
Internet activism a growing concern for risk managers


NEW YORK—It is understandable if risk managers and other corporate executives are not exactly sure what to make of the Internet activist group known as Anonymous, according to Christopher Soghoian, a graduate fellow at the Center for Applied Cyber Security Research in Washington.

While much of Anonymous' notoriety has been achieved through its efforts to thwart government-sponsored Internet censorship, oppression and other human rights violations—the group has been widely credited with a key role in the 2011 Arab Spring uprisings—the group also has frequently targeted corporations it feels have acted against the public's interest, Mr. Soghoian said during a presentation at the third annual Business Insurance Risk Management Summit® in New York.

“Anonymous has engaged in a huge number of high-profile attacks that have been extremely embarrassing for many companies,” Mr. Soghoian said. “These attacks are significantly impacting a lot of bottom lines, and for a company that is on the receiving end of one, it can seem like it came out of nowhere.”

Unlike cyber criminals and government spies whose primary objectives in accessing protected corporate files are typically money and trade secrets, respectively, Mr. Soghoian said Anonymous' private-sector attacks are usually meant to disrupt business operations or publicly shame companies deemed to be infringing on Internet users' freedoms, including technological development.

In April 2011, Tokyo-based Sony Corp. reported that more than 100 million consumer accounts had been compromised in a series of attacks on its PlayStation Network servers, which were taken offline for nearly a month. Days after the attacks, Sony executives said evidence indicated that Anonymous had committed the hacks, supposedly in retaliation for the company's lawsuit against a New Jersey programmer who had published his hacks of its PlayStation 3 gaming console.

A statement posted in May 2011 on an Anonymous-affiliated blog declared that the group did not officially sanction or condone the attacks, but that individual members may have carried them out on their own.

Mr. Soghoian said the breaches—which reportedly cost Sony in excess of $170 million—highlight the elusive nature of the organization and the devastating financial and reputational impact it can visit upon corporate entities.

“Not only did it cost the company about $171 million, but the company's reputation was left in tatters,” Mr. Soghoian said.

Conversely, Anonymous' January 2010 attempts to shut down PayPal, the online payment operation owned by eBay Inc.—along with the websites of MasterCard Inc. and Visa Inc. in retaliation for their cutting ties with WikiLeaks—were largely ineffective. The difference between those incidents and the Sony episode, Mr. Soghoian said, comes down to the firms' respective levels of sophistication in breach prevention and response.

“An attack by Anonymous doesn't have to take down your entire firm, but it can if you have poor security,” Mr. Soghoian said.

Companies concerned with becoming Anonymous' next target can take steps to minimize their vulnerability to the group's activities, Mr. Soghoian said. In the first place, firms should exercise caution when considering legal action against developers who publish hacks and workarounds to their proprietary software.

“Make sure your efforts are focused on engineering and not legal retaliation,” Mr. Soghoian said.

“Everyone has a right to build software that protects your business model, but people in the technological community don't like it when you use lawyers to enforce that protection. You gain nothing by threatening someone.”

Mr. Soghoian also advised companies to account for the personal reputations of executives, noting that the group also has been known to publish compromising photos and messages mined from personal social media and email accounts in its efforts to shame a corporation.

Companies also should consider whether any of their operations, policies and business relationships directly or indirectly contribute to activities that could be construed as censorship, surveillance or other violations of individual rights.

“If you're in doubt, talk to your in-house Internet cultural experts in your IT department,” Mr. Soghoian said.

“Technologists know intrinsically how the Internet will react to your activities. You all employ these people, so use them.”
