Target, Anthem, JP Morgan, Sony, Home Depot and eBay: what do they all have in common? Every one of these companies has suffered a significant data breach, hacking incident or other major security compromise.
The biggest victim: you.
The likelihood that you’ve purchased products or used services from any of the above listed companies is relatively high, whether you’ve done so directly or indirectly through corporate partnerships.
So why are these incidents happening? The simple answer is that people with malicious intent are actively trying to steal private data, make money or simply cause mayhem.
They find ways to breach the security systems of large corporations, or, as in the case of Target, they attack the systems of an affiliated or partner company and use that access as a way in.
One question that is often posed is: how are these breaches occurring when corporations are investing so much in security and IT staffing?
Hacker groups, crime syndicates and foreign nation-states have armies of highly skilled, well-trained individuals who spend all of their time identifying vulnerabilities in American companies and agencies. This trend will not diminish anytime soon.
So how can an enterprise or growing company minimize these incidents, detect them earlier, or eliminate them altogether?
One approach is to invert the way security assessments are performed.
While most security audits are currently done by internal teams and contracted IT firms, there may be benefits to bringing in real hackers to help evaluate your environment.
For example, companies like HackerOne offer a structured bug-bounty program in which an enterprise defines which systems are in scope and the rules of engagement, then funds a prize pool that rewards hackers for finding and responsibly reporting vulnerabilities, before a bigger incident occurs.
In the same manner that crowdfunding lets the masses fund a product or idea, vulnerabilities can potentially be identified by the masses of smart, well-intentioned security researchers from around the world.
The incentive for them to do so: money. Instead of the growing number of hackers using their skills for illegal activities and putting their freedom at risk, they can use their knowledge to expose flaws, bugs and open doors in exchange for small or large amounts of reward money.
I believe that more and more platforms similar to HackerOne will emerge to drive proactive identification of security bugs and vulnerabilities.
Companies like Microsoft and Google have operated similar models for years, with significant positive outcomes.
By no means would this be the only method for protecting your environment, but it does provide a new approach to a clearly broken model.
Recently, security experts gathered at the RSA Conference 2015 in San Francisco to discuss countless ways the industry can implement more effective processes and solutions.
Hopefully we will see a more secure world in the near future. Until then, protect your environment by taking every necessary step to keep the good guys in and the bad guys out.