The daily for
New Zealand’s Startups

Why you should teach your team to hack, phish and steal 

Technology head Luke Thomas says schooling staff on just how easy it is to exploit cyber vulnerabilities can result in a safer workplace.

Contributor

Emma Dangerfield

Comrad Medical Systems technology head Luke Thomas at the Canterbury Tech Summit

It may seem counterintuitive, but teaching your staff how to sabotage cyber security might just save your own business from security attacks.

Imagine your startup is responsible for managing people’s personal medical records. Your system is hacked, and those personal records are now in the public arena. It’s unlikely your company will ever recover from the reputational damage associated with such a breach.

Luke Thomas is head of technology at Comrad Medical Systems – a Radiology Information System software provider in New Zealand and Australia – and shared the story of teaching his staff to hack at the recent Canterbury Tech Summit.

Upskilling his staff in the workings of the dark web has tightened up security for the whole company, not to mention helping staff keep their personal devices as secure as possible outside work. Knowledge is power, and knowing how easy it is to infiltrate someone’s email, Facebook or bank account may be frightening, but it’s very useful to know.

“From a reputational perspective it’s imperative…understanding how to attack means you can defend far more effectively,” Thomas says.

You can throw all the money you like at firewalls and other protection measures, says Thomas, but just one staff member opening an email or clicking a link can derail your security as easily as opening the front door to a hacker and inviting them in.

A simple purchase of the domain name ‘IinkedIn’ (yes, that starts with a capital ‘I’, which looks just like a lowercase ‘l’) and a quick round of emails to staff from a former employer was enough for Thomas to dupe a large percentage of his own staff. Most believed the email to be genuine, and some even went as far as entering their credentials when asked.

A second run at the exercise proved staff still needed to take more care, so Thomas decided to teach them how to create a fictitious email and steal people’s credentials within 10 minutes.
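The ‘IinkedIn’ trick works because DNS is case-insensitive (the registered domain is really iinkedin.com) while a reader sees a capital I as a lowercase l. The following is an added example, not code from the article or from Comrad: a small sender-domain checker that collapses visually confusable characters before comparing against a trusted list, so mail from such a lookalike domain can be flagged before a user acts on it. The trusted domains and test inputs are constructed for illustration.

```python
# Visually confusable sequences, each mapped to one canonical form.
# Multi-character entries are listed first so they are applied before
# the single-character ones (constructed list, not exhaustive).
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("i", "l"), ("1", "l"), ("|", "l"),   # i, I, 1 and | all read as l
    ("0", "o"), ("5", "s"),
]

def skeleton(domain: str) -> str:
    """Collapse a domain to the shape a reader perceives.

    Lowercasing first mirrors DNS, so 'IinkedIn.com' becomes
    'iinkedin.com'; mapping i -> l then makes it collapse to the same
    skeleton as 'linkedin.com'."""
    s = domain.strip().rstrip(".").lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, to catch near-misses such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender_domain(domain: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email sender domain."""
    d = domain.strip().rstrip(".").lower()
    if d in trusted:
        return "trusted"
    sk = skeleton(d)
    for t in trusted:
        # Same perceived shape, or one edit away, but not actually the trusted name.
        if skeleton(t) == sk or edit_distance(d, t) <= 1:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    TRUSTED = {"linkedin.com", "microsoft.com"}   # constructed allow-list
    for sender in ("LinkedIn.com", "IinkedIn.com", "rnicrosoft.com", "example.org"):
        print(f"{sender:16} -> {classify_sender_domain(sender, TRUSTED)}")
```

A mail gateway rule or a reporting button in the mail client can call a check like this on the From: domain and warn the user, which turns the "knowing how easy it is" lesson into a control rather than relying on memory alone.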

The result? A whole lot more paranoid people, but a far safer network. 

Keeping safe

Okay, so staff may now be too scared to open an email from their own HR department, but they are not opening the company up to a devastating cyber-attack either.

“It’s not so much knowing how it’s done, but knowing how easy it is to do,” says Thomas.

There are volumes of freely available software on the internet that would-be hackers and phishers can avail themselves of, so we all need to be vigilant. Anyone with a password of nine characters or fewer should change it immediately; such passwords are too easy to crack with rainbow tables, precomputed lookup tables used to reverse the hashes of short or simple passwords, Thomas says.

The same goes for the (probably vast) majority of us who use the same password across multiple platforms, setting ourselves up for credential stuffing – where usernames and passwords leaked from one breached service are tried against other services, and succeed wherever the same credentials have been reused.

The only real answer is to use a password manager, unless you have the memory of Rain Man. It might be a nuisance to have a unique, hard-to-guess password for every single online platform you use, but the alternative is potentially a far greater headache.

Thomas’ exercise resulted in quantifiable advantages, he says. Staff don’t open anything remotely suspicious, they are quick to identify and report phishing risks, and they never enter their credentials when asked.

“Trust and empower your staff and they will do the right thing,” he says.

He also has a tip for developers: don’t treat security as an afterthought. Build security into systems rather than adding it on later, and ask yourself at every turn, ‘how can this be broken or compromised?’

Emma Dangerfield

Emma began her career as a translator in the UK before relocating to New Zealand 20 years ago. She worked as a journalist for stuff.co.nz for more than 12 years and now works as a parliamentary communications advisor and freelance writer and proofreader based in North Canterbury.
