Crowdsourcing—garnering input or support for a venture from a large number of people via the internet—has become an everyday practice, and the most common variety is the crowdfunding campaign.
According to the popular platform GoFundMe, more than 10,000 people start a GoFundMe campaign each day—a statistic that explains the site’s claim to have raised more than $5 billion since its 2010 launch.
Such campaigns are well and good for individuals and businesses looking to raise money to get new products off the ground or muster support for a pet cause. But would you trust crowdsourcing as a means to improve the security of your network and enterprise systems?
Quite a few of the world’s largest high-tech vendors do just that, and the smart money suggests that hundreds of organizations, abroad and here in Australia, are set to follow suit. Offering financial rewards or “bug bounties” to hackers who can find a weakness in your cybersecurity bulwark can be a fast and cost-effective way for organizations to strengthen their defenses before trouble strikes for real.
The chance of real trouble is rising. Nearly 50 percent of the local enterprises surveyed by PwC for its 2018 Global Economic Crime and Fraud Survey: Australian Report claimed to have experienced a cyberattack between 2017 and 2018. Cybercrime has been flagged as the most disruptive economic crime du jour and the prime danger to growth prospects for businesses.
Research commissioned by Microsoft in 2018 put the economic costs associated with cybersecurity incidents—revenue loss, reduced profitability, fines, lawsuits, and remediation—at a staggering $29 billion a year, almost two percent of Australia’s GDP.
Large organizations—those with more than 500 employees—may incur losses as high as $35.9 million in the form of direct, indirect, and induced costs should a significant breach occur.
A crowdsourcing cybersecurity initiative is not a complete safety solution, but it can be an excellent way to test the efficacy of the measures you’ve already put in place.
It’s not a matter of throwing down the gauntlet to random, faceless hackers with dubious intentions. Companies can engage with the cybersecurity equivalent of GoFundMe: established platforms whose verified security researcher members can opt in to challenges as they’re posted. Popular platforms include HackerOne and Bugcrowd, winner of the Australian American Chamber of Commerce’s Most Innovative Company award for 2018.
Here are some reasons why it makes sense to open your enterprise security infrastructure up to the crowd.
If you’re an Australian organization looking to beef up your internal cybersecurity team, then good luck with that. The industry is in the grip of a significant talent deficit—federal agency AustCyber has estimated that an additional 11,000 cybersecurity professionals will be needed to meet demand over the coming decade, and that’s unlikely to change any time soon. Importing overseas specialists to plug the gap is not the answer, given that experts claim the skills shortage is similarly acute elsewhere in the developed world.
Security crowdsourcing can provide access to a smorgasbord of specialized skills that would be expensive and difficult to access on the open market. Better still, they’re available on a no-win, no-fee basis, as companies only pay bounties when bugs are detected. That makes it a cost-effective means of augmenting existing resources.
A headline-hitting breach or security outage has the potential to be a long-term reputation wrecker. Consumers fret about the fallout should their data fall into hackers’ hands and wonder whether the company in question is committed to ensuring it doesn’t happen again. Commencing a crowdsourcing security initiative can be one way to demonstrate you’re taking the issue seriously and are willing to explore new measures to bolster your defenses.
If there’s one thing hackers and cybercriminals like, it’s easy access.
Keeping pace with other organizations on the cybersecurity front lessens the chance you’ll be a sitting duck. As security crowdsourcing goes mainstream, that may mean joining the crowd of companies posting their own bug bounty challenges.
In a climate of rising risk, there’s no room for complacency. Australian companies need to act wisely and strategically if they’re to keep pace with the army of hackers and cybercriminals intent on compromising and exploiting corporate networks and the customer data they contain. Enlisting a crowd of experts to the defense team can be a great start.
If you enjoyed this article, read “Why bug bounty programs are going mainstream,” by Bil Harmer, Zscaler Americas CISO.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scott Robertson is the Zscaler Vice President of Sales in the APJ region.