"Picking a lock could make you a burglar. Or a skilled locksmith."
How to protect your firm from a cyber attack
Should you hire hackers to protect your company's cyber security?
October 2015. Executives at UK based phone and internet service provider TalkTalk made a shocking revelation: One of the company's databases, containing customers' personal information, had been breached by hackers. The cyber criminals had accessed names, phone numbers and details of bank accounts and credit cards relating to around 157,000 individuals.
When it comes to IT security, the penalties for complacency can be steep, as TalkTalk's management team discovered following their disclosure. During the financial quarter in which the attack took place, the company experienced a ￡15 million ($19 million) impact on trading and lost some 95,000 customers. On top of that, it had to spend a whopping ￡42 million ($53 million) in "exceptional costs" relating to the attack: restoring online capabilities, upgrading IT security, hiring consultants and offering free upgrades to disgruntled customers.
And then in October 2016, TalkTalk was slapped with a ￡400,000 ($500,000) fine by the Information Commissioner's Office, a record penalty from the UK body charged with enforcing the Data Protection Act.
Others have also been hit by similar attacks.
When customer information was stolen from Sony's PlayStation video games network in 2011, the company spent around $15 million in the US settling lawsuits arising from the incident and was hit with a ￡250,000 ($300,000) fine in the UK. To avoid such minefields, companies are increasingly looking to hire so-called "white hat" hackers – skilled IT security experts who probe systems for weak spots.
These white hats, also called "ethical hackers," provide an opportunity to preemptively fix vulnerabilities before they are exploited by criminals – or "black hat" hackers. The terms "white hat" and "black hat" have their roots in the symbolism of old Western movies, where the good guys wore white hats and the villains wore black ones. These terms describe an approach to IT security rooted in the idea that, in order to beat criminals at their own game, a company needs people on its side who are able to think and act like them.
They must be able to use the same tactics: find vulnerabilities in IT systems and then test them to see how they might be exploited in order to gain access to underlying databases – a process known as "penetration testing" and an important element in the ethical hacker's playbook.
Thinking like a hacker
Certain industries are further along in accepting white hats than others, says Vince Warrington, an IT security advisor who has worked on projects for organizations such as Diageo and GlaxoSmithKline. The financial services sector has a pretty good understanding of how hackers think, he says, as do the public sector bodies that guard state secrets. "[Other industries] are still in the mindset that 'We have to defend the castle,'" he says, adding that they need to come at it from the attacker mindset.
For those that have made the switch in thinking, however, maintaining an internal white hat team comes at a cost. That's not just the salaries that skilled personnel expect, says Warrington, but also the constant pressure to keep white hat skills up to speed in the face of increasingly sophisticated attacks. With that in mind, some organizations turn to third-party specialists. For those that go down this route, there will be no shortage of offers of help – at a price. This is a crowded market, in part because many white hats have recognized that they can make more money on the open market.
There are also serious questions about trust. "There's a certain nervousness around the fact that you're giving outsiders privileged access to key systems, no matter how stringent the non-disclosure agreements you ask them to sign," says Warrington. That makes the market for ethical hacking skills a "lemon market," says Rowland Johnson, an executive at CREST, a nonprofit providing accreditation and certification to the information security industry.
The term "lemon market" coined by Nobel Prize-winning economist George Akerlof describes a situation where sellers know more than buyers. He uses the usedcar market as a comparison, where there are good cars for sale and dodgy ones (or "lemons"). The seller knows which is which, but most buyers can't differentiate between the two. The same applies to the market for ethical hacking, Johnson says, which is why CREST doesn't just focus on the certification of individual testers, requiring them to undergo extensive training and to re-sit exams every three years, but also the accreditation of the organizations for which they work. That involves them demonstrating appropriate policies, processes and procedures for protecting client information.
According to Johnson: "This is highly sensitive work, so companies need to be very clear exactly who they are dealing with and confident that they meet a set of extremely high standards when it comes to data protection."
When the best approach is hacking the hackers
Some organizations take a novel approach to tackling IT security problems. This involves organizing white hats into a "red" team that works separately from the "regular forces" who manage day-to-day operations, monitor attacks and remediate security flaws – the "blue" team. The red team poses as the enemy, exploring ways to carry out attacks. For penetration tester Gemma Moore, a founder of UK-based IT security firm Cyberis, staging this kind of exercise is the most thrilling part of the job. It's very useful because developers of systems don't tend to think in the same way that penetration testers do, she says. "Our first thought, always, is 'How are we going to break this?' and that can be a real education for a client." And the sooner companies reap the benefits of those lessons, the better: The best defense, after all, is to hack the hackers themselves.
This article by Jessica Twentyman appears in our Think:Act Magazine Trust.