Previously in procurement, today Jenny Radcliffe is a security expert and author of People Hacker – Confessions of a Burglar for Hire. Here she speaks to Supply Management about the psychology behind infiltration, and just how criminals exploit the weaknesses in your organisation.
Jenny, you’re often called a con artist, a burglar, and social engineer – but what does your work actually involve?
We are ethical con artists and burglars. So my crew, but me particularly, I’ll only rob you if you pay me. You have to ask us to come in, and then I would describe it as a cross between a fire drill and Ocean’s 11. When people think of a hacker, they think of someone in a hoodie, working from a distance, using technology. But the truth is these crimes often come down to the human element; an internal person who facilitates the attack – someone who clicks on a link or forgets to patch the system, or just gets round the rules because they’ve made a mistake or because they’ve been persuaded to. And that’s what social engineering’s about: it’s a blend of technology and human skills, and it’s about weaponising those human characteristics and traits. And a lot of the skills in my work – non-verbal communication, deception detection, influence, persuasion – all of those skills help, because the key to security is understanding human psychology and human behaviour.
And I hear you’re also a negotiation expert from your time in procurement. When you’re assessing a person or a situation, how do you then apply this knowledge? For example, if a negotiation appears to be going well but you can tell the other person is not happy?
Over the years I’ve worked as a gun for hire on negotiations and I’ve taught thousands of people negotiation, and what happens is we tend to go in with our own agenda. The danger is we focus so much on certain outcomes we have to achieve, because we’re myopic and under pressure, and don’t take the time to notice the dynamics, those subtle cues and hints. Being able to listen and watch people and really understand what the other parties want is very important to get the best outcome, and especially to build a relationship. If you say, ‘Are you okay with all those terms?’ and they reply ‘Absolutely’, but you can see they’re not, you know that’s going to come back up later and be a problem. The skill then is knowing how to approach that so the matter can be discussed properly, even though someone might not want to give that up straight away. Also understanding the exact words people say in negotiations really matters. Say, ‘Is this your best price?’ versus ‘Is this your best price at the moment?’. It’s subtle, but it’s important if you want to manage relationships properly.
More and more companies are working with their suppliers as partners. Do you think knowledge of social engineering can support better relationships and better overall outcomes?
Now, you said a word there I hate: partner. It’s a great word, but it’s not always what people really want. The truth is, if this is a business relationship, what you may really be looking for is to be able to call the shots. That’s not me saying that, it’s Oliver Williamson, who won the Nobel Prize for his theory on opportunism with guile. In other words, if you can, you will be dominant over your business partner. But it doesn’t always work out that way because businesses have become so codependent. Therefore you have to negotiate to get the relationship you want.
One of the first things to remember is a deal is numbers, it’s deadlines, it’s a lot of things we should be able to talk about easily. But what will get in the way is if we behave in an aggressive or a non-collaborative manner, perhaps the person has something to prove, or wants to put a difficult supplier in their place. But if the relationship we need going forward is collaborative, then we have to be collaborative from the start, even when it seems like the cards are stacked in our favour. Because if we’re not, we might get the deal we want, but it won’t necessarily be sustainable.
Do you think there is crossover between your con artist skills and the ability to influence suppliers, for example, on compliance or transparency?
Well, if we put compliance in the security space, ticks in boxes aren’t going to protect you. If we send our supply chain huge questionnaires to tick off yes or no, that may include ‘Do you have a security awareness programme among your staff?’ Yes, but what does that mean? Is it one spreadsheet? A PowerPoint once a year? Often processes don’t give you the details, so it’s about what you do and knowing your suppliers as well as you possibly can. And that will help as much in compliance as in negotiations, because if you know the psychological levers, you know the pressure those people are under, where it’s coming from and who they’re answering to – because they may not be at the table with you – this helps us shape our persuasion and shape our relationship going forward.
In your experience of security risk and breaches, what are the common blind spots you encounter?
I specialise in two things – the psychology of scams and physical infiltrations – and what we test is existing procedures and technology. If we are hired by a company to assess the physical security of a site, that’s whether or not they have adequate locks, alarms, perimeter fences, those types of things, whether they can be bypassed, and if anyone will notice. But the second thing we test is people. Can that person be manipulated or persuaded? And, in theory, because we stop at the point of harm, could we blackmail or bribe them? We also test operational security, by which I mean, do you use the security there or do people get around it? To give you a procurement example, when I worked for a big American firm, we used a system that had procedures so you couldn’t place an order over a certain amount without finance approval, which is absolutely correct and normal. But it was cumbersome and there were times we worked around it or we would have lost a deal. It’s the same with security.
Are you saying people are the biggest blind spot?
Well we surveil a site before we attempt to infiltrate it. We assess the alarm system, the code, see if the perimeter is in good repair, but very often we don’t need to think up a plan, we just need to watch the people. What often happens is people get around security because they see it as an inconvenience. Imagine you’re on your lunch break and you’re supposed to go around a certain circuit, swipe your card and only go out of one exit. But you’ve only got half an hour and you know there’s a door in the car park that’s usually open, so you do that instead. And this applies to physical and technical assets.
