A “White Hat” Hacker’s Perspective on Cybersecurity

Dr. Jenni Hesterman

Is your company doing all it can to protect itself against hacking? Check in with the experts.

I recently attended a security conference with a great session on cybersecurity where a so-called “white hat” hacker gave a fascinating presentation. This individual was a professional hired by companies to test their information security. The expert (we’ll call him “X”) explained that most companies are so confident of their system protections they will ask him to “go at it” with everything he has, confident he’ll be repelled. However, X claims he’s never once failed to get into their systems. He may be hindered and forced to regroup or change tactics, but that has never completely stopped him from obtaining his objective.

X says he sees two main vulnerabilities in companies. The first is poor patch management, or not actively downloading the fixes to viruses and other attack protocols that seem to pop up almost daily. If you have the option of automatic updates – take it. Yes, it may slow the system down or be inconvenient, but you will be vulnerable until you manually accept the patch.

Second, organizations underestimate the ability of hackers to get into their system through social engineering such as spear-phishing emails. Hackers can develop an email address that very closely resembles a legitimate one from the organization. Employees may not look carefully enough to see a missing letter or punctuation and will click on the email to open the attachment, instantly infecting their system or even the entire network.

X explained that 80% of the people he targets in an organization would take the spear-phishing bait. Why does this happen? He preys on people’s desire to help. For instance, X was hired to test a hotel chain’s information security. He sent an email to guest services from a “prospective bride” who said she was down to three hotels for her reception. The “bride” had supposedly made a spreadsheet with the pros and cons of each hotel and had asked if they could take a look. The kind employee opened the spreadsheet, thereby infecting the system with a virus.

If a company wants to deter hacking, they should leverage their best (and often overlooked) resource: their people. Humans can do things technology cannot. For instance, people intuitively know if something is wrong or off, typically before analytics figure it out. Organizations must have a culture and system for reporting these types of observations since hardware is not yet able to confirm a hunch. X believes people can act as early-warning radar systems in organizations.

To defeat hackers, X says organizations should have air-tight processes, procedures, and policies in place regarding system use and administration. Perhaps more importantly, they must train employees on a regular basis. For instance, companies should have policies regarding clicking on attachments in suspicious emails, social media use at work, using a USB drive to transfer files and other software from home, and so forth.

A new twist on hacking is extortion. Ransomware is a hacking program that encrypts a company’s data, and then holds it ransom until payment is received. Although we occasionally hear about this on the news, this blackmail is far more prevalent than we think, with companies, public utilities, and even hospitals paying bitcoins to hackers in the hopes of preventing data loss, or exposure of system failure to the public. X couldn’t advise companies whether or not to pay the ransom, as this is a personal corporate decision. He just helps these companies manage the aftermath. Many companies are already setting up bitcoin accounts so they can pay hackers right away.

X hopes his information will serve as a wake-up call to companies. Our experts at Watermark can help you identify disconnects in your workplace training, and deficiencies in culture that leave you vulnerable to hacking. Using Focus72^TM, we can prepare you to handle a brand-altering event, and then recover from it in minimal time with the least amount of impact to your organization and customers.

By the way, X is only 32 years old, but is considered “old” in his field. This should serve as a reminder to get workers from the Millennial and Generation Y workforce at your table to help you understand and prepare for emerging technological threats.