Should SMEs Bother with Ethical Hacking? by Alexandre Francois

Every big business started small. That thought has been a constant source of inspiration for SMEs as they strive to grow. But the way up is littered with challenges. For one, cyber threats such as hacking have become so rampant that even everyday workplace devices such as mobile gadgets can become targets of attack.

In light of its potentially disastrous effects, many will be surprised to learn that hacking can actually be used for a good purpose, a practice called ethical hacking. Let me show you how it can help business owners survive and stay competitive in the unforgiving landscape of the Web.

It’s Clever and Proactive

Ethical hacking is one of today’s most effective methods for keeping a business protected against cyberattacks and malware, pharming and computer worms to name just two. The idea is to deliberately attack a computer system using real-world attack scenarios in order to find its weak spots and vulnerabilities, and there may be plenty of them that a small business cannot afford to overlook.

For example, if you receive personally identifiable information (PII) in the course of a business transaction, or use a content management system, you may be at risk. Failing to update or troubleshoot software can open up security holes, and weak passwords are an open invitation to intruders. Add to that the prevalence of phishing emails, social engineering, and malware, and the situation gets even scarier.

These and many other factors threatening SMEs can be tested through ethical hacking, and whatever problems are discovered can be patched immediately. Turning the tables on hackers by using their own weapon against them is a clever and proactive ploy that small businesses can benefit from.

Paid to Hack

The professionals who undertake ethical hacking are called white hat hackers, the color indicating the good purpose for which they do the job. An organization, regardless of its size, can have one on its team to conduct regular tests of its cybersecurity infrastructure.

Alternatively, SMEs may hire freelance certified ethical hackers holding the CISSP (Certified Information Systems Security Professional) security certification, who will conduct covert activities mimicking an attacker. The testing is done in a safe and controlled manner using manual penetration techniques, according to prevailing best practices. A key part of the testing is demonstrating how your network can be infiltrated, which in turn produces recommendations for improving your security plans.

At the end of the test, you will be given a detailed matrix of the results, including the list of vulnerabilities that were uncovered. Beyond revealing your vulnerabilities (and giving you access to additional on-demand services from the specialist you hired), the test will help you see whether you are in compliance with data privacy and security regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX, protection from accounting errors and fraudulent corporate disclosure), and the Payment Card Industry Data Security Standard (PCI-DSS) for handling branded credit cards.

Pros and Cons

When it comes down to deciding whether or not to employ ethical hacking, SMEs that are new to cybersecurity practices may regard it as an expensive exercise that further stretches already rising overheads. However, when business planners consider that a malware attack could cost a company up to $2.4 million in damages, the investment justifies itself. Ethical hacking can be considered a necessary operational expense that prevents an even greater loss of resources when a business is left vulnerable.

Should SMEs bother engaging ethical hacking services? How much material and reputational damage are they willing to shoulder without them? I will leave it to business owners to decide, though the practice can help ensure survival and growth on the Web.


About the Author

Alexandre Francois is a serial entrepreneur and tech enthusiast who believes that knowledge about innovations and emerging technologies should be easily understandable and available to everyone. Walking the talk, he is also the publishing director of Techslang, a tech awareness resource where cybersecurity and IT are explained in plain English.


August 6, 2019

1 Comment
2 years ago

A CISSP certification neither prepares one for nor demonstrates proficiency in performing ethical hacking.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013