Employees Need a Hacker’s Mindset to Fight Cybercrime’s $6 Trillion Price Tag


For eye-popping business stats, look no further than cybersecurity. CSO predicted cybercrime damage costs will total $6 trillion and cybersecurity spending will exceed $1 trillion by 2021.

It’s not just that companies must be hyper-vigilant in a hyper-connected world where innovations like the Internet of Things (IoT), artificial intelligence (AI), and blockchain stream data everywhere from multiple places. They also need to foster open collaboration for agile product and service development that meets skyrocketing customer expectations. The security department can’t do it alone.

Justin Somaini, Chief Security Officer at SAP, said companies need to drive a culture of transparency and education around security from senior executives to new hires.

“The sophistication of attacks has dramatically increased over the past decade to the point where it’s incredibly challenging, even for the most astute security person,” said Justin Somaini, chief security officer at SAP. “Security has a huge role in putting in mechanisms to prevent breaches from reaching employees. But no solution is 100 percent, which is why employees have to be in a partnership and accountable mode with security.”

The unending cascade of security breaches also poses a real risk that employees become inured to cybercrime. Ongoing education and training can help thwart this.

“Companies have to embed security into the DNA of every employee because there is a critical impact to customers or other employees if they fail,” said Somaini. “As they service customers, it’s incredibly important for employees to be aware of the threats and actively engaged in protecting data and transactions.”

Teaming Up for Hacker’s Mindset

One example of how companies are boosting security awareness among employees was SAP’s Capture the Flag event, held during the organization’s recent global cyber-month. The participants’ mission was to infiltrate a gamified 3D campus of an energy company, steal confidential documents, and shut down an energy reactor. The 14 winning teams included employees from Hungary, Bulgaria, China, Germany, and India who captured the most flags by solving more than 100 security-related challenges.

Admittedly a competition, the exercise was just as much about rallying the widest range of employees to work together around security. Fifty percent of participants teamed up to compete, joining live chat forums to share ideas and advice with individual players, as well as 10 mentors selected from last year’s winners. Interestingly, discussion topics often went beyond hints and explanations on solving the event challenges to larger security issues.

Companies have to embed security into the DNA of every employee: training programs can give everyone a #hacker mindset

Security is Everyone’s Responsibility

Incorporating hacking – arguably the sexiest part of security – into a training exercise that included augmented reality from HoloLens injected a significant fun factor into a deeply engaging competition. Indeed, employees worldwide were willing to devote about 40 hours beyond their day jobs to win. One of the crucial learning elements was having mixed teams of experienced “hackers” and “coders,” paired with people designated as “smart” participants with skills outside of security and coding.

Yordan Kanov, a developer at SAP based in Bulgaria, said he wanted to increase his knowledge of security while socializing with other employees.

“The challenges represented the many ways organizations can be attacked including web, reverse engineering, cryptography and network forensics,” said Kanov. “For example, even as a security expert, it’s impossible for me to know everything about all different attack vectors. By collaborating with other participants who had different skills, I gained new knowledge that I’ve applied in my daily security testing work.”

Maximilian Butterer, a Germany-based SAP developer with expertise in encryption and JavaScript, also appreciated how the challenge opened his eyes to fixing vulnerabilities he hadn’t considered in completely new ways.

“We often find answers when explaining problems to others who have a totally different point of view, which is exactly what happened,” said Butterer. “Each of us sparked ideas based on our respective areas of knowledge, using our various skills to find solutions.”

A Passion for Security

The event was part of SAP’s ongoing security education program, which includes in-the-moment warnings to prevent phishing, monthly security tips, human firewall webinar sessions, and a security summit. The largest share of participants (almost 70 percent) were non-engineers with no coding experience. Pairing them with coders and developers mirrored real hacking situations.

Like other employees, Bea Borsika Bessenyei, an intern at SAP Hungary Product Support, brought a healthy curiosity to her role as the “smart” participant on her team that came in third place.

“I really liked how we supported each other in real-time, and that the challenges were quite difficult,” said Borsika. “The competition showed me the full picture of what security means, even beyond human issues and coding, and how we all have to pay attention to it in many ways, and what we can do about it. It was great to learn from other people who are as passionate about security as I am.”

Follow me: @smgaler