Why Hacking Humans is Easier Than Hacking Software

Craig Hays

Illustrations by Lisk Feng

Craig Hays is an ethical hacker with a knack for hacking humans. But how does he do it? In a recent podcast episode, he divulged his secrets and discussed why social engineering attacks are on the rise – all from the point of view of an attacker.

Listen to the full podcast here, or read on for his top three takeaways.

Hacking humans is easier than hacking software

At the beginning of my career, the way we stored information was very different to how it is now. Data used to be stored on-site, at the office with you. With the cloud-based technology of today, there is no longer a corporate firewall to protect you, and you might never even use a VPN – your identity is now the key that grants you access. What’s more, people are vulnerable – it’s easy to find information about someone to get hints about a password, or be given a password, or find a password. There are just so many ways to attack a person compared to technology, and it only takes one slip-up.

As a hacker, once I have gained access to your account I can do everything that you can do. This includes things you might not even know you can do (e.g. if an administrator has configured your account to do more than what is required within your role). So, I can poke around and see if I can access things or delete things that I shouldn’t be able to – or even send phishing emails to co-workers.

Further to this, activity by a hacker within a hacked account is very difficult to detect. The attack won’t appear as a threat that has come in – as far as the rest of the company is concerned, it will appear as you just doing your job. Ultimately, hacking people is easy and can be devastating for a company, and this needs to be understood by businesses.

Cybersecurity is a business problem, not an IT problem – and security training should reflect this

Security awareness training serves a purpose, but it is not the end goal. We hire people to do their jobs, and the role for most people in an organization is not cybersecurity. So, cyber awareness training makes a dent in some of the threats coming in, but it is never going to be 100% effective, and it is unreasonable to expect it to be.
I think that a lot of businesses see cybersecurity as an IT problem that they pay the IT department to ‘fix’. But in my opinion, it is a business problem that goes all the way to the top. I believe that it is the responsibility of the organization to take security obstacles out of the way, not the individual employee. If you haven’t got buy-in from the very top when it comes to cybersecurity, you’re limited in what you can do. You can try to increase awareness and education, but if people aren’t incentivized to pay attention, they’re not going to.

Good cybersecurity training for me is all about putting it in the context of how someone operates. If you’re in sales, messaging about ransomware and phishing needs to be phrased in a way that applies to your sales job. If you’re in manufacturing, threats should be spoken about in the context of how your manufacturing environment works. Each person is focused on their own space – so training needs to be done in a way that is relevant to their job and how they think.
Sticking to processes is one of the best ways to protect against social engineering attacks

When considering how to defend people against social engineering attacks, it is important to take a step back and think about what cybercriminals are actually trying to achieve. Cybercrime is a business – cybercriminals are trying to make money from you, and they’re either going to ask you for money, or get hold of your credentials and take or extort it.

Even with the right technical controls in place, attackers can get through, and you have got to have processes in place that people follow for when attacks do get through. For example, employees in accounts will have a process to follow if they have a bill to pay. Problems occur when people break from these processes.

This is why cybercriminals are trying to make you move away from your usual processes, generally through a sense of urgency and/or fear (e.g. I am the CEO and I will fire you if you don’t do this right away!). Attackers play on your emotions, and the goal is to make you break process and do things that you wouldn’t normally do. This is why it’s important to educate people as to why these processes exist, and what could happen if they break them. If you stick to the process, you’ll be fine. But if an attacker makes you break the process, that is when things go awry.

For more from Craig Hays and what he has learned as an ethical hacker, listen to our Tessian Podcast episode, here.