Ethical Hackers: The Good Guys Your Company Needs

Hackers have a bad reputation. A lot of that is deserved, as there are plenty of bad guys out there who want to dig into your network to steal as much data as possible for their financial gain. But there are also good hackers out there, and we can’t forget their contribution to cybersecurity.

An ethical, or whitehat, hacker played an important role in the arrest of Paige Thompson, who allegedly is responsible for the Capital One data breach. The ethical hacker, also called a security researcher, saw Thompson’s brag about the hack on GitHub and reported it to Capital One.

This put the spotlight on the importance of having ethical hackers as part of your security and IT team. They expose vulnerabilities and are often able to find flaws in the system that other members of the team overlook. In the case of the Capital One breach, Julia Kanouse, CEO at The Illinois Technology Association, told me that although the ethical security researcher wasn’t using their hacking skills to identify the breach, it demonstrates the key role whitehat hackers play in notifying companies of cyberattacks.

Ensuring Hackers Remain Ethical

It can be difficult to switch the mindset and think of hackers as good guys rather than the enemy, especially since many of the tactics they use in penetration testing are meant to mimic the bad guys. It’s easy to think that your good guy could go rogue and turn into a bad guy if they found something of great value to them deep in your system.

Luckily, ethical hackers going rogue is rare, Kanouse said. However, “Like with any employee who has access to sensitive data, precautions must be put in place in the onboarding process,” she added. “Employers should put clauses in contracts indicating legal action or other consequences for the misuse of private company data and information.”

An ethical hacker should be required to adhere to the company’s IT security and data privacy standards. “However, an employee shouldn’t have to follow a special set of guidelines just because of preconceived notions around their jobs,” Kanouse said. “You wouldn’t expect someone like a software engineer or even an HR recruiter to have their own set of guidelines, so why should an ethical hacker? Especially as ethical hacking becomes recognized as a legitimate career, they should only be held to the standards put in place by the company who hired them.”

Tips for Hiring

Even though there may be no need for strict guidelines specific to the role of an ethical hacker, Kanouse does offer some tips on what to know about hiring a whitehat hacker to work with your company.

The first step in bringing on an ethical hacker is to fully vet the candidate. You must understand their background and how they came into this type of role, including their potential history as a blackhat hacker. Do your due diligence in checking references, as you would with any employee with this type of access, Kanouse advised, and when they have been hired, ensure any contracts specify actions that will be taken if any sensitive information is shared.

“Your new employee shouldn’t work behind walls—their manager or another co-worker should have full visibility into projects they are working on,” she said.

Once the ethical hacker is completely onboarded into the company, trust and team-building efforts should be implemented. Everyone on the security researcher’s team should be included, but the person should also be introduced and made to feel welcome throughout the company. This can include educating all staff about the role of the ethical hacker, why they are one of the good guys, and why staff cooperation with whitehat efforts is essential.

“This line of work can be isolating since there is a sense of mistrust and a negative perception around the idea of hacking,” said Kanouse. “It’s important whitehat hackers are truly part of the team and contribute to the organization’s mission.”

And who knows—your whitehat hacker could play an important role in bringing the bad guys to justice. The more we can stop the bad guys, the better it is for our overall security efforts.

Sue Poremba


Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