Think of the WannaCry breach; a hostile hack that took out most of the NHS. That was facilitated by the fact that people hadn’t patched their systems. Look at your phone, how many apps on your phone need updating right now? On mine, I’m looking at 14 even though I auto update, and I imagine yours is similar. Those are usually security patches, which means if you don’t patch that app your phone can be breached by attackers – but we just don’t do it. That’s what social engineering’s about, and we exploit those weaknesses as an education piece.
So procurement needs to enforce its processes?
If we look at it from a supply chain procurement perspective, people will say, ‘Why can’t I just do things this way?’ or even worse, we have colleagues who go maverick. So the question is how do we impose that cultural change, because throwing money at this doesn’t work well. The way to get people engaged is not to say to them, ‘The company needs you to do this for our security’, it’s to show them they are a step on this ladder to the company being hacked, and if that happens they will suffer personally.
My crew, we mimic criminal attacks, remember. Criminals want to get into that company’s network, its software, data, money, right? The way to do that is through an individual: it could be that somebody is approached online, clicks on a link in a text, it could be a phishing phone call, a business email compromise. What people need to understand is they are a target because of who they work for and because of who they know. Criminals don’t care if it takes that person’s life apart on the way to the bigger target. We could access everything on your phone and computer, persuade you or con you into doing something that’s not only going to threaten your job, but it’s going to undermine your whole sense of judgement and character.
It really attacks people’s self-esteem because they think they were stupid. You’re not stupid, this is targeted crime. But in protecting the company, the knock-on effect is you protect yourself. So it matters how you tell your people this – and not in some terrible cheesy training or a presentation to click through – you have to show them this is important and it’s personal. People are not stupid. As long as we keep that conversation at the forefront, then people are the best tool to protect an organisation.
And what about third party and supply chain attacks?
Well, why attack a fortress when you can attack a garden shed? Third party providers and lower tier suppliers all mean potential vulnerabilities because it means more nodes on your network, and every one is potentially a target. It’s very difficult and, again, it points to what we were talking about earlier, about the importance of good relationships so you can go to your supplier and say, ‘We’ve got a bit of a problem’. But you want suppliers, just like people in the workplace, to be able to raise up a flare and say ‘This looks dodgy and we’re investigating’. Because the connection now isn’t just through the business, it’s through technology and the cloud, and where we store and protect our assets.
How is the rise of technical infiltration affecting physical infiltrations?
The tech does the heavy lifting, much more than before. Technology is definitely helping to protect our physical assets, as well as non-physical assets. Physical infiltration used to be something every site considered, but now people think of it as going alongside the technical defences. The problem is, if your tech is very good they will target your non-technical assets instead. So if your tech stops phishing attempts, for example, we will still use email to target you, but we won’t put malware in it because your defences will pick that up and defang it. So we get around that by using the physical element, humans. Very often the only thing that can spot a non-technical attack is a person. So on the one hand you’re right, there is a lot more reliance on technology and more technical attacks going on, but because that’s well detected the humans are always going to be the target. The number of breaches that have a human error or manipulation at their heart is anything up to 99% of attacks. Because there’s always someone who clicks on a link, opens the attachment or lets someone into the building.
And did Covid have an effect on this?
Yes, what lockdown did was accelerate digital transformation for a lot of organisations, which was a good thing overall. But now, with the combination of working from home and from the office, people are working in transit much more, doing things like connecting to public wifi instead of using VPNs. Right now, I could set up a wifi called Coffee Shop ABC Guest Wifi, and if you connect to that you’ll still get on the internet, but now I can see everything in that conversation. That’s called a man-in-the-middle attack; it is one of the most basic things and so easy to do. Imagine if someone is working on a deal and looking at proposal bids. I could go in and see all of that, everyone can if they want to. It’s not necessarily that they’re following you for that, but a lot of those networks are open and criminals will look at them just in case something comes up. If you see someone talking about a million-pound deal, or even tens of thousands, it’s just fish in a barrel.
Do you have any final tips on how to lower risk?
People are a weak link, but we are also a strong defence. From an individual point of view we’d be a harder target if we didn’t do careless things. By which I mean boring things like using unique, long, strong passwords for all the different apps; turning on two-factor or multi-factor authentication on all of our accounts. That’s not foolproof, but it’s a good start.
To make yourself less of a vulnerable target, stop posting everything about yourself online. It’s fine to use social media, but think, what am I posting here and who can see it? Because the more a criminal knows about you the easier it is to sell you a good story. We all think we would always spot a phishing email – but I promise you, you wouldn’t. Every year I tell people the world does not need to see your child on their first day of school, standing outside your front door in their uniform. I mean, use your head! Now I know enough about you to craft an email or call to say, ‘I work in the school office, we’ve got little Timmy here and he’s not so well. We’re going to give him some water and lay him down but we need consent. Can you just click this link to fill out a permission form?’ You’ll panic and you’re more likely to fall for it.
It’s the same at work. If you’re going to post on social media, say a photograph of a team raising money for a charity, I could get an idea of the company, the demographic who works there, what they care about, see what’s in the background. And from that a phishing email can be written in a certain style and be convincing. Don’t give them fuel for the attack. You need to take as much time over the security perspective as you do over making yourself look good in the post. It’s basic cyber hygiene.