignations, or calls for boycotts. When expressed in an unhealthy way, there is a risk that individuals or external organisations may decide to take direct action against the company through many means, including data exfiltration, denial of service, spamming or voice phishing. In fact, in 2019, The Times of India reported that ideological cyberattacks were outpacing physical attacks.
