In October 2015, telecommunications company TalkTalk suffered a huge data breach during which the details of up to 150,000+ customers (past and present) were stolen.
Given that this is the third security breach to hit TalkTalk in the past year, many customers have understandably lost confidence in the company, which is now facing an estimated loss of £35m in revenue; the company’s share price dropped by 10 per cent in the first few hours after the London Stock Exchange opened at 08:00 the next day. Ultimately, in this digital age, rigorous security and privacy are expected of businesses, and if these cannot be guaranteed the result can be serious reputational damage, both in lost revenue and in undermined customer confidence.
TalkTalk had apparently come under a Distributed Denial of Service (DDoS) attack, and it is likely that a second attack, such as a SQL injection, was occurring at the same time in order to gain access to the database. The biggest question left for TalkTalk, though, is how three teenagers and a 20-year-old man from Norwich were able to infiltrate a major communications company.
TalkTalk is not alone, though; last week Vodafone became the third company in a week to suffer a significant data breach, after the hacks on TalkTalk and British Gas (where 2,200 customers were left exposed during an “unexplained data leak”). The Vodafone hackers had gained access to the accounts and personal data of 1,827 customers, leaving those customers exposed.
Andy Heather, VP at HPE Security, explains that personal data has a much greater value to cyber criminals than financial/credit card information, which has a limited lifespan, because personal data can be used to commit a wide range of fraud and identity theft and “simply cannot be changed”. Ryan Wilk from NuData Security explains that this data is sold to aggregators who cross-reference and compile full identities – called “fullz” – on the data black market. Customer details from the TalkTalk hack are currently for sale for as little as £1.63. Avios air miles accounts with 20,000 points (enough for a return flight from London to Moscow) are for sale for just £6.50.
The average cost of a data breach
According to the 2015 Information Security Breaches Survey, published by the Department for Business, Innovation & Skills, the average cost of the most severe online security breaches for big businesses is now between £1.46 million and £3.14 million; for small and medium-sized businesses it is between £75,000 and £310,800.
A survey by Grant Thornton International Ltd, a professional services network, found that one in six businesses experienced a cyber-attack in the past year.
When data is left unprotected, it is no longer a question of whether it will be compromised, only of when. Manu Sharma, head of cyber security at Grant Thornton UK, states that “vigilance alone won’t keep businesses safe” – businesses that take the threat of a cyber-attack seriously are not only protecting themselves and their customers’ data, they are also securing a competitive advantage over those who haven’t.
A growing demand
This is why there is a growing demand for Ethical Hackers – computer and networking experts who systematically probe networks, applications and other computer systems on behalf of employers in order to find security vulnerabilities that a malicious hacker could potentially exploit. The ultimate goal is to prevent data theft and fraud.
Whereas cyber-attacks were once considered weak in nature compared to physical crimes, they are now viewed as potential weapons of business destruction. Cyber space has become the preferred environment for criminals to wage industrial espionage; it is estimated that global losses from cyber-attacks reached $400 billion (£260 billion) last year, and 400,000 cyber threats against the British government had to be blocked. Likewise, the ethical hacker – or, less colourfully, penetration tester – previously regarded as a furtive, nerdy character, is enjoying a makeover. For a start, Terry Cutler, CTO at Digital Locksmiths, considers Ethical Hacker “the coolest name on the planet”; alongside this, the job is fascinating and, perhaps most importantly, the demand for Ethical Hackers is “insatiable”.
The recent Cyber Security Strategy paper from PWC suggests that 90 per cent of large organisations had a security breach in the past year, with 69 per cent of large organisations and 38 per cent of small organisations being attacked by an unauthorised outsider. Hence, companies are on the hunt for Ethical Hackers to fortify their networks and block incoming cyber-attacks by systematically exploring the network for technological flaws.
Cyber security wake-up call
Recent large-scale attacks such as the Sony Pictures Entertainment hack and the Heartbleed Bug in 2014, then the US Central Command, Ashley Madison and TalkTalk in 2015, have acted as a serious wake-up call for executives. The reach of communication and information technology has meant that there are more avenues available for cyber criminals to target; however, this should also be seen as an opportunity for the growing field of Ethical Hacking.
Demand is high for qualified Ethical Hackers, and the job description varies: strong computer network skills and programming knowledge of C, LISP, Perl or Java as well as Unix/Linux commands are essential attributes, alongside a high-level talent for “social engineering” – a non-technical method of intrusion that relies heavily on human interaction and involves tricking people into breaking normal security procedures. The IT security field is expected to grow 37 per cent by 2022, so it’s no wonder everyone is putting a premium on Ethical Hackers and is willing to pay an average starting salary of £48,250 ($74,000). However, there is still a significant gap in the market, as the demand for high-quality, competent and experienced Ethical Hackers far outstrips supply.
According to the Department for Business, Innovation and Skills, the cyber security sector is expected to grow from £2.8 billion in 2013 to £3.4 billion in 2017, presenting huge opportunities for Ethical Hackers. There is already a myriad of Ethical Hacking courses and qualifications available online, the most common qualification being the Certified Ethical Hacker (CEH) programme offered by the EC-Council, which is considered the pinnacle of the most sought-after information security training programmes.
The CEH course explores cyber security from the mind-set of a hacker, and students are immersed in this mind-set, evaluating not just logical but physical security too – exploring every possible point of entry to find the weakest link in an organisation. Participants learn the common types of exploits, vulnerabilities and countermeasures, including mastering penetration testing, footprinting and social engineering. Other accredited certifications from the EC-Council include the Computer Hacking Forensic Investigator (CHFI), Certified Security Analyst (ECSA) and the Licensed Penetration Tester (LPT).
The Council of Registered Ethical Security Testers (CREST) scheme has been described as fast becoming the gold standard of Ethical Hacking. CREST is a not-for-profit organisation that serves the needs of the technical information security marketplace, focusing on penetration testing, up-to-date knowledge of the latest vulnerabilities and techniques used by real attackers, and appropriate standards for incident response in the cyber security arena. All examinations have been approved by GCHQ and CESG, and CREST works alongside these organisations to deliver controlled, bespoke, intelligence-led cyber security tests.
Benefits of CREST and CEH certification
The benefits of CEH and CREST qualifications are enormous, and this is largely due to the growing demand for Ethical Hackers. At a time when cyber security is considered one of the top four threats to the UK, the need for individuals who are able to ethically, and legally, hijack web servers and crack wireless encryption in order to exploit vulnerabilities and determine the possibility of unauthorised access by a ‘black hat’ hacker is increasing apace with the growing global cyber threat.
Some 69 per cent of large UK businesses and 38 per cent of small UK businesses were attacked by an “unauthorised outsider” last year; the latest attack on TalkTalk has provided yet another example of the stark reality and cost of cyber-attacks.
There is a growing understanding that employing Ethical Hackers to penetrate and test a company’s network should no longer be seen as a luxury, but as an essential and necessary business practice in the modern day.
Image Credit: ra2studio / Shutterstock