How Healthy Corporate Culture Stops Whistle-blowers

The word whistle-blower can trigger many different feelings for Americans. Much of the nation has very dichotomous feelings about whistle-blowers, either lauding them as heroes, or vilifying them as saboteurs. Individuals at the center of these whistle-blower stories are cast in different roles depending on the route that external media decides to take. While spectators decide for themselves whether the whistle-blower had good intentions or otherwise, the real question we should be asking is what kind of corporate culture within their organization allowed these events to transpire?

Whistle-blowing is not to be confused with “leaking,” another term that often appears in these narratives. In short summation, whistle-blowing is actually defined under the Whistle-blower Protection Act, describing a disclosure of information that an employee “reasonably believes” demonstrates “a violation of law, rule, or regulation; gross mismanagement; a gross waste of funds; an abuse of authority; or a substantial and specific threat to public health and safety.” These actions amount to misconduct, and are actionable. “Leaking” describes the act of indiscriminately releasing company information, regardless of whether or not that information constitutes some degree of ethical violation. The term “leaker” can also be ascribed to a legitimate whistle-blower in order to discredit them.

In reality, it is a myth that most whistle-blowers are “snitches” who go directly to external sources like the press or watchdog groups to report their organization’s problems. In most cases that have been denoted as “whistle-blowing” there are documented attempts by the whistle-blower to try and resolve the issue within their corporation or organization. It’s when those attempts to resolve the issue internally are exhausted that whistle-blowers often find themselves without recourse, and go to the media in order to get their story out there.

This is why those who work in corporate ethics and corporate compliance recommend a healthy corporate culture in order to prevent whistle-blowing from occurring in the first place. Healthy corporate cultures promote a climate of excellent communication in the pursuit of a common goal (usually outlined by a corporation’s established values or mission statement). When an issue is brought to the attention of leadership, and they are inspired by a company’s mission statement to do something about it, that is where true corporate progress occurs. The effects of a healthy company culture can actually be cyclical. When an employee reports an issue or misconduct to leadership, they might expect to receive some push back. However, when that employee is carefully heard, and taken seriously, it can foster a sense of value in the workforce, as they now know they are agents who can effect change. This inspires a higher level of engagement in employees, which leads to higher rates of productivity, which in turn leads to happier leadership, who are then more inclined to reward employees for their hard work. That all increases morale on behalf of the entire workforce, leading to a healthy company culture.

When the goal is teamwork and collaboration, there is no need to turn to external sources to shed light on an issue. A healthy company culture will create a climate where internal issues can be discussed and resolved through teamwork—not through media attention and public outrage. Whistle-blowers are not heroes or villains, depending on who you believe, but rather a symptom of dysfunction within a corporation or organization that cannot afford to be ignored.

Investigating Executives & White Collar Crime

Don’t let executive misconduct ruin your corporation…

When it comes to running a business, the executives who are the visionaries and decision-makers that shape a company should always remain above reproach. White collar crimes have the potential to pull a business up from the root with devastating consequences. Unfortunately, Americans know from media coverage and social media that there are few things we are more attracted to than stories about high-ranking officials and the misconduct that negatively impacts their businesses—both in profits and in public relations.

Many will be familiar with the recent news of Amazon CEO Jeff Bezos’ high-profile divorce following allegations of infidelity, in which his ex-wife became the richest individual in history by virtue of divorce proceedings. The fallout from executive misconduct can leave a trail of legal fees, government sanctions, violations, and public relations-related crises that can devastate a company from the top down.

Thought to be coined in 1932, the phrase “white collar crime” now refers to a spectrum of frauds and other crimes committed by high-ranking executives and officials. The most common characteristics of white collar crime contain aspects of deceit, concealment, or violation of company policies and/or state and federal law. The motive is financial, with executives skimming off the top of a company’s profits for their own use. These crimes are sometimes thought of as “victimless crimes,” with no regard to how the fallout from a fraud or scheme can impact the company, and therefore the families of its employees. The types of fraud include, but are not limited to:

  • Bank fraud
  • Blackmail
  • Bribery
  • Cellular phone fraud
  • Computer fraud
  • Counterfeiting
  • Credit card fraud
  • Currency scheme
  • Environmental schemes
  • Extortion
  • Forgery
  • Health Care Fraud
  • Insider trading
  • Insurance fraud
  • Investment schemes
  • Kickbacks
  • Larceny/theft
  • Money laundering
  • Racketeering
  • Securities fraud
  • Tax evasion
  • Telemarketing fraud
  • Welfare fraud
  • Weights and measures

Corporate fraud and white collar crime of this nature remain one of the Federal Bureau of Investigation’s top priorities when it comes to identifying and indicting perpetrators. While involvement by government agencies may seem like the end of the line, there are ways companies can get out in front of executive misconduct by hiring a private investigator to investigate these matters.

Private investigators have a unique reputation as slick operators who fly under the radar, but they are invaluable professionals to companies in the throes of a corporate crisis because they are independent and objective. Objectivity is the priority when dealing with executive misconduct and white collar crime, as any allegations or evidence presented against the executive must be presented by an individual with no stake in the outcome of the investigation. Private investigators are independently contacted by a business or corporation to investigate the alleged executive misconduct, and can gather evidence and collect witness statements without the air of bias. Because private investigators are independent contractors, there is no fear of reprisal on behalf of coworkers and other employees at the company. This leaves no lead discounted or ignored. They can investigate employees at all levels, and determine how (if at all) the executive is receiving assistance in their fraud from subordinates. One of the most attractive qualities in a private investigator is that their objectivity makes them crucial witnesses in any legal proceedings that may result from the investigation.

Businesses and corporations should never be beholden to CEOs, presidents, and other high-ranking executives who behave badly. Executive misconduct and corruption are like aggressive weeds that must be pulled from the root in order for businesses to flourish. When it comes to rooting out bad leadership, consider hiring a private investigator to navigate a tricky investigative path that can end in quality operations and peace of mind for businesses large and small.

If you have a corporate crisis like executive misconduct, we can help. Call Lauth Investigations International, a family-owned-and-operated investigative firm with over 30 years of providing successful solutions to clients in Indianapolis and throughout the nation. Call 317-951-1100 for a free consultation, or to learn more about our services, please visit our website.

BACKGROUND CHECKS

Rooting Out Thieves in the Workplace 

It is estimated 30% of employees steal from their employer.

Most of us have dealt with a thief during our lifetime. Devious and sneaky, some thieves behave as if stealing is an art. It is usually a theft exposing them; however, many times, they can strike numerous times before getting caught. When theft happens in the workplace, it can not only be a costly lesson but the cause of a business failing.

An estimated 30% of employees steal from their workplace affecting all types of businesses. For instance, if you are running a restaurant with $1 million sales annually, at only 4% theft within the company, your company would be losing $40,000 a year!

Employee theft costs U.S. businesses over $200 billion in annual losses. Not only are companies trying to prevent the public from stealing items, inventory, assets, and ideas from a business, they must also combat thieves on the inside. Unfortunately, 75% of employee-related crimes go undetected.

Theft can take many forms, such as: stealing money, embezzlement, unauthorized use of business or customer identity, and theft of intellectual property, such as cases of patent or trademark infringement.

Combating Theft is Knowing How Employee Theft Occurs.

Cash

Access to a cash register is the most common way employees steal from companies. If unsecured, petty cash drawers or boxes can be an easy target for thieves.

In addition, an employee can quote a higher price than the actual price of an item and keep the difference at the point of sale.

If employees have access to credit card information or checks, theft can happen as easily as sticking a few checks inside a folder, costing the owner thousands before it is detected.

Checks and Fraud

Most banks do not verify a signature on a company check, making it very easy to sign and cash a check.

Credit card fraud is a number one threat to companies and consumers because most credit card holders admittedly do not check each line item on their credit card statement.

According to the U.S. Small Business Administration (SBA), companies with fewer than 100 employees lose approximately $155,000 as a result of fraud each year, a much higher rate than large companies.

Payroll

Employees may often perform actions and falsify records for work they didn’t do, such as requesting reimbursement for travel and other expenses unrelated to work. Employees may also set up fake payroll accounts for workers who have been terminated or retired. Creative thievery abounds.

Time Sheets

Time theft or “Buddy Punching” is a very popular way timesheets may easily be falsified. Individuals complete this theft by having one employee punch another employee in or out for the other.

Excessive breaks, malingering, surfing the Internet, chatting with employees or taking personal phone calls are other ways time theft occurs. While some of these things may not at first be thought of as stealing, all these actions, or inactions, can affect the bottom line and be taking advantage of an employer.

Vendor Accounts

Thieving employees will set up fake vendor accounts, submit phony invoices and issue checks for the false vendor. These checks can then be signed over to themselves and deposited. In addition, a variation would be paying a vendor $500 and writing a check to themselves, expensing the entire $500 to the vendor.

Merchandise

Loss of inventory can happen in the merchandise distribution process but can also happen before merchandise is made available to the public. Many times, employees will take items from a warehouse or newly arrived items before they are scanned into inventory software. Employees have even been known to steal entire shipping trucks containing merchandise headed to their employer’s company.

Supplies

Some employees steal smaller items such as typical office supplies, but furniture and equipment are not off limits for a thief.

Information

Many employees steal information to benefit themselves or a competitor. Types of information include: office memoranda, proprietary products, customer lists and/or other confidential data. Theft can occur by email, printing, or copying information to a flash drive or cell phone, or simply carrying it out in a purse or folder.

Sometimes, theft can be subtler, such as luring customers away, purposefully providing poor service, even spreading rumors to damage a company’s reputation and cause a down-turn in business.  All are considered losses.

While there are ways to combat theft within your company, ultimately identifying the thief before they are hired is the most effective way to reduce the occurrence of theft.

The SBA recommends:  “One of the first steps to preventing fraudulent employee behavior is to make the right hiring decision.”

Background checks are a good practice for any employer, large or small, especially for those employees who will be handling cash, high-value merchandise, or have access to sensitive customer or financial data.

For over twenty years, Thomas Lauth of Lauth Investigations International has been working nationwide and helping educate employers on methods used to combat theft.

“The first and most effective way to address theft in the workplace, is to conduct an extensive background check,” says Lauth. “A background check can provide insight into an individual’s behavior, character, and integrity.”

Which Types of Background Checks Should You Conduct?

According to the U.S. Chamber of Commerce, upwards of 30% of business failures are caused by employee theft. Thus, conducting effective, extensive background checks helps to mitigate your risk of hiring objectionable or even dangerous employees.

Not all background checks are the same. As you build a profile of your future employee, there are several kinds of background checks you should consider. For example, a criminal background check is different than checking on an individual’s credit score or military service; these require consent. A criminal background check does not require consent; however, some states have laws restricting how you use the information collected during a criminal background check.

Private investigation firms like Lauth Investigations offer complete background checks while helping you comply with the law.

Protecting Your Legal Liability with Background Checks

Smaller businesses often forego background checks for two reasons: 1. A false sense of trust and security developed by business owners working too closely with employees. 2. Most businesses do not understand the legal liabilities associated with the failure to conduct employee screening and background checks.

Any business where employees provide a direct service and interact with customers, such as contractors or daycare providers, is liable if an employee does harm to a customer and the employee has a history of wrongdoing.

A company, big or small, may not recover from this kind of lawsuit.

Choosing the Right Company to Conduct Background Checks

Protecting the interests of your workplace and customers while reducing potential liability is of utmost importance; therefore, it is vital to select a company you can trust to conduct the background screening both efficiently and thoroughly.

While employers can do some background checking of their own, working with an experienced and reputable company can ensure the reliability and thoroughness of the background screening.

Purchasing instant public records found online is not appropriate for conducting potential employee background checks. Most certainly, if your hiring decision is based on public record data, your company could land in hot water.

Most public databases do not fact check, clean up or refresh their data, so they provide completely different information than that received from an investigative firm experienced in conducting professional, legal and full background screening.

Private investigators have access to databases that can definitively determine if a potential employee has a criminal background.

A reputable company providing background screening services will ensure the information you receive is current and accurate.

If a hiring decision is made based upon information found in the background check, in most cases, the company must inform the potential employee of the source used to obtain the information for the background checks (which is where using public databases can get your company in legal trouble).

What can you expect from a professional background check? According to Lauth, it’s all in the details and you pay for what you get. If you want detailed, accurate information, you will choose a Private Investigation Background Search.

Unlike a personal background search using public databases, private investigators have access to several databases providing a variety of information.

  • Employment history: This search will bring up employment records to include all positions held, making it easier to find discrepancies in a resume. It will also include salaries associated with the positions.
  • Academic and professional affiliations: Qualifications to include academic history and certification, even if the person did not complete the program.
  • Criminal records: Including a detailed outline of all criminal activity from traffic warnings and tickets to arrests and convictions. Also, these include jail time served and fines paid.
  • Financial Standing: Reflects all liens, judgments, bank accounts, current and previous property ownership, repossession of vehicles or other personal property, NSF checks and bankruptcies.

In addition to the typical information received through a personal background check, a private investigator will include:

  • Worker compensation claims an individual has filed. This can help determine the character of an individual by looking at the number of claims they have filed which could reveal a person is dishonest and fraudulent.
  • Ascertain causes of accidents or any criminal activity. DMV reports will show accident dates and basic information but do not reflect the cause. Private investigators can provide the cause behind the accident and whether criminal activity was involved.
  • Information on business and personal partners.
  • Analysis of all findings.

Relying on an Internet search is risky. A professional background screening will be more in depth than simply entering a name in a database. When a company’s future is at stake, the only way to go to obtain concise information needed to make informed decisions is a professional, private investigations extensive background check.

 

Intelligence in Business (OSINT)

By: Kym Pasqualini, Feature Crime Writer for Lauth Investigations

Open-source intelligence (OSINT) is the collection of data from publicly available sources to be used in the context of intelligence. Within the intelligence world, the term “open” refers to overt, meaning sources available publicly, as opposed to clandestine or covert sources.

OSINT is not a new concept. It has been in use for decades. However, with the arrival of instant communication and fast information transmission, a significant amount of predictive and actionable intelligence can now be obtained from unclassified public sources.

OSINT should not be confused with public intelligence or open-source software.

The U.S. Director of National Intelligence and the U.S. Department of Defense (DOD) define OSINT as information produced from publicly available information collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.

In short, open source acquisition involves procuring written, verbal or electronically transmitted material that can be obtained legally without any type of clandestine collection techniques.

Background of OSINT

OSINT originated before the Central Intelligence Agency (CIA) existed. The 1941 Foreign Broadcast Monitoring Service (FBMS) was born during World War II and evolved into the 1967 Foreign Broadcast Intelligence Service (FBIS), the predecessor of the Open Source Center of today.

Acquired by the CIA in 1947, FBIS emerged as the only recognized service organization trained and equipped to monitor and process foreign broadcasts for the benefit of all government agencies needing the service.

Coverage worldwide, to the extent it exists today, was beyond the dreams of those who lived in that era.

In 2005, following the 9/11 attacks, the Director of National Intelligence Agency, Porter J. Goss, announced the creation of the DNI Open Source Center. The Center is designed to collect information available from databases, radio, television, video, geospatial data, photographs and commercial imagery.

OSINT Information Flow Categories

  • Media to include newspapers, obituaries, magazines, television, and radio worldwide.
  • Internet includes, but is not limited to, online publications, discussion groups, blogs, citizen video (user created content and video), Facebook, YouTube, Twitter and other social media websites.
  • Commercial Data includes commercial imagery, industrial and financial assessments and databases.
  • Grey Literature: patents, working papers, business and corporate documents, newsletters, technical papers, and unpublished works.
  • Professional and Academic publications obtained through journals, symposia, academic papers, journals, theses, and dissertations.
  • Public Government Data: telephone directories, press conferences, websites, speeches, budgets, hearings and other public government reports.

There are various disciplines of OSINT and the methods and applications are almost endless.

The New OSINT

Ten years ago, open source information was scarce; however, in recent years OSINT has taken on an entirely new meaning.

Back in the day, people were primarily found by searching a phone book. Today, people are increasingly comfortable with sharing their personal information, creating a treasure trove of information for those who want it.

According to Statista, it is estimated there will be 2.77 billion social network users around the globe in 2019. Social media has become an excellent and consistent source of information.

While decades ago the problem was a shortage of open source information, the biggest difficulty now is filtering through an overabundance of information.

Some examples of OSINT resources are:

  • Internet directories containing personal information, residences, relatives, demographics, employment, contact information.
  • Social networking sites provide personal information, friends, family members, interests, photographs, videos, and activities.
  • Online reviews provide interests, purchases, activities and lifestyle.
  • User contributed information could be a blog, hobbies, opinions, and expertise.
  • Academic sites provide information related to education, business conferences, associations, and academic papers.
  • Company websites have personnel listings, backgrounds, location, duties, services, and contact information.
  • News sources provide topical information, reports, events, personal history, obituaries, and contact information.
  • Government sources provide personal information, criminal background, court activity, minutes, locations, demographics, tax records and other financial data.

Social Media Monitoring and Geofencing

Companies like Echosec, based in Victoria, B.C., offer a web platform to draw what is called a “Geofence,” allowing users to pinpoint a location of interest on a map and obtain information within selected parameters, then filter searches by keyword, hashtag, or username within the geofence.

Echosec’s real-time social media mapping connects virtual communities to real-world locations and gives new meaning to Geographic Information System Mapping (GIS). It is a powerful research tool combining GIS and OSINT.

 

This is becoming a popular method of analysis for retail, branding, journalism, private investigation, and finance, collecting what Echosec calls “hyperlocal insights” for better business and breaking news stories.

Google, Yahoo, Bing and other traditional link-crawling search engines do not typically access the information professionals using OSINT research techniques and resources can provide.

Embracing Geolocation

Geolocation is one of the most valuable resources used today. For example, videos and photographs shared publicly often contain information where the photographs originated.

Most of us post pictures of ourselves and our friends, tagging each other during a vacation at the beach or out on the town. A geotagged picture is a post that attaches a “geotag” which is the physical location to the post. It allows users insight to their followers, where they are, and what they are doing.

Social media and Geo-location monitoring of open-source information has been more frequently used by law enforcement and private investigators to conduct investigations. Whether a missing person investigation or background check, basic and even critical investigations can benefit from OSINT.

For example, a person is reported missing and frequently posts photographs on Snapchat, Instagram and Facebook. Investigators can access the geotags and see where the person was last and often see who they were with, allowing the investigating agency the ability to immediately expand their investigation.

Open Source Private Investigations

Many private investigators are now specializing in open-source intelligence and social media investigations, referred to as Social Media Intelligence (SOCMINT). While much of the information is available publicly, there are many reasons why an individual would choose to hire a private investigator.

Private investigators have become experts in the field of open-source intelligence investigations.

Simply, private investigators know how to search, where to search and what to search for, making hiring a private investigator a more efficient choice. Private investigators know if the information is online, in a state repository, library or the courthouse.

Information that can be obtained includes but is not limited to the following:

  • Voter registration
  • Bankruptcy records
  • Corporate records
  • Property records
  • Probate records
  • Divorce records
  • Marriage records
  • Court records
  • Criminal records
  • Due diligence
  • Business information
  • Financial information

Whether a private individual or a business, obtaining the right information often leads the investigation in a specific direction. Private investigators of today are the next-generation of private intelligence providing services such as:

  • Fraud Investigations
  • Competitive Intelligence
  • Counterintelligence
  • Intelligence Collection
  • Internet Investigations
  • Email Tracing
  • IP Investigations
  • Financial Investigations
  • Asset Investigations
  • Pre-investment Investigations
  • Difficult to locate
  • Missing Persons
  • Background Investigations

Knowing when to use a private investigation firm can help hasten an investigation. The service of these firms can make life easier because it requires more than just knowing how to use the Internet. And when all resources are exhausted, a good old “gum shoe” detective can investigate – boots on the ground.

Protecting Your Business with OSINT

Thomas Lauth of Lauth Investigations International uses his nearly 20 years’ experience working with both private and business sectors. “Open-source Intelligence or OSINT isn’t a common term used in the business world; however, I can assure you it is a dynamic method of information gathering for businesses in this day and age,” said Lauth.

(Open-source intelligence is being used more frequently to protect company’s information.)

The importance of OSINT in business can’t be exaggerated. It is a matter of gathering intelligence from publicly available sources and analyzing that information for connections and actionable intelligence that would not be normally publicized. In fact, there may be information about your own company available publicly that can make it easier for someone who is considered an “insider threat” or conducting a social engineering campaign to obtain proprietary or damaging information.

“Conducting periodic OSINT for your business, assessing the risks, and addressing vulnerabilities can save a company from failure,” adds Lauth. “It is a recommended and necessary action item for all successful businesses.”

OSINT is contained in company websites, reviews, Google searches, along with newspapers, geo-location data within images, company reports and other publicly available data. Often overlooked is social media. Companies and employees often provide more information to hackers or “insider threats” than realized.

Criminals can exploit easily obtained information to conduct scams or a social engineering campaign against a business. In fact, criminals use OSINT too – only for their own devious purposes.

To exploit weak links, criminals or “black hats” can spend weeks, even months researching employee email addresses, current projects, employees that manage money and monitor their social media. They will even study the way employees communicate with each other, gathering the information to create convincing phishing scams and social engineering attacks.

The information collected to conduct these criminal activities is not obtained by hacking into the company, it is obtained by gathering publicly available information.

“The trick is to stay one step ahead of the criminals,” said Lauth. “When working with clients, we ensure we identify vulnerabilities and the process is conducted effectively, efficiently and confidentially.”

The bottom line: by exercising due diligence, using OSINT, and reviewing your own publicly available information, you can protect yourself and your company.
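One concrete way to review your own public material for the geo-location data within images mentioned above is to check photos for embedded Exif GPS coordinates and strip the Exif block before publishing. The following Python is an added example, not code from the article or from Lauth Investigations; the function names are hypothetical, and the sample image and its coordinates are constructed for the example.

```python
import struct

GPS_IFD_POINTER = 0x8825                     # IFD0 tag that points at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4      # tags inside the GPS IFD


def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + max(length, 2)       # max() guarantees forward progress
        yield jpeg[pos + 1], pos, end
        pos = end


def is_exif(jpeg, marker, start):
    """True for an APP1 segment whose payload begins with the Exif signature."""
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value field)} for one TIFF IFD."""
    entries = {}
    if offset + 2 > len(tiff):
        return entries
    (count,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    for i in range(count):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        if len(entry) < 12:
            break
        tag, typ, n = struct.unpack(bo + "HHI", entry[:8])
        entries[tag] = (typ, n, entry[8:12])
    return entries


def to_degrees(tiff, entry, bo):
    """Decode three RATIONALs (degrees, minutes, seconds) into decimal degrees."""
    typ, n, raw = entry
    if typ != 5 or n != 3:
        return None
    (off,) = struct.unpack(bo + "I", raw)
    data = tiff[off:off + 24]
    if len(data) < 24:
        return None
    v = struct.unpack(bo + "6I", data)
    if 0 in v[1::2]:                         # zero denominator: malformed tag
        return None
    return v[0] / v[1] + (v[2] / v[3]) / 60 + (v[4] / v[5]) / 3600


def embedded_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees if the JPEG carries GPS Exif, else None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    tiff = next((jpeg[s + 10:e] for m, s, e in segments(jpeg) if is_exif(jpeg, m, s)), None)
    if not tiff or len(tiff) < 8:
        return None
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack(bo + "H", tiff[2:4])[0] != 42:
        return None
    (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
    pointer = read_ifd(tiff, ifd0, bo).get(GPS_IFD_POINTER)
    if pointer is None:
        return None
    gps = read_ifd(tiff, struct.unpack(bo + "I", pointer[2])[0], bo)
    if not all(tag in gps for tag in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat, lon = to_degrees(tiff, gps[LAT], bo), to_degrees(tiff, gps[LON], bo)
    if lat is None or lon is None:
        return None
    if gps[LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    if jpeg[:2] != b"\xff\xd8":
        return jpeg
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        last = end
    return bytes(out) + jpeg[last:]


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: a JPEG shell holding only a little-endian Exif GPS block."""
    def rationals(dms):
        return b"".join(struct.pack("<II", n, 1) for n in dms)
    # Offsets: TIFF header 0-7, IFD0 at 8, GPS IFD at 26, latitude at 80, longitude at 104
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack("<HHII", LAT, 5, 3, 80)
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack("<HHII", LON, 5, 3, 104)
    tiff += struct.pack("<I", 0) + rationals(lat_dms) + rationals(lon_dms)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg((39, 46, 6), "N", (86, 9, 29), "W")   # constructed coordinates
    print("before publishing:", embedded_gps(photo))
    print("after strip_exif: ", embedded_gps(strip_exif(photo)))
```

Stripping the whole Exif block also removes camera model and timestamp fields, which is usually what you want for images posted on a company website or social media account.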

 

CAN HACKING BE ETHICAL?

Written By: Kym Pasqualini, Feature Crime Writer for Lauth Investigations

Penetration testing, intrusion testing and red teaming are some of the terms used for ethical hacking.

The word “hacking” almost always has negative connotations. It seems the mention of Chinese hacking, Russian hacking, or DNC hacking receives constant mention in our 24-hour news cycle.

Ethical hacking is also referred to as penetration testing, intrusion testing and red teaming, coined by the government during the 1970’s when they first hired ethical hackers to break into the United States government’s computer systems to test for vulnerabilities.

It is estimated “hackers” cost the United States more than $445 billion annually.

In a Fortune article “Data Breaches Now Cost $4 Million on Average,” according to IBM’s security division, the cost of a breach per incident has risen to $4 million, up 29% since 2013. “We’re now in a mode where these attacks are going to happen even to people that are well prepared,” said Caleb Barlow, a vice president at IBM Security.

Hackers cost the US government and corporations billions annually.

According to Fortune, hackers and cybercriminals cause most breaches, and more than half of data exposures are caused by malicious attacks; the rest are caused by mistakes or glitches.

Ethical hacking is a growing profession utilized by the United States government, technology companies and other institutions.

In the field, experts refer to three major types of hackers:

  • White Hats: Security professionals or “ethical hackers” who use their expertise to strengthen a network and secure it from criminals.
  • Black Hats: Malicious hackers or “crackers” who use their skills for malevolent purposes. White hats work to protect computer structures from the Black Hats.
  • Gray Hats: Individuals who become white or black hats depending upon the circumstances and generally proclaim to be ethical hackers.

Many large corporations, such as IBM, employ teams of ethical hackers to keep their IT systems secure.

Why Ethical Hacking is Important

With every breach reported in the media, the need for more effective information security is becoming increasingly evident.

With new technologies such as cloud computing and IT outsourcing, enterprises must adjust their security practices and policies to combat the threat of malicious hacking. To combat threats, ethical hacking is rapidly gaining attention as an essential security practice to be performed on a regular basis.

A public white paper by Frost & Sullivan entitled “The Importance of Ethical Hacking: Emerging Threats Emphasize the Need for Holistic Treatment” discusses top technical concerns and the role of ethical hacking in an enterprise architecture.

“The increased sophistication and success rate for recent cyber-attacks is directly related to the shift in the attacker profile, indicating that nation-states and large criminal organizations are funding well organized, highly motivated, and well-trained teams of programmers,” said Chris Rodriguez, Analyst for Frost and Sullivan. “The elevated threat landscape therefore urgently dictates the need for a comprehensive, real-world assessment of an organization’s security posture.”

Ethical hacking provides objective analysis of an organization’s security stance for organizations of any size. Ethical hacking has become a mainstream service, as companies of all sizes pursue expert, objective, third-party analysis.

What is an Ethical Hacker?

Ethical hacking is an ambiguous term used to describe hacking performed by an individual or organization that penetrates or gains access to a computer or network infrastructure in order to help identify potential threats. In short, ethical hackers are simply computer programmers who use their skills in a constructive manner.

Ethical hackers can attempt to bypass security systems to isolate weak points malicious hackers could exploit. In the effort to eliminate or reduce potential criminal hacks, the information gained by the ethical hacker is then used by the company to make improvements to security.

Some may say there is no such thing as an “ethical” hacker; simply put, “hacking is hacking.” But the most notable hackers are known publicly as cybercriminals or computer criminals because of the damage they inflict on companies and individuals nationwide.

A highly publicized hacking incident where personal information is compromised can damage a company or organization for years.

A cybersecurity professional can have a range of expertise, anywhere from maintenance, administration and architecture to forensic investigation of the secure networked systems that are increasingly necessary for the operation of businesses, nonprofits, governments, and medical and educational institutions.

Training is even offered by the International Council for E-Commerce Consultants (EC-Council). The Certified Ethical Hacker (CEH) exam is made up of approximately 125 multiple-choice questions and costs about $500; additional IT certifications are available. Training is entirely voluntary.

Ethics

For hacking to be ethical, a hacker must abide by the following informal rules:

  • Obtain permission to access the network to identify potential security threats.
  • Respect individuals’ right to privacy.
  • Treat all data, material, and findings as confidential.

Ethics play a vital role in hacking and in differentiating innocent activities from computer crimes. Hacking is ethical if the skills are used to enhance a network system. But the issue of ethics can be very risky when one does not know a person’s motivations. With no formal code of ethics or code of honor, this void leaves external forces to determine how to respond when ethical predicaments arise.

An ethical hacker will ensure the client’s IT system is properly evaluated for security issues and vulnerabilities, while protecting sensitive, personal and confidential or proprietary information. While accessing an organization’s system, a respected ethical hacker’s integrity will guide their actions.

Security Risks

While ethical hacking offers advantages in increasing security to protect IT systems and assets, any organization implementing ethical hacking must consider any negative impacts that may arise from the practice.

An ethical hacker is typically contracted to hack the organization’s system. Hiring an outsider is usually preferred, so that the tester starts from scratch and simulates potential external hacks.

The advantage of ethical hacking is that it supports the organization’s efforts to gain more knowledge about its IT security by identifying vulnerabilities; the main disadvantage is that it presents risks of information disclosure. An outsider could intentionally or unintentionally disclose a company’s proprietary information to outside parties.

A dark side is always present where dishonest people will attempt to exploit others. Some risks of working with ethical hackers include:

  • The ethical hacker using their skills to conduct malicious hacking activities.
  • Massive security breaches.
  • The potential that the ethical hacker will place malicious code, malware, viruses or other potentially damaging things on a computer system.
  • Allowing the company’s financial, banking, or other proprietary information to be accessed.

Working with an Ethical Hacker


The benefits of working with an ethical hacker are obvious; however, many are overlooked, ranging from simply preventing malicious hacking to preventing national security breaches.

Before implementing any ethical hacking, an organization must ensure the ethical hacker understands the nature of the client’s business, computer or network system. This will help guide the ethical hacker in handling any sensitive, confidential or proprietary information they may encounter.

The leadership in a company or organization must determine the sensitivity or confidentiality of the information involved. This will help ensure the ethical hacker does not violate laws, rules or regulations in handling sensitive personal, financial or proprietary information.

There are several guidelines to use when working with an ethical hacker:

  1. An ethical hacker should create a plan that identifies all networks and components they will test and details the testing intervals and the testing process.
  2. Require transparency while working with an ethical hacker, requiring that all relevant information be reported while the system or network is being accessed. Transparency enables the client to make immediate decisions and take necessary actions to maintain the security of the system or network.
  3. Establish target areas with written work agreements requiring the ethical hacker not to work beyond those parameters, to minimize exposure of sensitive information. The ethical hacker should not access other areas of the computer or networks not specified in the agreement.
  4. Developing a non-disclosure agreement may be in order prior to contracting with an ethical hacker.

Legal Risks

Legal risks include lawsuits involving disclosure of personal and confidential information, possibly leading to a legal battle between the organization and the hacker if the work is not done properly. Also, if the hacker makes errors that compromise the IT network or company security, the organization’s general operations and profitability may be negatively affected.

With cyberspace growing exponentially over the last decade, complex legal issues have led to the birth of a highly specialized branch of law. Cyber Law or Internet Law pertains to Internet and computer technology related offenses, especially copyright infringement and fraud that involve computers, software, hardware, and information systems (IS).

The Information and Technology Act, 2000 (IT Act) covers all types of cyber-crime, including hacking as provided under sections 43 and 66, which cover negligence and computer-related offenses.

Cyber Law prevents or reduces large-scale damage from cybercriminal activities by protecting information access, communications, privacy and intellectual property.

Ethical hacking is rapidly gaining attention as an essential business practice. Regardless of risks, companies large and small benefit from the work of ethical hackers by protecting a company’s most valuable data and protecting their bottom line.