
The past couple of years have provided ample evidence of how serious the consequences of a hacker attack can be for a company. Recently said the cyber attack it suffered in October 2015 cost it £60 million and lost it over 100,000 customers.
No CEO would want their tenure at a firm being defined by a hacker attack, so what can an incoming business leader do to ensure that a company’s data-security systems are up to the job?
Ask if the firm is certified
There is an obvious sense in asking if the company is ISO 27001 certified. It is, after all, the family of standards aimed at keeping information secure. But it’s important not to put too much blind faith in an ISO certificate. It shows that a company has thought about the risk and devised a procedure to mitigate that risk, but it doesn’t guarantee those procedures are followed in everyday life. A third of IT managers admitted in the Absolute survey that not all security procedures are being followed. If I were an incoming business leader, I would want to know when the certificate was issued, as well as how long ago the procedures had been audited and stress-tested.
I see an online self-assessment is available as part of the Government’s Cyber Essentials initiative.
I applaud this as a first step for those who are only starting to get their systems secure and who then decide to gain a Cyber Essentials certificate. But this is probably the hottest business issue in the coming years, and I’m sure that businesses’ IT security will become a key criterion in awarding contracts. If I were deciding which company to do business with, a self-assessment certificate would show me that your firm is nothing more than an eager amateur when it comes to cybersecurity.
Hire your own ‘white hat hacker’
This, in my opinion, is what every new CEO should do when joining a company. ‘Hacker’ has become a much-maligned term in recent years, but there are many who break into firms’ IT systems with the right motives – and at the firms’ request.
The penetration tester – as a white hat hacker is otherwise known – will offer an independent assessment of the strength of a business’s systems; if there are weaknesses, the tester should identify them and explain to the company how to address them. I think it’s the only way a CEO can be reasonably sure of the integrity and security of the firm’s IT systems. I say reasonably, because no system will ever be totally secure. Your task is to make it as hard as you possibly can for hackers to break into yours.
Barclays has a team of its own hackers to test its own systems, on the basis that to beat the hackers you have to act and think like them. I totally agree, and in fact I have a guy who can do a ‘quick and dirty’ assessment of a firm’s IT security for me. Most of the time, he finds open doors in the systems he assesses – without going through them.
I think there are still too many CEOs who take it for granted that their firms’ IT systems are secure, and who don’t bother to get an expert to test whether this assumption is correct.
I’m sure there are still many small business owners who will read this and think: so what? They still cling to the idea that they are too small to attract hackers’ attention. But according to the government, a third of UK SMEs suffered a cyber attack from someone outside their business in 2014.
Also, as I’ve pointed out in my previous columns, hackers will try to break into big companies through their smaller suppliers’ insecure systems – you don’t want to be the weak link in that supply chain. Meanwhile, the Internet of Things (#IoT) is not only making systems more interconnected; those systems also become more vulnerable with every device that is added to the network. Black hat hackers have reportedly increased their scans for vulnerabilities by more than 450% since the rise of #IoT.
So, the next time a telecoms giant or big retail group makes the headlines for being hacked, you could ask: ‘How did they let that happen?’ But then your next question should be: ‘Have I done enough to prevent it from happening to my firm?’