By Jason J. Hogg
If you have the skills to stop a cyber hacker in their tracks, you may soon be getting calls from recruiters trying to fill a new crop of jobs throughout corporate America.
Criminal data breaches are predicted to cost businesses a total of $8 trillion over the next four years, far outstripping worldwide IT security spending, which Gartner expects to exceed $120 billion by 2021. Meanwhile, there is a shortage of talent: a report from the Center for Cyber Education and Safety anticipates 1.8 million unfilled cybersecurity jobs by 2022, with millennials likely to fill a large share of them. Demand for these jobs will keep growing as the number of reported cybersecurity incidents, which doubled between 2016 and 2017, continues to rise. Even with expert cybersecurity firms on retainer to improve overall cyber resilience, companies are struggling to stay ahead in the battle against malicious hackers.
To help close the gap, more businesses are turning to another kind of hacker: the "white hats". Through carefully implemented bug bounty programs, organizations can crowdsource the expertise of security researchers, who identify vulnerabilities in exchange for money and recognition, so that flaws are fixed before they can be exploited. Without proactive efforts such as bug bounty programs, organizations run a higher reputational and financial risk that hackers or security researchers will try to extort or blackmail them over the flaws they discover.
In 2016 and 2017, organizations in the technology, government, automotive, and financial services sectors led the pack in successfully using these programs, as tracked by Bugcrowd. Shortly after Apple released iOS 11.1, ZDNet reported that researchers at Tencent Keen Security Lab exploited two bugs and earned $70,000 in rewards, a far lower price than Apple could have paid had it not taken a proactive approach to finding vulnerabilities.
As the threat environment continues to grow in sophistication, adoption of bug bounty programs will gain momentum among larger corporations seeking a controlled and cost-effective way to strengthen the security of their code. According to the security platform Bugcrowd, enterprises with over 5,000 employees accounted for the fastest growth in program launches on its platform over the past 12 months. As attacks continue to plague organizations across industries, companies will be expected to run bug bounty programs to prove they have done everything possible to protect themselves. For smaller enterprises, crowdsourced programs will also continue to emerge as a cost-effective method of limiting exposure.
In 2018, we at Aon expect to see companies beyond the early adopters, in industries such as air travel, retail, and hospitality, adopt bug bounty programs, particularly to protect gift card, loyalty, and rewards programs. As credit cards become more secure and criminals shift to "card-not-present" fraud against programs that use points as a form of currency, bug bounty programs can provide an extra layer of defense.
While bug bounty programs may become part of the standard security lifecycle, inviting this level of scrutiny creates challenges in ensuring safe reporting, quality submissions, and smooth execution. It also carries the risk that information gleaned through the program could be misused.
Effective and secure bug bounty programs rely on laying a sound foundation at the outset. Before embarking on a program, companies should seriously consider the fundamentals and best practices: defining the scope of a public or private program, pricing vulnerabilities, and managing payments. It is critical to have a plan to address and manage the queue of fixes the program surfaces, to vet and track vulnerabilities and duplicate submissions, and to coordinate the program with any security testing programs running at the same time.
Many companies turn to external providers of private bug bounty programs and to cybersecurity experts to manage these complexities. As demand grows, the industry will likely see major cybersecurity and information security service providers partner with or acquire private bug bounty program providers to offer more advanced, combined capabilities. As part of a wider cybersecurity and risk management program, properly configured bug bounty programs are a key element of building resilience in the face of today's evolving cyber risk landscape.
Jason J. Hogg is the CEO of Aon Cyber Solutions, a leading provider of integrated cyber risk management services.