- Hackers can play a critical role in society by discovering security holes in software.
- Users of cloud software should use Virtual Private Networks to create an extra layer of encryption and protection, advises Keren Elazari, a US-Israeli security researcher.
- Elazari, who has worked with many large organisations, is to speak at the World Congress of Accountants in Sydney in November
By Sholto Macpherson
Given the frequency with which hackers empty bank accounts, steal identities and wreak general mayhem, it may seem a little odd that they have a public representative. But Keren Elazari, a US-Israeli security researcher and informal ambassador for the global hacker community, is adamant that hackers are an essential force of good.
Her TED talk (with 600,000 views) posits that hackers are the immune system of the internet and play a critical role in society. She researches bug bounty programs – a monetary rewards system for hackers who discover security holes in software – and the value they create in the software industry.
The power of hackers in society is expanding as the world becomes more digitised. The number of devices connecting to the internet, from thermostats to servers, surpassed the number of humans on Earth four years ago. Today the ratio is 12 billion devices to 7.5 billion people – and within two years the ratio will be four to one. “We are already the planet of the machines,” Elazari says.
Many of these devices, which collectively make up the “internet of things”, have poor defences against malicious attacks because their manufacturers have little incentive to deal with the consequences of a network breach. Elazari has worked with very large companies and government agencies in the US and in Israel, helping them understand how to address this problem.
One of those large companies was PwC in Israel, 15 years ago. The business world was then adjusting to the new Sarbanes-Oxley rules and the Big Four found themselves knee-deep in security audits. Deloitte and EY now have some of the biggest security consulting divisions in the world, Elazari says. The issue is now important enough that chief security officers often report directly to the CEO and board.
“At a certain size, especially if you’re in the financial industry and dealing with customer data, I think it’s irresponsible not to have a security manager,” Elazari says. If a company has an IT department, it should consider adding a security team.
Hire a hacker you can trust
How do you hire a hacker you can trust? Elazari recommends prospecting at IT security conferences, where experts are willing to have conversations in the open rather than in encrypted online chat rooms. The most desirable skills are digital forensics and incident response, the disciplines that uncover and investigate attacks.
Technology can supplement these skills but can’t replace them.
Companies with 20 or fewer employees that can’t afford a security researcher should partner with larger organisations to protect their data, Elazari says. An easy step is to use cloud software, where the software company takes on much of the security burden: patching, hardening and monitoring the servers. The customer still owns what happens in its own accounts, so strong passwords, two-factor authentication and careful control of who can log in remain the firm’s job.
What are the first principles this white-hat hacker recommends for defending accounting firms?
“Before buying anything, I would get the operating systems to the latest and greatest versions and make sure you update them regularly,” Elazari says. This includes not just PCs and laptops but mobile phones, routers and any other hardware connected to your network.
Elazari suggests making it a monthly habit to check that every device is up to date. Turn on automatic updates for operating systems (on Mac and PC) as well as for Flash and Java, two popular entry points for attackers. (Adobe ended support for Flash at the end of 2020; a machine that still has it installed should have it removed rather than updated.)
The Windows operating system attracts most of the attention from malware attackers as it’s the world’s most popular operating system for desktop computers with an 80% market share. However, Windows 10 is far more secure than its predecessors.
“I have to hand it to Microsoft; their security team do a lot of proactive research and they push out updates that will prevent a lot of the attacks,” Elazari says. “Microsoft have visibility to more than 1 billion computers around the world. They can usually create a signature to stop attacks.”
Criminal hackers are looking for the low hanging fruit – there are plenty of companies still running 16-year-old copies of Windows XP that are no longer supported.
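The monthly check described above is easy to state and easy to forget. The script below is an added example, not code from the article or from Elazari: it walks a small device inventory, flags anything running an operating system past its vendor’s end-of-support date (the Windows XP case), anything not patched in the last 30 days, and anything with automatic updates switched off, and prints the worst offenders first. The inventory and device names are constructed for illustration; the two end-of-support dates are real Microsoft dates.

```python
from datetime import date, timedelta

# Vendor end-of-support dates. These two are real: Microsoft ended
# Windows XP support on 2014-04-08 and Windows 7 support on 2020-01-14.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# The article's rule of thumb: every device should have been patched
# within the last month.
MAX_PATCH_AGE = timedelta(days=30)

# Constructed sample inventory (hypothetical devices, not from the article).
# A realistic version would be exported from an MDM or asset register.
INVENTORY = [
    {"name": "reception-pc", "os": "Windows XP",
     "last_patched": date(2014, 3, 11), "auto_update": False},
    {"name": "partner-laptop", "os": "Windows 10",
     "last_patched": date(2018, 8, 14), "auto_update": True},
    {"name": "office-router", "os": "RouterOS",
     "last_patched": date(2018, 2, 1), "auto_update": False},
    {"name": "bookkeeper-phone", "os": "Android",
     "last_patched": None, "auto_update": True},
]

# Lower number means more urgent; used to order the report.
PRIORITY = {"UNSUPPORTED": 0, "STALE": 1, "UNKNOWN": 2, "MANUAL": 3, "OK": 4}


def classify(device, today):
    """Return (status, reason) for one device.

    Rules are checked from most to least urgent and the first match wins:
    an unsupported OS can never be made safe by patching, so it outranks
    a stale patch date; a missing patch date is a gap in the inventory
    rather than a known-good device, so it is reported rather than ignored.
    """
    eol = END_OF_SUPPORT.get(device["os"])
    if eol is not None and today >= eol:
        return "UNSUPPORTED", (
            f"{device['os']} has received no security fixes since {eol.isoformat()}")
    last = device["last_patched"]
    if last is None:
        return "UNKNOWN", "no patch date recorded; check the device by hand"
    age = today - last
    if age > MAX_PATCH_AGE:
        return "STALE", f"last patched {age.days} days ago"
    if not device["auto_update"]:
        return "MANUAL", "up to date, but automatic updates are off"
    return "OK", "patched within the last month with automatic updates on"


def audit(inventory, today):
    """Classify every device and return (name, status, reason) rows,
    most urgent first."""
    rows = [(d["name"], *classify(d, today)) for d in inventory]
    return sorted(rows, key=lambda r: PRIORITY[r[1]])


if __name__ == "__main__":
    for name, status, reason in audit(INVENTORY, date(2018, 9, 1)):
        print(f"{status:<12} {name:<18} {reason}")
```

Run it at the start of each month against the current inventory; anything other than OK is the to-do list. Note that the router and the phone are in the list deliberately: the article’s advice covers every device on the network, not just PCs.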
Elazari also recommends spending money on software to protect endpoints, the security term for any device operated by a user, such as laptops, desktops and phones.
Another suggestion for staff who travel frequently is to use a VPN service when connecting through public networks. A VPN, or virtual private network, creates an encrypted tunnel between the user’s device and the VPN provider’s server, so nobody else on the café or hotel network can read or tamper with the traffic, or see which services the user is connecting to. From the VPN server onward the traffic is protected only by the service’s own encryption, so the VPN complements, rather than replaces, the HTTPS that cloud applications already use. “If you’re connecting to your cloud-based accounting software, that’s where you want to have the additional layer of encryption and protection,” she says. She also recommends a VPN for users who carry customer data on their laptops.
Elazari doesn’t recommend products from particular software companies to avoid accusations of bias in her work as a researcher. However, she urges businesses to consider the status and origin of the company that makes the software.
“It does matter who is behind your security product. It’s preferable to have a company that you can trust, ideally one that has a local representative in your country.” As she carefully puts it, “global geopolitical issues” play a role here: technology companies have been caught shipping secret “backdoors” in their products that can give outsiders full control of a device, and even the US National Security Agency has been implicated in planting them. Russian software firm Kaspersky’s antivirus programs have been banned from use in US government agencies and described as “malicious” in a European Union report. “When we install a security product that will hopefully protect us from threats, we want to make sure that we’re not introducing a fifth column to our organisation,” Elazari says.
Sholto Macpherson is a technology journalist specialising in accounting software.
Keren Elazari at WCOA 2018
Keren Elazari will be among the global leaders speaking at the World Congress of Accountants (WCOA). Her topic: Security threats and practical ideas to prevent cyberattacks.