Can competitions help spot vulnerabilities and beat cyber threats?
While organizations still complain that they’re finding it hard to fill cybersecurity positions, hackers continue to breach company databases and make off with valuable information and business and customer data.
The consequences for companies, however, get more challenging every day.
The recent SingHealth data breach, for example, caused Singapore’s Personal Data Protection Commission (PDPC) to levy fines totaling SGD1 million on SingHealth and the technology vendor involved.
The breach at Marriott, on the other hand, is being deemed the largest data breach in history, and has already attracted multiple class-action lawsuits.
“This breach and other breaches should be signaling to companies that they need to do a better job of protecting customer data, and if they have holes in their security, they really need to take basic steps to keep it secure,” said DiCello Levitt & Casey Attorney Amy Keller, representing Marriott’s aggrieved guests.
In light of this, it seems as though companies are looking at alternative solutions to spot vulnerabilities and beat cyber threats, and one way some of the leading companies are doing it is by organizing or entering competitions and inviting (ethical) hackers to “test” the company’s digital assets and report vulnerabilities in exchange for prizes.
The idea, to some experts, although not novel, is quite brilliant.
Tesla, for example, entered its vehicle, the Model 3, in Pwn2Own, the three-day cybersecurity contest to be held in Vancouver, Canada in March. Of course, it’s something that is much needed in a world where cars are connected and digital — and Tesla became the first ever automobile company to give this route a shot.
The reward for “hacking” into the car at the conference? Those in the know say the company will be handing the keys to a free Model 3 (valued at US$44,000) to the security researcher who succeeds, although cash prizes ranging from US$35,000 to US$250,000 are on offer as well.
US-based hospitality giant Hyatt Hotels, too, has just launched a public bug bounty program in which ethical hackers are invited to test Hyatt websites and mobile apps for potential vulnerabilities and securely disclose them to Hyatt.
“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt Chief Information Security Officer Benjamin Vaughn.
“As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”
Through the bug bounty program, security researchers will be able to earn cash rewards, also known as bounties, if they report valid security flaws on Hyatt.com, m.hyatt.com, world.hyatt.com, and the iOS and Android versions of the Hyatt mobile app so they can be safely resolved.
From the looks of it, competitions seem to be an interesting and innovative way for companies to improve their cyber defense strategy. However, in the long run, companies will need to build more mature cybersecurity teams and ensure they’re better prepared to handle threats internally.