Resident DDLS cybersecurity expert Terry Griffin makes the case for in-house ethical hackers.
Fighting cybercrime is like playing a never-ending game of cat and mouse. And increasingly, it’s a game Australian organisations cannot afford to lose. Let’s take a quick look at the facts.
A recent CISCO report comparing cybercrime in 11 Asia Pacific countries revealed that Australian businesses receive more attacks than any of our neighbours, with 90 per cent reportedly receiving up to 5,000 threats a day. In Australia, over 800 organisational data breaches were reported in the last three months of 2018 alone, while losses from some categories of cybercrime have increased by more than 70 per cent in the last 12 months. That amounts to an estimated total economic cost of $1 billion per year.
Taking these facts into consideration, the cost of having an on-staff ethical hacker to defend your business against potential (and very real) threats seems like a pretty good investment. And yet, ethical hacking still isn’t seen as a must-have skill by all organisations.
Certainly, some Australian businesses are starting to pay a lot more attention to their in-house cybercrime fighting capabilities. According to new research by BDO & AusCert, 85 per cent of SME leaders surveyed intend to implement regular cybersecurity risk assessments by 2020, while 86 per cent expect to have a cybersecurity awareness program in place within the same time frame.
DDLS’ own research backs this up. Our recent white paper, Taking Australia’s IT Pulse, revealed that cybersecurity is one of the top two training priorities for Australian IT professionals this year. But while 70 per cent of survey respondents said data breaches and cybersecurity issues were their biggest concerns, worryingly, a third had no in-house cybersecurity expertise at all.
More promisingly though, 17 per cent claimed they are either recruiting to fill the gap or planning to build their own expert teams this year. With this in mind, there is a golden opportunity to consider bringing an ethical hacker onto your staff – or upskilling your current team.
Known as penetration testers or white-hat hackers, these cyber experts legally break into computers and devices to test the defences and discover vulnerabilities. Some tout it as the most exciting job in IT: IBM, for example, sets up video-game-style puzzles to test prospective corporate hackers during the recruitment process. And, crucially, ethical hacking is now widely considered the most important cybersecurity certification in existence.
Ethical hackers: consultants or on-the-payroll?
Unfortunately, ethical hackers aren’t cheap. Even though we anticipate every large business will have a digital security specialist on its payroll within the next few years, it’s worth bearing in mind that the average salary for an ethical hacker in Australia stands at $110,000 – a steep price for many SMEs.
Although smaller businesses may need to use external consultants as a more cost-efficient alternative, the benefits of having an in-house ethical hacker are unquestionable. This matters even more when you consider that it takes businesses an average of 191 days to identify a breach.
Businesses that regularly monitor, test and update their systems and security technology will have an advantage over cyber criminals. And this is best achieved by housing a white-hat hacker inside your business rather than relying on an external contractor.
Here are three more reasons you should consider recruiting an ethical hacker for your team:
They’re more invested. An ethical hacker who’s embedded in your organisation has a vested interest in the long-term security of the business, which incentivises a deeper commitment to protecting it.
Familiarity breeds speed. Spotting vulnerabilities within a network is not easy. It’s problem-solving without knowing what the problem is in the first place. However, a big advantage of employing an ethical hacker is that he or she will become increasingly familiar with your network. As malicious attacks become more advanced and sophisticated, this familiarity helps them detect and resolve breaches faster than a less familiar external contractor could. When you account for the potentially devastating costs of data and financial breaches – plus the reputational damage – a full-time ethical hacker will ultimately save you money in the long term.
Knowledge is power. Staying ahead of the hackers requires keeping up with a rapidly changing cyber industry – a full-time job in itself. It means staying across a constant stream of software vulnerabilities and patches, which need to be applied weekly. Without a full-time ethical hacker, this simply becomes an extra – perhaps even impossible – burden on your existing team members.
So what makes a good ethical hacker? For one, curiosity and an ability to think outside the box. Only by thinking outside the system can one break into it. Strong attention to detail and meticulousness are also essential: if a hacker can’t find any vulnerabilities, it’s because they aren’t looking hard enough. IBM’s security chief compared the role to playing puzzle-solving video games for hours: if you haven’t got that level of patience, the job’s not for you.
And while expertise in specific operating systems is not expected, ethical hackers do need a decent grounding in both software and hardware, since vulnerabilities can be anywhere in a computer.
Today, having an ethical hacker is no longer a case of choice but a necessity. As systems evolve and environments change, a full-time defender is your best chance of turning the tables on the attackers – playing the cat and not the mouse.
Want to find out more? Explore DDLS’ range of cybersecurity and certified ethical hacking courses.