You know that look in an employee’s eye when you announce the call to cybersecurity awareness training. They already work in IT or know a lot about computing. They also let you know they already know all about security. The complaints continue. The thought of sitting through some boring classroom sessions with other employees, going over boring things, leaves them cold.
However, what if that training actually gave your employees new skills and doing it was fun too?
The latest view is that teaching interested employees to hack might be a great way to strengthen your cybersecurity posture. It is a win-win for cybersecurity awareness training.
Hacking your company?
Cybersecurity skills come in many flavors, and one of the spiciest is the ability to hack. This may seem like a risky thing to do: What if those very skills were used against your organization? Are you just enabling a whole new set of insider threats?
The chances are that people who might maliciously hack their own company are already skilled in that area or in contact with those who are. You don’t need to learn how to hack to be part of a cybercriminal hacking ring. This was recently exemplified by reports that ads were found on the darknet recruiting bank employees; cybercriminals offered salaries to employees who colluded in illegal bank account access.
Offering employees the chance to learn how cybercriminals think and how their techniques work does not equal creating a criminal mind.
If you offer your staff a training package that includes hacking 101 skills, you will help them improve their skill sets and give them the knowledge needed to counter cyberattacks.
You should remember, however, that cybercriminals hack humans as well as systems. When you train your employees how to hack, bear this in mind. Cybercrime is often a complex process that has many moving parts. As such, you must train your employees about the human factors in hacking. Teaching your employees to hack is as much about techniques such as surveillance and phishing as it is about finding exploits in web apps.
Benefits of training employee hackers
Once you decide to teach your employees to hack, you will reap certain benefits. Here are just five reasons why you would train your employees to hack.
Think like a hacker
Cybercriminals are uninhibited in the way they think. This is their secret weapon. Unlike the rest of us, they will try every trick in the book and more. To counterbalance the use of manipulative social engineering used in many cyberattacks, we need to teach employees to think like a hacker.
Using training that includes hacking techniques and tactics will teach employees to stop thinking about cybersecurity along the usual lines. Instead, they’ll start looking at alternative pathways to breaking into IT systems and stealing data.
Find the gap
By providing training for your employees in hacking techniques, you are creating your own ethical penetration test team. You may find that employees, especially those that excel in the area, may find vulnerabilities in your systems and business processes you were not aware of. You should also consider adding incentives, like prizes, to help in this aspect of teaching hacking to employees.
Closing the skills gap
There is a distinct lack of specialist security staff around at present. A recent study from (ISC)2 found that 65% of organizations felt there was a shortfall of skilled cybersecurity staff. By training your staff in new skills in the cybersecurity area, you are helping your business to stay ahead of the skills gap.
An opportunity in diversity
Diversity is still an issue in both IT and cybersecurity, with only around 20% of skilled security professionals being female. I explored this issue in 2019, concluding that having a diverse team in cybersecurity is a bonus.
Using a training program that offers cybersecurity hacking skills, you should ensure that it is inclusive and actively engages with female and ethnic minority staff members. In doing so, you will help to create a more balanced approach to your own cybersecurity strategy by engaging everyone.
Working on a funday
Hacking can be fun. It is about the hunt, the chase, being a general clever thinker, finding patterns and trends. Even the most unlikely candidate for your ethical hacking training may well turn out to be the best. If you add an element of fun into the initiative, you may open up a whole raft of opportunities for your employees and your company.
In an interview by Infosec Magazine with Kris Martel, CISO of Imagine IT, Kris pointed out that adding fun to a cybersecurity awareness program can make it more effective. Martel suggests using challenges such as running surveillance on employees, to create highly targeted spearphishing emails to catch even the most cyber-savvy staff member. The challenges he talked about often last weeks and even months and keep the game of cybersecurity hacking going.
Hack your way to cybersecurity success
Cybercriminals are in their element at present. Never before in history has cybercrime paid so well. With revenues of around $1.5 trillion a year for the criminals behind cyberattacks, it is unlikely that data breaches and general cybercrime will disappear anytime soon.
Having an educated, well-informed and motivated workforce can be highly beneficial when it comes to having a sound cybersecurity posture. Your employees can make your company more cyber-safe by being more security aware. And hacking skills can be a useful part of a cybersecurity awareness training package. But it must be done well, made to be a fun exercise and even have rewards built in. If you do this well, your business, as well as your employees, will benefit by reducing your company and their own cyber-risks.
- Dark Net Recruitment is Turning Employees into Malicious Insiders For-Hire, Infosecurity Magazine
- (ISC)² Finds the Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap and Better Defend Organizations Worldwide, (ISC)²
- HYPER-CONNECTED WEB OF PROFIT EMERGES, AS GLOBAL CYBERCRIMINAL REVENUES HIT $1.5 TRILLION ANNUALLY, Bromium