As more business shifts online, hackers have plenty of targets to aim at. The effects of a hacking attack can be devastating for a company’s reputation and its bottom line.
At the end of last year, giant American retailer Target was hit by hackers who swiped the details of credit and debit cards held by 40 million of its customers by placing malicious software on thousands of registers in its stores. In total, intruders gained access to 70 million records.
The retailer faces a whopping bill for cleaning up the mess the massive data leak has caused.
Jefferies, an investment bank, estimates that it may have to pay up to $1.1 billion to the payment-card industry because of the breach. Target is also spending a fortune on such things as free identity-theft insurance for customers.
The threat posed by determined cyber-invaders explains why companies that offer to mimic them and test the vulnerabilities of clients’ systems—a practice known as “penetration testing”—are in demand.
Some businesses, such as banks and outfits handling electronic payments, are required by regulators or industry bodies to conduct regular “pentests”.
Others hire pentesters because they think outsiders may spot things that internal security teams miss: in-house teams tend to develop tunnel vision.
Critics of pentesting say cheap software that automatically scans for vulnerabilities in a firm’s systems can automate much of the work pentesters do. They also claim that tests can create a false sense of security inside companies.
However, firms often make big changes to their systems between pentests, which can accidentally create new vulnerabilities. Moreover, some pentesters may simply lack the skills and ruthlessness to spot weaknesses that cyber-crooks will find.
To convince sceptical clients that their systems are vulnerable, pentesting firms can show videos of their hackers breaking into them, to prove that they really did get in.
Some ethical hackers go even further, pinching a confidential document from their clients’ servers and then presenting it to them with a flourish. This makes the threat much more real.
When shocked bosses are presented with this sort of evidence, they usually reach for their cheque books fast to fix the problem.
Still, even a robust pentesting strategy combined with other security measures may not be able to foil dogged intruders.
New risks are constantly emerging, notably in the field of mobile apps. Companies are rolling out lots of these, so that their employees can work on tablets and smartphones as they travel.
But pentesters who have begun probing these apps say that the quality of the security built into them is years behind that of other corporate software.
The writer is director of digital forensics and fraud investigations at Matrix Digital