The global news cycle is a daily reminder of the pervasive and potentially devastating cyber risk facing businesses. Three out of four businesses can expect to get hacked within the next year, according to the World Economic Forum's (WEF's) Centre on Cybersecurity.
Hackers are exploiting digital security flaws to commit a dizzying array of crimes. Cybercriminals are using stolen data to perpetrate business email compromise, invoice, payroll, phishing, and ransomware scams that cost companies billions of dollars annually.
Data breaches have cost the global economy trillions of dollars, according to the WEF. It's not just financial: Data breaches can cause significant reputational damage that imperils relationships with customers, partners, and vendors, and are a reality that no finance department can ignore.
"Cybersecurity is a hard trend, and it is going to continue to evolve," said Steven Ursillo Jr., CPA/CITP, CGMA, partner and national leader of Information Assurance and Cybersecurity at Cherry Bekaert, a US-based accounting and advisory firm. "Ultimately, it's going to be a cat-and-mouse game."
But it's not a fair contest. Most companies aren't fully aware of how vulnerable to cybersecurity breaches they are.
Hacker Alex Chapman knows. He spends his workdays combing the networks of global corporations in hopeof finding security flaws that, if exposed, could bring a corporation to its knees.
But Chapman isn't out to get you or the organisation you work for.
Instead, he's a member of a cadre of "white-hat" hackers, computer systems analysts and programmers paid by corporations and cybersecurity companies to locate and shut down technology system vulnerabilities before their more nefarious counterparts on the black or grey markets can find them.
"Everyone understands what the bad version of a hacker is," Chapman said. "I'm a good guy; I try to help organisations."
Companies need all the help they can get. The average global cost to companies of a data breach is $3.92 million, with costs reaching $8.19 million per breach in the US, according to the Ponemon Institute's 2019 Cost of a Data Breach Report. These are not just one-time charges either; the Ponemon Institute researchers found that breaches cost organisations millions of dollars for years after the initial breach.
That's why corporations are increasingly turning to ethical hackers like Chapman to run "penetration tests" to find vulnerabilities before criminals do and shield themselves from the security risks. White-hat hackers can offer insight that routine cybersecurity audits can't, with the ability to narrow in and notice problems embedded in network systems or present in employee behaviours before a costly attack occurs.
"If you don't know the risks, you don't know the vulnerabilities, and you don't know the assets, then you are going to have a hard time protecting those assets," said Ursillo, who is also a white-hat hacker. "These assessments give organisations an understanding of what an attacker can see from the outside."
While hiring a white-hat hacker can provide value, it is not a silver bullet, and Ursillo cautioned that there is no single solution and the approach should be a part of a larger cyber risk management programme. Finance departments, IT, and those responsible for risk will need to address significant reputational concerns and incorporate white-hat hackers into a larger cybersecurity strategy before engaging with them.
The business of bug bounties
Matthew Southworth, chief information security officer of Priceline, is charged with overseeing cybersecurity for the US-based online travel website. He decided that hiring white-hat hackers made sense from both a security and a financial viewpoint. Before engaging with white-hat hackers, Southworth began receiving "unsolicited vulnerability reports" from hackers and security researchers pointing out bugs in the company's cybersecurity.
"It made it much easier for me to tell my leadership that hackers are going to be testing our website whether we invite them or not," he said. "We should want a programme to capture their efforts in a way that we can triage, that we can somewhat control."
Southworth reports directly to Priceline's CFO, and he approached the CFO with the idea of offering a bug bounty. It was not a tough pitch.
"The CFO is interested in managing risk, and this is an extant risk," he said. "So the bug bounty programme is ultimately his responsibility. He understands the budget, and he understands how the programme works. He's an advocate for the programme across the company."
In a bug bounty programme, companies invite white-hat hackers to poke around their system and agree to pay bounties to hackers, from $100 for a low-profile bug to $2,000 or more for more critical issues, said Laurie Mercer, a London-based security engineer for HackerOne, which conducts bug bounty programmes. High-profile clients include Goldman Sachs, Starbucks, and Google.
Midsize companies and startups may spend $25,000 to $100,000 in total while larger, multinational companies shell out hundreds of thousands of dollars, Mercer said. This investment often pays off by preventing far costlier data breaches. The company recently commissioned a study completed by technology and market research company Forrester that predicted a 115% return over several years for its clients.
Companies can get bugs and problems reported on a rolling basis, as opposed to other types of security assessments that serve as more of a snapshot in time.
"You're not getting this time-limited assessment with reports at the end," Mercer said. "You're opening yourself up to a process that never stops" unless companies choose a time-limited bounty.
The case for white-hat hackers
Bug bounties are just one component in a larger suite of cybersecurity approaches — from system penetration tests to red team agent exercises (see the sidebar, "Types of White-Hat Hackers") — that white-hat hackers can perform to shore up a corporation's security defences, potentially giving you the same view of your cyberdefences that criminals have.
That's why employing or contracting with people with the same skillsets as hackers is increasingly becoming a key component of a successful cybersecurity strategy, said Sherri Davidoff, founder and CEO of US-based LMG Security, who started her cybersecurity career nearly two decades ago during her undergraduate years at Massachusetts Institute of Technology.
