When it comes to understanding the different types of hackers out there, it’s not quite as simple as characterising the perpetrators as good or bad.
There are the good: ethical hackers who help and work with organisations to understand their weak points. And there are the bad: criminal, malicious hackers intent on breaking the law to make money. But there is also a group in between known as ‘grey hat hackers’ who often have good intentions but, and here’s the catch, may expect to be rewarded for their work.
No free ride
Hiscox’s largest cyber insurance claim in 2017 came following a grey hat hacker finding a vulnerability in a company’s network. The hacker was not interested in exploiting the vulnerability; instead they wanted a reward for finding the problem.
In this case, the somewhat clumsy activities of the grey hat hacker could be seen as an act of extortion. While also creating a bigger problem for the company than just having to fix the issue.
The activities of grey hat hackers have been encouraged by the widespread use of ‘bug bounty’ programmes. Also known as Vulnerability Rewards Programme (VRP), these are programmes set up by companies who are happy to pay hackers to find vulnerabilities in their systems.
Uber had its bug bounty programme criticised recently when it was revealed that a 2016 data breach, leading to the loss of nearly 60 million customer records, resulted in a payment to a hacker who was on the bug bounty programme. Some claimed this was a simple case of extortion.
Facebook is surprisingly open about its use of grey hat hackers. An article in The Telegraph states that in 2017 Facebook received 12,000 submissions to its bug bounty programme, paying out a total of $880,000 (£64,000). Since the programme was launched in 2011, it has paid out a total of $6.3 million.
Grey hat hacking can lead to regulatory problems
Whether they are operating through official 'bug bounty' programmes or not, there are a growing number of ‘security researchers’ (what grey hat hackers like to call themselves) out there who have varying levels of skill and knowledge. Even if they are trying to do the right thing by protecting organisations, if they don’t do it in the right way, it can cause lots of issues.
One of the main problems that can arise is when a grey hat hacker also accesses data. Such a 'breach' would trigger a company’s obligations under the newly introduced General Data Protection Regulation (GDPR), which automatically ratchets up a company's costs.
While many businesses justifiably use ethical hackers to test their systems, the key difference is they are aware of what is happening, and the testing can be carried out in a controlled environment. Businesses who promote the use of grey hat hacking can face potential issues. These tend to be around the legality of hackers attempting unauthorised access to systems, the damage they can cause in the process of looking for security flaws, as well as the lack of transparency when it comes to payment for their services.
Cyber insurance will respond
From an insurance perspective, a request or demand from a grey hat hacker would trigger a cyber insurance policy in the same way that an attack from a malicious hacker would. This goes to highlight the importance for businesses to have a policy in place that can respond to a wide variety of circumstances - even when the hacker in question has the ‘best’ intentions.
Hiscox can help minimise any loss and possible damage to your business and its reputation, IoD members receive 5% discount for the lifetime of their policies.
0800 280 0354
Find out more
What all SMEs need to know about cyber security
Tuesday 20 November, 9-10am
The webinar will provide an interactive platform for SMEs to gain a greater understanding of cyber security, as well as practical advice around how to defend against attacks, and deal with the aftermath of an attack in the short, medium & long-term
Register for free