247 Detectives

Please Call NOW 0845 520 4121 / 07017 411 007


1st Call Detectives Blog


The weak link in cyber security

by Josef Kafka

'Cyber security' has become the watchword for the new generation of security and intelligence analysts. As vast amounts of data are received, transferred and managed by online and digital-based services, the onus shifts from physical security to digital security. However, many companies and industries are finding that their cyber security networks are only as good as their weakest link, and by and large, the weakest link in a digital network is not a computer, but a person.

Some of the largest and most shocking information and data leaks have been a result of human negligence as much as of computer misuse or hacking. In June 2008, a Cabinet Office employee left an envelope containing sensitive data about terrorism suspects on public transport. This envelope represented an incredible amount of effort in secrecy, intelligence gathering and cyber security, which was made redundant by simple human error. This incident has become a hotly debated topic in the cyber security industry, as cyber security experts are left bemoaning the fact that they can make a digital system as impregnable as one could hope, and yet their efforts can be undone by ten minutes' work by a so-called 'social hacker', using simple psychological manipulation.

'Social engineering', as it has come to be known, is a type of systems exploitation which targets the weakest link in a cyber security network: the individual. Using confidence trickery and psychological manipulation, social engineers attempt to gain access to confidential information, which they then use to further exploit the network. For instance, an individual might dial random numbers within a company directory, pretending to be technical support or the IT department. Eventually the hacker will arrive at someone who does indeed have a technical issue, and, in the process of 'resolving' the issue, the hacker will gain passwords or systems information that they can then use to further penetrate the network. While this might seem far-fetched, it is a more frequent occurrence than many laymen realise. In 1999, three Israeli brothers were finally charged with computer fraud, impersonation of a policeman, and information theft, after a six-year spree in which they used psychological and network-based confidence tricks to access credit card, telecommunications and government data; the brothers are estimated to have stolen as much as two million dollars. The implications of these types of crimes for businesses and private individuals are manifold.

In the Apple vs FBI case, the US government attempted to force Apple to create a backdoor in their encryption, in order for detectives to gain access to the information held on a locked phone belonging to one of the perpetrators of the San Bernardino mass-shooting. In response, social engineer and famous anti-virus software designer John McAfee claimed that he could gain access to the San Bernardino phone by social engineering. McAfee offered to do this for free, so that Apple would not be forced to reveal the back door to their encryption, and thereby jeopardise the safety of all Apple users' data. Indeed, McAfee saw social engineering as not only the quickest way to gain access to a cyber system, but also the most ethical, as social engineering doesn't, in and of itself, reduce the value of encryption, though this creates a dangerous precedent of its own. In his response to the case, McAfee stressed the point that cyberwarfare would be the dialogue of future security issues, but crucially, his claim to be able to access the San Bernardino phone is founded on the belief that humans are the weakest link in the digital security network.

Large-scale private businesses are already employing social engineers to test the security of their facilities, and the ease with which access can be gained to their networks. More often than not, these tests are revealing that seemingly impregnable cyber security systems are innately vulnerable in their human element. Your human network, and those people who would attempt to exploit it, should not be neglected in the effort towards network defence. This requires developing stringent and comprehensive individual security practices, and training the human aspect of your system to recognise social engineering techniques.

One of the most common ways that hackers, or social engineers, gain access to a system is by phishing scams, whereby mass emails are sent to many different users; the user is required to give some aspect of their personal information in exchange for the possibility of a reward, as in the oft-ridiculed 'Nigerian Prince' scam. Though seemingly facile, these scams rely on individuals' lack of knowledge of the systems they use, upon their cupidity, and indeed also upon human nature, and they often work. To combat this, companies need to ensure that their employees are educated about the importance of cyber security and privacy; employees need to know the difference between HTTP and HTTPS, the importance of a VPN in effecting data transfer, how to develop a strong and personalised password, and how to keep it private.

  • © All rights reserved 2014 '1st Call Detectives'