How vulnerable are you?

How vulnerable is your company? If there’s a cyberhit on your firm today, what will you do? What can you do? 

Late last month I was in Tel Aviv at CyberWeek, one of the world’s top cybersecurity conferences, which attracted a mix of hackers, cybersec experts and government officials. One flaw that needed attention: lack of a cyber-risk index that could help companies assess how prepared they are if a cyberhit occurs. 

That gap was addressed on July 4, 2019 with Israel’s Team8 and Moody’s launching a cyber-risk index for businesses. The joint venture will assess how vulnerable businesses are to cyberhits. It will develop a framework to measure companies’ defenses for such attacks vis-à-vis others. The firm will be based in New York and Tel Aviv. 

“We don’t focus enough on the human equation in cybersecurity,” Israel’s Team8 CEO Nadav Zafrir told delegates at CyberWeek. “Hacker attacks have evolved – and so have security measures. But it is human beings who suffer the consequences the most.”

Team8 was founded in 2014 by Ronni Zehavi, Liran Grinberg, Israel Grimberg and Nadav Zafrir, three former leaders of Israel’s military intelligence Unit 8200. Former NSA Director Mike Rogers joined its Board of Advisors in 2018. In October 2018, Singapore’s Temasek Holdings acquired Team8-incubated Sygnia for US$250m. 

“A coordinated global cyberhit could cause economic damages of between US$85-US$193 billion, one hypothetical scenario developed as a stress test for risk management showed,” Reuters reported. “In this scenario, claims paid by the insurance sector are estimated at US$10-US$27 billion, according to Lloyd’s of London and Aon.”

What can you do to find bugs in your firm’s apps? Hire hackers! Meet the world’s first million-dollar hacker: he’s 19, he’s Argentinian and he has no formal training in computer science. He’s the first in the world to make US$1m from ethical hacking! 

Meet Santiago Lopez, a self-taught hacker who used YouTube and hacking blogs to hone his skills. He has discovered and reported more than 1,700 unique vulnerabilities to companies such as Twitter, WordPress, Automattic, Verizon Media, and others.

“I watched online tutorials and also read a lot about hacking. This is how I became the hacker that I am today,” he says. “It took me a long time to find my first vulnerability, but with patience and effort, it can definitely be achieved.”

Santiago practices his “craft” for up to 7 hours a day under the moniker “try_to_hack” and told his family and friends about his “trade” only after a while. “They viewed the hacker as a bad person who robbed people,” he admits. “They did not think it was possible that a hacker could be good and make money legally. After spending a great deal of time explaining this to them, they finally started to believe it and were super happy for my success.”

He enrolled at San Francisco-based HackerOne, which was itself started by hackers and cybersec experts in 2015. The platform works with ethical hackers (“White Hats”) to help companies and government bodies uncover security bugs in their code and programs. Companies pay “bug bounties” to White Hats for finding bugs in their apps. HackerOne has offices in London, New York, Singapore and Holland. The firm has so far paid out US$43m – US$19m in 2018 alone – in bounties to White Hats worldwide.

Santiago’s inspiration came from the 1995 American movie Hackers, which starred Jonny Lee Miller and Angelina Jolie. In 2015, at age 16, he signed up on HackerOne and earned his first bounty of US$50. Over the past three years of hacking after school (and now full-time), he has made 40x the average software engineer’s salary in Buenos Aires from bug bounties.