Over a decade ago, Dr. Steven Bucci published an article in Security Debrief discussing the concept of “Fifth Generation Warfare.” Wikipedia (which of course, is not a valid source), has some interesting specifics on the evolution of warfare, as well. It specifically states: “Fifth-generation warfare is conducted primarily through non-kinetic military action, such as social engineering, misinformation, cyberattacks, along with emerging technologies such as artificial intelligence and fully autonomous systems. Fifth generation warfare has been described by Daniel Abbot as a war of 'information and perception.'"
One of PCA’s strategic partners has a concept that I believe applies here – they call it: Psychological Security (PsySec).
PsySec is the practice of protecting humans from being manipulated and exploited through technology by training their brains to recognize the manipulation and react to it. From hyper-targeted ads to phishing attacks, technology and data are used to influence us every day, and we’ve learned to trust and depend on the technology we use, the brands we buy, and the people we know. That learned trust is precisely why phishing is so successful.
In fact, one can argue that PsySec is the third stage of security, after Physical Security (PhySec) and Information Security (InfoSec). We first focus on physically protecting our infrastructure and buildings, then on protecting the information itself through encryption, multi-factor authentication, strong passwords, and the like. Without the third stage, however, which is protecting us, the people, we are missing what many experts now argue is the most important piece of all.
Why bother to break a window when someone will let you in the front door? Why worry about trying to crack a password when someone will just give it to you? These are the questions that sophisticated hacking entities have asked themselves. And obviously, it’s working. Did you know:
• According to Check Point, phishing attacks are involved in 36% of data breaches.
• According to KnowBe4, only 31% of employees receive annual cybersecurity training.
• According to Google Safe Browsing, there are now nearly 75x more phishing sites than malware sites.
• According to Terranova Security, 20% of all employees are likely to click on a phishing email link. Of those who click, 67.5% go on to enter their credentials on the phishing website, which means roughly 13.4% of all employees will input their passwords on a fraudulent page.
So how do you protect yourself and what do you focus on?
A study published in the proceedings of the Third International Conference on Human Aspects of Information Security, Privacy and Trust identified five key principles of persuasion used in social engineering: authority; social proof; liking, similarity and deception (LSD); commitment, reciprocation and consistency (CRC); and distraction. These are the levers an attacker pulls, so they are also what your people need to be trained to recognize.
How do you feel about your team? Are you investing in education to raise their awareness of the manipulation techniques PsySec defends against? Hopefully you’re already investing in the first two stages, but are you adequately investing in the third, the one that fifth-generation warfare targets?
It is essential to keep this at the forefront of your strategy. If you are not currently and continually testing your team with simulated attacks, tracking the results, and training on the techniques those results expose, it may only be a matter of time before you find yourself facing a battle that is extremely challenging to win.