Social engineering is not about the hackers and cyber-criminals you see in the headlines. Social engineering is the human element of security, and is also defined as the psychological manipulation of people into carrying out actions or divulging confidential information.
Kevin Mitnick, one of the world’s most well-known and notorious social engineers, stated there’s “no patch for stupidity” when it comes to social engineering attacks. Industry professionals realise the best-laid plans and most sophisticated systems can be greatly damaged by just one person’s careless or malicious actions.
As an ethical social engineer, I understand how to manipulate and fool, to persuade and cajole, to influence and convince. I do this in order to demonstrate weakness, replicate malicious attackers and help companies patch up vulnerabilities. I have observed first-hand how easily people can be led to talk too much, become too trusting and thus 'open the company kimono' to attackers of all backgrounds, for a variety of reasons.
As a result, people have the power to bring organisations down based on what they know about them. Criminals only need small nuggets of information as a pathway towards breaching companies. Loss of privacy, dignity, security and money are all considered collateral damage en route to the target.
But let’s talk about positive qualities that people have. Yes, humans can be conned, scammed and fooled, and occasionally demonstrate stupidity, but people are also strong, resilient and have an incredible capacity to adapt and grow. They can form an effective part of organisational and social defence structures. This is known as 'people power'.
People who are informed and aware can work alongside more technical defences to help reduce human-based attacks, or stop them dead in their tracks. Once people are educated about social engineering threats in any form, they are in a better position to prevent, measure and mitigate them than most warning systems. That’s because people who are energised, motivated and alert are a powerful magnetic force for change, and change is needed to spot and report such crimes.
Protection against social engineering is a good start when creating secure individuals, workforces and societies, because it’s an attack vector which is easy to understand.
Human-based attacks are often linked with more technical threats, but the human side has a better story when raising awareness for various forms of attack. It’s easier for people to adopt the mindset of a con artist than it is to place themselves within the structure and consequences of a more technical hack or problem. So 'people hacking' is a good starting point on the journey to awareness and security.
Individuals require personalised and relevant information about the nature of social engineering attacks, with guidance on when and how to report this. People cannot be blamed if they fall for tricks, cons and scams, and they should have a voice to report near-misses and suspicious behaviour.
The baton should be handed to the masses to observe and report human hacking, as they are the people who can do it best. The industry must inform, empower and step back to let people lead the way.
Social engineering attacks people. Everybody is a potential target because everybody has information which can be used in some way, somewhere. We must all take responsibility to protect ourselves; that responsibility has to be shared by every individual, organisation and society, not passed on or over to someone else.
Only people power can prevent attacks from happening: the troops must be mobilised, with millions of eyes and ears open and alert to dangers. Mass vigilance and widespread observation are our greatest hope of stopping attacks, slowing them down and draining them of energy.
One person can bring down a fortress, but one person can also protect millions of other people.