Companies should invest in ethical hacking, as part of their security lifecycle for applications, systems and network resources, says Jamaica National Group cyber security analyst, Garfield Rodriquez.
Mr. Rodriquez opines that when it comes to ethical hacking, penetration testing, attestation, vulnerability and risk assessments, and patching all play a crucial role in a company’s cyber security lifecycle and in strengthening its security controls. Therefore, a company should invest in securing its network and systems.
“If there is a failure to have the proper systems, policies and training in place for company employees, and vulnerabilities found are not addressed, there is an increased possibility of a breach occurring, which may result in significant financial loss and reputational damage for companies and customers, as well as the exposure of pertinent information or data,” Mr. Rodriquez explained.
Ethical hacking is the process of an organization granting a hacker (a “white hat”) authorized access to its network, applications and systems so that the hacker can attempt to infiltrate them using known vulnerabilities, penetration methods and other evasive techniques. It is often confused with penetration testing (pen testing). Whereas pen testing focuses on a specific area defined for testing, ethical hacking is more comprehensive, with pen testing being one of its functions.
The ultimate aim of utilizing an ethical hacker is to test all layers of the organization’s security framework from a system, application, network and policy perspective. The ethical hacker also aims to show how resilient the organization’s cyber defences are. Through these tests, the ethical hacker is able to formulate a report listing all discovered vulnerabilities together with recommendations to address them, which in effect strengthens the organization’s technical security controls and posture.
The cyber security analyst explains that using ethical hackers to detect vulnerabilities in companies’ networks and applications is a growing trend in the Caribbean, as more companies have made significant investments in IT security. While not able to state a definitive number, he added that with cybercrime expected to cost the world US$10.5 trillion annually by 2025, more Caribbean companies are taking the need to protect their networks more seriously.
“Caribbean companies have embraced the use of more digital and web-based technologies, so they are more exposed to IT security threats such as viruses, malware, ransomware, Trojans, adware, spyware and denial of service attacks, just to name a few,” he affirmed.
“There have been major system breaches over the past decade in the Caribbean,” he added. “The COVID pandemic has transformed the working force to be working more remotely, so there is a greater risk for breaches to occur. As a result, companies have to ensure that systems, network resources and applications, customer facing and internal, are utilizing a patch management cycle to facilitate the updating and strengthening of security modules and to test that these security modules have been updated properly. An ethical hacker is key in this process.”
In 2020, an Inter-American Development Bank (IDB) report titled Cybersecurity: Risks, Progress and the Way Forward in Latin America and the Caribbean revealed that there was marginal progress, or none at all, in the maturity level of two-thirds of LAC countries in terms of education, training and development of skills in cybersecurity. The report added that in these countries the offer of specialized training in digital security was nonexistent or incipient, and where it did exist it usually considered only the technical dimension of cybersecurity. It added that cybercrime in the region was the third greatest area of concern, especially as more organisations embraced work-from-home models.
Mr. Henry Osborne, Technical Product Manager, The Jamaica National Group, explains that in an era where more persons are working from home and using company virtual private networks (VPN), ethical hacking is beneficial in preventing company data from being stolen.
“It is not uncommon to discover that a ransomware attack was successful because an employee clicked a link, opened an attachment, or inserted a drive they weren’t supposed to. An organization’s end-users also have a role to play in protecting the data resources. Security conscious organizations will ensure their employees receive cybersecurity awareness training so they’re better able to identify the threats and not become an attack vector,” Mr. Osborne stated.
Mr. Rodriquez adds that ethical hacking would also help to find vulnerabilities in the ways systems, applications and network resources are accessed, whether through a virtual private network (VPN) by remote workers or in all other instances of employees, third-party contractors and companies accessing systems, network resources and web-based applications.
Professor Sean Thorpe, Head of the School of Computing and Information Technology at the University of Technology, Jamaica explains that companies should see investment in cyber-security engineers as essential, especially in this digital age. However, he believes that the region can also benefit from training ethical hackers.
“The availability of specialized cyber-security academy training courses through certified ethical hacker (CEH) qualifications has become more urgent. This may be completed by specialized long term offerings in computing and network security degrees at both the undergraduate and graduate level,” he said.
Mr. Rodriquez adds that there also needed to be an emphasis on the importance of ethical hackers in addition to training.
“By educating the public that there is a tremendous need for ethical hackers on both a local and global level, and establishing that an ethical hacker is a viable career path, more companies would begin to see its value,” he explained.
“Also, more local IT training institutions could incorporate courses geared towards this certification. Also, showing the availability of ethical hacking training programmes online, such as Udemy, Infosec and Cybrary, just to name a few of the accredited IT security training institutions, would help more Caribbean companies to invest more in training their employees in this area as well, especially since cybersecurity is an area of concern for many,” he stated.