A successful information security strategy depends in equal part on technology, processes and employees. IT security and employee awareness with regard to this issue are sub-areas of information security. A company may well have the right technology at its disposal, but if processes are not run properly or employees do not use the technology correctly, vulnerabilities are inevitable. That is why it is important to sound out vulnerabilities on an ongoing basis.
Baloise carries out multiple penetration tests Group-wide on an annual basis. These hacker attacks are conducted by an independent, reputable company and its “good” hackers. The aim is to identify security gaps in Baloise’s IT infrastructure ahead of time and to implement security measures. This is not something we leave to chance. The approach is defined Group-wide in a multi-year plan and standardised from the planning to the elimination of vulnerabilities. A penetration test is concluded with an extensive report.
Carrying out regular penetration tests on our IT systems and applications makes these more secure on a continual basis – guaranteeing the best possible protection for our customer data.
Good hackers, often referred to as “white hat hackers”, approach a penetration test just as bad hackers, also referred to as “black hat hackers”, would. They start by collecting information about the system or the application that they want to attack or test. This stage is called “reconnaissance”. It is not unusual for them to contact employees of a company directly (e.g. via email, phone, etc.) in order to obtain the relevant information (the keyword here is “social engineering”).
The information obtained during the “reconnaissance” is then analysed to find any potential vulnerabilities. Technical tools also feature in the pentesters’ repertoire here. If white hat hackers find vulnerabilities, they try to exploit these. Each vulnerability, be it in the operating system, in the application or in the source code, is uncovered using this systematic approach.
Unlike black hat hackers, who would use the vulnerabilities uncovered to broaden the attack and pursue this with criminal intent, the security experts enlisted analyse the potential vulnerability and deliver a detailed report. Our IT department can use the results to close the gaps uncovered, thus better equipping us for the future.
Hacker attacks can have serious consequences for any company and thus negative effects on the company’s various stakeholder groups. Since a hacker attack can be performed with just a little know-how and a few francs, it is enormously important that we carry out these penetration tests on a regular and standardised basis and close any security gaps identified immediately.
It is not just the information systems in a company that are vulnerable to potential hacker attacks. Any device connected to a communication network via cable or wirelessly, such as an “Internet-enabled” coffee machine, a Thermomix or a baby monitor, can be hacked. Hacking into these does not always require the unintentional assistance of an employee; the mere presence of a weakness in an application, an IT system or a configuration error will suffice.
Whether working together with white hat hackers, employees or within IT, information security is a team affair, and it plays an essential role in allowing us to offer our customers added value both now and in the future.