
How to lift cyber security by building a hacker mindset among employees

Richard Marr from Okta explains why promoting a hacker mindset among employees would strengthen an organisation’s cyber resilience.

Richard Marr
Fri, 11 Mar 2022

A recent joint report co-authored by the Australian Cyber Security Centre (ACSC) has warned of the increased threat of ransomware attacks. The report strongly recommends user training including phishing exercises among some of the actions organisations can take to protect against ransomware immediately.

While training remains an important pillar of ransomware protection, it needs to do more than teach employees how to identify suspicious links and attachments. Organisations need to move away from security awareness training as a checkbox, and design programs that help employees develop a “hacker mindset”.

Hacking for good

Social engineering attacks have gotten more sophisticated, but most still rely on using emotion to trick people into divulging sensitive information. Humans are emotional creatures, so any hope of mitigating phishing has to start and end with people.

When we hear the word “hacking”, the sinister visual that comes to mind is usually of an evil dude in a hoodie doing bad things to computer systems, like swiping sensitive data to sell on the dark web. These days, ethical hackers look for vulnerabilities within systems, applications and companies within legally agreed upon constraints, with the intent of sharing findings with the company to make the system or app better.

Hackers have been fighting the rising threat of cyber crime in Australia, with professionals hired by organisations to find weaknesses in their security. In 2021, the Australian Bureau of Statistics enlisted ethical hackers to pressure test the census following a number of attacks on its digital system in 2016. To safeguard the system, the ABS engaged skilled private sector cyber security practitioners in the lead-up to the census to test the system for vulnerabilities with DDoS attacks of their own.

In 2019, Auth0 launched a private bug bounty program to further reinforce its emphasis on security and ensure that its customers are protected from any vulnerabilities. The specialised program allows Auth0's security team to partner with selected researchers from around the world to source potential vulnerability discoveries in exchange for monetary rewards.

Exploring the hacker mindset

Developing a hacker mindset means invoking a sense of curiosity about how security works, so employees can take an active role in ensuring it.

The four characteristics of this mindset are surprisingly common and can be found across many professions and many existing functions within the organisation:

  1. Curiosity: Anyone engaged in ethical hacking or “hacker-like” behaviour is curious about how things work. If they push the red button, what happens? If they send just the right packet, can they break into the system? If they ask the right set of questions when they call the front desk, can they get an executive’s email address?
  2. Creativity: Different people define creativity differently. Some employees may not want access to the code base when helping to test an app or platform; they prefer to approach it the way a user would encounter it in the wild. That constraint forces creativity, because it leaves more room for interesting approaches than reading the code would.
  3. Respect for diversity of thought: Thousands of minds make all the apps and sites we use to get food, learn, access healthcare, and make sure we have enough funds to shop at our favourite retail sites. Different people approach problems differently. This makes diverse teams more effective at securing sites and defending the organisation against attacks.
  4. Tenacity: Ethical hackers and malicious actors alike share a stubborn refusal to give up. Code is written by humans, so it is fallible and vulnerabilities are inevitable.

Teaching someone to write a phishing email is much more engaging than showing them one. Monthly phishing campaigns that encourage employees to practice detecting and reporting these attacks are particularly effective – especially if you gamify and reward participation.

As organisations consider user training, they can step up their cyber security efforts by inspiring their leaders and workforce to embrace the hacker mindset. Encouraging diversity in how they approach problems will help organisations identify the gaps and where they need to take action to ward off potential threats.

Richard Marr is the APAC CIAM lead at Okta.
