A recent article from SmallBusiness.co.uk claimed that roughly 20% of UK businesses had invited hackers to “assess their cyber security and systems.” The article cites a Radware study and further claims that 37% of UK businesses are open to the concept of working with hackers to improve security.
I would like to pose the following two questions: a) does working with a hacker actually improve your organization’s security, and b) should managed service providers (MSPs) work and collaborate with hackers?
Do Hackers Perform a Valuable Service?
The legacy argument over the ethics of hacking goes back decades. From telephony phishing to more recent cyber attacks on critical infrastructure (think Stuxnet), hackers have been living amongst us for a long time. The simplistic view of white hat vs. black hat hackers is exactly that: simplistic, and it ignores the deep complexity and shades of ethical and legal issues involved in the hacking community.
But the fundamental question still remains: are hackers good for businesses? I suppose there is a basic level of service hackers can provide, which is viewing a system from the standpoint of how to penetrate it. Setting aside white hat hackers who claim to hold “ethical” standards for how they perform their services, the real issue I might raise is the credibility of a hacker and how a business would manage that relationship.
It should be evident to everyone that if an organization is hiring an “expert hacker” to find vulnerabilities, there is a trust which must exist to believe the hacker is disclosing everything and truly helping the organization rather than harming it. The more you trend towards the “dark side” of hacking, I suppose, the more vulnerable you are, or at least the higher the risk you carry.
Should MSPs Work With Hackers?
That leads us to the question of this article: should MSPs work with hackers at all? It’s an interesting question and not one that gets a lot of public discussion. However, I do believe an end-user organization engaging a hacker would be much better off doing so under the supervision of an MSP who can monitor and manage the relationship, as well as ensure the client is as safe (or safer) after the engagement compared to before.
There is, potentially, a liability issue with an MSP bringing in a black hat hacker to address security issues for a client. These issues involve legal, ethical, and general business considerations.
We may be entering a new era of managed services where security is playing a more important role. Does this heightened focus on security mean hackers are the best way to lessen risk? I’m really not sure I have an answer yet.
What do you think?