The business case for ethical hacking
In the online marketplace, the same technology that can propel your business forward is available to the next interested individual or company.
And even if you believe in business ethics, there’s no guarantee your competitors do. Given how APAC organizations are expected to lose some US$1.745 trillion (that’s 7 percent of the region’s total GDP) to cyber criminals this year, it’s clearly something your business needs to think about.
Some companies hire ethical hackers, or white hat hackers, to help them find and patch vulnerabilities in their systems. It’s not a new trend; there are training programs, workshops and available tutorials on white hat hacking. You can also take an exam to earn your Certified Ethical Hacker (CEH) qualification.
But even as demand for ethical hacking grows, businesses may grapple with the ethics of hiring a hacker to catch a hacker. Do the ends really justify the means? Is ethical hacking even ethical in the first place?
Narayanan Vaidyanathan, Head of Business Insights at the Association of Chartered Certified Accountants (ACCA), however, says those are the wrong questions to ask.
“It’s not important whether it’s ethical or not, that isn’t the true question,” he told the ACCA’s Annual Conference in Kuala Lumpur this week. “Most organizations are more concerned about not having a deeper understanding of the work at play.”
There is no doubt, of course, that ethics are important in the digital age for any business, small or large. The increase in new policies managing risk and privacy alone is testament to their importance.
But at the same time, security is just as crucial. As KPMG Malaysia Executive Director Alvin Gan said at the conference: “You don’t want to spend millions on a project but only secure it with a two dollar padlock from the market.”
Gan makes a fair point. Enter the “ethical”, white hat hackers. These hackers intentionally perform penetration testing in an attempt to break security layers to identify weaknesses in a system.
In most cases, the hacks are directed internally at the company’s own systems. However, in some instances, the vulnerability leads these hackers to perform hacks on external networks.
But this is unavoidable.
Narayanan pointed out that companies don’t work in a vacuum. Every company needs to work with partners, which means all systems are somehow interlinked.
In an example he raised, a company was trying to track down the source of some fake orders that were appearing on the system. With the help of a white hat hacker, they were able to identify that a business partner had been defrauding them using falsified order records.
In this instance, Narayanan noted that many would agree it was ethically acceptable to use hackers to identify vulnerabilities.
“In this case, the hacker is merely doing his/her job… they followed the trail and ended up at the partner business’ systems,” he said. “Your partners aren’t going to suddenly have a conscience one day and decide to disclose the fact that they are defrauding you.”
So where do you draw the line?
In the ACCA’s August 2017 report titled ‘Ethics and Trust in the Digital Age’, nine in 10 professional accountants said ethical behavior was key to building trust in the digital age. They agreed that the fundamental principles of ethics, as laid out by the International Ethics Standards Board for Accountants (IESBA), still apply and remain relevant.
These include integrity, objectivity, professional competence and due care, confidentiality, and professional behavior. Respondents deemed ‘professional competence and due care’ as the most important and most vulnerable to being compromised.
What this shows is that the question of ethics goes beyond issues of honest and straightforward professional and business relationships. At the end of the day, the more pertinent question is whether or not the organizations themselves are able to uphold their own professional code.
Narayanan also said it was crucial for organizations to understand thoroughly the opportunities and risks presented by their use of digital platforms.
Many companies fear they are unable to fully understand the implemented strategies and purpose, which could lead to following the wrong procedure, resulting in unintended consequences.
It is also important for proper mechanisms to be in place for reporting unethical behavior. This will help reduce the risk of breaches.
“Tech can fundamentally alter the way you do business,” Narayanan pointed out. “It’s really important to assess the impact technology would have on your governance and risk management.”