Ethical Hackers as Educators
Ethical hackers are especially well-positioned to use their knowledge of attack techniques to educate people, according to Zoë Rose, a white-hat hacker based in the UK. On the CyberWire’s Hacking Humans podcast, Rose explained that since she knows what makes people fall for social engineering, she’s able to inoculate people against these attacks.

“I've found that the biggest thing is because I understand how to manipulate or influence a consumer into clicking my links or downloading a document, et cetera, I can understand how to correct that behavior,” she said. “So I focus in on these key human behaviors and I look at how to change them.”

Rose said organizations often make the mistake of thinking that phishing tests should be carried out without their employees’ knowledge. While this can give you an accurate picture of how vulnerable your organization is, it focuses on the employees’ failings rather than working with them to identify attacks.

“Unfortunately, a lot of times, phishing is looked at - well, let's trick the users, let's manipulate them and point out how they're failing, versus saying, well, actually, let's announce that we're going to have a phishing campaign so that people are already aware and they know they should actively be looking,” Rose explained.

The best approach is to be open about these techniques so that employees immediately become more alert and can learn from the entire process. Rose said phishing simulations should illuminate what employees can do to improve their security, rather than focusing on what they did wrong.

“So you're not just saying, oh, you failed,” Rose explained. “You're saying this happened and this is how you protect yourself in the future. ... And the reason that whole positive point of view – that is so vital – is because if you want people to do nothing, you talk about the negatives and you scare them. But if you want them to actually take action, that's when you talk about the positive and reinforce that they can do it and empower them.”

Realistic phishing simulations will change how your employees think about security. Simply being aware that they’re being targeted by phishing emails will make them scrutinize their inboxes more carefully, even if they know the people sending the emails don’t mean any harm. New-school security awareness training can build a culture of security within your organization so that your employees can defend themselves against real phishing attacks.

The CyberWire has the story:

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
