Facebook Uses ‘Trick or Treat’ to Test Employees’ Cybersecurity Savvy

Holly Kellum
10/4/2018
Updated: 10/5/2018

October is National Cyber Security Awareness Month, a time that management at Facebook takes very seriously but observes in a decidedly not-so-serious way.

For more than seven years, the month has been known at Facebook as “Hacktober,” a time when the cybersecurity team plays a month-long game of “trick or treat” with employees to see how prepared they are to defend themselves against cyber attacks.
The team will send phishing emails or rogue authentication pushes and leave USB sticks around with fake malware on them to see who falls for the “trick.” Those who fall for it get training, while those who aren’t fooled get treats in the form of Hacktober schwag: stickers, shirts, hats, and magnets.
Aanchal Gupta, the director of security at Facebook, said the company used to teach employees about cybersecurity by setting up required training once in a while. After the training sessions, a survey of the participants found that attendees either didn’t find the training interesting or they didn’t retain much of what was in it.
Aanchal Gupta, the director of security at Facebook, speaks at the 2018 Borderless Cyber conference in Washington on Oct. 4, 2018. (Samira Bouaou/The Epoch Times)

“Because it was just something they heard once, and they’re like ‘OK, this is a checkbox requirement. I’m going to do it, [and then] forget about it,’” she said at the 2018 Borderless Cyber conference on Oct. 4. “So, we switched gears and we came up with this idea of Hacktober.”

There are other activities that focus on cybersecurity during the month as well, such as fireside chats with outside experts, a hands-on lock-picking class, and tours of the company’s global security operations center.

The company started a closed “Hacktober” Facebook group, where employees can post questions, give feedback, or just talk about current security threats. Playing on that hacker culture, Facebook also holds capture-the-flag competitions, which are computer-based competitions that “allow people to practice securing machines and defending against mock cybersecurity attacks,” wrote Betsy Bevilacqua, the former head of information security programs and operations for Facebook, in Harvard Business Review.

At the end of it all, Facebook throws a Hacktober-themed happy hour to cap off the month.

“So, making it overall like a celebration ... making it really positive for everyone,” Gupta said.

A Culture of Cyber Security

As a company, Facebook faces some unique challenges when it comes to cybersecurity. In addition to its Messenger app, Facebook owns the photo-sharing app Instagram, the messaging app WhatsApp, and the virtual-reality headset company Oculus.

Each has a different infrastructure, a different code base, and different weaknesses, and therefore requires different treatment.

One approach Gupta applies to all the platforms, however, is empowering three groups, users, engineers, and the security community, to help keep the platforms safe.

For users, that means teaching them about things like two-factor authentication and security keys, so that they can be proactive in protecting their accounts. For engineers, it’s about working with them to make security something that helps them do their work without slowing them down. And for the security community, that means collaborating and sharing information on threats.

Some of the ways Facebook does the latter are through its bug-bounty program, which pays people for finding security vulnerabilities, and its Internet Defense Prize, which was started in 2014 to reward people and groups that are working to make the internet safer for everyone. This year, Facebook gave out $200,000 for its Internet Defense Prize to three groups.

Facebook’s bug-bounty program has paid out about $6 million to some 900 researchers from 100 countries who have reported bugs over the last seven years, according to Gupta.

“Make a stronger security community,” she urged attendees at the conference. “Whether you get out there and talk about the work you are doing, sharing your tools, sharing your learnings—all that will help us build security.”

Borderless Cyber USA is an executive-level conference series that began in 2015 to bring together public- and private-sector cybersecurity experts to evaluate, debate, and collaborate on best practices and solutions to cybersecurity issues. The organizers of the conference are The World Bank, the OASIS Open Consortium, the Institute for Critical Infrastructure Technology, and Georgetown University. The Epoch Times is a media sponsor for the 2018 conference, which runs from Oct. 3-5 and is held at the World Bank Group building in Washington.