Inviting the hacker in

Collaboration with white hat hackers can improve a company’s security posture and expose vulnerabilities before it’s too late.

Every company has sensitive data needing protection. Employing a team to focus on how to protect this data is vital. It is no longer a question of if you are hacked but when you are hacked. White hat hackers can help companies understand the risks and why managing those risks should be a top priority.

Security efforts and results do not always share a linear relationship. Aleksander Yampolskiy, Ph.D., is co-founder and CEO of New York-based SecurityScorecard, a leading security risk benchmarking company. Yampolskiy explains how the 80/20 distribution, known as the Pareto Principle, applies to security measures.

“The big problem in cybersecurity today is that 80 percent of the budget goes toward reactive solutions like intrusion detection systems, firewalls and antiviruses,” Yampolskiy says. “Those types of solutions catch less than 3 percent of threats. Only 20 percent of the budget goes toward proactive solutions, where you are staying on top of what the hackers are doing by signing up for threat intelligence feeds and hiring penetration testing companies. Those proactive approaches stop more than 50 percent of threats.”

The 2015 Verizon Data Breach Investigations Report estimates the financial loss from 700 million compromised records last year at USD400 million. Among all security incidents, the common denominator across the top three breach categories — point-of-sale intrusions, crimeware and cyberespionage — was human involvement. And the data suggests that attacks are becoming more effective. On average, it takes just 82 seconds for a phishing message to get its first click, and 23 percent of the recipients actually open it.


Security protocols and defenses
Security awareness education should be the first focus. Every company should train its employees in basic security protocols: what to be aware of, which websites are safe to visit and how to handle a threat. Compromised credentials are like keys to the front door and account for more than 40 percent of threat actions.

“Smaller companies may not have the technical sophistication, so the likelihood they are not following the common best practices that larger organizations employ — like making sure employees are resetting passwords every 90 days, aren’t opening emails that may put a virus on the computer and aren’t using their corporate email and password on social media sites — is very high. Right there is the path of least resistance for a hacker,” says Sam Kassoumeh, chief operating officer and co-founder of SecurityScorecard.

In addition to spending more on shoring up security defenses internally, companies should consider an outside expert and hire a penetration-testing firm. A team of white hat hackers — also known as ethical hackers — uses its skills, tools and knowledge to break into a company with the goal of improving its security posture. The tests can be quite effective in identifying a company’s security weaknesses, and a one-time assessment typically costs between USD15,000 and USD40,000.

“Having white hat hackers onsite at least once a year, if not once a quarter, is a mandatory minimum,” Kassoumeh says. “A white hat firm can give your organization a security physical. They’re going to be excessively intrusive and try to take down your system and that is how you want to prepare for the worst. The return on a security investment isn’t necessarily visible until a hacker tries to break in.”

Yampolskiy hired a team of white hat hackers to conduct a simulated attack on the online shopping site Gilt Groupe. The penetration succeeded by exploiting the human element: the testers sent a developer’s résumé as a Microsoft Word document crafted with malware to several mid-level employees. When the document was opened, the testers established a backend communication channel. That outside perspective gave Yampolskiy insight into security gaps, including employee security awareness.

How safe are third-party vendors?
The increasing use of third-party vendors for storing and processing a company’s sensitive information is becoming a greater security risk for companies, warns Yampolskiy. If those services are compromised, the company’s data is automatically breached as well.

“We’re part of an ecosystem,” Yampolskiy says. “A lot of the business functions like storing files on Dropbox, using Gmail and sending email campaigns are outsourced to the cloud. How do you know if those partners and suppliers are being as diligent as you are when it comes to protecting your data? You have no idea. Most companies vet the security of their partners with pen-and-paper questionnaires.”

To get ahead of potential threats, businesses can work with white hat penetration testers to gain visibility into external threats from third-party partners and providers, to evaluate potential vendors and to expedite the procurement process.

As part of their proactive security efforts, companies such as Facebook, Google, Microsoft and United Airlines reward individuals for exposing security flaws through established bug bounty programs. There are also platforms like HackerOne, where companies, including Adobe, Dropbox, Square, Twitter and Yahoo, work with a network of hackers — by invitation or open to the public — to locate external security weaknesses.

“What these programs are effective at is enumerating the path of least resistance so you can focus your effort there,” says Alex Rice, co-founder and CEO of HackerOne. “But if you’re not investing in security within your organization and able to incorporate what you learn back into your development program practices, you’re likely getting ahead of yourself by inviting hackers to do it. We have not had a single customer launch without a hacker finding a vulnerability within the first 24 hours.”

Chief executives who prioritize security best practices, raise threat awareness, invest in external resources and monitor vulnerabilities will demonstrate a commitment to cybersecurity and better protect the business.

“The most important thing to keep in mind is that nobody gets security right. Everybody is going to miss something,” Rice says. “And the best thing you can do is ask a few experts for help and to point out what you missed. Let those findings prioritize where you should be spending your efforts because there’s nothing worse than wasting the limited resources you have on the wrong initiative.”

The cumulative impact of these efforts can be profound — generating results from the proactive 20 percent of spending rather than the far less effective reactive 80 percent.

(The article is contributed by Melissa Fleming, YPO Writer)

(YPO is the global platform for chief executives to engage, learn and grow. YPO members harness the knowledge, influence and trust of the world’s most influential and innovative business leaders to inspire business, personal, family and community impact. Leadership. Learning. Lifelong. For more information, visit)