Cyber crime is increasing, but ethical hacking can help


It may sound like a contradiction in terms, but hacking is a crucial weapon in the fight against cyber crime.

Ethical hacking involves external testing of an organisation’s cyber security to identify any vulnerability that could be exploited maliciously, either by industry competitors, state actors or organised crime. Globally, losses from cyber theft are estimated to cost trillions of dollars, with most organisations being slow to understand the scale of the risk involved, according to GR’s sister title StrategicRISK.

As malicious hackers have become increasingly clever in beating IT defences, the majority of companies don’t appreciate the mounting level of risk they face. Firms now hold a growing proportion of their capital in the form of information stored on their IT systems. In the hands of a malicious hacker, customer records, business records and financial records can be used to steal intellectual property, cash or access to client or partner companies’ databases.

“A major problem is that many companies do not fully comprehend the value of the data they hold on their servers,” says KCS Group chief executive Stuart Poole-Robb. “An organisation such as a power supplier may have client details and access codes for anything from a power station to a military installation.”

Malicious intent

Most companies have also been slow to grasp the level of risk involved when opening up their communications systems to other organisations. It is now commonplace to allow other organisations access to parts of a company’s IT system in order to streamline the supply chain and improve customer services.

Malicious hackers can use these opportunities to breach a company’s IT defences. There is also a growing number of cases of rival firms using exploratory talks to gain access to privileged information such as vital industry intelligence or confidential customer records.

Often those breaches that occur under these or similar circumstances are carried out without the host company’s knowledge and can go undetected for months or even years. Meanwhile, rivals or industrial spies willing to sell information for cash can continue to siphon off intellectual capital until the breach is eventually spotted.

The objectives of an ethical hacking exercise are to identify any vulnerability that could be exploited by a malicious hacker in websites, software applications, hardware or mobile devices.

The most common type is known as a ‘black box’ exercise. This typically involves testing all IT systems connected to the internet.

In most cases, this testing is an external exercise, with the tester adopting the mindset of a malicious external hacker in an effort to breach IT defences.

But according to KCS, four out of five illegal cyber hacks are carried out internally. Those companies that do not wish to haemorrhage cash and intellectual property should therefore also commission internal tests. These focus on what internal staff can do and see on their own IT network.

Revealing information

However secure a system may appear on paper, people are the weakest link in IT security. Sometimes staff can be bribed to reveal access codes to malicious hackers or business rivals. But often staff may unwittingly jeopardise their company’s security by revealing information in person to strangers or business associates, or may simply be careless when it comes to using unsecured personal devices such as smartphones to access sensitive areas of the corporate network.

“Without proper access controls, colleagues may deliberately or unwittingly jeopardise the confidentiality and integrity of the data,” says Poole-Robb.

As well as taking full account of an organisation’s external and internal IT security, a fully effective ethical hack should focus on an organisation’s supply chain. Companies with the most secure IT networks can still be compromised by suppliers and clients with access to their systems.

A penetration test that reveals security weaknesses is likely to pay for itself many times over, reducing ICT costs in the long term and shielding the company from the kind of dramatic losses often associated with compromised financial data or mission-critical business intelligence.

But each test is only a snapshot in time, and as cyber criminals are constantly developing new tools and strategies for malicious hacking, regular testing is needed to safeguard crucial data and business intelligence.