Phishing for the big fish: Why employers should think like a hacker
21 August 2018
Companies have increasingly been victims of cyber crime, which can prove expensive and detrimental to reputation. One way to mitigate against this risk, DeltaNet's Darren Hockley suggests, is to think like a hacker.
Industry giants like JP Morgan Chase, Sony Pictures, Yahoo! and Home Depot have experienced debilitating cybersecurity attacks, in addition to hundreds of SMEs. The thought that hackers won’t bother with smaller firms simply isn’t true. In fact, SMEs make for easier targets because they lack the funds and expertise to improve their security.
Another misconception is that it’s only the responsibility of a few to “hold the fort”, when in fact it is everyone’s responsibility to do their bit and flag any suspicious activity. This has never been more important, at a time when UK firms are attacked online every two and a half minutes!
Employers and employees can have the upper hand if they are trained to think like hackers. By putting yourself in their shoes you’ll be able to understand the various tactics that they use. As with many things in business, this approach should come from the top down, with measures in place to help each and every employee hold their own in the war against cybercrime.
How do hackers think?
In order for employers to think like a hacker, they need to know the basic hacker habits and attributes. Despite the entertainment industry’s sensationalisation of cybercriminals in media, they can actually be considered some of the most innovative opportunists of the digital era.
Think about it: hackers are fully versed in the abilities and limitations of technology, they understand the ins and outs of software and computer programmes and are creative problem solvers.
They’re also resourceful and persistent, not to mention good at manipulating people into giving them access to sensitive information.
Hackers tend to work in two stages: exploration and exploitation. The first involves scouting to learn as much about their next victim as they can, which helps them decide what tactics to employ to get access to data. The second stage involves probing a business’s systems in order to find a weak spot.
This is why it’s crucial for employers and employees to identify and test vulnerabilities within their own systems. Everyone must have a better understanding of the ways they could be targeted. Web developers have a particularly important role to play, as they can be taught how to carry out penetration testing. If budget allows, it may even be worth paying for a professional to do this.
How can you train employees to think like a hacker?
Given all of the above, alongside the knowledge that employees are particularly vulnerable to social engineering tactics, it’s important for employers to have appropriate training and opportunities for further learning around cybersecurity in place. Here are a few things you can do:
1. In-house training
This suggestion may seem obvious, but some employers forget to utilise their own resources to prevent hacker attacks. For example, have your IT department hold a session for employees on proper password set-up and protocol, or on how to tell phishing emails apart from ordinary spam.
According to the UK government, less than 35% of workers follow the latest password safety guidelines to keep up with advancing hacking capabilities.
2. External training
If you’re lacking expertise in cybersecurity, you may wish to invest in eLearning as a way of providing more structured and industry-relevant training. One of the biggest advantages of online platforms is that they can be accessed by staff anywhere, at any time. This type of training can help to provide a holistic and well-rounded view of an employee’s responsibilities.
Employers should encourage staff to attend relevant industry events, “hackathons” and other competitions to better their knowledge and skills. Event participation also allows employees to get out of the office and constructively and creatively solve problems. Anything they learn on the day can then be shared with peers through “lunch and learn” or other training sessions.
The overall idea is to have staff shift gears and think outside of the box, whilst also becoming more aware of the risks in their own office environment.
In order to prevent you and your business from being hacked, you have to think like a hacker yourself. It doesn’t matter if you’re a big fish or little fish in your industry’s pond; hackers are phishing for you. With a mix of events, in-house and external training, and management vigilance, you can stay better protected against cyber threats.
Darren Hockley is MD of eLearning provider DeltaNet International. The company offers a wide range of courses for businesses including training on data protection.