Your Business Could Benefit From Being Hacked
It’s the wild west out there, where code vulnerabilities ramble the cyber range as far as the bots can crawl.
Almost no industry was immune from cyberattacks in 2021, according to PropertyCasualty360.com (Jan. 28, 2022). “We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud. Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”
The term “hacker” is synonymous with bad people using their computer skills to do bad things. The truth is there are all types of hackers roaming the internet; some are using their powers for good.
Researchers (also known as white-hat hackers or ethical hackers) test business systems connected to the internet and expose the vulnerabilities. Some do it as a career; some do it for sport. And while they might successfully hack your business, the difference is they’ll tell you about it in an altruistic effort to improve your cybersecurity. They know it’s only a matter of time before a nefarious hacker finds it, and that’s what they’re hoping to prevent.
The problem: Most researchers don’t have a foolproof way to alert businesses about the vulnerabilities they find. Companies often ignore a researcher’s findings when they email to assist because the company didn’t request the help, and they believe it’s a scam. (What’s more suspicious than a hacker offering help?)
But what if there was a way to encourage helpful hacks and standardize the process for reporting security vulnerabilities? There is a way — the vulnerability disclosure policy (VDP).
Creating a vulnerability disclosure policy
A VDP is a webpage or a webform hosted on a company’s website that tells ethical hackers how to report system vulnerabilities to your business: where to send a report, what it should contain, which systems are in scope, and what the company commits to in return (acknowledging the report, fixing the issue, and not taking legal action against researchers who follow the rules). VDPs are gaining popularity because exploitation tactics are tough to predict as cyberattacks evolve. It takes a group effort to expose data vulnerabilities, and researchers want to help sound the alarm.
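A VDP only helps if researchers can find it. The standard place to point them at it is a `security.txt` file served at `/.well-known/security.txt` (RFC 9116), which lists a contact address, a link to the policy and an expiry date. The script below is an added example written for this article; it is not code from the article, from CISA or from any vendor. It embeds a constructed sample file (the domain `example.com`, the address `security@example.com` and every URL in it are placeholders) and then checks the two things that most often go wrong: a missing required field, and an `Expires` date nobody renewed, which makes researchers treat the whole file as stale.

```python
"""Publish a VDP where researchers look for it: RFC 9116 security.txt.

Added example for this article, not code from the article, CISA or any
vendor. The file contents, the domain example.com and every address and
URL in it are constructed placeholders.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of what a business would serve at
# https://example.com/.well-known/security.txt (placeholder domain).
SAMPLE_SECURITY_TXT = """\
# Researchers: read the policy below before testing anything.
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2026-12-31T23:59:00Z
Policy: https://example.com/vdp
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

REQUIRED_FIELDS = ("Contact", "Expires")  # both are mandatory under RFC 9116
ONCE_ONLY_FIELDS = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Split 'Field: value' lines into a dict of lists; blank lines and # comments are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing Z means UTC, a naive value is assumed UTC."""
    if value.endswith(("Z", "z")):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_security_txt(text: str, now_iso: Optional[str] = None) -> List[str]:
    """Return the problems a researcher (or a scanner) would hit; an empty list means the file is usable.

    now_iso pins 'today' for repeatable checks; None means the real clock.
    """
    now = _parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in ONCE_ONLY_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI, got {contact!r}")
    # The most common way a published VDP silently stops working: nobody renews Expires.
    for expires in fields.get("Expires", [])[:1]:
        try:
            when = _parse_timestamp(expires)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires!r}")
            continue
        if when <= now:
            problems.append(f"file expired on {expires}; researchers should treat it as stale")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ["security.txt looks good"]:
        print(problem)
```

Run it against the file you actually publish (paste the contents into `SAMPLE_SECURITY_TXT`) and put the check on a calendar: the `Expires` value is the part of a VDP that quietly lapses.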
Post a bug bounty
If you want to go a step further, you can crowdsource part of your cybersecurity by posting bug bounty offers through your VDP. A bug bounty pays a reward to anyone who reports a valid, previously unknown weakness in the systems you name, usually scaled to how severe the finding is. Your company communicates the parameters using a webform on your website (usually linked to the VDP). The instructions specify which systems and applications may be tested, which parts of your system are off-limits, and which kinds of testing are not allowed (denial-of-service attacks and social engineering of your employees are common exclusions).
Try a VDP template
The Cybersecurity and Infrastructure Security Agency (CISA) published a VDP and webform template for anyone to use. Always consult with an experienced cybersecurity and data privacy lawyer before posting a VDP to ensure your policy complies with current standards. Once developed, a solid and well-maintained VDP can be an asset to your cybersecurity risk management strategy.
But if you’re unsure or worried about your vulnerability points, a hired hack can come in handy.
Go on the digital defensive and hire a hack
If a bug bounty isn’t appealing, you could hire a researcher to scour your system. Pricing depends on the project, so it’s best to scope your objectives before making the call. You can hire researchers for a multitude of things, like:
- Stress test known weak points in your systems
- Find and fix security problems in an application before it launches
- Expose cloud configuration issues
- Identify application programming interface (API) weaknesses
- Demonstrate that a reported weakness is actually exploitable (a proof of concept), which also gives auditors and insurers evidence of testing
- Identify vulnerabilities in a system (public internet or internal intranet)
- Perform the penetration testing that Payment Card Industry Data Security Standard (PCI DSS) compliance requires
- Probe remote work and virtual private network (VPN) exploitation points
- Check bring-your-own-device weak points and system switchovers, like a move to unified endpoint management (UEM)
A complex task could be costly, but it’s worth it when weighed against the cost of a data breach.
For perspective: 44% of small businesses spent $250,000 to $500,000 to recover from a data breach, and 14% paid $500,000 to $1 million, according to PropertyCasualty360.com (Oct. 28, 2021). A proactive cybersecurity program will require an investment, but (unlike a hack) it won’t drive you toward bankruptcy.
Positioning your business for a hardening cyber insurance market
Part of the insurance challenge is getting the proper coverage for your risk areas while also getting a reasonable price point. As data breaches increase, insurance companies’ aversion to insuring cyber risk also increases.
Some companies compensate by raising premiums to ensure enough reserves to cover catastrophic losses. Other insurance companies leave the sector and stop writing new policies. Insurance companies become more selective about who they’ll insure, and that’s based on relative risk. Your agent will work with you to position your business to cyber insurance carriers.
Most cyber liability policies will require you to inventory your business system hardware, software, apps, remote work protocols, employee device usage, vendors and payment systems. They’ll be assessing your potential weaknesses and rating you based on that. It’s a good idea to know your weaknesses early on and plan to handle them.
Give your CBM a call about cybersecurity tools like training or researcher referrals. They’re also happy to help you figure out what kind of cyber liability coverage works best for you.