How to Duplicate Facebook’s Hacktober

October is an important month for cybersecurity at Facebook. Not only is it National Cyber Security Awareness Month -- it is also the month when the social network holds Hacktober, its annual, monthlong initiative to build and maintain a security-aware culture. Director of security operations Jennifer Henley shared tips for other companies looking to duplicate Hacktober in a note on the Facebook Security page.

On Hacktober in general, she wrote:

Hacktober is based on a set of core principles that we still follow today. First and foremost, all employees should feel comfortable talking about security and raising potential concerns without hesitation, even if their role in keeping our company safe may not be so obvious. Second, employees should know the people who work on our security teams and understand their role in protecting people on Facebook and making the internet a safer place overall. Finally, security awareness can be fun instead of scary. We figure if we can create an interactive and fun environment around security, people will learn important security lessons and their retention will carry throughout the year.

Henley also offered the following suggestions:

Organization and Branding

These elements make up the foundation of Hacktober. In order to build a culture of security throughout the year, people need to understand why it is important and how it affects everyone.

Communication: For a companywide awareness effort to be successful, early and frequent communication is key. You can start by explaining the mission, goals and plan for the month. We found that encouraging people to stop and take the time to think about risks is effective. Also, give recognition to those who report suspicious activity because it will inspire others to step up and do the same.

Design: Each October, Facebook campuses are covered with posters bearing our distinctive “Hack-o-lantern” designs, and our internal groups fill up with posts about Hacktober. Creating a unique identity for your awareness effort helps people identify it and find ways to get involved.

Partnerships: The National Cyber Security Alliance is a great partner for security awareness work. It creates a new security theme each week during October, which can help guide your awareness activities. The NCSA website offers great ideas and content to cover throughout the month.

Fun

Even though security is a serious issue, we include some fun components in our Hacktober planning to promote enthusiasm and excitement throughout the month.

Large company gatherings: Get people socializing and discussing online security outside of the office. We invited families to a safety-themed movie and pumpkin carving night at Facebook headquarters to learn and have fun together. Before the movie, we distributed educational material and let people talk to members of our security and safety teams to answer their questions about keeping their families safe online.

“Swag”: Hacktober memorabilia like T-shirts and stickers is wildly popular at Facebook. You only get one if you report suspicious activity or uncover one of our hacks, so people work hard all month to get one of these coveted prizes. Seeing people wearing Hacktober T-shirts, along with the other themed stickers and posters around our campuses, gives our employees visual reminders about security awareness.

Building Awareness

It’s easy to forget about online security in your day-to-day life and work environment unless you can feel it directly from your own experience. That’s why we stage real-world security scenarios for our employees to help raise their awareness and spark conversations about how to detect potential security threats. We aim to make these simulations, or “hacks,” understandable to our entire employee base, regardless of which job they perform at the company.

Spear phishing emails: These individually targeted scams are the most common method for people to break through company defenses across industry. Malicious actors craft these messages with the purpose of obtaining personal data that can be used to bypass certain security systems. Companies can work with their internal teams to simulate spear phishing emails and encourage employees to learn how to spot these attacks.