Beyond The Cyber Basics: Bug Bounties And Simulated Attacks

This month marks the one-year anniversary of the WannaCry ransomware attacks, which Wired called the “worst digital disaster to strike the internet in years.” By exploiting a Windows SMB vulnerability for which a patch had already been released, the ransomware spread without any user interaction and encrypted data on some 200,000 computers across 150 countries, then demanded payment for restored access. The cost of damages has been estimated in the billions of dollars.

With losses of that magnitude and upcoming regulations such as the EU’s General Data Protection Regulation (GDPR), it’s clear that cyber continues to be a high priority for businesses, governments and the general public. Addressing cyber risk has been made all the more complicated by the multitude of entry points that attackers can exploit – and it’s not just software and hardware. Simple human error and malicious intent from employees also play a significant role. Every employee who reflexively opens an attachment has the potential to unleash crippling malware on the company.

Yet, despite increasing breaches and regulations, many organizations still do not have the basic elements of cyber security in place. Others, however, are attempting to focus on proactive security to augment their efforts with a range of approaches. And these tactics – including red teaming and bug bounties – have opened a new front in the battle against hackers.

In Depth

According to Aon’s 2018 Cybersecurity Predictions, the days of simple firewall protection and malware-detection software are long gone. Thanks to further digitization and the ever-expanding web cast by the Internet of Things, the line between the physical and cyber worlds is becoming more and more blurred – which means a seemingly limitless number of end points for hackers.

It’s the responsibility of companies to keep up with and adapt to these advancements. As such, coming years will see increased emphasis on accountability with regulations such as the European Union’s GDPR and Australia’s Disclosure Requirements. On top of the hefty fines from new data protection laws, the potential costs of an attack can be astronomical, damaging both a company’s reputation and its finances. According to Aon’s report, the global cost for organizations of ransomware attacks in 2017 was nearly $5 billion, which is 400 percent higher than the previous year. In addition, companies spent a total of $86.4 billion on cyber security, up seven percent from the previous year. As the world becomes more connected, these numbers will likely continue to climb.

Every aspect of an organization is touched by an attack, and attacks require a comprehensive response, from the C-suite to board members to frontline workers. Cyber exposure can’t be successfully addressed if viewed in a silo. With this in mind, below are innovative ways for organizations to combat cyber threats.

Cyber security: Proactive approaches

Data breaches can be as simple as “spear-phishing” for passwords, or they can be as sophisticated as hacked IoT devices, coordinated misinformation campaigns or botnets. Recent attacks have occurred through end points as seemingly innocuous as Wi-Fi enabled cameras, fitness apps and bug-tracking databases. Malware has even been camouflaged as a popular software installer.

As the methods of attack evolve, so too does the likelihood of an employee or partner organization making a mistake. For now, companies can use the following approaches to better protect their data.

Pen Tests and Red Teaming Exercises

Organizations worried about any aspect of security should combat threats by testing their own systems and people. Building a strong defense entails working with both employees and security professionals and can be accomplished with penetration, or “pen,” tests and red teaming exercises.

Penetration tests

These tests are authorized, simulated attacks on a company’s network or technology, carried out within an agreed scope and rules of engagement. The goal is to find vulnerabilities, demonstrate which ones are actually exploitable and rank them by risk in a full assessment. As Justin Clarke-Salt, Managing Director at Stroz Friedberg, an Aon company, says, “A good metaphor is a security team testing all the doors and windows in a certain area to see which are unlocked or slightly ajar.” Companies without such a team in place may need external support. Any time new software or hardware is adopted, or new regulations require updated compliance, a pen test can help bring organizations up to speed.


Red teaming exercises

These exercises are unannounced “attacks” that are meant to simulate the real thing. Unlike pen tests, which aim to catalogue weaknesses across a wide variety of end points, red teaming is objective-driven: a team of security professionals – white-hat hackers, often external – looks for a single way in rather than every way in. Once such a foothold is found, the team shifts gears and sees how deep into the environment it can go toward its objective, which is what makes the exercise a realistic test of whether the organization’s threat detection and response actually work. Whenever an attack makes headlines, red teaming exercises should be scheduled to look for similar weaknesses.

In addition to pen tests and red teams, companies should also alert employees to recently identified malware, require unique passwords backed by multi-factor authentication (forced periodic password changes are no longer recommended by NIST SP 800-63B, which favors changing a password when there is evidence it has been compromised), and keep employees abreast of any recent attacks reported in the news.

Working with the Public at Large: Cyber Bug Bounty Programs

In 2017, tech behemoth Google paid out nearly $3 million as part of its bug bounty program. Bug bounty programs are what they sound like – a “bounty” is paid by an organization to outside security researchers who find and responsibly report bugs, namely vulnerabilities, in its software and services. And it’s not just tech giants flocking to such programs. Businesses that operate rewards programs such as gift cards and loyalty points – including airlines, retailers and hospitality providers – will particularly benefit from bug bounties, because stored value of that kind can be cashed out by attackers almost as readily as money.

While the bug bounty programs help find vulnerabilities, these programs might require support from external experts to avoid introducing new risks. Nitai Mandhyan, Vice President, Cyber Proactive Advisory at Stroz Friedberg, warns that companies using such programs must be ready to act on disclosures. “When you learn of a critical vulnerability, this knowledge can quickly turn into a liability if the risk isn’t quickly mitigated. Without remediation readiness, your risk management program could flip and actually introduce risk.”

It’s not difficult to imagine that in the years to come, organizations will continue to partner with one another to strengthen the line of defense against attacks.


Industry Partnerships: Addressing Cyber Threats

The need for increased security is not limited to a comprehensive view within an organization; a broader collaboration between industry leaders is needed. For example, Allianz, Aon, Apple and Cisco recently announced a new cyber risk management solution for businesses, which utilizes the cyber resilience evaluation services of Aon, the technology of Cisco and Apple and the insurance coverage of Allianz. This sort of partnership signals the need for industry leaders to come together to better serve the market and work toward protecting consumer data.

According to Clarke-Salt, “Criminals look to attack smaller, poorly defended companies that provide services to global organizations to gain access to the bigger companies’ systems.”

On top of that, more than 70 percent of data breaches now occur through end points used by individuals, such as personal computers and smartphones, and the number of handheld devices per employee is expected to continue growing rapidly.

Therefore, it’s incumbent upon larger organizations to work with partner organizations on the cyber security of the services they share – such as single sign-on, cloud storage and credit card processing – so that any exposed IT and security entry points are identified and closed.


Organizations will need to maintain vigilance in the face of constant threat. Customers are likely to respond positively to companies viewed as responsible stewards of their personal data. In the event of a large-scale, headline-grabbing attack, companies must be able to demonstrate that precautions were taken and that they are prepared to respond.