Ethical Hacking: Programs for Small Businesses and Communities
How can small organizations, even with limited resources and IT expertise, gain easy access to bug bounty programs in order to effectively increase their IT security? Finding this out is the goal of a study launched by Bug Bounty Switzerland together with the Zurich University of Applied Sciences ZHAW, which is supported by the Swiss innovation funding organization Innosuisse. In a preliminary project, the [...]

Ethical Hacking: The Bug Bounty Concept
The bug bounty concept, i.e. the search for vulnerabilities in IT infrastructures by ethical hackers who are rewarded for their findings, has now arrived in Switzerland - not least thanks to the pioneering work of Bug Bounty Switzerland. With its comprehensive range of services (from consulting, program development and customer support to assistance in closing security gaps) and its own platform hosted in Switzerland, the company has succeeded in making bug bounty programs accessible to more companies. Nevertheless, today it is primarily larger organizations such as the University Hospital Zurich, Ringier, Valiant Bank, the Baloise Group and BKW that run ongoing ethical hacking programs. With the joint research project with the ZHAW, Bug Bounty Switzerland is now pursuing the goal of further reducing the complexity of the method so that small organizations can also gain access and be empowered to continuously improve their information security. In view of the often scarce financial IT resources in small organizations, the preliminary study aims to find out which alternative financing models are conceivable and which non-monetary incentives could be offered to ethical hackers. There is also the question of how to provide the expertise needed to deal with the identified vulnerabilities. In particular, external service providers who take care of the management of IT systems as outsourcing providers must also be involved. And finally, the researchers are also interested in the extent to which a community of bug bounty users could be useful for exchanging information with each other and with ethical hackers.

No digitization without IT security: "Digital Trust"
IT security is relevant for everyone who relies on modern business models and processes in the context of digitalization. After all, the digital transformation can only succeed if users and customers have confidence in the processes and security of their data and these remain operational. This is also referred to as "digital trust". However, this trust is at risk if new data leaks occur every week and security gaps can be exploited. SMEs and municipalities are also increasingly falling into the clutches of cyber criminals. "If the digital transformation in Switzerland as a whole is to succeed, we must not neglect SMEs - or the public sector - in terms of security," says Peter Heinrich from the Process Management and Information Security Unit at the ZHAW School of Management and Law. It is not enough to simply point out security gaps: "We have to create real capacity to act. Organizations must be given the means and know-how to correctly assess their vulnerability and make sensible decisions. We therefore want to find out where they need help to help themselves."

A Swiss ecosystem for dealing with vulnerabilities
In a follow-up project, Bug Bounty Switzerland and ZHAW want to work on the further development of Bug Bounty Switzerland's platform into a Swiss ecosystem for holistic vulnerability management. This should connect all stakeholders (in addition to ethical hackers, e.g., authorities and suppliers) in a continuous information security process and also be accessible and affordable for SMEs, micro organizations and public administration. "We live in a networked world. We have to get a grip on protecting Switzerland as a business location on the global network together," explains Sandro Nafzger, CEO of Bug Bounty Switzerland. "As a Swiss bug bounty pioneer, we want to contribute to the security of the country and the success of the digital transformation: together for a secure Switzerland."

Source and further information: www.bugbounty.ch

This article originally appeared on m-q.ch - https://www.m-q.ch/de/ethical-hacking-programme-fuer-kleinunternehmen-und-gemeinden/