Hugh Torpey


15th Feb 2018

Hugh Torpey is Content Manager at the IMI


People Hacking – A Risky Business

Lock the doors, close the windows, set the alarm and secure your building. Create firewalls, encrypt mobile phones, beef up email security, and you’ve begun to protect yourself digitally. There is one factor, however, that means you will never be fully protected – people.

As technology gets better, security for that technology will get better in parallel. It’s an arms race to a certain extent, but it’s a race in which organisations will, to a large degree, have to rely on outside expertise. For the criminals out there looking to exploit your organisation, this means that people are their best way in.

The Bad Actors

Jenny Radcliffe is an expert in finding the bad apple in an organisation or, more regularly, making a good apple go bad. Jenny spent most of her adult life ‘people hacking’, using social engineering techniques and the digital landscape to gain access to businesses. In this world where an organisation’s digital security may be airtight to the average criminal, using the internet to spot the human weak spots within an organisation is easier than you would imagine.

If, for example, an outside bad actor wanted to gain access to a member of your board’s computer system, how would they do it? The answer is, nearly always, online.

It is very easy to find out personal information about people online.

By searching for each board member you can, very easily, find out who their partner is, whether they have children or pets, their phone number, their home address, their favourite TV show… the information unique to each individual. Once the bad actor has these hooks, they can use them to target individuals. The person with lots of dogs, for example, would be vulnerable to an email asking them to re-book an appointment with the local vet.

This online research will also give the outsider clues about who to overtly target to recruit for corporate espionage. If you surveyed CEOs today, corporate espionage would probably not be high on their list (although cybersecurity might) as it doesn’t feel like something that would be common to an organisation. This is not the case.

At the time of writing, WeWork – the largest company in the co-working space business (like an Airbnb for office space) – has been accused of sending two spies to infiltrate rival Knotel to steal information and customers. The spies allegedly visited seven Knotel properties in Manhattan in September in a “systematic attempt to pilfer Knotel’s proprietary information and trade secrets”.

Of course, there is nothing like a malicious employee to damage your organisation. From straightforward leaks of information, stealing and sharing of plans and projects, to outright sabotage, the internal employee has a huge amount of power to damage your organisation.

If they weren’t a plant from the beginning, people using the techniques laid out by Jenny can turn them into a malicious insider through the use of fear, emotional manipulation and, most commonly, money.

Protecting your Organisation

Unfortunately, there is no real way to protect your organisation entirely. Kevin Mitnick, one of the world’s foremost computer security consultants, once said ‘there is no patch for human stupidity’, and this could probably be extended to greed as well. If a bad actor is within your organisation, all the security in the world may not be enough to combat a big enough monetary reward.

For those attempting to stop bad actors ‘people hacking’ their way into an organisation, the best prevention strategy is awareness. Make your employees – especially the high-value targets – aware of the threat and give at least basic training. Arming your employees with insights on how they can be targeted and what to look out for is the best shield.

Digital security is today both the lock and the key, but organisations should begin thinking about the people that can actually open the door. It is not computers stealing internal company information, it’s people.


 

This blog was adapted from a talk given at the IMI by Jenny Radcliffe at the National Management Conference 2017. Jenny Radcliffe – aka “The People Hacker” – is an expert in social engineering. She speaks, consults and trains people in the skills of “people hacking” and explains how social engineering using psychological methods can be a huge threat to organisations of all sizes.
