How secure is our company from hacker attacks? This question is being addressed by numerous companies, including in Switzerland; among them the financial services provider Baloise. To answer it, Baloise is allowing itself to be hacked – in a protected setting.
Following the credo «Fight Fire With Fire» or «Hack Hackers With Hackers», Baloise has decided to enter the ring to defend its cybersecurity. To do so, it launched a program together with the Swiss start-up Bug Bounty Switzerland, which aims to actively find and fix hidden vulnerabilities. Seeing the results after the first steps was very exciting. There was also relief at the initial feedback from the ethical hackers, since the security vulnerabilities they reported could be closed. In one project, the efficiency of penetration testing and of bug bounty programs could be directly contrasted, and important insights were gained.
Companies can ask themselves the following question: Should we let cybercriminals do their worst or do we take control of the situation and sit in the «driver’s seat»? Sandro Nafzger, CEO & Co-Founder of Bug Bounty Switzerland, says:
“It’s not about hoping that you have already done enough for information security, but figuring out where you need to do more to protect yourself from cyberattacks. Through a bug bounty program, you finally get a realistic risk assessment and proactively address your increasing vulnerability.”
By working with ethical hackers, one can continuously gain an important knowledge advantage over cybercriminals. The description of each finding is easy to understand, which means that a suitable solution can be implemented quickly. One also gets a step-by-step account of how the hackers proceeded, as well as a recommendation on how to fix the problem sustainably.
The days are gone when software versions were released once or twice a year. This also means that the ability to plan for newly emerging, potential security vulnerabilities is lost. In recent years, the trend (also in the financial sector) has been moving more and more in the direction of «Continuous Delivery & Continuous Deployment».
So you have to keep up all the time. It therefore makes sense to supplement traditional pentests with a bug bounty program and even replace them where it makes sense.
Financial companies must comply with Finma’s organizational requirements at all times. This includes measures to protect institutions and the financial system from abuse. Tobias Lux, Finma media spokesman, comments:
“The supervised institutions must outline how they deal with threats from cyberattacks and protect their systems from such attacks. Where are our own risks? How do we respond to attacks? To answer such questions, institutions need to know their own vulnerabilities. Regular penetration tests and vulnerability analyses are therefore indispensable.”
Nafzger welcomes that:
“What many companies do not know: this includes bug bounty programs.”
Particularly in the rapidly mutating cyber domain, we have to constantly adapt to new risk situations and continuously adjust our approach to defending against damage. When selecting and evaluating new tools and services, we look very closely at the cost-benefit factor. And the benefit of a bug bounty program is very high compared to the work or cost involved.