Let's face it, hackers have a bad reputation. Large companies and governments spend billions of dollars on cybersecurity every year. According to the Cybersecurity Market Report, the US government increased its cybersecurity budget by 35%, from $14 billion in 2016 to $19 billion proposed for 2017. In the business world, the same report notes, J.P. Morgan & Co. doubled its cybersecurity budget to $500 million. But is there a way for companies to improve their security not by increasing the budget, but by hiring the very people they are trying to keep out: hackers?
Despite that reputation, there is a recognised category of 'ethical hackers', also known as white hat hackers (some of them holding formal credentials such as the Certified Ethical Hacker certification). The benefits of having one on the team are considerable. The security industry does not hesitate to involve them, because one of the most effective ways to find vulnerabilities in a system is to try to break into it. However, the technical skills of black hat and white hat hackers are the same; what separates them is authorisation and intent. A white hat works within a scope the system's owner has agreed to, a black hat does not. That creates a risk, because a person's intentions can change at any time, and someone with intimate knowledge of your systems is well placed to abuse it.
'Ethical hacking' as a paid service gained traction in the early 2000s, and demand has been growing ever since, as black hat hackers become more sophisticated and traditional defences struggle to keep up. Back then, few would have predicted that companies would pay hackers to attack their own systems, but it is now routine. HackerOne, a computer security startup, connects businesses with hackers through 'bug bounty' programs: hackers get paid for the vulnerabilities they find, and companies get a clearer picture of the state of their security. HackerOne raised $34 million from VC backers such as Benchmark and NEA, along with individual investors. The startup's view is that humans are the problem but also the solution, so hackers on its platform are authorised to test web applications, APIs, IoT devices, Android/iOS apps and anything else worth protecting, within the scope and rules that each program defines.
Even though white hat hackers follow ethical practices by definition, trust is still an issue. In 2012 a British student, Glenn Mangham, was sentenced to eight months in prison for breaching Facebook's security in 2011, despite claiming that his intentions were good and that he wanted to find vulnerabilities and report them to Facebook. Mangham had previously been rewarded by Yahoo for spotting weaknesses in its systems, but in this case he broke into a web server Facebook used to set puzzles for prospective software engineers, then used a staff member's credentials to reach Facebook's Mailman server. Good intentions were no defence: he had no authorisation from Facebook, and authorisation is what separates security research from intrusion.
The white hat role usually goes unnoticed when all is well, but if hackers start accessing high-profile data outside the agreed scope and without telling you, they are not working in your best interests, whatever they say their motives are. Another example is the attack on Sony Pictures in 2014. Although the attack was external, carried out by a group calling itself the Guardians of Peace (GOP), some analyses at the time suggested the attackers had help from Sony insiders. Terabytes of sensitive data were leaked, and Sony reportedly removed all the white hats working for the company soon afterwards.
It is good to have a community of hackers working with the company rather than against it, but businesses should weigh the risk before taking hackers on board, even if they wear a white hat. Because the practice is still relatively new, companies may find it hard to write complete terms and conditions for working with 'good hackers': what is in scope, what is off limits, how findings must be reported, and what happens if a tester steps outside those lines. However, by launching more bug bounty programs and encouraging hackers to work for a good cause, there is a growing chance that one day the number of malicious attacks will decrease.