Within the cybersecurity industry, there’s a game of cat and mouse that we’ve been grappling with for quite a while. That is, no matter how much security technology we purchase, we still face a fundamental security problem: people.
As a security practitioner and during my time as a research analyst and industry adviser at Gartner, I invested my time evaluating security technologies and helping organizations decide which one(s) would best enable them to secure data. What I found to be the case throughout my career was that no matter how good my recommendations, or how secure the technologies, people are a game-changer that many organizations don’t think about until it’s too late.
One malicious or negligent human can often intentionally or unintentionally nullify the effectiveness of technology-based controls. The truth is that humans are both our biggest threat and our last line of defense.
This article is the first part of a two-part series that looks at what I call “Deceptioneering” and examines why human beings are so apt to fall for trickery, even if they have been warned against it. This article will give insight into the concept of Deceptioneering and set the stage for Part 2, which looks more deeply into the principles of the concept.
Two disturbing truths
As I mentioned, our people have the ability to cause significant harm if they are not educated about the threats they encounter. But they also have tremendous potential to protect our organizations and act as a “human firewall.”
But, to make our team members an effective last line of defense, we need to first grapple with two disturbing truths: 1) all humans are master deceivers; and, 2) we are all easily deceived.
Let me explain: each of us is trained in the ways of deception beginning early in our childhood. Early on we were taught that lies make life easier and social situations more comfortable. Do you remember going to a distant family member’s house and being instructed to just act like you enjoy being there? Giving a hug to crazy Aunt Shirley even though she talked to you like you were an infant? Or telling your friends’ parents that you loved dinner even though it was the worst thing you had ever eaten? As we get older, we refine the talent even more – from learning how to expertly respond when your significant other asks whether they have gained weight, to when your boss asks for your ‘honest opinion’ about his/her new strategy.
Those are just untruths from the ‘little white lie’ category; there are also the big ones that we and others tell to hide things, get away with things, trick people, cheat, mislead, and outright steal from one another. And yet, we all know people who have believed both benign and malicious lies.
And – if we are truthful with ourselves – we’ll even admit that each one of us has been deceived badly more than a few times over the course of our lives.
We’re engineered for trickery
Why do we continue to fall for scams, social engineering and other deceptions? It’s because our brains are easily fooled. Each of our brains takes in a massive amount of input and then decides what is important, what the implications of that input are, and what (if any) response is needed.
Our brains filter and present ‘reality’ very efficiently by employing a variety of shortcuts. Over the millennia, magicians, pickpockets, con artists, scammers, and others have learned how to hijack these mental shortcuts and use them to their advantage.
In my keynotes, I love using examples from magic, pickpocketing, and hypnosis to quickly and easily demonstrate how our brains can be manipulated.
Come back to read Part 2: Deceptioneering next week to learn exactly how we fall for scams – particularly cybersecurity-related tricks – and what we can do to see through the con.