Hacking People vs. Computers in Data Security
Jeff McKissack
I help keep *employees* out of the Emergency Room, and help keep *employers* out of the Courtroom & the Newsroom.
In data security, the major emphasis (understandably) still falls on 'cyber' attacks: hacking computer systems to gain access to sensitive data.
But as several national and even international publications have already noted, both the Russians and the Chinese are increasing their efforts in social engineering ploys (low-tech) rather than the more traditional forms of cyber attack (high-tech). Why?
If you think about it, long before the advent of the internet, how did foreign players, and domestic actors engaged in corporate espionage and sabotage, achieve their goals? It obviously wasn't by hacking computers, which in many cases were not accessible or did not yet exist. They did it through old-school social engineering: impersonation, bribery, or blackmail.
Some of those same strategies appear to be coming back into vogue. Russian attempts to bribe employees of U.S. companies have been reported, while the Chinese have been found threatening or blackmailing Chinese employees of similar companies by way of the safety of their loved ones back home in China. And there remains the ongoing concern of corporate espionage and sabotage by U.S. companies against other U.S. companies using the same methods.
I believe these will be on the increase because they are honestly more cost-effective, and historically more effective, than trying to constantly "one-up" the other side in the technological hacking of computers. But who is addressing this dynamic? In the corporate world, for the most part, NO ONE! Why? Because it means employers have to delve into the personal habits and lifestyles of their employees. Some of those habits are distasteful vices an employer would rather ignore, yet they are the first things a would-be adversary will use against an employee to compromise their position within the company.
Gambling, sexual, and drug vices, and so on, are all potential points of vulnerability. So is setting someone up on camera in a compromising position, or staging something through deep-fake video or similar that looks convincing to the non-discerning eye of an employer, even though the employee never did "the deed." And what employee feels empowered enough to be proactive and approach their employer if ensnared in such a plot? Few if any.
It also means employers must be more in tune with their employees on a personal level: who is suffering a financial loss, who is facing personal bankruptcy, who has medical bills coming due with no way to pay, and so on. Make no mistake, the right person in the right position can be offered that proverbial "free lunch," not knowing or caring who is helping them out of a bad situation, until the personal debt to that person or entity comes due in the form of "favors" that compromise the company they work for. Again, what employer, HR Director, Risk Manager, or CTO/CIO is privy to such intel? Few if any.
Any data security protocol that does not take this social engineering dynamic into account leaves a gaping hole for would-be adversaries to exploit the naivety of the company's employees, period. Yes, absolutely address what needs to be addressed regarding potential cyber attacks, but do not do so to the detriment of a strategy that existed, and worked, long before computers and the internet. Those are the oldest, tried-and-true methods, and they are seeing a resurgence today. Do not be blind, or blindsided.
In the world of data security, it is still easier and less costly to hack your *PEOPLE* than to hack your computers, and unfortunately the bad actors out there have discovered this fact as well. Have you, and have you addressed it with your employees?
This is a game of strategy, a game of chess -- not checkers. Make sure you are playing on the right board.
Jeff McKissack, President, Defense By Design