Cybersecurity Strategist: The Real Threat Is The ‘Human Hack’

‘Technology gets the press. But it’s the person pressing the button. It’s always a human making a mistake,’ John Sileo, cybersecurity author and adviser, tells an audience at XChange 2022.

John Sileo, a cybersecurity strategist, adviser, author and speaker, has a message for solution providers: “All security is personal.”

Speaking at The Channel Company’s XChange 2022 event in Denver, hosted by CRN parent The Channel Company, Sileo didn’t discount the need for sophisticated technologies to detect, block and recover from cyberattacks. But the said technology is not the end-all when it comes to cybersecurity.

Sileo, who said twice in his adult life has had his identity stolen with devastating results, did say one of the greatest mistakes security officials can make is to underestimate human nature when it comes to security—and it’s not just about social engineering schemes by hackers to get workers to fall for phishing ploys.

It’s also about IT personnel not patching system vulnerabilities when they should, companies ignoring warnings about running outdated system software, top executives thinking their home devices are safe from hackers, and other human-tied problems.

He said human training at all levels, from office clerks to company CEOs, is needed to bolster cybersecurity.

While the subject matter of his talk was at times grim and sobering, Sileo injected humor and a very down-to-earth example of how easy it is to manipulate, or social engineer, if you will, human beings.

At the start of his session, he asked for the cellphone of one XChange session attendee and proceeded to ask him questions that elicited more information than someone might suspect. The queries included asking the name of his wife’s father (to get her maiden name) and the year he graduated from high school and college (to guess the year of his birth).

On stage at the XChange session, Sileo, after a number of other questions, ended up breaking into the attendee’s password-protected phone, with just a little help from a digit or two from the attendee.

“The point here is how easy it is to hack a human,” he said. “It’s not a hack. It’s a human hack.”

Sileo also enthralled audience members with tales of his own identity theft woes that almost landed him in prison before authorities discovered that two people had separately and effectively hacked his life. He lost hundreds of thousands of dollars and was forced to declare bankruptcy. He said he also lost his family computer company and, most valuable of all, time with his children.

He wrote two books on his identity theft nightmares and on identity theft in general, “Stolen Lives” and “Privacy Means Profits.” He also worked on the script of the movie “Identity Thief,” which was loosely based on Sileo’s experiences. (Sileo is chagrined to this day that the film failed to mention his books in the movie credits.)

His fleeting Hollywood experience is one of the reasons his XChange session on Monday was titled “Blockbuster Cybersecurity in a Zero Trust World.”

Sileo said cybersecurity officials, especially channel players, need to “write your own script” about how a major cyberattack might play out—and take action to correct “known vulnerabilities.”

“The most important thing for you to know as solution providers and as channel providers, if you’re not the one to take the responsibility even if it’s not your company, nothing will happen like it should,” he said.

After the session, Sileo said he’s aware some people poke fun of those who, like Sileo, preach that human training should be a top priority in cybersecurity.

“Technology gets the press,” he said. “But it’s the person pressing the button. It’s always a human making a mistake.”

Roman Golshteyn, president of the Computer Guy based in Detroit, said he “100 percent agrees” with Sileo that human foibles are often the top cybersecurity problem at organizations.

“Humans are so easy to compromise,” he said.

He said companies need both technology and human training to bolster corporate security. “You have to have multiple solutions in place, layers of them,” he said.