You might picture a hacker as someone sitting in a basement motivated by a purely mercenary desire to rip off businesses. They want to extract data from you and sell it on the dark web.
But in 2022 and beyond, a different type of motivation for cyber attacks will continue to hit the headlines in larger numbers.
The hacktivist or cyber activist isn’t motivated by money. Their ire is drawn by companies that say one thing about their commitment to CSR (Corporate Social Responsibility) and then do another.
Yet even if you believe your business walks and talks in step when it comes to social and environmental issues, it’s worth understanding how your CSR can affect your cybersecurity.
What is a hacktivist?
Sometimes referred to as cyber activists, “hacktivists” are non-mercenary individuals or groups who target organisations whose actions have the appearance of environmental or social responsibility but none of the substance.
The likelihood that an organisation may be targeted by hacktivists increases as its actions climb the scale from small disconnects between word and action to full-on greenwashing, masking of poor practice, and actively trying to give the impression of doing good while doing the opposite.
This is a phenomenon that’s being actively studied. Researchers at the University of Delaware are tracking numerous cases of malicious data breaches where a company’s failure to “walk the walk” on CSR was at fault.
You can find the full results in their paper – “Too Good to Be True: Firm Social Performance and the Risk of Data Breach”. But, suffice it to say, they’re pretty convinced of their data, which can be neatly summarised as:
“The increased likelihood of breach for firms with seemingly disingenuous CSP records suggests that perceived “greenwashing” efforts that attempt to mask poor social performance make firms attractive targets for security exploitation.”
What sort of activities are hacktivist risks?
In the modern world, where information is increasingly accessible and transparent, companies can no longer so easily get away with certain “disingenuous” claims of the past.
You only need to look at the number of companies that have been actively called out for the disconnect between their words and actions recently. Without naming any names, the kind of actions that tend to draw the attention of hacktivists include:
- Poor employee relations or treatment
- Environmentally destructive practices
- Socially damaging actions
- Lack of engagement with diversity issues
- Product safety issues
A symptom of a larger trend
The actions of hacktivists are part of a much larger consumer trend – that we listed in our workplace of the future predictions this year – towards prioritising use of companies with stronger CSR records.
In 2022, and no doubt well into the future, we are seeing consumers willing to vote with their wallet when it comes to social, cultural, environmental, and political issues and how individual organisations meet their expectations in those fields.
Understand how CSR affects your cybersecurity
This all has a major impact on how firms of every size should think about how theoretically unconnected issues like their CSR policies can affect their level of cybersecurity risk.
One of the more subtle observations of the University of Delaware’s research is that understanding consumer perceptions of the difference between “peripheral” CSR efforts and “embedded” engagement is crucial.
In short, it’s no good making a big thing about how much money you give to charity or how much you recycle if you simultaneously burn down the rainforest or ignore diversity in your hiring practices.
And while few businesses take things to such an extreme, making sure that your CSR policies are in step with what your business does – and are embedded in the way you operate rather than a peripheral, unlinked addition – is key to keeping your cybersecurity out of the crosshairs of hacktivists.