Training Employees to Hack
For most corporate denizens, security training is an unpleasant but necessary evil, but does it have to be? Not according to Kris Martel, CISO of Imagine IT, who uses a highly interactive approach to create an engaging, entertaining learning environment that makes security meaningful and interesting to the average employee.
Speaking at the Infosecurity ISACA North America Expo and Conference in New York, Martel shared some of the techniques he uses in his training sessions to improve security awareness and compliance, and to leave employees eagerly awaiting the next session.
“Cyber awareness training must change audience perception by making it [security] relevant to the organization or the individuals you’re teaching,” said Martel. “The way to do that is to make it engaging, interactive and fun – and unpredictable,” he added. One of the ways he engages employees is to teach them real-world hacking skills, including how to craft effective phishing attacks, helping them learn who has their Facebook login and taking them on guided tours of the Dark Web. Whenever possible, Martel finds ways to reward participation with small but popular tokens such as preferred parking spots, movie tickets and, in some cases, internal cryptocurrency.
Martel has also developed a fun and effective way to deal with experienced cyber-workers who don't take the training seriously because they believe they are too smart to be hacked: he offers them a friendly challenge. Once a co-worker accepts, he begins a reconnaissance phase which, depending on how good his opponent is, can last anywhere from a few days to a few months. In one case, with an especially cyber-savvy individual, his usual hunt through social media, inquiries with co-workers and other tactics failed to produce anything. Even though the target had effectively ghosted themselves, including paying a service to erase their profile from the internet, he did find evidence of their activity on Amazon, which enabled him to craft a phishing attack that eventually succeeded in capturing his 'victim's' credentials. Although it took four months to execute, Martel felt it was worth it: the employee agreed to attend training, and he got a good story to share with his colleagues.
Source: Infosecurity Magazine (2019). #InfosecNA: The Benefits of Training Employees to Hack. Retrieved 25 November 2019 from https://www.infosecurity-magazine.com/news/teaching-employees-hack/