Most “cyber attacks” aren’t just cyber; they’re human. Social engineering – coercing or manipulating people to either divulge information or aid a breach – accounts for… err… well, it depends on whose data you rely on. 82% here, or 98% here, or 57% here but actually 87% when factoring in other human failures, like lost/stolen devices.
The point is simple: human (in)action is the OVERWHELMING cause of data and other breaches. Technical vulnerabilities exploited by hackers – the classic movie image of a hoodie-clad protagonist tapping away at green code on black screens – are largely BS as a root cause (only around 3% of breaches happen that way).
I’ve spent time hunting down the social engineers, working with various agencies – often in sensitive sectors – to weed out the state-sponsored, direct-action-group, or competitor-backed spies targeting their precious intellectual property. It’s fascinating but tough work. If you need to call someone in to do that, you’re possibly already in trouble. So how might we prevent the risks of social engineering?
A few years back, I co-wrote a brief “e-book” on the topic with microlearning specialists Yarno. You can get the book here. But if you want the summary:
🚦 Keep private lives private – try to keep work and personal devices (and content) separate (tougher in the WFH era, but the attacker only needs one of the two to be sloppy).
🚦 External devices – really? No need in 99% of cases (for the 1%, use an encrypted device that has been explicitly approved, not whatever USB stick is in the drawer).
🚦 If you’re travelling to high-risk areas (hotels and their safes are never safe), go low-tech: a brick phone for calls and texts and a pared-down laptop holding only what the trip needs.
🚦 Physical security matters more than you’ll ever realise. You know how people love to leave devices unlocked and print-outs lying around? Well, so do the baddies.
🚦 Careless talk (or not disposing of documents properly) costs. A lot of sensitive information can be gleaned from eavesdropping and dumpster diving, and none of it needs a single technical exploit.
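The “encrypted and approved device” point above is easy to say and rarely enforced. As an added example (mine, not from the original post or the e-book), here is what the check behind that rule looks like when written down: removable-media plug-in events are compared against an allow-list of approved device serials, with each approved serial pinned to the vendor/product it is expected to present. The event format, serials and vendor/product IDs are constructed for the example; in practice the events would come from endpoint telemetry (udev, Windows event logs, an EDR) rather than a hard-coded list.

```python
"""Removable-media allow-list check (illustrative; not from the original post).

Assumptions (mine): each plug-in event carries the user, the USB vendor and
product IDs, the device serial and whether the device is hardware-encrypted.
Approved devices are identified by serial, and each approved serial is pinned
to the vendor/product pair it was issued with.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceEvent:
    user: str
    vendor_id: str
    product_id: str
    serial: str
    encrypted: bool


# Constructed allow-list: the "1%" of approved, encrypted devices.
# serial -> (vendor_id, product_id) the device was issued with.
APPROVED_DEVICES = {
    "ENC-0042": ("0781", "5583"),
    "ENC-0107": ("0781", "5583"),
}

# Constructed sample events (made up for this example).
SAMPLE_EVENTS = [
    DeviceEvent("alice", "0781", "5583", "ENC-0042", True),   # approved and encrypted
    DeviceEvent("bob",   "0951", "1666", "A1B2C3D4", False),  # random unencrypted stick
    DeviceEvent("carol", "0781", "5583", "ENC-0107", False),  # approved serial, encryption off
    DeviceEvent("dave",  "13fe", "4300", "ENC-0042", True),   # approved serial on the wrong hardware
]


def check_event(event, approved=APPROVED_DEVICES):
    """Return the list of policy violations for one event (empty list = allowed)."""
    reasons = []
    expected_ids = approved.get(event.serial)
    if expected_ids is None:
        reasons.append("serial not on approved list")
    elif (event.vendor_id, event.product_id) != expected_ids:
        # Serials are trivially cloneable; a mismatch here is a cheap spoofing tell.
        reasons.append("vendor/product mismatch for approved serial")
    if not event.encrypted:
        reasons.append("device not encrypted")
    return reasons


def audit(events, approved=APPROVED_DEVICES):
    """Map each offending user to their violations; compliant events are dropped."""
    findings = {}
    for event in events:
        reasons = check_event(event, approved)
        if reasons:
            findings[event.user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_EVENTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The caveat a practitioner should keep in mind: a USB serial is an identifier, not an authenticator, so the serial-plus-vendor/product pin only catches lazy substitution. The control that actually matters is the hardware-encrypted device itself plus the human rule that nothing else gets plugged in; the check above just tells you when that rule is being broken.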
There’s more in the PDF, including phishing, vishing (its voice cousin) and SMSishing (the SMS version).
Natural disasters aside, most risk is human. We may give risks titles that depersonalise them (from “cyber” to “sanctions”), but those of us managing human risks are well placed to help mitigate issues that may seem outside our immediate area of operation. If your organisation’s information security and data protection architecture is mainly about technical controls, it’s missing your expertise!