Cyber-attacks are on the rise, with growing impact on companies’ finances, operations, customers, and reputations. None are immune to these threats, but it is possible to significantly improve our defenses by training our trusted people to think like a hacker—to cultivate the hacker mindset within our organization. In this article, I'll describe the actions we've put in place to achieve this at the SLB Montpellier Technology Center (MpTC).
To bring the hacker mindset to life, it's important to make employees understand the ins and outs of cybersecurity. We have raised awareness of threats, vulnerabilities, and potential consequences by providing our people with access to hacking platforms; enabling them to experience controlled attack scenarios, where they learn to think like cybercriminals. These platforms make learning much more stimulating by gamifying the experience. Now they recognize threats more easily and counter them more effectively.
Learning doesn't have to be limited to traditional training. We regularly organize capture the flag events—fun competitions where employees can apply their cybersecurity skills. We create cyber challenges in several categories (OSINT, Steganography, Hacking, Cryptography, Reverse Engineering...) and participants have three hours to solve these brainteasers as a team. It's a great opportunity for beginners to learn and collaborate while looking for creative solutions. These events are becoming increasingly popular because they encourage fervent collaboration. For a recent session, we had 50 participants crammed into a 20-person room with pizzas on every table and brains boiling.
We introduced a new cybersecurity newsletter format to provide employees with relevant and accessible information. The newsletter covers a wide range of topics like password best practices, real-life case studies of attacks, tools and techniques used by hackers. It aims to maintain a high level of awareness within the organization.
We have found that by adding a security challenge to each edition, we achieve a much higher reading and participation rate. These challenges allow employees to test and improve their skills while intensifying their passion for cybersecurity. We also offer prizes to the winners and ‘cyber-geek’ stickers for all participants.
A cybersecurity library has been set up in the cafeteria to provide a wide range of reference books. This promotes self-learning and encourages exploration of cybersecurity topics; there, there are plenty of titles to choose from, so everyone can find an appropriate book. It's clear that this cyber bookshop is a success, as I regularly see employees browsing through the books available while enjoying a coffee, and there’s a fast turnaround of books being out on loan, then returned to availability.
We regularly organize live “hacking sessions" that showcase the fascinating world of cybersecurity in action. During these sessions, we demonstrate the art of hacking using surprisingly affordable gadgets. These demonstrations not only reveal the vulnerabilities that exist in our digital landscape, but also emphasize the importance of robust cybersecurity measures. We aim to demystify the perception that hacking is exclusively the domain of high-tech experts and highlight the need for increased vigilance in today's world. Recently, we demonstrated BAD-USB attacks with and without physical access to the machine. We also showed an example of HDMI hacking using HackRF and TempestSDR to display the video stream remotely. The next session will demonstrate an attack to unlock a computer without the user password.
Finally, to broaden the security horizons of our employees, we offered a training kit in the art of lock-picking. This often-overlooked aspect of security helps them better understand locking mechanisms, which can also be applied to their overall understanding of security. A few months ago, our receptionist forgot the keys to his bike lock at home. He had practiced beforehand and managed to unlock it and get home. As well as making him proud, the situation showed him that all kinds of protection can be bypassed, and not just in the digital world.
All these actions have enabled us to identify people with a strong appetite for this field. We're pushing them in this direction to officially become the cyber security expert of choice for their project, and we want to train them so that they can carry out intrusion tests, maintain and improve cybersecurity pipelines, interpret the results and so on. Some of them are already in the process of obtaining certification in this field.
Cybersecurity is not just a series of defensive measures, but rather a dynamic culture, a mentality shared by every member of our company. At Montpellier, we have forged a unique path, cultivating digital resilience not just as a necessity, but as a competitive advantage. By investing in the initiatives I’ve described in this article, we've created an ecosystem where curiosity and vigilance are the drivers of security.
Our journey doesn't end here. We continue to train, educate, and identify cybersecurity champions within our teams.
In a world of constantly evolving threats, cultivating a culture of cybersecurity is not just a necessity, it's our differentiator. It's our commitment to the secure future of our digital assets, our customers, and our organization.
