HackerOne recently released a report that shows progress in fighting cybercrime, but also makes clear that the need for diligence is becoming more urgent than ever. The 2020 Hacker-Powered Security Report (download required) details the activities of just one of several “bug bounty aggregators.” In addition to HackerOne, there are organizations like Bugcrowd, YesWeHack, Intigriti, Synack and others — private companies and government agencies that post bounties to reward hackers who find bugs and vulnerabilities in the poster’s systems. The aggregators act as a go-between, posting curated bounty lists for their hacker communities.
Bug bounties work on the theory that to catch a thief, you have to think like a thief. Bounty amounts vary quite a bit, and most are a few hundred dollars for smaller bugs and glitches. However, an ethical hacker, as these professionals call themselves, can earn much more for finding and reporting a serious vulnerability.
Who are the ethical hackers? Most are software professionals who hack in their spare time. They do it for money, but many donate the money to worthy causes, through programs like Hack for Good. Many do it because they understand the gravity of the threat.
It’s more than just a hobby, however. Increasingly, ethical hackers are being seen as an important element within the cybersecurity ecosystem. HackerOne claims to have 830,000 registered hackers. No company could afford to hire enough full-time hackers to fully test their systems. The crowdsourcing solution is working well.
Great news shielding a troubling reality: HackerOne members submitted over 181,000 valid vulnerability reports last year, and that’s just one organization. If we assume that ethical hackers have discovered just a portion of the vulnerabilities out there, that means there are still many waiting to be discovered. It’s a race between ethical hackers and cybersecurity experts on one side and powerful cybercrime syndicates on the other.
The stakes are high for business, considering the $3.86 million estimated cost of an average breach. That kind of money can send small to medium businesses into bankruptcy. While that price may not topple an enterprise-level corporation, a security breach can result in serious damage to the company’s brand and reputation. Organizations in all verticals are subject to attack. HackerOne reported large year-over-year increases in bug bounty programs in computer hardware, consumer goods, education and healthcare.
Awareness is essential. Assuming your company has a cybersecurity strategy in place, whoever designed and implemented it, whether internal or vendor, should have advised you that there is no such thing as perfect impregnability. As one tech expert writes, “The effectiveness of encryption, for example, is measured in the amount of time it takes to break it, not that encryption is unbreakable.”
It may be a good idea to establish a bounty program as a proactive approach to identifying issues or gaps. However, if the need is more urgent, you may need help. An urgent need could be a scenario in which you know there is a gap but don’t know where it is. Even more urgent could be a scenario in which you have identified a gap and need it fixed.
If your existing technology staff has the expertise and bandwidth to find and fix gaps, you’re in good shape. If not, you need another solution. The right solution will depend on your needs, which might include:
• Hiring a specialist to ensure, on an ongoing basis, that you respond quickly and effectively to issues.
• Engaging a consultant temporarily to respond to known issues.
• Outsourcing aspects of your cybersecurity strategy, such as posting bug bounties.
Other factors in the decision include the threat level, the maturity of your systems and cybersecurity strategy, and your budget. Cybersecurity service providers tend to work on a longer-term model, in which you outsource all or parts of your cyber-strategy. A cybersecurity talent consultant can connect you with the short-term talent you need.
It’s important to find professionals who will fit in well with your company culture, even temporarily. This can help ensure credibility with your team during change management. In selecting any of these resources, your talent audit should screen for specialized knowledge. A general IT resource won’t fill the bill. This resource should know the cybersecurity landscape and should have experience identifying and closing gaps — whether they are vulnerability gaps in your infrastructure or talent gaps on your team.
In all this, keep in mind that this talent is scarce and in high demand. You should remain flexible and open to different solutions. For example, finding a single cybersecurity expert who knows it all may be like looking for a unicorn. Instead, consider looking for two strong horses whose combined knowledge gives you what you need.
Ethical hackers are now a valuable and welcome part of the cybersecurity battlefield — it takes a hacker to catch a hacker. If you want to recruit these soldiers, you have options. The first step, of course, is for you to incorporate this tactic into your overall strategy.
This article was originally published on Forbes and was written by Domini Clark, CEO of Blackmere Consulting. The original article appears here.