Ethical Hacking: Programs for Small Businesses and Communities

The Bug Bounty Switzerland team is collaborating with ZHAW on a research project on ethical hacking for SMEs and communities. (Image: Bug Bounty)
How can small organizations, even with limited resources and IT know-how, gain easy access to bug bounty programs in order to effectively increase their IT security? Finding this out is the goal of a study launched by Bug Bounty Switzerland together with the Zurich University of Applied Sciences ZHAW, which is supported by the Swiss innovation funding organization Innosuisse. In a preliminary project that recently got underway, the target group of SMEs and municipalities is first being investigated to understand what special needs these organizations have, where hurdles to ethical hacking lie, and how a suitable offering would have to be designed.

Ethical Hacking: The Bug Bounty Concept

The bug bounty concept, i.e. the search for vulnerabilities in IT infrastructures by ethical hackers who are rewarded for their finds, has now caught on in Switzerland - not least thanks to the pioneering work of Bug Bounty Switzerland. With its holistic service offering (from consulting to program set-up and customer support to assistance in closing security gaps) and its own platform hosted in Switzerland, the company has succeeded in making bug bounty programs accessible to more companies. Nevertheless, today it is primarily larger organizations such as the University Hospital Zurich, Ringier, Valiant Bank, the Baloise Group or BKW that run continuous programs with ethical hacking. With the joint research project with ZHAW, Bug Bounty Switzerland is now pursuing the goal of reducing the complexity of the method even further, so that small organizations can also gain access and be empowered to continuously improve their information security. Given the often scarce financial IT resources in small organizations, the preliminary study is about finding out what alternative funding models are conceivable and what non-monetary incentives could be offered to ethical hackers. In addition, there is the question of providing the know-how needed to deal with the identified vulnerabilities. In particular, those external service providers who take care of the management of IT systems as outsourcing providers must also be involved. Finally, the researchers are also interested in the extent to which a community of bug bounty users could be useful for exchanging information among themselves and with the ethical hackers.

No digitization without IT security: "Digital Trust"

IT security is relevant for everyone who relies on modern business models and processes as part of digitalization. After all, digital transformation can only succeed if users and customers have confidence in the processes and security of their data and these remain executable. In this context, one also speaks of "digital trust". However, this trust is at risk when new data leaks occur every week and security gaps can be exploited. Today, SMEs and municipalities are also increasingly falling into the clutches of cybercriminals. "If the digital transformation in Switzerland as a whole is to succeed, we must not neglect SMEs - and also the public sector - in terms of security," says Peter Heinrich of the Process Management and Information Security Center at the ZHAW School of Management and Law. It is not enough to simply point out security gaps: "We have to create a real ability to act. Organizations must be given the means and know-how to properly assess their vulnerability and make sensible decisions. We therefore want to find out where they need help to help themselves."

A Swiss ecosystem for dealing with vulnerabilities

In a follow-up project, Bug Bounty Switzerland and ZHAW want to work on the further development of Bug Bounty Switzerland's platform into a Swiss ecosystem for holistic vulnerability management. This should connect all stakeholders (in addition to ethical hackers, e.g., authorities and suppliers) in a continuous information security process and also be accessible and affordable for SMEs, micro organizations and public administration. "We live in a networked world. We have to get a grip on protecting Switzerland as a business location on the global network together," explains Sandro Nafzger, CEO of Bug Bounty Switzerland. "As a Swiss bug bounty pioneer, we want to contribute to the security of the country and the success of the digital transformation: together for a secure Switzerland."

Source and further information: www.bugbounty.ch

This article originally appeared on m-q.ch - https://www.m-q.ch/de/ethical-hacking-programme-fuer-kleinunternehmen-und-gemeinden/
