The premise driving TV Series Suits is social engineering.
The show features odd-couple Harvey Specter and Mike Ross, played by Gabriel Macht and Patrick J. Adams respectively. Law shark Specter hires talented college drop-out Ross as a junior attorney in the firm, knowing full well that Ross has neither graduated Law School nor passed the bar. Despite this “minute” detail, Specter recognizes Ross’ excellent photographic memory and his knack for empathy. The magic duo uses social engineering to successfully navigate the legal web of NY. As audience, we recognize that Ross is a phony and that he manipulates colleagues as a result; yet, we choose to root for the social engineer despite the scheming and complex tactics of deceit.
Now, this is fiction. Still, it holds a degree of truth.
Effective social engineering attacks require finesse and intelligent strategies to optimize manipulation. Victims, often busy with work tasks, do not expect to encounter such deception in their daily routine. That is the point though. Social engineering is designed to be unexpected, and consequently, it feeds off human psychology and vulnerabilities to maximize performance.
Ok. So how do we outsmart the social engineer? NEUROSCIENCE.
This week, Forbes Technology Council presented a post, written by author and CSO George Finney, entitled Using Neuroscience to Disrupt Social Engineering. The article offers a fresh perspective on social engineering as it discusses the crime and its tactics of manipulation in terms of brain functions. Finney draws upon the Triune Brain, a theory in neuroscience that was introduced in 1990 by Paul MacLean. Finney explains that our brain is conceptualized into three distinctive parts: “The neocortex”, which includes our ability to imagine, think, and learn; “The limbic system”, which is accountable for emotions; and “the reptilian brain”, which is responsible for instinctual actions. The notion of Triune Brain implies that throughout evolution, as mammals developed and progressed, the brain followed suit, from root emotions to rational thinking.
“How does hacking work from a neurological perspective? Hackers function in their neocortex when they are conducting social engineering against a person. They have a plan and come up with lies when needed. And they are easily able to take advantage of victims who are busy going about their daily lives only using the reptilian portion of their brains for tasks that have become routine,” writes Finney.
Breaking routine is essential in cybersecurity training as employees – once proficient at their respective jobs – perform with ease, almost instinctively. Work tasks become second-nature. Raising awareness about information security requires that we move beyond the reptilian brain and engage the neocortex. Ideally, employees step out of the instinctive mode of performance and move into a more analytical framework. Less robotic, we start noticing the red flags that reveal suspicious activity and risks of cybercrime, according to Finney. Also, by stimulating the neocortex, we challenge employees to question, think, and push boundaries. Engaging signifies that we need to think along the lines of persons or learners, rather than the monolith known as staff. Who are the individuals that make up your staff? What are their roles, and what have they learned thus far?
Finney explains that repetitive loops are reinforced through incentives. In other words, as cybersecurity facilitators, we need to understand the motivations that influence employees to take one action versus another in the course of their workday. We must “understand the rewards that motivate people before offering incentives to change behavior,” writes Finney. “Sometimes you may be incentivizing the wrong thing, and this can lead to poor results, unintended consequences or both.”
The author also mentions the importance of mindfulness regarding information security whereby employees may choose to take notes about their work habits and provide a rationale fueling their choice-making. Reflectiveness is particularly interesting in this case since it permits employees to understand their role as front-runners in information security prevention. Mobilizing and engaging employees for cybersecurity means that we acknowledge their talent, and consequently, invest in their role as company ambassadors. Raising information security shifts the focus from the cybercriminal to the employee whereby the worker takes on an empowering role in preventing cybercrime and directly contributes to the organization. Employees are strong links in your business.
Interconnecting the Show Suits, Neuroscience, and Information Security
Indeed, the common thread linking these elements is social engineering. The art of deception manifests itself in all three circles. TV character Mike Ross is a social engineer that evidently uses his neocortex to perform his role as lawyer and strategize and uncover legal loopholes which lead to wins in court. Likewise, social engineers in cybercrime navigate and challenge corporate security networks and tap into human sensibilities. Their neocortex is very much at work. If employees are simply carrying out tasks through habit and routine, without ever questioning their work, they become clear targets for social engineers. In comparison, the moment businesses invest in raising information security awareness, they encourage employees to move beyond the routine and pay close attention to online behavior, information handling, and the use of mobile devices.
Outsmarting the social engineer essentially implies that information security experts are continuously in dialogue with employees, assessing and keeping track of best practices to ultimately anticipate the next move in cybercrime. Outsmarting means being two steps ahead. Through the right training program, effective rewards, and on-going reinforcement, businesses outsmart the social engineer.