PwC Felix Kan: The Ethical Hacker for Modern Cyberattacks

Felix Kan is a Partner in PwC’s Risk Assurance Cybersecurity Privacy practice with 10 years of extensive experience. Kan began his career as an ethical hacker and has committed his career to help Hong Kong companies enhance their protections against increasingly sophisticated cyberattacks.

We were able to catch up with Kan before he took the stage at the Asian Financial Forum. In this first part of our interview, we discuss his role as an ethical hacker, the severe lack of cyber talent in Hong Kong and current trends in cyberattacks. 

Finding his Superpower

Kan originally studied marketing with a focus on IT audit. Following his graduation, Kan joined PwC and took some time off to prepare for his CPA exams. It was during this short period of leave when he came across a website that featured a variety of hacking games. He said, “The site was configured as a type of training program, each level became more difficult and required you to learn a new skill. It was much more interesting than studying for my CPA.”

Kan was surprised by the amount of information he was able to find on YouTube, “There’s so much free information and even tutorials on the web about how to hack. At the time, it felt like I was discovering some kind of superpower, which I would use to hack the levels on this training website. I felt as though I had broken an invisible wall or as if I was breathing for the first time, it became something of a healthy addiction.” 

When he returned to PwC, Kan realized that he was on the cusp of an emerging and critical field, “Ten years ago, there really wasn’t anything called cybersecurity, although aspects of it existed like data protection and IT system protection. I had acquired my cyber Kung Fu at the right time as opportunities to use my power presented themselves and I was prepared. Our Cybersecurity practice at the time was a team of three people and today we have over 120 people just in Hong Kong.”

Luckily for enterprises in Asia, Kan is burdened with a conscience and has only ever used his powers for good. He explained, “I enjoy being ethical, I can sleep soundly at night and I believe that freedom is about setting principles and behaving with discipline while taking responsibility for yourself."

Building your Cyber Defense

While organizations are concerned primarily with keeping up with the increasing level of sophistication of cyberattacks, they spend much of their time simply trying to find the appropriate talent to fill their defensive ranks. Kan said, “There really aren’t that many talents in Hong Kong, so even if you hire a talented cybersecurity expert it is very difficult to retain them due to the demand. These types of talents are also not likely to adhere to strict business hours and tend to expect more freedom which can be tricky for some organizations’ cultures.” He further highlighted, “In my experience, one of the most important things for these types of people is that they need to be stimulated. Very often they will be hired, they will find and fix all deficiencies in their company’s network and then will grow bored simply maintaining it. They need fresh challenges.”

As Kan mentioned above, his team has developed into 120 people, so how is he able to retain his talent and keep them incentivized? He explained, “Our team operates as consultants so we are able to keep growing and developing. My role is finding new projects and new clients and they have new and different needs that we need to understand to enhance and better the cyber ecosystem. Our ethical hackers are constantly developing themselves through experiences and on-the-job training and sharing information amongst each other keeping the whole team stimulated.”

Modern Cyberattacks

Cyberattacks are no joke in the modern world. While everyone has probably experienced some annoying but mild virus on their PC or accidentally clicked on some spam malware, cyber threats and attacks have evolved and are universally recognized as significant challenges for enterprises with serious financial and reputational consequences.

Kan reflected on some of the trends he had observed over the years defending against hackers. He said, “About five years ago, hackers would focus on attacking the organization's website. To a hacker, I suppose a website would be like the lobby of a building. So think about the lobby of your apartment building, it can be accessed by everyone, residents, and guests who would need to enter have to register with the guards but beyond that, it is a private building. Hackers were basically the equivalent of criminals loitering in the lobby and watching residents enter their door codes, and then when the guard wasn’t looking, they would simply enter the restricted area using registered users' information.”

He continued, “Of course the protections for users’ passwords became more sophisticated and the hackers had to change their tactics. Now we see a lot of phishing emails. In the email, there will be a malware attachment that will infect your network if you open it or some bogus link within. Going back to the analogy of the building, its basically like picking up a letter from your mailbox and bringing it up to your house not knowing the letter is a bomb.” 

In part two of our interview, Felix Kan discusses the future of cybersecurity and we take a deep dive into his innovative attack simulation tool—CatchMe.