In the early years of cybersecurity, it was often said that people are the weakest link. This did nothing to encourage support, as it was insulting and demeaning. The new and better way to inspire people towards a cybersecurity mindset is to engage with and treat them as a valuable part of an organization’s overall cybersecurity initiative.
As a life-long social engineer, Jenny Radcliffe has observed the ways that criminals exploit our humanity, and she has worked to teach us how to be more cautious, both personally and professionally, to reduce cybercriminals’ opportunities. Jenny is the founder of Human Factor Security, a company which offers security awareness training, investigation services, security assessment, penetration testing, and consultancy. She is also the host of the Human Factor Security Podcast, which is the winner of the best podcast by the European Cybersecurity Blogger Awards.
I had the opportunity to speak with Jenny about the path that ultimately led her to become “The Human Hacker” as well as her thoughts about the current and future state of cybersecurity.
Joe Pettit: It would be great to hear about your journey into cybersecurity.
Jenny Radcliffe: I specialize in physical infiltrations, which I learnt when I was younger. My family thought that it would be best for me to learn how to protect myself, so they introduced me to some other family members who were loosely connected to the security business in various disguises. This is where I honed the skills that eventually led to my interest in security.
When the cybersecurity industry grew, it became clear that human error was at the heart of many incidents and breaches as well as that the psychology behind a successful scam or hack was key. I also have expertise, and years of experience, in constructing ethical scams and cons, so the combination of physical interaction skills and deceptive psychology found a natural home in cybersecurity, an industry in which I have worked ever since.
My early years in the industry were filled with adventures. Some of which were not necessarily conducive to my own personal safety. Over time, I developed better ways to ensure the security of my own staff while working to improve the security of my clients. My approach is centered around ethical social engineering and manipulation, practices which can help everyone to be safer.
JP: The role of the modern CISO is changing. Based on your experience, what are the essential skills a CISO should have now?
JR: Security is now at the heart of all businesses, and the modern CISO must accept and adapt to this reality. In practice, this means communicating risk to the business and ensuring a strong security posture, which contributes to an overall competitive advantage. Technical acumen must therefore also be accompanied with an inclusive comprehensive knowledge of business and a strong commercial focus.
I speak to CISOs from many industries and organizations all the time, and I have to say that it does seem that the vast majority of them do have these strengths along with great leadership skills and a strategic mindset these days. This is very gratifying to see as the profession continues to evolve.
JP: When looking to rejuvenate or build a new security program, what three or four areas would you tell organizations to focus on?
JR: Most organizations accelerated their cloud adoption and digital transformation programs during the pandemic, and as is often the case when dealing with new and/or quickly expanded systems, they need to focus on reinforcing and monitoring these systems to check ongoing viability is still key.
Additionally, we can’t keep using the pandemic as an excuse for not calling out poor practice, especially in terms of shadow IT and remote working. Now is the time to remind teams of the issues with this and ensure that they are aware of the security requirements for working remotely. It is also vital to have help available for the staff to harden any security that might not be in place properly, or at all, concerning their remote working practices.
Finally, it is crucial that basic cyber hygiene and awareness training is repeated, adapted, and reinforced at this stage. The workforce has been through a traumatic and turbulent period, and even basic requirements may have been forgotten. Review your awareness programs now and reinforce, repeat, and update.
JP: Based on your experience and insights, how are cyberattacks changing at the moment? What are the biggest threats companies need to focus on?
JR: Whilst ransomware is getting a lot of attention, the most frequent answer I hear to this question is STILL that fundamental things like neglected patching, weak remote desktop protocols, and poor cyber hygiene is the cause of most issues. Whilst threats evolve and change, we must flex and adapt to meet them. Without these basic practices being sorted, we can’t hope to defend effectively against more sophisticated attacks.
JP: Humans are often called “the weakest link.” This is wrong, as they are our strongest allies. What sort of security training should be offered to employees? What are the main areas of focus?
JR: Security training needs to be frequent, varied, consistent, and personal to the recipient. Otherwise, it won’t stick. Employees need to be involved in any ongoing programs and be included as part of the discussion. Talking at people doesn’t work, and unless employees understand how it affects them personally, they won’t care enough to listen and participate in any ongoing or meaningful way.