Cracking The Code - The Psychology Of Social Engineering And The Power Of The Human Firewall

Joel Earnshaw, Manager Security & Risk, Perenti

Joel Earnshaw, Manager Security & Risk, Perenti

The idiom that “a chain is no stronger than its weakest link” reportedly was first published in 1786, yet it is known to have Basque origins that pre- date that period. When viewed through a cyber lens, the inference is that even the most stalwart of defences can be circumvented by targeting areas of known weakness. And it’s through this notion that the art of Social Engineering and human manipulation have continued to evolve. Threat actors’ prey on people as the weakest link, exploiting our natural propensity to trust, and tricking unsuspecting victims into divulging sensitive information or taking certain actions. But what’s the psychology behind these tactics, what makes it so successful, and how can we prevent ourselves from becoming unwitting accomplices.

For centuries, crooks and criminals alike have understood one fundamental truth – that humans are social creatures, wired for trust. This instinctive inclination leaves us susceptible to manipulation and exploitation. And exploit us they do; bypassing even the most robust technical controls to target the human element and achieve their objectives. But what if we could turn weakness, into strength.

As humans, our brains are wired for efficiency. We rely on mental shortcuts to process the wealth of data inputs we receive daily; and these shortcuts can lead to what’s known as ‘Cognitive Biases’. These biases are caused by the tendency of the human brain to simplify information inputs, and our limited capacity to process information objectively. Instead, we process information through a filter of our own experiences and preferences. Social Engineering exploits these very biases, using elements such as urgency, scarcity, authority, reciprocity, and confirmation bias to amplify the effectiveness of their attack campaigns.

But Phishing, Smishing, Vishing and Telephone Oriented Attack Delivery (TOAD) techniques are just the tip of the Social Engineering iceberg. Adversarial tactics have evolved, becoming even more sophisticated thanks in part to the propagation and accessibility of Generative AI. Fortunately, though, we're not powerless.

In many circles, the human element is commonly seen as an organisation’s greatest risk. But risk and opportunity are often two sides of the same coin. And what if we could turn that weakness, into one of our greatest strengths? Herein lies the concept of the Human Firewall.

People are capable of incredible things, but the pursuit and achievement of the incredible typically requires perseverance, purpose, and preparation. A well-trained mind is a powerful asset. And through regular training we can better educate our people on current and emerging threats, common tactics and techniques, acknowledgement and reduction of cognitive biases, and instil both an individual and collective responsibility for cyber-safe securityaware behaviours. However, this must be paired with the establishment of clear guidelines that reaffirm when and how suspicious activity or communications should be reported. And we should always encourage our people to question their digital reality, no matter how compelling or believable – in today’s hyper-connected always-on digital world, caution and vigilance are key.

But the most important facet is culture, and culture is king. It’s our responsibility as leaders to promote a cybersafe culture that permeates from the top down. Transparent communication and constructive feedback empower our people to raise potential incidents or issues without fear of reprimand. And by fostering a safe and inclusive team climate, we’re able to cultivate a security-minded culture where everyone understands and acknowledges their shared responsibility for individual and collective security.

By understanding the psychology behind Social Engineering and promoting a culture of continuous cyber awareness, together we can significantly reduce the risk of falling victim to these universal attack types. And while the human element will forever remain an inherent vulnerability, through purposeful preparation, perseverance, and continuous engagement, it can become our most resolute line of defence.

Cyber Security Isn't Simply About Firewalls, And Other Protective Technology Controls – At Its Core It's About Empowering People With The Knowledge And The Tools Necessary To Better Protect Themselves, Their Families, And Their Organisations From Those Current And Emerging Threats

Cyber security isn't simply about firewalls, and other protective technology controls – at its core it's about empowering people with the knowledge and the tools necessary to better protect themselves, their families, and their organisations from those current and emerging threats. People, process, and technology working in harmony, to create a truly resilient cyber immune system. Let's reorient our thinking, and transform ourselves from weakest link, into Human Firewalls – The first and last line of defence, capable of thwarting even the most cunning of cyber criminals.