Richard Marr from Okta explains why promoting a hacker mindset among employees would strengthen an organisation’s cyber resilience.
A recent joint report co-authored by the Australian Cyber Security Centre (ACSC) has warned of the increased threat of ransomware attacks. The report strongly recommends user training, including phishing exercises, among the actions organisations can take immediately to protect against ransomware.
While training remains an important pillar of ransomware protection, it needs to do more than teach employees how to identify suspicious links and attachments. Organisations need to move away from security awareness training as a checkbox, and design programs that help employees develop a “hacker mindset”.
Hacking for good
Social engineering attacks have gotten more sophisticated, but most still rely on using emotion to trick people into divulging sensitive information. Humans are emotional creatures, so any hope of mitigating phishing has to start and end with people.
When we hear the word “hacking”, the sinister visual that comes to mind is usually of an evil dude in a hoodie doing bad things to computer systems, like swiping sensitive data to sell on the dark web. These days, ethical hackers look for vulnerabilities within systems, applications and companies within legally agreed upon constraints, with the intent of sharing findings with the company to make the system or app better.
Hackers have been fighting the rising threat of cyber crime in Australia, with professionals hired by organisations to find weaknesses in their security. In 2021, the Australian Bureau of Statistics enlisted ethical hackers to pressure test the census following a number of attacks on its digital system in 2016. To safeguard the system, the ABS engaged skilled private sector cyber security practitioners in the lead-up to the census to test the system for vulnerabilities with DDoS attacks of their own.
In 2019, Auth0 launched a private bug bounty program to further reinforce its emphasis on security and ensure that its customers are protected from any vulnerabilities. The specialised program allows Auth0's security team to partner with selected researchers from around the world to source potential vulnerability discoveries in exchange for monetary rewards.
Exploring the hacker mindset
Developing a hacker mindset means invoking a sense of curiosity about how security works, so employees can take an active role in ensuring it.
The four characteristics of this mindset are surprisingly common and can be found across many professions and many existing functions within the organisation:
Teaching someone to write a phishing email is much more engaging than showing them one. Monthly phishing campaigns that encourage employees to practise detecting and reporting these attacks are particularly effective – especially if you gamify and reward participation.
As organisations consider user training, they can step up their cyber security efforts by inspiring their leaders and workforce to embrace the hacker mindset. Encouraging diversity in how they approach problems will help organisations identify the gaps and where they need to take action to ward off potential threats.
Richard Marr is the APAC CIAM lead at Okta.