Cybersecurity is a significant concern for businesses and their customers. According to a Gartner survey, 88 percent of Boards of Directors view cybersecurity as a business risk. Similarly, 90 percent of Americans say they are concerned about cybersecurity. Yet it isn’t just a technology problem: the human factor plays a prominent part in many cybersecurity incidents.
Jenny Radcliffe understands this dynamic as well as anyone. The self-described social engineer and burglar is especially attuned to the human factor. Radcliffe is the Chief Executive Officer of Human Factor Security, a risk assessment and consultancy, and The People Hacker, where she provides security education and awareness, bespoke content creation, training, and talks.
We recently spoke with Radcliffe about the most pressing cybersecurity challenges that have emerged this year, the most commonly overlooked vulnerabilities, and the best technologies for keeping data secure in 2022.
You’ve been at the forefront of security education for several years, winning multiple awards and helping large audiences understand the risks and opportunities of our always-changing online environment. In 2022, what are the most pressing security challenges that people and businesses must prioritize?
For most people, the risks themselves don’t really change. Email scams remain prevalent, and learning to recognise when something doesn’t look right and knowing what to do about it is a good first line of defence. Remember, phishing scams nearly always discuss money and ask you to click on a link, open an attachment or give away information, often in an urgent timeframe prompting you to act quickly without first verifying the source. These indicators, often coupled with emotional content, should always be a red flag, and we need to check with the official company first, independently of any information given in the email, to check whether the information is trustworthy.
In reality, this means finding the customer service number or email on their legitimate site or on the back of our bank statements, for example, and asking if there is really a problem. We can also put a few lines from the email into a search engine followed by the word “scam” or even just the company name and “scam” and we will often find evidence very quickly if we have been hit by a common attack. This is also true for suspicious phone calls and texts or however we are approached. In many cases the scams are known and have been reported by others, and we can very quickly find out if they are bogus, often with the company or organisation themselves offering help and a way to report the issue. We should also remember that these scams may have themes that reflect the wider environment, reflecting news stories and preying on our sympathies for causes and issues we might be familiar with. Unfortunately, we live in troubled times when the wider narrative is ripe for exploitation as a backdrop to cybercrime.
Other than that, always be careful about what information you share online and stick to basic “cyber hygiene” rules, such as using strong passwords and taking care which links we click on. These small steps are very helpful in making ourselves smaller targets.
As a “burglar” for hire, what are the most commonly overlooked vulnerabilities when protecting our physical spaces?
The most common mistake I see is companies either not using the security systems that are in place already, leaving doors open or switching off alarms for example, or otherwise not repairing these when they break or malfunction. Watch staff and find out what shortcuts they take, and find a way to either make these secure or block them off entirely.
Many places have already invested in good security measures and procedures, but if they are not maintained, updated, and used properly they are as good as useless.
Make sure whatever measures you have in place are still fit for purpose and used properly, listen to staff when they bring issues to you and actively approach people for ideas about making your site more secure. Many staff already know where the problems are on a site, but if you don’t ask for their input they probably won’t see it as their job to tell you what they see.
What is the “human element” of security, and how can accounting for this security dynamic help companies protect their people and physical spaces?
The “human element” refers to the issues around having people as part of a security system. Working with people and making them aware of how to live and work securely puts a layer of defence in place, giving us many eyes and ears that can help spot things that might be a threat to our business and personal lives.
However, people also get tired, distracted and make mistakes. We get around what we find inconvenient and can be bribed, coerced and manipulated into helping or causing a security breach. So the “human element” also refers to the fact that whilst humans have a part to play in any security system, they also introduce an element of vulnerability, of weakness, and that is what criminals very often rely upon to get past even the most sophisticated security systems.
As more people/businesses upgrade the way in which they protect themselves, what types of technology (i.e. AI) do you believe will be at the forefront of transforming the security industry?
There are many technological security solutions on the market and provided they fit the needs of the businesses they serve, they are extremely helpful in improving the security posture of organisations. Improved exterior and physical security makes physical breaches slower and easier to detect, if not preventing them altogether.
Whilst cyber defences like email screening and anti-virus software do the heavy lifting in terms of filtering out malware and other problems in email, we also need technology in various forms to narrow the options for criminal access and for our own people to spot malicious approaches.
The few problems that get past our technology still need to be assessed and dealt with by humans, who, as I mentioned, don’t always make the right decisions, so we need technology to help minimise the number of times a human has to make those choices.
Like anything else it’s always going to be a partnership between humans and technology working together to keep criminals out and protect ourselves and our businesses from harm.