EDITOR'S QUESTION
LAURIE MERCER, DIRECTOR OF SECURITY ENGINEERING AT HACKERONE
Cyberattacks are on the rise: the UK claims the highest number of cybercrime victims per million online users in 2022. This represents a considerable rise in attacks of 40% since 2020, highlighting the reality that a breach is no longer a question of 'if' but 'when'.
It's no secret that threat actors use the Common Vulnerabilities and Exposures (CVE) database to identify unpatched systems and exploit known vulnerabilities. However, an organisation's unknown assets can pose an even greater risk, with 20% of organisations stating that over half of their attack surface is unknown or unobservable. Cybercriminals will be looking for those overlooked vulnerabilities as a way in. Therefore, adopting an outsider's mindset to see where the gaps are is critical to gathering relevant threat intelligence and identifying the risks that threat actors could exploit.
Unfortunately, many organisations are still sceptical about receiving vulnerability reports from external security researchers or ethical hackers. Most companies do not have a defined Vulnerability Disclosure Policy, which deters over 25% of ethical hackers from submitting a vulnerability report out of fear of prosecution. As a result, organisations fail to collect the in-depth threat intelligence that could prevent future exposures and attacks.
Cybercriminals have many resources for identifying vulnerabilities in an organisation's unknown assets. Engaging ethical hackers to gather relevant and accurate cyber threat intelligence will not only give organisations a better understanding of their attack surface but will also help them define and execute a well-rounded cyber strategy.
There are multiple ways of strengthening a security posture by tapping into ethical hackers' knowledge and expertise:
• Enable and support ethical hackers: Every digital organisation operating in the UK should have a Vulnerability Disclosure Programme (VDP). Equally, reforming the Computer Misuse Act can help better define and protect good-faith security research.
• Incentivise ethical hackers: Vulnerability Rewards Programmes (VRPs) can provide a more significant economic incentive to report vulnerabilities directly to organisations. This would prevent cybercriminals from stockpiling vulnerabilities for ransomware attacks, for example.
www.intelligentcio.com INTELLIGENTCIO EUROPE 35