How hackers keep your data safe

Many of the most massive data breaches in recent memory were caused by software vulnerabilities. Many companies have internal processes in place to search for and resolve vulnerabilities, but too often, that's not enough.

Most software engineers are trained to develop a process to go from point A to point B. They often test only for security vulnerabilities or disruption of their processes, missing vulnerabilities that fall outside of the most direct data paths.

It needn't be this way. There's a whole ecosystem of hackers out there who want to mitigate the problem of data breaches that can result from all kinds of vulnerabilities.

These hackers are also known as "security experts" and "white-hat hackers." They're the good guys: young, talented, motivated hackers who can find weaknesses within systems so that they can be resolved before the bad guys can exploit them. They’re a fresh set of eyes on systems and often find complex security flaws missed via routine methods.

That’s why hacker-powered security is so valuable to companies that leverage it. What's more, internal security teams can learn from hackers. Hackers can help internal teams see larger trends, better identify risks, spot where changes can be made during development to boost security, and prioritize which vulnerabilities should be addressed first.

Unfortunately, hackers often—and unfairly—get a bad rap. Here's how and why you need to embrace hackers to protect data and boost your security game.

State of Security Operations 2018: Go Inside World SOCs

Understand the hacker

The Cambridge Dictionary defines a hacker as "a person who is skilled in the use of computer systems, often one who illegally obtains access to private computer systems." While there are bad actors in every profession, most hackers are the good guys and have the best intentions. They don’t do what they do out of ill intent—they’re creative problem solvers. In fact, a recent survey by Infosecurity Europe found that 70% of IT professionals believe that the Cambridge Dictionary should remove the word illegally from its definition.

But despite the obstacles, hackers are making tremendous contributions to data security. In the last year, the number of vulnerabilities related to insecure storage of sensitive information that were reported increased 38 times from the year before, according to "The Hacker-Powered Security Report 2018." There was also a 22% jump in reported high or critical severity vulnerabilities, according to the same survey.

Bug bounties on the rise

It’s only natural that the number of organizations adopting bug bounty programs and partnering with hackers has similarly increased to combat these threats. The government is leading the way in adopting vulnerability programs (look no further than the U.S. Department of Defense, a paragon in the cybersecurity world), and brands such as Toyota, Nintendo, and General Motors are also running successful programs.

Take for example the work hackers have done with the Department of Defense (DoD). The Pentagon has received more than 5,000 reports since implementing its Vulnerability Disclosure Program (VDP) in 2016, and HackerOne has also conducted six bug bounty challenges for the overall DoD, the Army, the Air Force (twice), the Defense Travel System (DTS), and the Marine Corps.

Reina Staley, chief of staff at Defense Digital Service, was quoted in the HackerOne report as saying that millions of government employees and contractors use and rely upon key enterprise systems every day, and “any compromise of the system or the sensitive information it handles would be detrimental to our people and our mission." 

"These bug bounty challenges are a way to give talent outside the public sector a channel to safely disclose security issues and get rewarded for these acts of patriotism.”
Reina Staley

Open the doors to the hacker community

While these projects are encouraging, there's still a lot of work to be done. Nine out of 10 companies on the Forbes Global 2000 list do not have a policy to receive, respond to, and resolve bug reports submitted by the outside world. That's a problem.

One quarter of hackers do not report vulnerabilities they find because the implicated company doesn't have a way to disclose it. That means the vulnerability remains unresolved, putting company and its customer data at risk.

For hackers to continue to help keep data safe, companies should put all options on the table to safeguard the data they have a responsibility to protect. That means making cybersecurity a priority, implementing a VDP, and working with the community of hackers who want to help.

Topics: Security