Social Engineering Means Cybersecurity Depends on Human Resources

Some believe that our increasing reliance on technology has lessened the importance of humans in today’s workplace, but just the opposite is true. Although technology can help us work more efficiently, humans remain the central motor that drives all endeavors forward. This means human resources (HR) must play a role in cybersecurity.

As technology proliferates to assist people in performing more work in less time, the potential pitfalls of technology also multiply. The types of pitfalls, and the reasons they exist, may be more subtle than some of us appreciate. Understanding those subtleties is key to understanding the critical role that HR professionals must accept in combating the perils that arise when workers meet computers.

Cyberattacks Have Evolved

To understand the subtleties of human interaction with technology, we must appreciate the true nature of common cyberattacks. While many conceive of modern hacking as primarily an exercise in highly sophisticated computer coding, the truth is far different. The easiest attack route for cybercriminals is social engineering, which often allows the attacker to bypass increasingly sophisticated technological controls.

What is “social engineering”? At its core, social engineering is the manipulation of basic human emotions to get people to do something they wouldn’t do if they were assessing a situation logically. A common scenario involves an appeal to the basic human instinct of being helpful—e.g., allowing a “workman” without credentials access to an office because he claims he’ll get fired if he doesn’t immediately complete the job. Likewise, hackers prey on the human desire for accolades and recognition—e.g., sending a tailored e-mail (containing a poison link) that tells an employee he has been selected for some sort of “honor.”

In essence, social engineering plays on basic human emotions such as helpfulness, the desire for recognition, and greed to generate an emotional, rather than a logical, response to a given stimulus. It’s that instinctual emotional response that the social engineer seeks.

Social Engineering on the Rise

Social engineers prey heavily on the modern office’s need for speed. As workers are increasingly pressed for time because of mounting workloads, they put less thought into many of their habitual actions. “Multitasking” becomes a badge of honor for employees, and they hurry through many routine tasks. Put simply, a harried employee who is simultaneously on a conference call and clicking rapidly through her in-box is much more likely to open a poison e-mail attachment or click on an unverified link than a thoughtful, unhurried “one-task-at-a-time” worker is.

At its core, workplace technology exists as an effort to increase efficiency by making processes routine and accelerating the speed with which work can be completed. And there’s little doubt that the pace of the modern workplace has increased. The demand on workers to perform more work in the same amount of time is an almost universal truth in today’s workplace. But, as the old saying goes, “Haste makes waste,” and modern cybercriminals count on that principle when they carry out common workplace attacks.

Study after study shows that harried multitasking employees are much more prone to errors and unfortunate “automatic” behaviors, whether they are answering e-mails, driving trucks, or managing nuclear plants. The simple fact is, as technology offers ever-easier routes for attackers to penetrate sensitive areas, it makes workers more prone to a variety of social engineering ploys.

Once we consider the omnipresent problem that social engineering presents, it becomes clear that HR has as critical a role to play in cybersecurity as the IT department does. After all, IT workers are neither fundamentally equipped to tackle, nor generally charged with, the challenge of modifying employee behavior. In fact, because the sophistication of security technology is increasing at a much faster pace than workers’ behavior is changing, most of the cybersecurity vulnerabilities lie with workers, not firewalls. It isn’t a stretch to suggest that the success of present and future cybersecurity efforts may have more to do with HR’s effectiveness in guiding worker behavior than with IT’s effectiveness in implementing stronger technical controls.

Modern Mobility Entails Higher Risk

Workers’ use of increasingly prevalent and sophisticated technology raises security risks in other ways as well. As the workforce becomes more mobile, sensitive data also moves. Many cybersecurity professionals have given up on “defending the perimeter” of a corporation’s IT network because there is no defined “perimeter” to defend in the age of laptops, remote employees, and smartphones.

Entry points into a company’s network and data exist everywhere. Defending on-site workstations and servers is only a small component of the modern cybersecurity pro’s concerns. The harder part is protecting employee home computers that can access the corporate network and the so-easy-to-lose laptops and smartphones that are often both entry points into the network and repositories of sensitive data in their own right.

Likewise, the combination of data mobility and increasing demands on workers has led to more employees taking work, and thus data, off their employer’s premises. While most workers have the best of intentions, unsanctioned data removal is usually done without adequate safeguards (encryption, for example). Too often, employers that install a data loss prevention system discover, to their horror, the widespread removal of sensitive data by employees to facilitate after-hours work.

While most employees are well-intentioned, some are not. Unfortunately, technology has greatly increased the means for potential access to sensitive data—and the mobility of that data. Back in the day of paper records, it was much harder for a malicious employee to remove large amounts of personal information without detection. Today, it’s much easier for malicious employees to abuse their insider access to the system (and the tools to accomplish it are freely available on the Internet), and thousands of files can walk out the door on a USB device.

Bottom Line

Many of today’s most pressing cybersecurity challenges don’t arise from flaws in the technology but instead stem from human vulnerabilities. Because human vulnerabilities can’t be easily fixed by plugging in a new piece of hardware, the human side of cybersecurity will only grow more important and more difficult to regulate in the future. This large and growing problem has made HR one of the most important frontline soldiers in the cybersecurity battle.