Who is hacking your network?
When talking about networks that have been hacked or breached, the default assumption is that it was someone on the outside, a nefarious individual trying to steal sensitive corporate data. However, in a recent study of IT professionals, Absolute Software discovered that 33 percent admitted that they have hacked their own network or another company’s network.
Why would IT professionals, the very employees that Absolute refers to as “security gatekeepers,” hack into their own networks?
One reason could be as simple as this: because they can. Good IT professionals have the skills to hack into any system, and the Absolute report found that IT professionals are notoriously bad about following security protocols, with nearly half of the respondents admitting that they knowingly circumvented their company’s security policies.
“There have always been multiple reasons for hacking systems, and they often start with curiosity about how a system works, and how to get that system to do more,” said Todd Inskeep, advisory board member to the RSA Conference. “In this sense, ‘hacking’ really means ‘poking around systems to get something done, maybe in a new and creative way’ to some techies.” Inskeep referred to this as “grey hat” hacking; some techies are very curious and may be looking to better understand the company’s systems.
Secondly, Inskeep added, some people hack for fun, which could include demonstrating technical skill or embarrassing someone else. “In some companies, the culture might support this kind of curiosity, while in others it might be grounds for dismissal,” he added.
It is also quite possible that these insider hackers are infiltrating the corporate network for the same reason cybercriminals do: they are looking to purposely cause harm or steal data for their own gain. “I’m fond of saying that even Mayberry RFD had a few criminals, and any organization may have some people looking for opportunity,” said Inskeep.
Yet, your company needs IT professionals to hack the network. According to Andrew Storms, VP of Security Services at New Context and a 20-year veteran of the security industry, the best security professionals will constantly try to break into their own networks to ensure their organizations are secure.
“Good security professionals will institute companywide practices such as phishing staff or trying to brute force attack their own company executives,” Storms said. “Why? How many times have you locked your car door and then tried the door handle to make sure it’s locked? It’s critical to create a culture where people are allowed to learn how to make the environment more secure, and there is no better way to start than by finding your own weaknesses before someone nefarious does.”
By hacking into their own system, IT professionals are able to understand their network infrastructure and find potential vulnerabilities. It also allows them to see if other employees are misbehaving or find lost data or institutional knowledge after employees have left the company.
“One of the most important jobs an ethical hacker has is to educate companies on how hackers can leverage their way into the systems,” security expert James Conrad told CIO Magazine.
Hacking isn’t necessarily a bad thing; it depends on what the goal of the hacker is. As Stephen Midgley, vice president, Global Marketing with Absolute Software, said in a formal statement, “Even if these actions are being performed to validate existing infrastructure, senior leadership should be aware that this activity is occurring.”