Building secure information systems is all very well and good, but if you really want to keep your private
data safe, the best way is with an understanding of how people think.
It’s a truth of war from ancient times no matter how formidable your defenses, no matter how thick your city walls or how deep and wide your castle moat, your weakest security link will always be the human factor — intentionally or unintentionally.
They’re the most effective backdoor into a secure system, the leading cause of data leaks, and ultimately the biggest threat to your organisation.
And addressing that threat requires something more than mitigation tools an techniques,; more than security systems.
It requires that you understand psychology.
You need to know how your employees think, but more importantly, you also need to know how your cyberattackers
think.
Equipped with that understanding, you’ll know exactly what needs to be done to proactively address and mitigate potential data leaks and cyberattacks.
Hackers use various psychological manipulation techniques to target your employees and to get into your system.
Once you understand these techniques it will enable you to formulate creative strategies in order to deal with complex cybersecurity attack chains.
So that you can understand where these techniques come from, we should start with basic human needs and motivations.
Abraham Harold Maslow was an American psychologist best known for creating Maslow’s Hierarchy of Human Needs.
I studied this in an MBA course on psychology in HR management.
His model explains that human needs are motivated by a hierarchical structure.
This means that basic needs which are lower down in the hierarchy (food/water/shelter/security) must be satisfied before individuals can attend to needs that are more sophisticated and complex.
Hackers take advantage of these fundamental human needs.
Hackers use tactics such as spam or phishing in an attempt to directly exploit one of these human needs.
However as people become more aware of these techniques, hackers become increasingly sophisticated and combine various needs together in order to create a complex attack model.
For example, a hacker may try to become your friend through a social media platform like Facebook (FB).
Seriously, how many of your friends on FB do you really know?
I mean, think about it, you know all 100+ FB friends well enough to share your intimate family photos?
By going through your profile, hackers can get a better understanding of your needs, such as your religious or spiritual beliefs or your favorite sports, etc.
The hacker can then target you by sending you a Facebook message with an offer for a limited time only for a spiritual event, or game tickets to your favorite team, followed with a text message and a phone call.
Because the hacker has studied you, he knows exactly how to push the right buttons in order for you to respond.
These types of cyberattacks are very convincing so employees must be constantly reminded of the risks of being too
open to these types of friendly approaches online.
I won’t even go into how vulnerable children are into these types of cyber attacks and cyber safety online is paramount to prevent such things happening or escalating.
Traditionally, people have something of an adversarial relationship with cybersecurity.
Although consumers are far more security-conscious than they used to be especially with credit card use etc, people
still prize convenience over security.
They’re interested in doing their jobs, in being as efficient as possible without worrying about whether or not they’re putting corporate data at risk.
The truth is, they usually are.
There are plenty of reasons for such behavior.
They might be ignorant about the risks of their behavior, they might not realise exactly how they’re putting private data at risk.
Maybe they see cybersecurity as an “IT problem” rather than something they necessarily need to care about, or maybe more common — they simply aren’t being given the proper knowledge!
Or aren’t aware of the value of the data that they have access to.
By understanding how your people think and act — and why — you can better prepare yourself to improve your cybersecurity maturity matrix and ultimately security
posture. When doing so, there are a few things you need to consider:
- What information assets you’re trying
to protect and who has access to them; - What security tools you already have
in place, and how they impact the experience
of your end users; - How often you engage in cybersecurity
training with your people, and; - what that training involves;
- Whether or not you work with an independent cybersecurity consultant to perform cyber vulnerability assessments, pentests, phishing campaigns and social engineering attacks;
- The prevalence of personal and Internet of Things (IoT) devices in your workplace
such as tablets, Smartphone, and wearable
technology.
The IT policies you’ve put in place, and how well your employees adhere to them.
The general attitude towards cybersecurity within your organisation.
Does your staff feel engaged with and responsible for protecting corporate data, or do they seem to believe it’s your IT department’s problem?
I would suggest as IT management or executives you study your employees.
Look at how they work, and talk to them about their needs and requirements.
Endeavor to understand them, and use that understanding to encourage them to be better at cybersecurity.
Empower them in this area.
Once you understand what your most important information assets are, you’ll be able to figure out why someone would target those assets.
And by understanding that, you can better formulate a plan to protect them.
If you work in healthcare, for example, they might want to steal patient data to sell on the black market or lock it down with ransomware to get some money out of you.
If your organisation has recently made some unpopular decisions, targeted cyberattacks might instead be politicallymotivated.
Generally speaking, the motivation behind any given cyberattack is one or more of the following;
– Money — the simplest motivation. A criminal who targets a business in an effort to make money may be attempting to facilitate identity theft. They could also be trying to make off with proprietary data such as customer lists or intellectual property.
This motivation is easiest to predict and guard against — simply understand what data has the most monetary value to an attacker (and what data has the most monetary value to yourself), and lock that data down – encrypting that data both at rest and transit;
– To make a statement — has your business done anything controversial recently?
Best be on your guard – you might well be the target of politically or socially motivated “hacktivists”.
Unfortunately social media has become the platform of choice for these and in most cases the story
is typically ‘one-sided’;
– To create chaos or simply notoriety.
Unfortunately attackers of this type are the hardest to predict, and the hardest to protect yourself from.
They don’t want you to give them money, or to respond to their attacks. They simply want to watch
the world burn; and
– The insider — intentionally or unintentionally this still accounts for 80 per cent of successful cyber breaches.
A disillusioned IT professional. A former worker, angry about being laid off.
A programer who has simply stopped caring about their organisation. The one thing these employees
all have in common is anger — and the capacity to turn that anger against their company and cause as much damage as possible.
Ideally, you want to address this problem by treating your workers well, and ensuring they don’t have reason to become disillusioned.
But in some cases, this might not be entirely possible.
In such situations, it’s important that you’re able to recognise the signs that someone might be malicious and take action to prevent them from causing too much damage.
Good cybersecurity is more than technology alone.
It’s holistic and about understanding both your own people and the people targeting you. Only by taking into
consideration, as part of an overall cybersecurity strategy, a proactive psychological approach can you truly keep your people, systems, and data safe from those who would do them harm.
As ancient military strategist and philosopher Sun Tzu states in the classic The Art of War – “The greatest victory is that which requires no battle”.
Congratulations to the Olympics gold medal winning Fijian Rugby 7s men’s team!
As always, God bless you all and stay safe in both digital and physical worlds.
- ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
