The world of retail tends to move in cycles—perhaps using an ethical hacker is the next trend in retail. For a year or two, all the talk will be of how retailers can use technology to reach new customers and expand into new markets. Then, as the pendulum swings and we’re all spooked by the latest retail hack, companies will retreat from these same technologies, believing them to be a major business risk.
Breaking that cycle means recognizing that cybersecurity is not an event, but a process. Keeping your systems secure, especially if you are taking advantage of new technologies, entails a continuous process of training, testing, and consultation with experts. These experts should be drawn from the widest pool possible. It’s for that reason that more and more companies are turning to ethical hackers.
Inviting someone into your business to try and hack it might sound like a terrible idea, but in reality, it can be a very useful source of insights into your security vulnerabilities. Just who is an ethical hacker, what can they do, and how can you go about hiring one?
Who Is an Ethical Hacker?
Those in the know talk about hackers in terms of “hats.” In this nomenclature, the typical picture of a hacker that everyone has in their mind—a criminal who breaks into systems—would be called a “black hat” hacker. But there are many other types. A “white hat” hacker, for instance, is someone who uses the same skills and techniques in order to help companies improve their security.
They do this by simulating attacks. Ethical hacking of this type has been a mainstay in the tech world for a few decades—not least because many of the people working for cybersecurity companies used to be hackers themselves. But the popularity of ethical hacking is now reaching beyond the world of tech, as more and more companies realize it’s value.
For retailers, the value of a consultation with an ethical hacker is clear. Most retailers lack the in-house expertise to rigorously test cybersecurity systems and are reliant on the claims made by their cybersecurity supplier. This means they have no way of verifying that their systems are secure, or that their physical security won’t allow a hacker to get into their systems from the outside.
All this said, retailers should also recognize that there are ways to get the most out of an ethical hacker. Without putting some work in first, you run the risk of hiring an expensive and potentially useless consultant. Let’s look at what ethical hackers can do and what they can’t.
What Can Ethical Hackers Do?
There are a number of tasks and techniques that an ethical hacker can perform for you. These range from simply trying to break into your systems, to a more full-spectrum service in which they assess how you can improve the cybersecurity of all your systems. These tasks can be usefully broken into four types:
- Monitoring. They’ll monitor a company to understand the data it creates and stores and where any sensitive data is—the gold mine hackers are after.
- Testing. Existing defenses will be tested for a way through via out-of-date security patches or open ports.
- Diving. Ethical hackers will also go dumpster diving—meaning they’ll go through physical and digital bins for charts, passwords, and any sensitive data they could use to launch an attack.
- Surfing. Shoulder surfing (looking over someone’s shoulder) to view what they’re typing is another common method.
Many of these techniques are used by actual criminal hackers as well, and that is their value for retailers. By simulating a “real” attack, you can get a far more accurate picture of how vulnerable your systems actually are, and the likely routes through which attacks will come.
Hiring an Ethical Hacker
That said, you should also know that there are ways to use ethical hackers effectively. There is no point hiring an ethical hacker if you know that there are unpatched vulnerabilities in your systems, because then you are paying to have your existing knowledge confirmed. Rather, hiring an external consultant should be done at the end of every security improvement cycle, when your systems are as strong as you can make them on your own.
Ideally, these cycles should match your retail cycles. If you generally have a slow month in July, for instance, that’s the time to hire outside help. By now most retailers are aware that the holiday period is especially dangerous when it comes to cybercrime, so you should aim to be as secure as possible at that time of year.
When it comes to finding an ethical hacker, you should also think carefully about which systems you need to test. Getting someone in to run through all of your systems might produce feedback too broad to be of much use, for instance, so make sure that you are testing your most critical systems first.
Finally, you may feel uneasy about hiring an outside hacker and inviting them in to test your systems. You should make sure that you use employment contracts where ethical and moral requirements, as well as police checks, can be implemented.
Of course, ethical hacking is just one way to improve cybersecurity for retail firms, albeit an effective one. By thinking outside the box and making use of the expertise that is out there, retailers can use ethical hackers to expand the scope of retail security beyond the current model. So instead of relying on the claims of your cybersecurity provider, put them to the test by getting someone to try and break into your systems. Sometimes offense is the best defense.
About the Author
Stefan Maraj was almost an accountant but now knows more about cybersecurity than the Revenue Recognition Principle. Two decades later, he’s a cybersecurity consultant who provides insight into hacker brains to ferret out exactly what kind of computer malfeasance they’ve been up to and how to stop it.