
The Path of Least Resistance

September 18, 2023

Social Engineering and the Human Element

By now you've probably heard about the recent (Sep. 11, 2023, for anyone reading In The Future) cybersecurity breach and ensuing chaos at MGM Resorts. For days afterward there were reports of slot machines and hotel room keys not working, websites and hotel check-in systems offline, and more. A week later they are still dealing with the effects, and losing millions of dollars every day.


A group claiming responsibility for the attack said they had pulled it off by spending some time researching employees on LinkedIn, then making a 10-minute phone call to the Help Desk.

Social engineering is nothing new, but this may be the moment where it, and "vishing" (voice phishing, i.e. a phone call) in particular, takes the lead in how attacks happen going forward.


Why? People, like electricity and water, tend to follow the Path of Least Resistance.

When you want to get into something locked down tight, like a safe, do you kick the door open with brute force, or do you look around to see if someone wrote down the combination?


Manipulating people is almost always the path of least resistance.

Especially if they are stressed, or tired, or busy, or hungry, or new, or bound by strict 'The Customer Is Always Right' policies, or really any of a million human foibles.

That's just people being people. Mistakes happen. People get taken advantage of.


The big mistake, however, in deciding how to move forward in protecting your business from this sort of attack, is in solely placing blame on the human element or trying to remove it. Automation isn't going to solve the problem.

People may be a weak point, but those same people can also be your greatest defenders.


People aren't the real problem. Policy is.


  • Multifaceted training is essential. Some companies rely on phishing simulation alone. That is a good start, but too often the training turns punitive, and employees really learn only how to spot the training emails. Training like that wouldn't have stopped the MGM attack at all, because the attack came by phone, not by email. A better option is to make sure employee security training covers multiple topics and attack vectors (including phone calls and in-person requests), is updated often, and isn't just rote testing.


  • Front-line employees will go to great lengths to defend your company, if they care about the company. They'll care about the company if the company cares about them first. Devalued employees may not feel particularly invested in whether the company gets hacked or not, or take the time for the critical thinking involved in thwarting sophisticated attacks. An invested employee, on the other hand, will be paying attention. What makes people care about their job and their workplace? Management that is supportive, not micro-managerial. Non-toxic culture. Reasonable hours, adequate breaks, and competitive wages. Meaningful work. Being honestly valued for their contribution.  A pizza party is not going to do it.


  • Limit personal and professional information available online. This may be difficult to regulate, but encourage all staff, especially upper management and the C-suite, to be extremely mindful of the information they put on social media and in emails. Names, job titles, reporting lines, and the tools a team uses are exactly the details an attacker needs to sound convincing on a call to the Help Desk.


  • It's not so much if, as when. Have a detailed Disaster Recovery Plan in place, tested, and ready to go. If the MGM incident shows us anything, it's that even the largest, richest, most heavily defended organizations can be brought down. With the sheer number and force of cyberattacks that happen every day, sometimes it's just a numbers game. (Natural disasters count too!) The wise move is to assume the worst will happen, and prepare for it. Keep multiple backups, including copies that an attacker inside your network can't reach. Have policies ready for what to do when the worst happens, so if it does, there's no panic, hopefully no data is lost, and the business can get operational again as soon as possible.


  • Party like it's 1999. And 1979. And 1879. Here's a good exercise for disaster preparedness. Imagine you woke up and it was 1999. Your organization has computers, but no internet. Can your organization function?

How about 1979 - you have no computers. Records and receipts are all on paper.

You can take credit cards, if you have a knuckle-buster and call in the numbers. Can your business function, to some extent?

(If this feels silly, remember this is essentially what happened to the MGM hotel employees.)

Now it's 1879, and there is no electricity. Does your business handle essential services that need to keep going? Can you do that?

How can you best prepare for these sorts of scenarios?

Ask your people.


This post, like all our posts, is 100% written by a human.
