October is an important month for cybersecurity at Facebook. Not only is it National Cyber Security Awareness Month — it is also the month when the social network holds Hacktober, its annual, monthlong initiative to build and maintain a security-aware culture. Director of security operations Jennifer Henley shared tips for other companies looking to duplicate Hacktober in a note on the Facebook Security page.
On Hacktober in general, she wrote:
Hacktober is based on a set of core principles that we still follow today. First and foremost, all employees should feel comfortable talking about security and raising potential concerns without hesitation, even if their role in keeping our company safe may not be so obvious. Second, employees should know the people who work on our security teams and understand their role in protecting people on Facebook and making the internet a safer place overall. Finally, security awareness can be fun instead of scary. We figure if we can create an interactive and fun environment around security, people will learn important security lessons and their retention will carry throughout the year.
Henley also offered the following suggestions:
Organization and Branding
These elements make up the foundation of Hacktober. In order to build a culture of security throughout the year, people need to understand why it is important and how it affects everyone.
Communication: For a companywide awareness effort to be successful, early and frequent communication is key. You can start by explaining the mission, goals and plan for the month. We found that encouraging people to stop and take the time to think about risks is effective. Also, give recognition to those who report suspicious activity because it will inspire others to step up and do the same.
Design: Each October, Facebook campuses are covered with posters bearing our distinctive “Hack-o-lantern” designs, and our internal groups fill up with posts about Hacktober. Creating a unique identity for your awareness effort helps people identify it and find ways to get involved.
Partnerships: The National Cyber Security Alliance is a great partner for security awareness work. It creates a new security theme each week during October, which can help guide your awareness activities. The NCSA website offers great ideas and content to cover throughout the month.
Even though security is a serious issue, we include some fun components in our Hacktober planning to promote enthusiasm and excitement throughout the month.
Large company gatherings: Get people socializing and discussing online security outside of the office. We invited families to a safety-themed movie and pumpkin carving night at Facebook headquarters to learn and have fun together. Before the movie, we distributed educational material and let people talk to members of our security and safety teams to answer their questions about keeping their families safe online.
“Swag”: Hacktober memorabilia like T-shirts and stickers are wildly popular at Facebook. You only get one if you report suspicious activity or uncover one of our hacks, so people work hard all month to get one of these coveted prizes. Seeing people wearing Hacktober T-shirts, along with the other themed stickers and posters around our campuses, gives our employees visual reminders about security awareness.
It’s easy to forget about online security in your day-to-day life and work environment unless you can feel it directly from your own experience. That’s why we stage real-world security scenarios for our employees to help raise their awareness and spark conversations about how to detect potential security threats. We aim to make these simulations, or “hacks,” understandable to our entire employee base, regardless of which job they perform at the company.
Spear phishing emails: These individually targeted scams are the most common method for people to break through company defenses across the industry. Malicious actors craft these messages with the purpose of obtaining personal data that can be used to bypass certain security systems. Companies can work with their internal teams to simulate spear phishing emails and encourage employees to learn how to spot these attacks.
Malicious email attachments: Email attachments can contain software that attacks the computer system of whomever opens the email. This is a common attack that has compromised many companies, even the most sophisticated employees. Simulating these malicious emails helps employees get better at identifying suspicious ones and reporting them to the right place.
USB drop: Malware on USB (universal serial bus) drives has the power to take over a computer, alter files installed from the drive and potentially much more. One of our most popular activities involves scattering USB drives with fake malicious executables around the office. From this exercise, employees learn to think twice before plugging an unknown drive or device into their computer.
To effectively build awareness, we recommend including educational components for employees to understand security topics and threats in greater depth.
Internal talks and workshops: Your internal security team is a great resource. You can design activities to help your employees get to know security team members, their roles and the threats facing your company. For example, we host events throughout the month called “Beers and Breakage,” which are internal talks hosted by members of the security team or partners from other areas of the company who work on security projects. They often cover new security tools or integrations. We also run workshops to teach people how to avoid falling for “social engineering” scams where scammers attempt to get them to reveal sensitive information.
Capture-the-flag competitions: CTF competitions are becoming more visible within companies, universities and security conferences as effective learning tools for technical employees. A CTF is a six- to eight-hour computer security competition that encourages players to solve security puzzles in a safe and controlled environment. Players learn both offensive and defensive security skills with challenge levels that represent real security issues found in networks and systems.
Hands-on activities: Our employees love being actively involved because they can put what they learn into practice. Our “How to Lock-Pick” sessions fill up quickly and give any employee a fun and simple way to get introduced to the security mindset of taking something apart.
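The simulated spear-phishing and malicious-attachment exercises above, together with the advice to recognize people who report suspicious activity, imply a small piece of tooling: per-recipient tracking links and a tally of who clicked versus who reported. The following is an added example and not Facebook's Hacktober code. It assumes a hypothetical internal landing page at training.example.internal, a campaign secret that in practice comes from a secret store, and a constructed log format in which the landing page writes "click" lines and the report-phishing mailbox intake writes "report" lines after pulling the token out of the forwarded message. Tokens are HMACs rather than sequential ids or plain hashes, so an employee who inspects a link cannot derive a colleague's token, and the tally rejects tokens the campaign never issued instead of crediting them.

```python
import hashlib
import hmac
import re

CAMPAIGN_SECRET = b"example-only-rotate-per-campaign"   # assumption: real secret from a secret store
BASE_URL = "https://training.example.internal/c"        # hypothetical internal landing page


def make_token(email: str, campaign_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient tracking token: HMAC-SHA256(secret, campaign || email), truncated.

    Because the token depends on a secret, a recipient cannot compute a
    colleague's token and "click" on their behalf, and the landing page can
    reject tokens it never issued. Email is normalized so case and whitespace
    variations map to the same recipient.
    """
    msg = f"{campaign_id}\x00{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def tracked_link(email: str, campaign_id: str) -> str:
    """Link embedded in the simulated phishing email for one recipient."""
    return f"{BASE_URL}/{campaign_id}/{make_token(email, campaign_id)}"


# Constructed log format: "<timestamp> <click|report> <campaign> <token>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>click|report) (?P<campaign>\S+) (?P<token>[0-9a-f]{16})$"
)


def tally(log_lines, recipients, campaign_id):
    """Map logged tokens back to recipients and summarize the campaign."""
    token_to_email = {make_token(e, campaign_id): e for e in recipients}
    clicked, reported = set(), set()
    unknown = 0
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["campaign"] != campaign_id:
            continue  # malformed line or a different campaign's traffic
        email = token_to_email.get(m["token"])
        if email is None:
            unknown += 1  # token never issued for this campaign: count it, never credit it
            continue
        (clicked if m["event"] == "click" else reported).add(email)
    n = len(recipients)
    return {
        "clicked": sorted(clicked),
        "reported": sorted(reported),
        "reported_without_clicking": sorted(reported - clicked),
        "unknown_tokens": unknown,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
    }


# Constructed recipient list and campaign id for the sample run.
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
CAMPAIGN = "hacktober-week1"


def sample_run():
    """Constructed campaign: alice reports, bob clicks, carol clicks then reports,
    dave does nothing, one forged token is rejected, and one line from another
    campaign is ignored."""
    t = lambda e: make_token(e, CAMPAIGN)
    log = [
        f"2000-10-01T09:01:00Z report {CAMPAIGN} {t('alice@example.com')}",
        f"2000-10-01T09:02:00Z click {CAMPAIGN} {t('bob@example.com')}",
        f"2000-10-01T09:03:00Z click {CAMPAIGN} {t('carol@example.com')}",
        f"2000-10-01T09:04:00Z report {CAMPAIGN} {t('carol@example.com')}",
        f"2000-10-01T09:05:00Z click {CAMPAIGN} 0123456789abcdef",             # forged/guessed token
        f"2000-10-01T09:06:00Z click other-campaign {t('dave@example.com')}",  # wrong campaign
    ]
    return tally(log, RECIPIENTS, CAMPAIGN)


if __name__ == "__main__":
    print(tracked_link("alice@example.com", CAMPAIGN))
    print(sample_run())
```

The "reported_without_clicking" set is the group the note suggests recognizing; the per-campaign secret should be rotated so tokens from one exercise cannot be replayed into the next.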
Readers: Would you like to see your companies implement some elements of Facebook’s Hacktober?