Live Articles

When Facebook teaches its staff about how to detect and prevent cyberattacks, there isn’t some hum-drum Power Point presentation. Instead, it hacks its own employees.

The company told Mashable it recently celebrated its second-annual “Hacktober,” a month-long event in October which features a series of simulated security threats attacking staffer computers to see who would fall for them and who would report the issues.

If employees reported a phishing scam or security threat developed by Facebook — which showed up throughout the site or sent to company email addresses — they received a prize such as a Facebook-branded shirt, bandana or sticker. If the security threat went unreported or was clicked, staffers would undergo further training.

“Webinars don’t exactly fit in well here, so we wanted to do something unique in line with our hacking culture to teach employees about cybersecurity,” Ryan McGeehan, a director on Facebook’s security team, told Mashable. “We took the theme of October, fear and pranks and created something that is both fun and educational.”

Hacktober was also a part of a greater effort to celebrate October as National Cyber Security Awareness month.

Threats, which were designed by Facebook’s engineering team, were issued to groups within the company based on what they might encounter while doing their job. Each hack was explained afterward to reveal what happened and how employees could prevent similar incidents from spreading in the future.

For example, Facebook developed a worm in the form of a fake Facebook news story that demonstrated how quickly spam can spread across the site.

“We launched a worm to simulate some of the spam campaigns we see on Facebook and other sites, and this was our grand finale,” McGeehan said. “Within minutes, we were overwhelmed with reports from employees and it was a wild success.”

McGeehan noted it also allowed Facebook to test tools used for reporting suspicious activity and refine its policy systems.

“People don’t always lock their doors until they have been robbed,” McGeehan said. “It’s easy for cyber security awareness month to go by like a trip to the dentist, so we wanted to do something with an impact and not have the security team talk down with tips to the rest of the staff.”

Jenn Lesser, an operations manager on Facebook’s security team who worked with the internal events and design on the project, said using the month to teach proactive strategies has already proven to be extremely valuable.

“The biggest challenge we face with security awareness is employees in general don’t care about it until there is an issue, and at that point, it’s too late,” Lesser said. “Hactober gives people a real world-like event and encourages people to respond. If you give them a quick quiz about security, you won’t get the type of engagement we do on an ongoing basis. People are still posting to an internal group about how to respond to issues.”

At the end of the month, Facebook treated workers to a Hacktober-themed Happy Hour and a pumpkin carving.