The more people an organisation employs, the more chances a hack has of succeeding.
That is because, on average, around 80% of cyber security incidents come down to human errors and human vulnerabilities being exploited, according to our keynote speaker at FourNet's recent Digital Transformation Summit, Jenny Radcliffe, known as The People Hacker.
She told our audience that she didn't much like the phrase "the weakest link" when referring to humans and cybersecurity, but said most hacks were successful because they targeted people and their emotions.
Jenny said she defined "social engineering" as the 'manipulation of human factors to gain unauthorised access to resources and assets.'
"But I go further and say it is the active weaponisation of human vulnerabilities, behaviours and errors," she said.
She pointed out that hackers, or social engineers, were motivated by money, ideology or coercion.
Jenny outlined how she and her team help check the cybersecurity systems and the effectiveness of the physical security of many high-level organisations, often physically penetrating their offices and buildings to prove where the weak points lie.
Just like hacking, she said, it was mostly people who let them in, despite employing the tightest perimeter security or locks.
"Criminals, and people who pretend to be criminals, aren’t bothered about locks and they’re not bothered about rules. And they’re not bothered about GDPR or anything like that.
"They're just bothered about how they can get past. If there’s someone who can open the lock, then I’m going to work on the someone – not the lock," she said.
"So, it's a psychological hack effectively. What we're doing is tapping into everything that can go wrong. The fact that people get bored. The fact that people follow everybody else like sheep."
She said there were hacker red flags to look out for: money, emotion, urgency, and a call to action – asking us to click on a link, or to give credentials or access.
"Every con artist, more or less, including hackers, including social engineers, needs the target to not know the flags. The first one is money. And particularly if they're asked to do something out of context, that's a flag. Second one, as I've said, is emotion. An emotional story. You never give a target time to think. We want them to make decisions way too quickly. And then we have a call to action. I need you as a con artist to do something, to click on a link, to open an attachment, to give me those credentials. It's something – so money, emotion, urgency, call to action."
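As an added illustration of those four red flags (this is example code, not part of the talk or of FourNet's material): a small triage heuristic that checks which of the four signals a message carries and rates it by how many co-occur, run over constructed sample messages. The phrase lists are assumptions chosen for the example, not a vetted detection ruleset.

```python
import re

# Indicator phrases for each of the four red flags named in the talk.
# These lists are constructed for this example and are illustrative only.
RED_FLAGS = {
    "money": [r"\binvoice\b", r"\bpayment\b", r"\bwire\b", r"\bbank details\b",
              r"\brefund\b", r"\bgift cards?\b"],
    "emotion": [r"\bstuck\b", r"\bstranded\b", r"\bemergency\b",
                r"\bin trouble\b", r"\bcounting on you\b"],
    "urgency": [r"\bimmediately\b", r"\bwithin \d+ (hours?|minutes?)\b",
                r"\bright now\b", r"\btoday\b", r"\bbefore .* (closes?|expires?)\b"],
    "call_to_action": [r"\bclick (here|the link)\b", r"\bopen the attach",
                       r"\bverify your (account|password|credentials)\b",
                       r"\bsend (me )?(your|the) (password|credentials|login|codes?)\b",
                       r"https?://\S+"],
}

# Constructed sample messages: a gift-card scam, a routine reminder, a credential phish.
SAMPLE_MESSAGES = [
    "Hi, I'm stuck at the airport and my card was declined. Can you buy 3 gift "
    "cards and send me the codes right now? I'll pay you back today.",
    "Reminder: the Q3 planning deck is attached for Thursday's meeting.",
    "Your account will be suspended within 2 hours. Click here to verify your "
    "password: http://example.invalid/verify",
]


def score_message(text):
    """Return a dict of red flag -> matching patterns for one message."""
    lowered = text.lower()
    hits = {}
    for flag, patterns in RED_FLAGS.items():
        matched = [p for p in patterns if re.search(p, lowered)]
        if matched:
            hits[flag] = matched
    return hits


def triage(text):
    """Rate a message by how many of the four flags co-occur.

    0-1 flags -> "ok", 2 -> "suspicious", 3 or more -> "review".
    Returns (verdict, sorted list of flags present)."""
    hits = score_message(text)
    count = len(hits)
    verdict = "review" if count >= 3 else "suspicious" if count == 2 else "ok"
    return verdict, sorted(hits)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage(msg), "<-", msg[:60])
```

The output is only a prompt for a human to look twice; a message carrying several flags at once is the pattern the talk describes, not proof of an attack.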
Jenny said that no matter how technical or great the big cybersecurity solutions are, organisations need to work with the human.
She concluded: "We are not the weakest link, but we are not the strongest either."
How to Secure Your Team from Social Engineering Attacks
Now that you know the motivations behind social engineering attacks, the tactics they employ and how successful they are, how do you go about equipping your team with the skills to identify and stop these threats?
Download our Quick Guide to Socially Engineered Attacks to learn more about how social engineering attacks work and why so many cyber criminals employ social tactics.
We also give insights into the common types of social engineering attacks, such as:
- Quid Pro Quo
Then we share our advice on how you can build your human defences to reduce the risk posed by social attacks.