That’s right: hacking can be good for your business – but not a criminal ransomware attack, no, we mean ethical hacking.
Ethical hacking, also known as penetration testing, is when an accredited cybersecurity consultancy carries out a simulated cyber-attack against a business’s system. Penetration testers can identify exploitable flaws in bespoke software, carry out scenario testing to discover how incidents impact on security, and test a business’s response capabilities to attack or temporary vulnerability.
According to cybersecurity consultant FoxTech, once penetration testing has shown where the weak spots are, and what methods hackers could use to exploit them, the next step is to fix, secure and block these paths to access. Most companies’ IT protection plans focus only on the last step – blocking access – without necessarily knowing exactly where that access is.
Anthony Green, FoxTech CTO, said: “Usually, IT strategies fail when businesses don’t actually know what their weaknesses are – or indeed don’t realise they have any at all. Many companies believe their networks are secure because they have outsourced their IT or installed an anti-virus package. Unfortunately, this is like going on holiday and locking your front door, but leaving all your windows wide open – traditional security methods are not comprehensive, and hackers can easily find and exploit your remaining vulnerabilities.
“It’s impossible to take the right cybersecurity actions without knowing what your problems are. This is why penetration testing really is crucial. Subjecting your IT infrastructure to ethical hacking by someone who isn’t going to steal your data is one of the best things you can do to prevent a real hacker gaining access.
“Initially, companies can find it hard to believe that hacking could ever be ethical, let alone good for their business, but it is the best way to find out exactly how vulnerable your business is to an attack.”
FoxTech’s message comes on the heels of the National Cyber Security Centre’s (NCSC) recently published annual review, which revealed that there were 777 “significant incidents” between 1 September 2020 and 31 August 2021, up from 723 in the year before.
The NCSC noted: “Ransomware became the most significant cyber threat facing the UK this year. Due to the likely impact of a successful attack on essential services or critical national infrastructure, it was assessed as potentially harmful as state-sponsored espionage.”
The NCSC highlighted data from the Department for Digital, Culture, Media & Sport that showed 39% of all UK businesses (that’s 2.3 million businesses) reported a cyber breach or attack in 2020/21.
The ransomware model has developed into ransomware as a service, where off-the-shelf malware variants and online credentials are available to other criminals for a one-off payment or a share of profits, according to the NCSC.
In the first four months of 2021, the NCSC handled the same number of ransomware incidents as for the whole of 2020 – which was itself more than three times greater than 2019.
The NCSC’s Cyber Security Information Sharing Partnership service provides a secure forum where companies and government can collaborate on threat information.
