Why human beings are so easily misled
Social Engineering | It can happen to you
By Etienne Verhasselt, Senior Account Manager at ZIONSECURITY, partner of SecureLink
Proofpoint states in its ‘Hacking Human Nature report 2018’ that 90% of all social engineering is done through email. This is a very high number. Why is that? Why email?
Well, let’s get logical. Do you know anyone who does not have an email address?
There are so many end users who work with email on a daily basis. Of course, as a company, you can – and you have to – add the right technical security controls to protect your organization against threats. This will definitely decrease your risk of being breached. But in the end, technology alone is not enough. It is about people, process and technology.
It is the human behind the screen that is being misled. People are very easy victims because they can be influenced in a million ways. That is why it is extremely important to focus on your end users.
Your employees (all of them, including the managers, the IT team, etc.) need to know that it can happen to them too! They can all become victims of social engineering. And social engineering takes many forms. Just think of:
- Trojan Horses
- Mystery guest
- Role playing
- Media dropping
- Reverse social engineering
- Shoulder surfing
- Dumpster diving
You name it! Your end users need to be trained in these different areas because the criminals know that the weakness lies in human behavior.
Where does the weakness in human behavior lie?
Just think of the typical things humans are susceptible to: curiosity, stress, fatigue, extortion, or culturally learned behavior such as politeness.
- Why do people pick up a USB stick and plug it in?
  Maybe because they are curious about the data it contains.
- Why do people click on a bad email link?
  Maybe because they are up to their eyes in work and don’t have the time to think everything through.
- Why don’t people always destroy their confidential papers?
  Maybe because they are too lazy or too messy, or simply because they forgot.
- Why don’t people notice a misspelled link?
  Maybe because they are tired.
- Why do people respond to suspicious questions?
  Maybe because they are culturally programmed to answer when they are asked a question.
- Why do people let a stranger into the building?
  Maybe because they are just trying to be polite.
- Why do people accept a strange friend request on social media?
  Maybe because they want to be popular.
I can go on forever, but I think you get my point. It is just normal that people exhibit certain behavior because it’s in their nature and in their culture.
You can’t expect them to know and remember everything they were once told, because it has not been programmed into them and is therefore not automatic behavior. In order to program something (like cultural behavior), people need to be trained, and trained as a continuous process, so that, in the end, their automatic pilot takes over. That does not entail constant repetition, but it does come down to raising awareness as a continuous process, because true cybersecurity is based on the right people, process and technology.