Risk Insights
March 25, 2021

Human Threats to Organizations

One of the most important offerings from RANE (Risk Assistance Network + Exchange) is its expertise in risk and threat management as well as mitigation strategies.

The nature of the threats facing organizations today is as complex as the nature of business itself. But with increasing reliance on digital and remote work, common applications, and a diversified employee base, today’s businesses face an age-old and ever-evolving threat: the threat posed by human vulnerability.

Whether the adversary is a nation-state actor, a criminal organization, a hacktivist, an activist, or a malicious insider, individual employees and networks are often manipulated to gain access to proprietary information, business intelligence, or even goods and services, in an effort to steal information, disrupt business activity, or even destroy businesses altogether.

In a recent podcast designed for RANE clients, RANE’s Executive Director, Safety + Security, Brian W. Lynch, homed in on the human threat to organizations. He spoke with Peter Warmka, the author of Confessions of a CIA Spy: The Art of Human Hacking, to identify the motivations and objectives behind attempted breaches by foreign intelligence services, criminal groups, industrial competitors, activists, and other threat actors.

Lynch and Warmka set out in four parts how businesses can reduce their risk: by learning how individuals inside organizations can be targeted, who would target whom, how information is stolen, and what processes firms should be aware of when they are the victim of that type of activity.

“Prior to the digital age,” Warmka said, “not everybody was a target. We had target selection that had to be very, very carefully conducted because not everybody had access to the information. Information was more closely held. Now almost everybody in the organization, employees, as well as contractors, have a degree of access, in many cases, a lot of access to information that is held somewhere in the company.”

Threat actors no longer need to target individuals from the “outside.” “In today's world [threat actors] can get on LinkedIn, and can do a search for an organization and the position of maybe someone who they might be interested in taking a look at. They search the name of the company and position, and it's going to produce hundreds, if not thousands of people. And they can further whittle that down by geographic location, more specificity in regard to the position of the individual. And can also take a look at who might already have their bios contained on the organization's website. [It’s simple to] use social media to identify individuals in senior management, up to the C-suite, as individuals who could be easily targeted because of the level of information that's out there about them and the level of access that they likely have in their organization.”

Social engineering is one of the most important tools a threat actor can use to manipulate a human target once that target has been identified. Lynch and Warmka describe what the approach might look like, whether through phishing, vishing, face-to-face contact, or meeting targets in person while they are attending trade shows or conferences.

Warmka said that social engineers play on what really motivates the individual who has been targeted. That could be money, frustration with the current situation at work, debt, addictions, a simple wish to connect, or even just not recognizing that the corporate information they hold might be of value to a threat actor.

Organizations can protect themselves from human weaknesses. Among the best practices is training the entire organization, from the C-suite all the way down to the entry-level employee, to understand that they could be targeted. Warmka said that in his experience such training should include all teams across the enterprise.

“Then it's: How can we reduce the possibility of being targeted? And if we are being targeted, what can that look like and how can we react to that? So one of the very first things for the organization, as well as its employees is: What is the information that we have control over that we decide whether or not we're going to make that public information, or we're not going to blast it out on the social media airwaves?”

Learn more about reducing the social engineering threat to your organization with RANE.

RANE is a risk intelligence company that provides access to critical insights, analysis, and support to ensure business continuity and resiliency for our members. Find out how RANE can help you at RANENETWORK.com.