What's the image that pops into mind when you think of a hacker?
It doesn’t sound like someone you’d want anywhere near your organisation. But while the public perceptions of hackers may remain rooted in Hollywood clichés (the basement-dwelling loner in a hoodie who’ll start World War III for a half-decent pay day), forward-thinking companies are now using a hacker mindset to make their data more secure and their staff more cyber-savvy. Australian universities even offer programmes that teach executives how to think like hackers, while Britain’s tax service has spent a small fortune on hacker training.
Thinking like a hacker
The “know your enemy” approach could work wonders for your organisation, and instilling it can be easier than you think. The hacker philosophy is based on challenging assumptions about technology; they don’t simply accept what they’re told. They are – as other definitions of the word underline – “enthusiastic and skilful” computer users. They are persistent, curious and creative. They believe every digital system has a weakness, and they’re usually right.
Old models of cybersecurity view an organisation’s workforce as a body to be protected by firewalls, trained in basic email security and managed via access privileges. But the people at your organisation can be so much more than that if you train them to be your eyes and ears, to think and to question.
To see your defences through the eyes of your opponent is what sports teams do when they map out opposition tactics. It’s what Sun Tzu proposed when he famously said that “To know your enemy, you must become your enemy.” And it’s what your staff can do when you teach them to think like hackers. Hands-on training and creative initiatives can help them spot the vulnerabilities cyberattackers will seek to exploit. But what initiatives can you put into action to cultivate hacker-like awareness in your staff?
Schedule hackathons to build a creative mindset
Hackathons offer a great opportunity for teams to step out of the day-to-day grind to collaborate and problem-solve. Hackathons have produced concrete gains for companies – Hasbro famously produced 45 toy products from one, while the GroupMe messaging app resulted from another. But hackathons aren’t just for coders. They don’t have to result in an end product – or even to be related to your business – to bring rewards. For many organisations, the aim is simply to give employees the time and space to observe, try new ways to solve problems and stretch their minds.
Gamify cybercrime
Another way to get staff to think differently is to either set up competitions or run a full mock cyber incident. Google Gruyere is a codelab set up for bug hunting, and applications such as Root Me and Hack This Site offer hacking challenges. Games can focus on employees with coding experience, or be more widely set up to test non-technical staff’s understanding of risk. These approaches are a great way of stopping cyber training becoming a box-ticking exercise. Instead, they produce a fun, inclusive session that encourages everyone to think on their toes – and be as ingenious as a hacker.
Share findings to create a cyber-resilient culture
Sharing news and analysis across teams is a great way to build wider understanding and involvement. It’s a silo-busting tactic that can be especially relevant for cybersecurity teams.
Rather than simply reporting back to the company via a few limited metrics, major incidents should be the cue for discussion with wider employee groups, especially those affected by the incident. Answering basic questions about why the incident happened and how it was fixed, plus offering a Q&A for those who want to learn more, can underline the importance of your work, and bring home how criminal hackers threaten your organisation. “White-hat” hacking, also known as ethical hacking, is at the heart of penetration tests, and pen test reports offer another opportunity to open up discussion about your company’s systems and policies.
Team up on the problem
Encouraging employees to work across departments and teams is a key part of encouraging a curious, hacker-like mindset. Fresh eyes can gather different insights from the same dashboards, while a wider understanding of different departments’ processes and goals can help your cyber team anticipate problems and find effective solutions to vulnerabilities.
This is especially relevant when cyber and product teams collaborate effectively on creating or implementing new products. In some cases, weaknesses may result from crucial gaps in different systems or processes. Rather than simply being tied off and handballed to the IT department, such vulnerabilities can be the impetus for a cross-departmental approach to solving the issue.
External experts and consultants who make it their business to be across the latest trends can be a real asset, too. Their insights can detail new threats, as well as the risks and potential of new technologies.
Teaching your employees to adopt a hacker’s mindset
Encouraging a hacker mindset in your employees may seem counterintuitive, but it’s one of the best ways to build cyber resilience in your organisation. Helping your team think like white-hat hackers means going beyond basic training and encouraging a more flexible, creative mindset via collaboration, games and events. These activities should help staff see risk from a new angle, helping them understand where cybercriminals may be coming from – and how to beat them at their own game.