"We hack you before the real criminals do," she said.
However, inviting hackers to poke around your systems is, in and of itself, a potentially risky endeavour, according to Peter Steel, vice-president—Professional Standards and Conduct at the Association of International Certified Professional Accountants. Companies should take special care that hackers, invited or not, don't accidentally gain access to either customers' or employees' personally identifying information in violation of various international laws in the course of their work.
"My main concern would be that you are unintentionally exposing data, which could lead to severe legal penalties," said Steel. "Whether you wilfully expose protected data or not, the risk is still there."
Priceline's Southworth recommends adding controls to the bug bounty programme prior to commissioning any penetration testing to help flag and prevent accidentally risky data exposure. "For example, we requested participants to add a special header to all of their requests when they're testing our website so we can identify them as a participant of the bug bounty programme," he said.
While an unintentional sensitive data exposure hasn't happened in the Priceline bug bounty programme, according to Southworth, these controls give the company "strong attribution between traffic coming in and the bug bounty programme, and that gives us some forensic evidence of who found this and what they actually saw".
The ROI of managing risk
Companies can also pour huge sums into cybersecurity efforts and still have no guarantee that their data is safe, said Sandro Gaycken, the director of the Digital Society Institute, ESMT Berlin and chief scientist at Hensoldt Cyber GmbH.
"Prices range from $30,000 to millions," he said. "It's hard to say."
That means some, overwhelmed at the prospect, end up doing very little to develop their cyberdefences beyond basic network protections and the occasional penetration test, something Gaycken cautioned is not an option in today's world.
"If you're not taking this seriously and something serious happens, you can be ruined in just a few hours," he said.
It's also nearly impossible to measure how ethical hacking pans out, considering the goal in most cases is to prevent data breaches or a similar disaster from taking place.
Davidoff has even incorporated that paradox — "achieve nothing" — as LMG Security's corporate tagline, given that success for her and her employees means having her clients report back with no issues.
"You are trying to make it so that nothing happens, and that's a hard thing to measure," she said.
That said, the global market for cybersecurity continues to grow, with technology research firm Gartner putting the worldwide bill for security services at $124 billion in 2019.
Have a plan
For finance departments considering engaging with white-hat hackers, the first step is deciding where to start. Davidoff suggests conducting a system-wide assessment to identify the most vulnerable areas before figuring out what type of approach is needed.
"It helps you set your priorities," she said. "You are not going to be able to tackle all your security issues at once."
It's important to know whom you're hiring when putting out queries to white-hat hackers, said José Esteves, an information systems professor and associate dean for International MBA and Tech MBA programmes at Madrid's IE School of Business who has worked as a white-hat hacker for 30 years.
He suggests going through third-party consultant groups that have vetted hackers and have legally binding pledges that they won't use information discovered for unethical purposes. Ursillo said it's the risk management team and, in many cases, the CFO's responsibility to oversee this process.
"If you have a CFO that's responsible for cyber risk in a broader level, the most important thing is for them to take a step back and look at that whole governance programme," he said. "It's going to be predicated on making sure that the rules of engagement are established."
It's an effort well worth making, according to Priceline's Southworth.
"A breach could be seriously disruptive to our company," he said. "People are trusting us with not only credit card numbers but information about travel: when they're going to be where, [when] they're going to be out of their house. We have a duty to protect all their information."
Types of white-hat hackers
White-hat hackers work in myriad ways. Here are some of the common methods used in the ethical hacking community:
Bug bounty programme
With this approach, organisations, often working through third-party vendors like HackerOne, pay white-hat hackers for each code flaw or vulnerability discovered. Organisations can either leave their bounties open, with expectations that vulnerabilities will be sought out on a rolling basis, or structure their bounty programmes to be time-limited or offered to select groups of white-hat hackers. Costs can vary for each vulnerability discovered, though companies with lower profiles may need to offer more to drum up interest from the hacking community. The first hacker to make more than $1 million in collective bug bounties was a self-taught 19-year-old Argentine.
Also referred to as a pen test, this enlists in-house or contract ethical hackers to simulate a cyberattack to examine how systems hold up and detect where problems may exist. These types of tests are increasingly required for security compliance regulations and certificates, including PCI DSS (payment card industry data security standards).
This comes into play after infiltration or a data breach has already taken place. Using white-hat hackers to re-create the path the illicit hacker used, back-hacks examine system vulnerabilities, close any doors that remain open, and trace the attack back to its source.
Red team and blue team exercises
These cybersecurity approaches stem from military planning exercises and call for white-hat hackers to look for issues, similar to what happens in a penetration testing exercise. The red team groups will look to infiltrate a system's defence, while blue team players play the part of defence, testing whether an organisation would respond adequately to an actual cyberattack.
Sarah Ovaska-Few is a freelance writer based in the US. Drew Adamek is an FM magazine senior editor. To comment on this article or to suggest an idea for another article, contact Adamek at Andrew.Adamek@aicpa-cima.com.