“Cyber security is a people science and a business issue.”

Recently I read this quote by Matt Gyde of NTT: “Cyber security is a people science and a business issue.” I think there is a lot of truth in that one sentence, and I will try to explain why.

Motives for Cyber Criminals

Cyber criminals have different motivations for doing what they do. Sometimes you would think it is to bully others, but that is only a very small minority. There are those who do it to make a political or social point, for example by hacking the websites of certain governmental organizations and putting their own message on them. Some cyber criminals do it as an intellectual challenge, to show that they are better than the company’s security people.

But the vast majority do it purely for the money.

The anatomy of a cyber attack

First of all, I would like to distinguish between targeted attacks and attacks that succeed by fluke. In most attacks, the cyber criminals try to reach very large numbers of computers and people using very generic methods. If one of those attempts turns something up, they can focus more on that.

In other words, most attacks are not targeted at the outset; they start as a fluke. Only once it appears to the cybercriminal that an attack will be successful do they start to work in a more targeted manner.

So what does such a targeted attack look like? This generally takes place in a number of steps:

  • Reconnaissance
    • Exploring the situation and collecting as much information as possible that can later be useful for their ultimate goal
  • Weaponization
    • A specific security issue is chosen and a package is prepared to exploit the vulnerability found
  • Delivery
    • The prepared package is delivered to the victim
  • Exploitation
    • The found vulnerability is exploited so that the cybercriminal gains access to the victim’s system

The human nature

One of the most common techniques cybercriminals use to get the information they need to continue their attack is to turn our human nature against us. In the jargon this is called “social engineering”.

Social engineering is used very often in the ‘Reconnaissance’ and ‘Delivery’ steps, especially because it is so easy.

And that’s where the quote comes in: “Cyber security is a people science and a business issue.”

Cyber criminals are very interested in how human behavior works, so that they can take advantage of it during their reconnaissance or delivery. In this way they ensure that a cyber security incident is actually a kind of ‘inside job’, albeit an unwitting one.

It is therefore very important as a company to provide explanations and training to your employees so that they become aware of how their own human nature is being abused by cyber criminals. And so the second part of the quote comes into play: criminals study people in order to abuse human behavior, which is a problem for companies, and so companies must do something to protect themselves.

Summary

TL;DR – Cyber criminals abuse human nature to launch their attacks for pure profit. It is up to companies to train their employees to deal with this in order to protect company data.

Spinae is happy to help you identify vulnerabilities that could be exploited by cyber criminals and train your employees. Would you like to exchange ideas about this? Feel free to contact our experts.