Stalking is an issue that many CISOs have faced, sometimes unexpectedly. Some stalking cases clearly fall within our job duties. For example, an employee using company IT resources to harass or spy on another individual, employee or not. In these kinds of cases, it is clear that the security team must reach out to the company’s Human Resources and Legal departments to facilitate disciplinary action and mitigate damage.
However, there are other kinds of stalking situations in which a CISOs actions are a bit fuzzier. I’ve been involved in several cases where an employee was being stalked by someone external to the organization. It’s not a stretch to say that most employees being stalked are female, because statistics show that four women are stalked for every man stalked.1
Note that I didn’t specifically call out cyberstalking, since a quarter of real-world stalkers use cyber techniques, as well.2 It’s happening more often because technology and hacking tools are so common. And there are cyberstalkers who work solely online, too. As far as I’m concerned, the cyber tools and techniques used by cyberstalkers and stalkers are similar enough that we should be prepared to cover both. However, be aware that real-world stalkers represent a greater physical threat than anonymous cyberstalkers.3 Regardless, stalking victims live in fear.
The first question is, should you help them? As the head of security in an organization, you may be the only person that employees can turn to for personal security problems. I realize there could be some personal or corporate liability with providing “official” advice and help. Nevertheless, I always felt my job was to protect the organization as well as its staff.
The second question is, can you provide any substantial help? Some CISOs who have a strong background in law enforcement not only know what to do but can also pick up the phone to leverage former police associates. Other CISOs who might not have that background could feel they are in over their heads. For those CISOs, remember that there are security professionals with skills and experience that can help. Obviously, you should refer the person being harassed to resources like the Stalking Resource Center,4 the Office of Victims of Crime5 and, of course, local law enforcement. In the cases I have been involved with, the victims had already been working with these resources because they needed help at the work place.
Beyond the basics, such as making sure the physical security of your facility is sound and the guard staff is alerted to the threat, what else can you do? As an IT security professional, you can provide advice on how victims can secure their computing devices and their email and social media accounts. Stalkers often try to subvert technology to spy on their victims.6
What else? Let’s look at the primary techniques of the cyberstalker:
- Email threats and harassment from a variety of accounts
- Disguising themselves online so they can re-establish contact with the victim
- Contacting co-workers via phone or IT methods to smear the victim
- Impersonating the victim to sign them up for unwanted services or emails
- Releasing personal information about the victim (doxing)
Given that victims of stalking should be keeping a log of all incidents and gathering evidence, there’s quite a bit you can do to assist them. Targets of physical stalkers often have restraining orders in place against their aggressors, which legally limit physical and electronic communication.7 Evidence of unwanted contact is vital to bringing these perpetrators to justice. An IT security professional should have significant expertise in gathering electronic evidence. In addition, security personnel can modify existing IT controls and procedures to further protect the victim, such as requiring additional checks for password resets, removing the victim’s contact information from any online corporate publications, and adjusting email filters.
There are also cases when cyberstalking and its evil cousin, cyber harassment, can endanger corporate assets. Attackers can try to breach company networks, infect company computers, and in some cases, launch retributive DDoS campaigns. I was involved in a case where a developer was being cyber harassed, which escalated into a denial-of-service attack that affected the entire company. There have also been cases of bomb threats, swatting8 (false calls to police to elicit an armed response), and even sending an animated strobe image to induce a seizure in a victim known to have epilepsy.9 When emotions run high, things can quickly become dangerous. This is another reason why CISOs need to keep an eye on any cyberstalking incidents and capture evidence to support legal action.
I’ve only touched the surface of the stalking problem, but it’s my hope that more security professionals and CISOs will familiarize themselves with this crime. As hacking tools become more powerful and simultaneously easier to use, the cyber threat capability of emotionally disturbed individuals will heighten.