How bug bounties are safeguarding cyberspace
How well are companies prepared for potential cyber attacks? To find out, they have ethical hackers carry out test attacks in what is proving to be an indispensable service towards protection against cyber crime. Read on to find out more.
With more than 130,000 employees, 16,400 stores, an online offering in 28 countries and more than 5.5 billion customers, AS Watson Group is one of the world’s largest international health and beauty retailers. The company was founded in 1841; today, one of its most valuable assets is the data that customers leave behind when shopping. Protecting these millions of data sets from unauthorised access is one of the most important tasks of the company’s IT security chief, Feliks Voskoboynik.
To make this work, he does not rely solely on the skills of his security team: Voskoboynik regularly commissions professional hackers to check the resilience of his digital firewalls. In one recent instance he introduced new anti-credential-stuffing software (credential stuffing is when criminals use stolen login data to gain access to customer accounts). "The hackers we hired helped us find the weak spots and mitigate them," says Voskoboynik.
Ongoing crisis simulation
Many other companies are doing the same as AS Watson Group – whether in retail or the automotive industry, the financial sector or the chemical industry: they know that they have to arm themselves against attacks that are becoming more sophisticated through artificial intelligence and increasingly automated. Crisis simulation is an ongoing concern, because companies can no longer rely on their security systems protecting them against cyber criminals in the long term, nor can they rely exclusively on the know-how of in-house experts or external service providers.
And so they have professional but friendly hackers attack them: to test how well their digital defensive walls hold up against assault, and to legally find gaps in their security set-up and close them immediately. This way, they can stay one step ahead of cyber criminals.
Companies still rely on traditional security measures such as firewalls, VPN systems, antivirus software and multi-factor authentication to protect themselves against cyberattacks, but they are also increasingly investing in penetration tests and bug bounty programs – 62 percent of the companies asked about their cyber security strategies in a 2023 survey by the auditing and consulting firm EY, in fact. These targeted attacks on their own security systems are carried out with a view to implementing lasting improvements.
Hackers – an essential part of security
This way of working is proving a successful one. Since 2016, for example, by collaborating with more than 55 hackers across the world, US car manufacturer General Motors (GM) has been able to close more than 700 online security gaps discovered within its own organisation and at its logistics partners. "We have always relied on a variety of tools when it comes to security," says Jeff Massimilla, who is responsible for Internet security at GM, explaining his preference for digital crash tests. "Hackers have become an essential part of our security ecosystem."
In order to take advantage of the skills of these so-called white hat hackers, companies like GM usually rely on cooperation with service providers such as HackerOne. Their platforms have established themselves as a gateway between clients from the business world and contractors from the hacker scene.
Bug bounty of up to one million euros
Depending on the complexity of the task, between a few hundred and several hundred thousand, sometimes even a million euros in “bounty” are paid to hackers who successfully penetrate the firewalls of their clients, find bugs and help to close security gaps.
It is not just monetary incentives that motivate friendly hackers to help: Finnish hacker Mikko Hyppönen, for example, says that his career "has been to protect the internet and its users from threats." Others are driven by curiosity and a thirst for knowledge: "Hacking is about thinking differently, challenging the status quo – and using technology differently than it was originally intended," writes Jon Erickson in "Hacking: The Art of Exploitation".
Jürgen Schmidt from our very own #ExpeditionFinance series recently visited a white hat hacker in Singapore. Steve Kerrison works as a lecturer in cyber security at the city state’s James Cook University. He showed Schmidt how he converts a fingerprint reader in just a few simple steps so that the device can pick up fingerprints from its users and use them to access their protected data.
Kerrison's recommendation: “If you can’t do cyber security simply and easily, people will always find a way around it – because people are lazy. It is a case of understanding what the user wants to do and what the business wants to achieve. And finding a way of making the solution still fit.”
Volker Klak
… is part of Deutsche Bank’s communication team, currently totally into a horse riding metaphor and believes there is a lot of good worth protecting. So, happy coding everybody!