The hacking lowdown

Samantha Beaumont’s career in hacking started when she was a teenager, tinkering with circuit boards and portable electronics. Now she’s responsible for assessing the security of some of the world’s biggest companies as an ethical hacker.


Given the spate of corporate computer hacks seen in recent years, it’d be easy to associate hacking solely with malicious intent or criminal gain. Not so for Samantha Beaumont, who makes a living out of the practice: “It isn’t just about breaking into systems to cause havoc,” she says. “What hacking is really about is helping people.”

As a Security Consultant for one of the world’s largest software companies, Samantha is responsible for assessing – and improving – the cyber security of businesses around the world, working on the smallest web applications to the biggest computer systems. Her modus operandi is simple: to foil a hacker she must think and act like one. She is what is commonly referred to as an ‘ethical hacker’.

“The work I do is a bit like that of a watchmaker,” Samantha says. “A watchmaker is responsible for creating timepieces that people depend on every day, and it’s only the watchmaker with a true understanding of his or her craft that can fix watches or break them into pieces and put them back together again in ways that people hadn’t previously thought about – ways that improve them.”

It is this ability to improve security systems which gives Samantha the conviction that her practice is one of help, not havoc. Cyber security, perhaps more than any other aspect of business, is in a constant state of flux. It calls for repeatedly improved solutions in order to thwart compromise. No sooner has a new solution been implemented than hackers are scrutinising it.

“Too many times have I heard businesses say that a solution isn’t relevant to their system because they’ve never been compromised in that particular way before,” says Samantha. “The fact is, hacking isn’t about doing things that people know; it’s about doing things that people don’t expect or that have never been done before, manipulating systems in ways that previous programmers and administrators would never have thought possible and using their logic against them.”

It’s not a checkbox activity

On the one hand, SMEs have an advantage over larger organisations when it comes to cyber security; their size tends to render them more agile and fluid. This comes with a warning from Samantha, though: “No system is an easy target by design, only by negligence.”

Nowadays, any business with a stake in a security system (i.e. any business reliant on computers and the internet) must necessarily ensure that their cyber security is, as Samantha says, built in and not bolted on. “It can’t be a matter of crossing off boxes on a checklist whenever an assessment period comes around,” she says. “Cyber security absolutely has to be built in, from the ground up.”

This doesn’t mean that buying tools fixes everything, though. “There’s no use buying tools with flashing lights that tick boxes if the humans behind them are in need of basic security training,” says Samantha. “When it comes to cyber security, people are always the weakest points. You can have the most secure system in the world, but that’s no use when the guard manning the gate will let anyone in. One of the best things any SME can therefore do in terms of improving its cyber resilience is to look at its people and make sure they are security savvy – even just on a basic level to begin with.”

Nobody is immune

Cyber security vulnerabilities vary from business to business depending on their foundations and individual systems. That said, Samantha recommends researching the Open Web Application Security Project’s Top Ten – an invaluable reference list and starting point for internal cyber security assessments, detailing the ten most commonly exploited vulnerabilities of web applications.

Building on that, she advises businesses to build in security across every avenue into the business. “People come first,” she says, “but businesses also have networks, cloud storage, hardware, websites. All of these are avenues that need to be secured in order to function safely and securely.”

As this issue’s cover feature highlights, nobody is immune to cyber crime today. Even the most secure systems can crumble against attacking entities putting enough time, focus, determination and energy into breaking them. “This isn’t about likelihood anymore,” says Samantha. “It’s about impacts. We need to be vigilant and relevant, and not just assuming that cyber security can be checked at the end of each day.”
