Source: Financial Times
by Jonathan Moules
June 12, 2016.
While many business schools now teach cyber security, one professor has a rather unorthodox approach
The first-year MBA student at the IE Business School had just sat down for her first lecture of the digital innovation module of her 24-month course.
Looking at a series of photographs of people being projected by her professor José Esteves on the white board at the front of the auditorium, Ms Raymond, a former wealth management executive at Morgan Stanley, recognised several old school friends among the faces.
When Prof Esteves asked her why she had been up at 3am on her computer the penny dropped. She had been hacked by her tutor.
“When he told me he would be able to access my personal bank account with the information he had gathered I was really worried,” she says.
Ms Raymond had left a lot of her Facebook page open to the public because she is hoping to develop a career as a musician. “I guess he was picking on me because I had been putting myself out there,” she adds.
Despite what amounted to a serious breach in personal privacy, Ms Raymond shows no signs of anger. “My mind was blown,” she says, laughing.
The dangers of companies suffering attacks on their information technology has meant that cyber security is now a compulsory element of many MBA courses. But it can be difficult to engage students with no background in computer science and whose interests lie in management.
Revealing hacking techniques is a colourful way to get students engaged in the subject, where much of the teaching is about creating strategies and processes for ensuring a company’s internal data are secure.
Sandro Gaycken, senior researcher and director of the Digital Society Institute at the European School of Management and Technology in Berlin, recently started teaching a Hacking for Executives class to MBA students by showing them how they can break into iPads.
Students like to show off what they have learnt to their families, according to Mr Gaycken. “It makes them pretty cool with their kids,” he says.
Jan Veldsink heads up the cyber robustness module at Nyenrode Business Universiteit in the Netherlands. He admits to being a hacker “on the side” of his teaching duties, but insists his skills have always been used to help others — in particular assisting large Dutch banks that have suffered data breaches.
Mr Veldsink runs simulations of corporate hacking attacks in his classes, but says that he never shares techniques with his students because it is not necessary. Both he and Mr Gaycken draw the line at Mr Esteves’ clandestine approach of breaking into students’ social media accounts without their knowledge.
Mr Esteves, who has been voted teacher of the year by his MBA and masters students each year since 2008, is unrepentant about his methods.
“I don’t just want to teach the techniques of how to hack,” he says. “What I want to show my students is the hacking mindset and how to think like hackers.”
He describes himself as a “white hat” hacker because the attacks he makes on students never cross the line of breaking the law, something he attributes to his own tutor, a hacker he met while working as a business analyst.
“He was a godfather,” Mr Esteves says. “He showed me some techniques, but he also protected me, warning against entering particular forums that were dangerous and ensuring that I never did anything illegal.”
In order to access Ms Raymond’s personal details, Mr Esteves created several fake social media accounts in the name of a former MBA student, who had since moved from IE’s base in Madrid to London.
Ms Raymond accepted a friend request believing that it was the actual student, allowing Mr Esteves to rifle through the various photographs and personal details she made available to those she had connected with.
“There is this myth that hackers use these very complicated techniques to gain access to people’s personal data, and that is simply not true,” Mr Esteves says.
Although she has no intention of becoming an IT security adviser after graduation, Ms Raymond says the stunt engaged her in the subject and that she is learning relevant skills for managing her image as a performing artist and protecting copyrighted material.
“This is now one of my favourite classes,” she says.
The main lesson she has learnt is that it is often what seems like the most innocuous information, such as her date of birth and mother’s maiden name, that left her most vulnerable to attack because it could be used to crack work and banking passwords.
Ms Raymond, who after graduation plans to work full time on an event-organising business she has started in order to develop her musical career, stresses she has since made changes to her social media account settings and information to prevent copycat cyber attacks.
The biggest challenge with trying to teach cyber security in such a practical way is finding ways to hack students who are wise to your ways, according to Mr Esteves. “Now they know me and are quite scared,” he admits.
