Cyberattacks Exploit Humans, Not Computers

We’re used to hearing about episodes like Facebook’s data breach or Equifax’s data breach. The Equifax breach left the social security numbers and other private information of almost 150 million people exposed. In Facebook’s case, the personal information of more than 50 million people around the world was compromised after attackers exploited a flaw in the company’s system that enabled them to gain access to personal data. This was also how Equifax was hacked.

Popular culture often cultivates this image of hacking, with movies showing hackers breaking into systems from an isolated room.

The dangers of cyberattacks without a major human element should not be minimized. Hackers can build back doors into systems, undermining their security. And, on the national level, cyberattacks can be used as dangerous weapons. But the most common forms of cyberattack are designed to exploit human flaws, not technical ones.

The best-designed computer in the world might be able to stop a hacker, but it can only do what its coders tell it to do. If someone is tricked into voluntarily giving an attacker access or information, software won’t help. A 2017 survey found that 74 percent of cyberattacks were due to individuals or employees giving away information, not high-tech hacking.

Phishing is one of the most common ways that cyber-criminals gain access to a network. The attackers research their target, sometimes using espionage tactics, to learn enough about it to gain people’s trust, impersonate someone or something else, or make it seem as if they should be given access to information.

People can unwittingly hand over information to attackers via social media or email. Criminals frequently impersonate banks and other organizations, sending official-looking messages. They can also make messages appear to be from a friend or colleague. People can be lured into clicking on links that appear to relate to trending news stories or important topics.

Once attackers have access to an email account, sometimes they monitor it to learn information about the person and their contacts. This information can enable them to later gain access to a larger computer system.

And hacking doesn’t have to involve a remote location. Sometimes, access can be gained by having knowledge of the main computer’s physical location. People can steal or replicate keys, or trick someone else into letting them in by impersonating a maintenance worker or employee. After that, they are free to do whatever they want.

Computers never make errors on their own. They are limited by their software, which was written by humans who do. Hacking, by nature, seeks to exploit human flaws, whether in faulty coding or lapses of judgement. Often, the easiest way to compromise a computer system is not to use sophisticated technology, but simply to attack its weakest link—people.