Why do hackers use the same methods over again?

“Repeating oneself and expecting a different result” is the clear definition of insanity. Yet hackers have used similar tactics for 25 years: brute force, zero-port attacks, and even my favorite, social engineering. Many times, the hacker does see different results. In some cases, they could see similar results depending on the target. Password spraying, tailgating, and my all-time favorite, “phishing”, still very much work today, even with the growth of email security.

As more systems have moved to the cloud, clients today face a greater risk than ever before. Even with improvements to single sign-on, SAML, and MFA, hackers still find a way to use people’s credentials. Then how will this tidal wave change? How can hackers be stopped? Well, the FBI reports that greater than 84% of hacks still continue to come from internal resources. Disgruntled employees, contractors, vendors, and outsourced providers continue to feed that statistic. Yet, even with the most comprehensive security training, people will be people and make mistakes. The idea of limiting access to the data is a novel idea. Yet, people need access to the data to do their jobs. No matter how complex INFOSEC has become, companies should consider investing more in “employee well-being” and less in top-end, hyper-growth revenue models.

Yes, money is important to the employee. Hackers know this. They steal people’s identities and study their victims’ credit reports and bank information. Employees want to feel needed, appreciated, and respected. Those corporate traits may show up in the “new hire handbook”, yet most employees leave a company because their bosses have forgotten those principles.

What costs more? A cyber attack, or high employee turnover as a result of poor leadership? The perfect storm is when both of these catastrophic events happen at the same time. Hackers follow the news, see the headlines, and read the “Glassdoor reviews”. They know which organization is having turnover issues, and they use some “old school” social engineering to learn more about who is leaving the company. Not rocket science, yet this method of cyber attack still works, 25 years later :).

*** This is a Security Bloggers Network syndicated blog from Stories by John P. Gormally, SR on Medium authored by John P. Gormally, SR. Read the original post at: https://jpgormally.medium.com/why-do-hackers-use-the-same-methods-over-again-c162770d634?source=rss-160023698d42------2