In the early years of cybersecurity, people were often described as the weakest link. That label did nothing to win their support; it was insulting and demeaning. The newer and better way to instil a cybersecurity mindset is to engage with people and treat them as a valuable part of an organization’s overall cybersecurity initiative.
As a long-time social engineer, Jenny Radcliffe has watched how criminals exploit our humanity and worked to teach us to be more careful, both personally and professionally, to reduce opportunities for cybercriminals. Jenny is the founder of Human Factor Security, a company that provides security awareness training, investigative services, security assessments, penetration testing and consulting. She is also the host of the Human Factor Security podcast, which won Best Podcast at the European Cybersecurity Blogger Awards.
I had the opportunity to speak with Jenny about the path that ultimately led her to becoming “The Human Hacker” as well as her thoughts on the current and future state of cybersecurity.
Joe Pettit: It would be great to hear about your background in cybersecurity.
Jenny Radcliffe: I specialize in physical infiltration, which I learned when I was younger. My family thought it would be best if I learned to protect myself, so they introduced me to other family members who were loosely connected to the security sector in various disguises. It was there that I honed the skills that ultimately led to my interest in security.
As the cybersecurity industry grew, it became apparent that human error was at the heart of many incidents and breaches, and that the psychology behind a successful scam or hack was key. I also have expertise and years of experience building ethical scams, so the combination of physical interaction skills and deceptive psychology has found a natural place in cybersecurity, an industry in which I have worked ever since.
My early years in the industry were filled with adventure. Some of them were not necessarily conducive to my own personal safety. Over time, I have developed better ways to keep my own staff safe while working to improve the safety of my customers. My approach centers on ethical social engineering and manipulation, practices that can help everyone be safer.
JP: The role of the modern CISO is changing. In your experience, what are the essential skills a CISO should have now?
J.R.: Security is now at the heart of all companies, and the modern CISO must accept and adapt to this reality. In practice, this means communicating risk to the business and ensuring a strong security posture, which contributes to overall competitive advantage. Technical acumen must therefore also be accompanied by comprehensive and inclusive business knowledge and a strong commercial orientation.
I talk to CISOs all the time from many industries and organizations, and I have to say it seems like the vast majority of them have these strengths along with great leadership skills and a strategic mindset these days. It is very gratifying to see that the profession continues to evolve.
JP: When looking to rejuvenate or create a new security program, what three or four areas would you tell organizations to focus on?
J.R.: Most organizations have accelerated their cloud adoption and digital transformation programs during the pandemic, and as is often the case when dealing with new and/or rapidly expanding systems, they need to focus on strengthening and monitoring these systems to verify that continued viability is still essential.
Moreover, we cannot continue to use the pandemic as an excuse not to denounce bad practices, especially in terms of shadow IT and remote work. Now is the time to remind teams of the issues this poses and to ensure they are aware of the security requirements for remote working. It is also essential to have support available for staff to reinforce any security that may not be in place properly, or at all, regarding their remote working practices.
Finally, it is crucial that basic hygiene and cybersecurity awareness training is repeated, adapted and reinforced at this stage. The workforce has been through a traumatic and turbulent time, and even basic requirements may have been overlooked. Review your outreach programs now and reinforce, repeat, and update.
JP: Based on your experience and knowledge, how are cyberattacks currently evolving? What are the top threats businesses need to focus on?
J.R.: While ransomware gets a lot of attention, the most common answer I hear to this question is ALWAYS that fundamentals like neglected patches, weak remote desktop protocols, and poor cyber hygiene are the cause of most problems. As threats evolve and change, we must adapt to meet them. Without sorting out these basic practices, one cannot hope to defend oneself effectively against more sophisticated attacks.
JP: Humans are often called “the weakest link”. This is false, because they are our best allies. What type of safety training should be offered to employees? What are the main areas of interest?
J.R.: Safety training should be frequent, varied, consistent and personalized for the recipient. Otherwise, it won’t stick. Employees should be involved in all ongoing programs and be included in the discussion. Speaking at people doesn’t work, and unless employees understand how it affects them personally, they won’t care enough to listen and participate in an ongoing or meaningful way.