Cyber threats are increasing in rate, variety and sophistication: UK businesses had to combat an average of 686,961 hacking attempts of their online systems over the course of 2020. In response, corporations, institutions and governments must make their IT security a firm priority to mitigate threats. High profile incidents keep occurring, from the Irish Health Service executive cyber breach, to British Airways’ £20m fine following a major GDPR breach, and the Colonial Pipeline’s costly ransomware attack.
A discipline known as ‘ethical hacking’ can help organisations looking to bolster their security. It provides a way for organisations to authorise penetration testing to assess their IT system’s defences. For organisations, plugging these weak spots can make the difference between paying hundreds of thousands in ransom and avoiding days of business downtime, and between exposing and maintaining the privacy of millions of sets of sensitive data. Having internal, dedicated IT security staff, fully trained in ethical hacking practices, will prepare organisations and help mitigate future threats.
How can hackers be ethical – and why are they important?
The word ‘hacker’ tends to conjure up sinister images, but what many people tend to overlook is the fact that hackers can actually be ‘good guys and gals’ too. These are typically referred to as ‘white hat hackers’ as opposed to ‘black hat hackers’ – that’s to say, the bad guys.
While there is no official definition or set job description for an ethical hacker, they are computer and penetration-testing experts with an in-depth knowledge of how operating systems, software, hardware, websites, networks, and humans work. They approach these elements from the perspective of malicious actors, with an owner’s or organisation’s permission, to identify system vulnerabilities and then secure and protect them.
For businesses, employing ethical hackers is exactly the kind of proactive approach that will give them the advantage in combating cyber criminals and protecting their systems and subsequently their operations, sensitive data, and funds. This is especially true, as a large number of businesses fail to realise how much of an easy target they might be. According to Varonis, a data security and analytics company, companies only protect a terrifying 3% of their folders. Recognising their potential vulnerability, some organisations, like Apple and the US military, even offer rewards to those who can find and report vulnerabilities.
Value and momentum in an evolving world
As technology evolves, hackers and their techniques evolve in tandem; compared to 2019, 2020 saw ransomware attacks increase by 485%, and distributed denial of service (DDoS) attacks increase by 154%. By employing benevolent experts in the field, companies can stay abreast of these trends, which is an effective way to protect their systems.
Many large-scale businesses that are constantly under attack employ in-house white hat hackers who work full-time. This is a growing trend, as the new reality of remote working catalysed by the pandemic increases businesses’ attack surface: employees and devices are widely distributed rather than kept to single buildings and networks.
These employees become links in a growing chain and are often unaware of the role they each play as gatekeepers to the business. According to Varonis, employees each have access to an average of 11 million files on their work devices, posing a substantial risk to any firm not actively taking steps to avoid cyber threats.
Hackers are also increasingly targeting specific sectors. The percentages of businesses attacked in the key industries of technology, media and telecoms (56%), financial services (55%), and energy (54%) were up from 44%, 44%, and 40% respectively in 2020.
Challenges and opportunities for businesses
Ethical hacking is an effective, authorised way to test security defences; by minimising damage from breaches, it also helps firms stay competitive and flexible and retain customer confidence and loyalty. Indeed, firms qualifying as experts in a cyber readiness modelling report by Hiscox were less likely to suffer a ransomware attack, less likely to pay up, and recovered more quickly.
However, the single biggest challenge for businesses looking to develop internal ethical hacking capabilities is the growing skills gap; estimates suggest an additional 4 million cyber security professionals are needed globally to close it. In the UK, a basic technical cyber security skills gap exists in 50% of private sector businesses, and one third have a more advanced technical skills gap, in areas including penetration testing.
Attitudes towards ethical hacking are changing as hiring and training practices are opening up to a wider pool. Employers are beginning to realise that unconventional education paths in this domain are more commonplace and acceptable, so long as the overall job gets done. And with 81% of white hat hackers having learned the majority of their skills through self-directed online educational materials, university-style qualifications aren’t always the most effective.
Businesses can be proactive in upskilling internal IT experts horizontally, building on existing IT and infrastructure knowledge and leveraging it in a security-based context. Nowadays, online project-based training providers like Udacity offer courses for people to hone various cyber security skills; even providing a ‘Nanodegree’ specifically dedicated to developing ethical hacking skills.
A few steps ahead
Many businesses incorrectly assume that hacking is a wholly negative practice. However, this misconception ignores the large-scale work that white hat hackers carry out defending against potential and incoming attacks from the black hats.
By embracing ethical hacking capabilities – whether externally, or internally via upskilling existing IT experts appropriately – businesses can put themselves a few steps ahead. Dynamic cyber security measures that include an ethical hacking approach can both anticipate and mitigate damaging attacks that are an evolving reality in today’s digital world – and protect a business’s data, operational infrastructure, finances and reputation going forward.