Hacking the Human: Security in the Age of Social Engineering

Cyber security is evolving - so are the tactics of hackers and cyber criminals

Dealing with online attacks and fraud isn't a new concept, but the age of social engineering has begun. Cyber criminals now use basic human interactions to mine victims for personal information. Trust is gained, credentials are taken, and criminals exit casually with the result they wanted.

It's all down to human error, rather than a lack of security software. They're harder to contain because they're harder to track and identify. That kind of unpredictability makes curbing social engineering threats a high priority to improve cyber security posture.

Acclaimed social engineer and 'people hacker' Jenny Radcliffe joined Sales Director Alex Ayers off stage at GX Summit 2025 to discuss such a topic. In a world of constant change, building stronger cyber defences and being aware of the 'human side' has never been more critical. Businesses must now embark on a journey to build trust, awareness and resilience against social engineering.

Back to basics

Jenny's talk at GX Summit was filled with "a lot of challenges around the basics." Alex comments that, considering we've all been at it for a whole now, "[you'd] think we would be better at this." When it comes to security, the basics always seem to be a stumbling block.

Remembering those simple messages tends to get lost in the noise and busyness of it all. When operating in an evolving environment, that easy-to-understand message gets drowned out by "the noise of everything." But, as Jenny reminds us, it's important to remind people that "humans are still at the centre of this."

We're guilty of using technology to stop the number of times that a human must decide. At the end of the day, it's still about "the customer… the firm… the human." Jenny advocates for businesses to "try and minimise that a little bit" to remind everyone that "we're still fallible."

Amongst everything else, it just gets forgotten about. Remember to take it on board and "keep going."

Jenny's journey

'People hacker' isn't typically advertised as a job on LinkedIn. For Jenny, she "professionalised a hobby" and developed her love of buildings and the secrets they might hide. That experience of "just messing around" turned into something more professional and legitimate.

Questions started to come in - "if you can get into any building, can you get into my house?" In fact, "could you get into my office and tell me how to stop criminals doing that?" Not many people were speaking about, not many women were doing it, and through word of mouth, "that's really how it happened."

Again, Jenny applauds the technology that can be used, but "don't forget the people." The message was received loud and clear by both the tech and cyber industries, and suddenly Jenny had a platform to build from. Thanks to events like GX Summit, her message could be heard and acted upon.

Don't be afraid to challenge

Before anyone asks, Jenny can't say which building has been the toughest to crack. In her career, she has come across cases that are challenging and "not what you'd expect." Always good to have some variety.

To be vague, a "medical company" were utilising thumbprints, photographs and very specific escorts. They were cautious of "industrial espionage" and gave Jenny a challenge. But what tends to get in the way is how "people are frightened to challenge."

Professional people shouldn't be scared to "interrupt politely" and say that someone shouldn't really be snooping around here. It's a "big flaw" in a lot of companies, and these people must act on their training and just double check. For Jenny, "it's all about making sure people are happy to challenge."

The physical side of things

As we put more focus on digital security, the physical, "more basic forms", tend to be forgotten about. Alex rightly points out that businesses should "100% look at it in the round" and not ignore one side. When we're focused on these modern threats, sometimes that's difficult to do.

It's a question Jenny gets asked often. Her view now revolves around technical teams not "[being] all things to all people." Digital threats are more sophisticated and need greater attention, but organisations need people who "stay focused on the physical side."

These employees can work with the technical and cyber teams, while also taking on more responsibility around internal training. CSOs can't be expected to "do everything" by leading awareness programmes or examining building security. It's important for businesses to be "realistic" about the resources needed to assess risks on all fronts.

Outrunning the lion

Sometimes, it helps to be able to run quicker than everyone else. While we would rather have others preyed upon, learnings and advice should still be shared with other interest groups. If you're away from home and leaving the windows open, while your neighbour is much more cautious, perhaps it's worth striking up a conversation.

Jenny champions the idea of "cross business groups" that share ideas and threats (if it doesn't infringe on their business, of course). Even if that advice comes from competitors, finding that "on your own" leaves businesses less resourced to deal with it. It should be done together "within reason and within practicality" - perhaps "unionise a little bit."

Internally, speaking about social engineering builds that awareness and gets people discussing these threats. Speaking openly about potential phishing emails or recent external incidents means it becomes "part of the general conversation." People are kept in the loop, and greater investment in the best possible tech can take place.

All that shiny tech

Buying the latest and 'shiniest' technology doesn't guarantee a solid cyber security posture. Alex has noticed that some customers, having done this, "they don't actually feel more protected." The modern world and its ever-evolving challenges mean, at times, we end up feeling "less and less protected."

Jenny reminds businesses that it's important to take stock of what technology is being used and "[getting] the companies engaged." Understanding how it can be used to its full potential is vital, especially if representatives are coming in and explaining it. Again, buying "shiny new things" isn't the solution if businesses aren't making use of what they have already.

Take a "cold, hard look" at what has been done before. Certain legacy systems may have never been right in the first place, and the time has come to "take the plunge" and invest. Alternatively, don't invest, but get the best out of those already implemented solutions.

Know where you're vulnerable - don't just spend all that money to end up not getting what you need.

"No patch for human stupidity"

Kevin Mitnick is right there, but for Jenny, it's time to "stop calling people stupid." Humans have their weaknesses; the right decisions aren't always made, but it shouldn't be dwelt on. All we can do is acknowledge it, admit that "it can be scary", and act rationally.

Never be afraid to show everyone else just how bad it can be. People aren't stupid, and they shouldn't be "frightened to say if [they] think [they've] seen something." Even if it's a false positive, that's perfectly fine; no one should be blamed or chastised for reporting something "benign".

It's the "dark arts" of security to work with people and be honest with them. Mitnick's quote resonates with everyone, but when leading an organisation or security project, it's the "worst thing" you can say.

Don't be nihilistic, or just say "we're all daft, let's not do anything" - do your best, temper it with "good solutions, good communication" towards resolution.

Culture and confidence

Jenny has seen organisations that have an "army of people" talking about culture. It's critical, yes, but it needs to be a "holistic… multi-layered approach" that requires sensibility. Keep it in the conversation, asses the tools, and trust employees to do their best.

When Alex speaks with customers, the topic of confidence crops up a lot. Recent retail hacks have shaken that confidence, but Jenny reminds businesses to remember basic "cyber hygiene." Updates, password managers, multifactor - all useful, but remember to be alert to all the "routes to your identity."

That's where the social engineering threats come in. These "emotional stories" can make people "more cautious… and more paranoid", but nobody should be left scared. Always be "mindful in this age of information", ask the professionals, and discuss it with colleagues.

We need to be informed and mindful, while not taking too many risks and having updated cyber hygiene. Either "the heavens will fall, or they won't" - hacks happen, but there are people who can fix, mitigate and protect.

"Know your people better than the bad guys"

That's Jenny final piece of advice for companies. Knowing your employees and understanding when "something's off" goes a long way in building that confidence. Again, it's all about the human.

As we've said before, industry events like GX Summit gives Jenny a platform to spread her message. When businesses understand the finer points of cyber security, that posture can become more robust and resilient. Social engineering threats can be stopped in their tracks, and business goes on as normal.

Now is not the time to "just get the duvet over your head." Now is the time to "be a bit more cautious."