*Content includes branded mentions of our sponsor ZipRecruiter.
According to multiple recent studies, not only are company data breaches becoming more prevalent, but they're also getting more expensive. With such high stakes, finding the most effective way to prevent hacks is a critical task. One potential solution is to hire an ethical hacker.
This article covers what these white hat hackers do, why you might want to hire one, and how to protect your company from data breaches by hiring an ethical hacker, either by posting a job listing or by searching for a professional online.
Why would you need to hire a hacker?
Ethical hackers, or white hat hackers, are hired to help organizations identify and mitigate vulnerabilities in their computer systems, networks and websites. These professionals use the same skills and techniques as malicious hackers, but with the organization's permission and guidance and with the goal of improving the organization's security posture.
Even if your company has a highly competent IT department, there are good reasons to hire a hacker. First, ethical hackers are aware of the actual methods hackers are currently using — techniques that may not be on the radar of your company's IT professionals. Ethical hackers share the same curiosity as malicious hackers and will be up to date on current threats. Second, any established department can benefit from the approach of an outsider, who comes in with fresh eyes to see weaknesses you didn't know were there.
If you get pushback on hiring an ethical hacker, explain that the point of hiring one isn't to test the competencies of your IT department. Rather, it's an additional, temporary measure to build a secure infrastructure that can withstand whatever cyber threats malicious hackers might throw at it.
What does a professional hacker do?
Ethical hackers attempt to get unauthorized access to company data, applications, networks or computer systems — with your company's consent.
A professional hacker follows this basic code of conduct. They:
- Stay within legal guidelines, obtaining approval before attempting a hack.
- Define the project’s scope, so their work stays within your company's specified boundaries and doesn't venture into illegal territory.
- Report weaknesses, making your company aware of all vulnerabilities they discover during their hack and providing solutions to fix them.
- Respect your data and are willing to sign a nondisclosure agreement.
How can you successfully and safely hire a hacker?
Below are steps you should follow for hiring white hat hackers and avoiding black hat hackers.
Use a reputable hiring site or service
In your quest to find a hacker, you might think to turn to the dark web. After all, if television and films are to be believed, hackers — even reputable ones — work in the shadows. But what is the dark web, and is it safe to hire a hacker from it?
The "visible" layer of the web is the surface web — all public-facing websites that you can access through browsers like Chrome, Internet Explorer and Firefox. This is the internet everyone's familiar with, and it makes up only about 5% of the entire internet.
The deep web below the surface accounts for the vast majority of the internet and contains private data such as legal files and government databases. The dark web refers to sites that you can only access via specialized browsers, and it's where most illegal online activity occurs.
The dark web is a dangerous place to find hackers for hire because you don't know who the person you're speaking to really is or whether they're a scammer. And because there is far more malicious content there, your computer is also likelier to pick up malware while you browse it.
For this and many other reasons, it’s not advisable to look for an ethical hacker on the dark web. Instead, use professional organizations that have directories of certified ethical hackers, or hire a vetted professional from a cybersecurity firm.
Be cautious and make sure the hacker has legitimate experience
Look for a hacker who has a solid understanding of the software or systems you need them to hack. They should also be able to show familiarity with the tools they'll need to carry out their attacks. You want someone with experience, but keep in mind that veteran white hat hackers will be more expensive.
When hiring a hacker, consider both the depth and breadth of their skills. Some hackers only perform surface-level attacks but have a wide variety of capabilities (things they can hack). Other professional hackers are specialized and focus on specific kinds of advanced attacks.
For example, if you need professional hacking of your applications, find someone with experience in that. If you want to test the security of your company’s cell phones, hire a cell phone hacker. But if you want someone to test as many security systems and devices as possible, look for a generalist. Once a generalist identifies vulnerabilities, you can hire a specialist later on to dive deep into those weak points.
Do your research before you begin interviewing candidates, such as checking industry forums or even requesting reviews from a candidate's past clients.
Perform a thorough interview and test their skills
Conducting a thorough interview is important to get a sense of a hacker’s abilities as well as their past experience. Here are some sample questions you can ask potential candidates:
- What techniques do you employ to find surface-level vulnerabilities?
- How do you ensure you've tried all possibilities for hacking into a system?
- Can you tell me about a time you successfully hacked into an advanced system for a company in our industry?
For technical questions, you could have someone from your IT department come up with more precise queries, conduct the interview and summarize the responses for any nontechnical members of the hiring team. Here are some guidelines for technical questions that your IT people can dig into:
- Is the candidate proficient with the Windows and Linux operating systems?
- Do they understand both wired and wireless networks?
- Do they understand file systems and firewalls?
- Do they know how file permissions work?
