Cybercrime has been on the rise for years, but since the beginning of the Corona crisis, attacks by criminal hackers on IT landscapes have also been increasing in medium-sized businesses. In Germany, cybercrime remains one of the top 3 business risks, along with business interruption (including supply chain disruption) and pandemic outbreak, according to Allianz’s latest Risk Barometer. Companies are therefore well advised to look for alternative methods of mitigating cyber risks. Procurement can contribute here by sourcing professional services. One strategic sourcing approach is the bug bounty method, which is not yet widely known.
Close open entry gates
Of course, software, be it operating systems, email programs or the latest video conferencing tool, is put through its paces before release – but over the last few years, the way software is delivered has changed dramatically. Whether it is the cloud or the Internet of Things, all of these trends lead to a larger attack surface. Release cycles have gained speed. All of this means that, ultimately, gaps and bugs can still be found in every system. Standardized testing procedures alone, such as pentesting within one’s own team, are not sufficient to withstand the increasingly creative attacks of cybercriminals in the long run. A better and more obvious idea is to involve the best ethical hackers instead.
Bug Bounty: Software professionals on the prowl for rewards
This is precisely the principle that the “bug bounty” process uses: several highly specialized hackers are engaged to creatively probe systems for gaps – under a contractual obligation not to do any damage. As an incentive to find bugs, success-based bounties are offered, which are lucrative for ethical hackers. For the companies, these bug bounty programs are efficient, and the bounties represent only a fraction of the potential damage should criminal hackers succeed in gaining access. In this way, cybercrime can be contained despite advancing digitalization.
Step by step to maximum security with crowdsourcing
This follows the principle of crowdsourcing: the task of security testing is distributed via the Internet to external volunteers (the “crowd”). Since any newly introduced system will have undiscovered gaps, only a smaller group of ethical hackers is assigned at first. This allows the most obvious flaws to be identified quickly and the most critical gaps to be closed quickly. The more difficult it becomes to find further points of attack, the larger the crowd involved should become – with a correspondingly higher monetary reward. In this way, cybersecurity can be increased step by step. Continuous programs provide sustained protection.
CyberSec – also for medium-sized businesses!
German companies that already offer bug bounties include BASF, Deutsche Telekom and SAP. But the approach is also suitable for medium-sized businesses – if it is set up correctly. This includes developing the approach, choosing the right partners and gaining access to the CyberSec community. Many SMEs initially have reservations about deliberately letting outsiders look for vulnerabilities – trust and disclosed identities play a significant role. An IT sourcing consultancy with negotiation experience, such as Kloepfel Consulting, can support here with the right methodology and a broad network.
Would you like to source IT services such as a bug bounty program for your company? We are happy to support you!
By Marc Röver, Senior Manager, Kloepfel Consulting
Press contact
Kloepfel Consulting
Gerrit M. Schneider
Pempelforter Str. 50
40211 Düsseldorf
T: +49 211 / 882 594 17
gm.schneider@kloepfel-group.com
www.kloepfel-group.com