
What it means to be an ethical hacker with Glenn Wilkinson

want me to help them secure their businesses, via their online presence or their physical security. From their staff to their servers, everything in between, anything that holds data or transmits data.


“The analogy I sometimes use is that it’s like hiring an ethical burglar and asking them to come and check your home security. Because generally, the mindset that a burglar has, or the mindset that a hacker has, is a bit more inquisitive than the person who sets up the security. So, the person who instals the home alarm, or possibly sets up security at a company, the way they think is sometimes a bit more defensive, a bit more mundane.

“As an ethical hacker, what largely drives you is curiosity. So, there’s this thing in front of you, this barrier that’s stopping you getting some interesting information, how can I go around the edge or dig underneath or climb over the top to try and get to that information?

“It’s often not as glamorous as you might see in the Hollywood way. Generally, if I’m asked to test a bank’s security, it generally involves about four days of metaphorically banging your head against the wall, trying to find those weaknesses; maybe it’s an outdated server somewhere, maybe you can trick an employee to click an email link.

“If you think about an organisation, it’s like a piece of candy – it’s hard on the outside, soft and squishy in the middle. Once you crack the outside and get to the inside, then generally the data just pours out and very quickly, you get access to everything that’s precious to that organisation.”

How can businesses identify potential cyber weaknesses in their organisation?

“If you’re a business and you’re trying to identify cyber risks that might let criminals or hackers in your organisation, there are all kinds of things that you can do. Generally, I would say there’s no silver bullet, there’s no one product or magic thing – no matter what vendors tell you – that will solve this.

“But, generally speaking, a layered approach is good for cybersecurity, for home security, for life. If you diversify what you’re doing, you stand a better chance if one system fails. Experts might try and tell you things like segmenting the network, things like zero trust, making sure your software is up to date.

“There are all kinds of solutions these days, there’s lots and lots of little things you can do as an organisation.

“Generally, that layered approach, that’s quite good. I’d say if you’re watching, listening or looking for two or three things that you should do, keep your software up to date. If there’s a vulnerability and your server software or your client-side software isn’t up to date, hackers can take advantage of it.

“Make sure to use password managers, because if you’re forcing your staff to remember 20 different passwords and change them every month, that doesn’t work out well for anyone except the hackers. If you only remember one password to unlock the password manager, that’s quite a secure approach. Make sure to pick a good password for your one password.

“What I like to do is use these things called ‘canary tokens.’ Essentially, you embed a little bit of information in Word documents, Excel documents or PDFs, and you leave these files lying around like trip wires. So, it’s kind of like leaving confidential files at home, a piece of paper that says, ‘top secret,’ and you put a little vial of ink next to it so if someone picks it up, the ink spills. Then you’ll know that someone’s been there.”
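The tripwire idea Wilkinson describes, as an added example that is not from the interview or from any canary token product: a minimal Python registry that mints a unique tracking URL to embed in each decoy file (the tracker host canary.example.internal is a hypothetical placeholder) and a detector that scans the tracker's access log for requests to known tokens. The decoy file names and log lines are constructed sample data.

```python
import re
import secrets

# Hypothetical internal host that serves the tracking URLs and keeps an access log.
TRACKER_HOST = "canary.example.internal"  # placeholder, not a real service

def mint_token(registry, decoy_name):
    """Create a unique token, remember which decoy file it belongs to, and return
    the URL to embed in that file (e.g. as a remote image so opening it fetches the URL)."""
    token = secrets.token_hex(8)  # 16 hex chars, unguessable
    registry[token] = decoy_name
    return f"http://{TRACKER_HOST}/t/{token}.png"

# Common Log Format line for a request to a tracking URL; only the token path matters.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|HEAD) /t/(?P<token>[0-9a-f]{16})\.png'
)

def detect_triggers(registry, log_lines):
    """Return one alert per request that hits a minted token: which decoy was
    opened, from which source address, and when. Unknown tokens are ignored."""
    alerts = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoy = registry.get(m.group("token"))
        if decoy is None:
            continue  # noise or a probe, not one of our tripwires
        alerts.append({"file": decoy, "source_ip": m.group("ip"), "time": m.group("ts")})
    return alerts

def demo():
    """Mint two tokens for constructed decoy names, then replay constructed access-log
    lines as if the tracker had recorded them. Only the first line is a real hit."""
    registry = {}
    salaries_url = mint_token(registry, "salaries-2024.xlsx")
    mint_token(registry, "passwords-old.docx")  # never opened in this sample
    token = salaries_url.rsplit("/", 1)[1][: -len(".png")]
    sample_log = [  # constructed sample log lines, not real traffic
        f'10.20.30.40 - - [12/Mar/2024:09:14:02 +0000] "GET /t/{token}.png HTTP/1.1" 200 95 "-" "Microsoft Office Word"',
        '10.20.30.41 - - [12/Mar/2024:09:15:10 +0000] "GET /t/0123456789abcdef.png HTTP/1.1" 404 0 "-" "curl/8.0"',
        '10.20.30.42 - - [12/Mar/2024:09:16:33 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    ]
    return detect_triggers(registry, sample_log)

if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT: {alert['file']} opened from {alert['source_ip']} at {alert['time']}")
```

The same detector can be pointed at a real web server log once the tracker host exists; the value of the tripwire is that a legitimate user has no reason to open the decoy, so any hit is worth investigating.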