Insider Threats 2: Social Engineering

Since 2021, there has been a significant increase in the number of cases in which confidential information was turned into a commodity for illicit gain. Characteristically, in most cases the direct participants in such activities were company employees who had the appropriate level of access to information. Such losses of information affected not only business giants but also medium-sized businesses.

Contrary to the widespread stereotype that the digital world is the root of all evil, provoking unscrupulous individuals to hack into computers and other user devices to obtain sensitive and secret data of particular value, leading cybersecurity experts such as John McAfee, Kevin Mitnick, and Bruce Schneier are convinced of the opposite:

The main threat is people. Most of the time, people are being “hacked”, not technological protection systems.

On June 10, 2021, the second closed-door meeting in a series of discussions on methods to prevent and counter insider threats was held in the Kyiv office of the European Academy of Sciences of Ukraine, under the auspices of the Information Security Institute, under the heading “Insider Threats 2: Social Engineering”. At the meeting, the reasons and prerequisites for the emergence of insider threats were explained in detail, along with effective and practical approaches to countering these threats.

The meeting involved experts from the areas of psychology and information security, who worked together to formulate solutions. The meeting covered both social engineering and ways to counter insider threats. At the meeting, experts introduced the concept of “hacking” and outlined its basic definition. When we speak of a person being hacked, rather than a computer system, we are referring to a person’s life-trajectory being changed as a result of psychological manipulation by third parties. This can induce vulnerable employees to commit certain actions, such as disclosing insider information.

The meeting reached the conclusion that the best way to avoid such manipulation of employees is to identify potential insider threats before they are employed, or before they are given access to sensitive information. The solution likely lies in the area of preventing people vulnerable to social engineering attacks from having access to information which third parties are likely to induce them to reveal.
