29-01-2025
'Humans Aren't the Weakest Link, They're the Strongest Layer in Cybersecurity,' says Social Engineer Expert Alethe Denis
When discussing cybersecurity, a common refrain emerges: 'People are the weakest link.' From phishing scams to social engineering attacks, much of the conversation centers on human susceptibility to manipulation. But Alethe Denis, a renowned social engineer and Senior Security Consultant at Bishop Fox, challenges this narrative. 'People are not the weakest link,' she asserts. 'In fact, they are a company's greatest asset.'
This shift in perspective is born from Alethe's extensive experience in social engineering, open-source intelligence (OSINT), and red team engagements. With accolades including a DEFCON Black Badge—one of the most prestigious awards in the cybersecurity community—Alethe has firsthand knowledge of how people, policies and technologies interplay in protecting companies.
So why does the rhetoric persist that people are easy to hack? Alethe believes it stems from a culture that perpetuates negativity. 'You tell people they're not good enough for long enough, and they'll start believing it, at some point,' she explains. Constantly framing humans as the problem erodes their sense of responsibility and pride.
Alethe points out that many security failures are not purely human errors but the result of systematic gaps. 'When companies don't invest in the right layers of technical, physical, and procedural security controls, they leave themselves vulnerable,' she says. Blaming humans (employees) without addressing these foundational issues oversimplifies the problem and prevents meaningful solutions.
For example, this cybersecurity consultant recalls a red team engagement involving falsified documents with electronic signatures. At one store, the person in charge strictly followed the procedure, refusing access without a ticket number. At another store in the same chain, employees accepted the fraudulent document and allowed unescorted access.
Despite both locations having the same training on procedure for onsite visits, the outcome was unexpected. The difference? The first location had employees who felt empowered and supported to enforce company policies, even under pressure. The second location, while staffed with equally capable individuals, lacked the same level of adherence to procedures—potentially due to a more relaxed culture or differing leadership styles. These experiences underscore Alethe's point: 'People are not inherently easy to hack. They're only as effective as the systems and support around them.'
Alethe likens effective security to an ecosystem, emphasizing the importance of multiple components. 'A hardened target has technical controls, physical barriers, and human policies working together seamlessly,' she explains. When any of these components is underfunded, misconfigured, or poorly enforced, vulnerabilities emerge.
She also highlights how attackers exploit time pressure and benign scenarios to bypass defenses. 'People don't always recognize manipulation because it often feels harmless. A friendly interaction or a seemingly urgent request can be enough to lower someone's guard,' she shares.
This underscores the need for organizations to empower their employees with the tools and confidence to enforce policies without fear of repercussions. Alethe emphasizes that instilling a culture of trust and respect is critical. 'People are proud to work where they feel valued and significant. When employees care about their work, they're more likely to follow procedures,' she adds.
Traditional security training often focuses on fear—teaching employees what not to do and emphasizing the consequences of failure. Alethe, on the other hand, advocates for a more positive approach. 'We need to emphasize that people have the power to prevent security breaches. When employees understand the 'why' behind policies and feel confident in their roles, they become a formidable line of defense.'
In one of her many engagements, the social engineer tested the security of a critical infrastructure facility. The organization had strict policies in place, but the lack of proper training and infrastructure left gaps. 'We saw systems left wide open due to misconfigurations and employees who weren't adequately trained to use them securely,' she recalls. For her, this highlights the need for organizations to invest in their people as much as their technology. 'You can't rely on tools alone. It's the combination of people, processes, and technology that creates a robust defense.'
As a red team specialist, Alethe focuses on emulating real-world attackers to help organizations identify and fix vulnerabilities. Unlike phishing campaigns targeting the entire workforce, red team exercises often involve precise objectives or trophies, such as gaining access to a critical system or sensitive data. 'The goal isn't to embarrass employees or highlight individual failures,' she explains. 'It's to test the organization as a whole—its tools, procedures, and training.' By creating realistic but non-harmful scenarios, red team exercises provide invaluable insights without causing reputational or financial damage.
Alethe further notes that the most effective red team engagements blend technical expertise with human interaction. 'You need to understand how to navigate both systems and people,' she says. This holistic approach ensures that organizations are prepared for a range of potential threats.
This skilled physical penetration tester is on a mission to redefine how we view human roles in cybersecurity. By challenging the 'weakest link' narrative, she aims to inspire organizations to see their employees as assets rather than liabilities. As Alethe Denis continues to share her insights through speaking engagements, podcasts, and an upcoming book on the red team social engineering process with personal insights, one thing is clear: the future of security lies in empowering people, not exploiting their vulnerabilities.