PwC has had hackers on its payroll for the past 20 years. But, in recent years, hackers have become a much more important part of its business.
Indeed, Will Rimington has seen the firm’s penetration-testing team, which he heads up, grow significantly in the 12 years he’s worked for the practice.
“It’s become a bit more front and centre in terms of the firm’s wider consciousness,” he says. “We’re not only doing traditional risk consulting around security policies and controls – there’s more of an appetite to back that up with testing. Essentially, we act like baddies, and have a go at it.”
Use of ethical hackers is becoming more common among accounting firms as clients get more nervous about the vulnerability of their data. According to the latest government statistics, one in four UK businesses experienced a cyberattack last year, with large firms losing an average of £36,000 each, and small businesses and microbusinesses losing £3,100 each.
Know your weaknesses
PwC’s penetration-testing team feels that the best way to identify weaknesses is to find and exploit them using its own ethical hackers (‘white hats’, as they’re known in hacker circles), before malicious hackers (‘black hats’) get a look-in. “We follow the whole process, end to end,” says Rimington.
“How do you get from being a complete outsider to an organisation to actually being able to exfiltrate interesting information? That has become the real test of an organisation’s security, and it can start with open-source-type reconnaissance on an organisation. That includes looking at the people who work there, and examining things like LinkedIn, Facebook, blogs and so on, to identify potential personnel weaknesses.”
Insider threats – intentional or unintentional – from current and former staff remain the biggest weak spot for most businesses. As more people use their own laptops and phones to access work systems, they open up more avenues for hackers to carry out attacks.
Rimington says his team spends a lot of time testing mobile devices to see if they can get into clients’ systems. Some methods of testing employee vulnerabilities are worryingly simple. “You only need to do something as basic as sticking some malware on a USB stick and just watch where that ends up,” he explains.
Attacks on businesses are varied and increasingly complex, Rimington says.
His team is currently looking at how attackers might access an ‘air-gapped’ computer (one that is unconnected to the web or another computer, for security purposes) using light sensors and sound waves: “We’re looking into the ability to actually pass commands via those sorts of media to extract specific bits of data.”
Add to this the rise of state-sponsored hackers and you have a pretty scary picture for clients. Smaller practices might not be able to hire their own hacking teams, but they can work with freelance ethical hackers or security firms to check clients’ security.
Rimington says most small businesses just want a seal of approval: “We come in to verify whether their security is up to snuff, so they can continue to build up their businesses.” In any event, the need for greater security isn’t going away.
“More regulations, such as the EU General Data Protection Regulation, are increasing the requirements on businesses for protecting their data,” says Rimington. “The consequences of breaches are becoming more governed. I think that’s the space to watch”.
This article first appeared in the March/April issue of Accounting Technician.
Mark Rowland is the Editor of Accounting Technician.