News Release

August 25, 2017

Hacking Humans

Opinion by Michael Ferendinos, Enterprise Risk Business Unit Head at Aon South Africa and Rudi Dicks, Senior Cyber Consultant at BDO Forensics and Cyber Lab

Cyber crime is rampant: attacks are increasing in frequency and ferocity, take longer to resolve, and cost far more than ever before. Organisations are operating in an era of unprecedented volatility combined with a rapid pace of technological change. This convergence has created a challenging new cyber reality for organisations regardless of size, industry or location.

Cyber risk is rated #5 among the top 10 risks facing business in Aon’s 2017 Global Risk Management Survey, a finding that has thrown the human factor in cyber risk into sharp focus. A PwC report released in 2016 placed current employees as the top insider cyber risk to businesses.

The Aon ERM Centre of Excellence teamed up with Rudi Dicks, Senior Cyber Consultant at BDO Forensics and Cyber Lab, to demonstrate how employees are the biggest cyber security threat.

Rudi Dicks is a hacker – with permission of course – and according to Rudi, the easiest way to hack into a network is by exploiting the one vulnerability most often left unpatched – human nature.

Why bother fighting through all the security management systems deployed by a competent IT department, when instead a hacker can get an employee to click on something they shouldn’t and gain full access to the infrastructure, bypassing all the costly and very best security measures? It’s much easier than people think. Here’s how:

Method 1 – Using the LinkedIn platform, a hacker searches for employees of a target company with more than 500 professional connections. They then pick one of these employees – let’s say Joan, in HR – as the target of their attack. The hacker sends Joan a fake e-mail notification from a high-level executive, the head of HR at a big bank for example, wanting to connect with her. Joan, who has already received many such requests, won’t think twice about clicking on the link. At this point, unless the IT department is up to date on every single patch (including Joan’s favourite browser, something that usually must be done manually on each machine), the hackers have gained access to her machine. They have bypassed the firewall and anti-virus and can read or copy any information Joan has access to, including her cloud storage, mail and documents. They can even turn on her webcam to see whether she is at her desk, or record her keystrokes.

Hackers exploit human nature. They know that people are generally helpful and curious and hackers don’t hesitate to use this to their advantage. Joan is not a bad person, and it’s nothing personal, but more often than not, she is their key to the “good stuff”.

Method 2 – A hacker walks up to reception wearing a suit and a tie and pretends to be flustered. “I’m here for an interview and I’ve just spilled coffee on my CV. I have to make a good first impression! Please could you help me print a copy of my CV from my memory stick?”

Presto – in goes the memory stick and she runs the program that looks like a PDF file (but it isn’t). She is understanding and sympathetic when the file doesn’t open, and eventually, in exasperation the hacker tells her he’s going to run back to the car to look for another copy. Job done! He now has access to her machine and can use this to gain access to other computers on the network because who wouldn’t open an email from their friendly receptionist?

Method 3 – Hackers leave USB memory sticks lying around their target’s offices or parking lot if the building is access controlled. The stick is clearly marked as ‘confidential’ or even ‘payroll’ – who can resist? If employees haven’t been taught better, someone will plug that stick into their computer and run the hacker’s file, giving him full access. All he has to do is play to human nature.

How does the IT department stop people from being caught by these attacks?

Part of the problem is in the question. Technical people try to solve people problems with technical solutions. IT departments get into a cat-and-mouse game with attackers by installing new tools to prevent cyber attacks, while hackers simply write new exploits and code that circumvent those tools.

A far better approach is education. Cyber awareness training shows employees how they can be exploited and what to do to prevent it, drawing on real case studies. Effective, ongoing education is key to employees being the greatest asset in the fight against cyber crime.

About Aon

Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

About Aon South Africa

Aon South Africa is a leading provider of risk management, insurance and reinsurance brokerage, and human resources solutions and outsourcing services. Aon Empowers Results through over 700 colleagues in 13 offices in South Africa, with its head office in Sandton, Johannesburg.