- Do they have strong coding skills?
- Do they understand what motivates malicious hackers?
- Do they understand the value of the data and systems you're trying to protect?
When interviewing candidates, consider including a test of their skills as part of the process. For example, you can carry out paid tests of your final round of candidates that show their expertise with a specific coding language.
If it’s your first time conducting an interview, you should read up on how to interview someone, research candidates, create an interview structure and identify the right questions to ask.
Establish goals for their services
Establishing goals for hackers to meet is a good way to assess each candidate’s competency within a structured project framework while also giving them some leeway to use and develop their own (allowed) methods.
You should first identify the top security priorities for your organization. These should be the areas where you already know you could have weaknesses and areas you want to keep secure.
Follow that by setting up defined milestones in the project. Ideally, you'll tie each milestone to a payment to keep the candidates motivated.
Finally, impose as few rules as possible on the hackers. After all, malicious hackers won't have those rules, and you're trying to get as close to a malicious hack as possible. Let the hacker have as much free rein as they need, as long as they don't negatively affect your security systems, degrade your services or products, or harm your relationships with customers.
There are three basic types of hacks you can ask online hackers to do:
- White-box engagements are when you give the hacker as much information about the target system or application as possible. This helps them find vulnerabilities faster than a malicious hacker typically could.
- Black-box engagements are when you don't give any inside information to the hacker, which makes it more like what an attack would look like in the real world.
- Gray-box engagements try to simulate a situation where a hacker has already penetrated the perimeter, and you want to see how much damage they could do if they got that far.
Communicate exactly what you want a hacker to do
Decide what systems you want the hacker to attack. Here are some examples of different types of ethical hacking you could propose:
- A website attack, such as a SQL injection attack
- A distributed denial of service (DDoS) attack, in which a hacker uses a "zombie network" (a botnet) to overwhelm a website or server with traffic until it crashes
- A social media hack of your company's accounts
- A cell phone hack to see if your company's cell phones are vulnerable — a big problem if your employees store sensitive data on their company phones
- A corporate email hack to see if your employees can recognize phishing or other cyber attacks
Get a report of what they did
Request a report after the hacking exercise is completed that includes the methods the hacker used on your systems, the vulnerabilities they discovered and their suggested steps to fix those vulnerabilities. After you've deployed fixes, have the hacker try the attacks again to ensure your fixes worked.
Prepare for your results
Make sure everyone from your company who is involved in this process is ready to act quickly on the results. If there’s a committee that needs to read the report and make decisions, consider scheduling a meeting as soon as possible after receiving the report. Have everyone read the report and decide on next steps during the meeting. This will prevent the process from dragging out while your company remains dangerously exposed due to security weaknesses.
Where are ethical hackers selling their services?
Consider candidates with ethical hacking certifications, of which there are several, such as the Certified Ethical Hacker (CEH) certification from the International Council of E-Commerce Consultants (also known as the EC-Council).
You can start looking for hackers to hire on freelance sites like Upwork, Fiverr or Guru. Look for candidates who have reviews from their previous clients and at least a year of work history on the platform.
There are also specialized services that match hackers with people who want to hire them for small jobs. To use the service, you typically first post your job requirements. Then hackers send you proposals, and you choose one based on skills, availability and price. The benefit of a specialized service like this is that it screens hackers to keep scammers away. Employers can also post ethical hacking jobs on professional sites such as ZipRecruiter.
Professional hacking services
You can seek out candidates through a professional hacking firm. While this option tends to be more expensive, it should also make it easier to verify the hacker’s track record and references, ensuring you’re working with a trustworthy partner.
How to find out whether your hacker is trustworthy
There are two main ways to make sure you hire someone trustworthy. First, look for client reviews and, if possible, get references and call them. This can be time-consuming but will provide you with direct knowledge of a candidate's ability and work history.
Second, search ethical hacker forums to find information about the hacker you’re considering hiring. There are many online forums to look at, so make sure you’re searching on legitimate websites.
How much do hackers charge?
According to ZipRecruiter, as of February 2023, the average salary for an ethical hacker is $135,269 a year, which translates to around $65 an hour. This could be used as a baseline to understand how much a hacker would charge for a job.
Costs for ethical hacking depend on the amount and type of work needed and your company’s size. Hacks that require more time and effort are understandably more expensive than simple jobs. That’s why it’s important to request a quote before committing to a hire.
Summary for how to hire hackers
To hire ethical hackers, you need to do research on qualified professionals, including background information like employment history. You should also identify your company’s security needs and focus on hiring someone with experience and skills in those areas. Establish clear goals and rules of behavior so that the candidates can work within a structured process. Finally, assess their performance before coming to a hiring decision.