SINGAPORE: Fully aware of cybersecurity threats, AsiaLawNetwork has had to explore different IT security services and tools since it started in 2014 but found them difficult to implement, said Ms Cherilyn Tan.
In an interview with Channel NewsAsia, the CEO of the legal services platform shared that she also found the services provided by conventional cybersecurity vendors to be just "too clunky".
The length of time needed to deploy traditional cybersecurity services is also undesirable, Ms Tan said, especially as AsiaLawNetwork moves quickly and frequently to offer new services to its user base, which includes more than 1,500 lawyers in Singapore.
These cybersecurity vendors would also tend to just assign one or two of their employees to her company and this may not be enough to adequately monitor and secure the company’s IT system.
The company's platform matches those who need legal services with available lawyers and, given the sensitive details that might exchange hands on the platform, it is vital to safeguard it against vulnerabilities, the CEO explained.
She would be billed each time the vendors scan the system, even if it yielded nothing, she added.
Another bugbear was the lengthy, word-filled reports periodically generated by the IT security vendors.
“I’m already short of time, yet I still have to read through the whole report to see if there are vulnerabilities I need to fix?” Ms Tan pointed out.
These reasons also illustrated why she was happy to give a local bug bounty start-up, AntiHack.me, the chance to secure her business.
Ms Tan said she has been on the bug bounty platform since June this year, and is one of the early adopters of its service.
Every time AsiaLawNetwork wants to launch a new service, it will get AntiHack.me’s pool of more than 400 ethical hackers to find vulnerabilities before the service is rolled out. This was done, for instance, when the company wanted to deploy email authentication and two-factor authentication for its customers recently, she said.
Given that it’s a pay-as-you-use model, there is very little risk on Ms Tan’s end.
“We only pay when the hackers find something,” she explained, but declined to share how many bounties have been paid up or how many bugs found given that these are sensitive information for its clientele.
The reports generated by AntiHack.me are also easy to understand as these are in point form, screenshots and even videos - detailing how a hack can be performed step by step - allowing AsiaLawNetwork’s tech team to replicate and troubleshoot the vulnerability.
The bug bounty platform’s co-founder and chief technology officer Dexter Ng said in the same interview that he helped start the business because he hoped to change the way companies think when it comes to procuring cybersecurity services and tools, especially those with smaller tech budgets.
“Why should you pay for the process, when you should pay only for the results?” fellow co-founder and director Andy Prakash chimed in.
The two entrepreneurs started the business in the middle of last year, but only rolled out the bug bounty platform in May this year after taking six months to build it up and recruit hackers to its platform. There are currently 15 employees, with four full-time hackers on its payroll - although only one is based in Singapore.
The bounties for these hackers usually range from S$50 to S$5,000 depending on the severity of the vulnerabilities found, Mr Ng said. The hacker gets 80 per cent of the payout, while AntiHack.me will get the remaining 20 per cent, he added.
Bug bounty programmes are not new, with tech bigwigs Google, Apple and Microsoft among those who have embraced this method of augmenting their cybersecurity measures. Singapore’s Ministry of Defence, too, embarked on a bug bounty contest earlier this year and paid out US$14,750 in bounties to 17 of the 264 ethical hackers who participated. That exercise was conducted by US-based bug bounty platform HackerOne.
However, Mr Ng pointed out that not every company wants to open up their IT systems to these hackers, which is another perception that needs to be changed.
“When we go to pitch meetings and explain our business, they will say things like: ‘Please don’t hack us!’” the 30-year-old recounted.
Companies should realise they can address the vulnerabilities in their IT infrastructure by having the bugs in their systems exposed, he said. Bug bounties complement the existing cybersecurity tools and services a company already has in place, he added.
And AsiaLawNetwork’s Tan thinks that more companies should think about taking up cybersecurity services, whether by conventional service providers or otherwise.
She said if businesses like karaoke chain K Box had spent more time looking at their cybersecurity measures, they would be less susceptible to getting hacked. K Box had its database hacked into in 2014, which resulted in the personal details of 317,000 members such as their NRIC numbers and email addresses leaked online, and it was penalised S$50,000 by the Personal Data Protection Commission (PDPC) in 2016.
“For every business that has a digital element, especially those with customer data, I think it’s their responsibility (to look at their cybersecurity measures),” Ms Tan said.