Dan Kitchen, CEO of leading Managed IT & Security partner razorblue, works with organisations of all sizes to defend against evolving threats. Here he explains what’s really happening, and why the next cyberattack won’t look anything like the last.

Cybercrime isn’t always about breaking in. Sometimes it’s about being let in.
Retail giants. Banks. Public sector organisations. Household names. One after another falling victim to cyberattacks — and not because a vulnerability wasn’t patched, but because someone in the organisation did exactly what the attacker wanted them to.
That’s the uncomfortable truth most business leaders are still missing. It’s also the one that cybercriminals are exploiting.
Finding the weakest link
As businesses start to invest more in technical cyber defences, they become much harder to breach.
These criminals have already looked for the unpatched vulnerabilities, the misconfigurations – and now they’re looking for gaps in human behaviour.
Their attacks aren’t ‘smash and grab’, they’re calculated. They don’t want to be caught or arouse suspicion, and they can often take months to fully execute.
Once they’re in, they’ll sit quietly in your systems for months, studying your work, language, habits, even knowing when regular meetings are held. And when the time is right, they’re ready to strike, armed with all the information they need.
That’s social engineering. It’s not hacking systems. It’s hacking humans. And it’s the cause of some of the high-profile breaches we’ve seen in recent months.
What is social engineering?
Social engineering is the art of deception, it’s modern-day con-artistry.
A social engineering attack might start with something simple: a fake invoice from a supplier you usually work with, a file shared by a colleague, a phone call from ‘the IT department’. The branding’s right. The language feels familiar. The context makes sense.
That’s because these aren’t random emails sent in bulk anymore. Most social engineering attempts aren’t cold. The attacker has already breached an organisation you work closely with, or even another person in your own organisation, and has access to huge amounts of useful information.
There is already an established level of trust when they send you an email, a Teams message, or call you, and this is precisely why even the most experienced, tech-savvy employees fall for it. Modern cyber threats bypass technical defences, not because the systems are weak, but because humans are inherently trusting. That’s not a flaw, it’s human nature. But it’s also what makes people the number one attack vector today.
It’s a problem that technology can’t solve alone
And crucially, no amount of investment in tools alone will protect you without a degree of human protection too. razorblue often gets called in after an incident, and the story is almost always the same:
Someone was called or e-mailed; the communication was from someone familiar; they knew about the business, and could provide context.
The unassuming user provides their login details or downloads and runs an attachment, and thinks nothing more. Nothing seems to happen.
Meanwhile, in the background, the attacker is watching. These criminals don’t smash and grab. They infiltrate and observe. That’s what makes them dangerous.
In technical terms, it’s known as ‘dwell time’ – the period attackers remain undetected inside a network. In some cases, this can be months. That’s months and months of watching, learning, and preparing.
They might have planned for when the user is about to go on holiday. That would be an ideal time to launch an attack, as the user won’t be checking their emails or Teams messages.
Often they will try to betray the trust of another, internal user, too – moving laterally closer to the department they want to be in.
Why urgency is the hacker’s greatest weapon
Almost every social engineering attack has one thing in common: urgency.
The message always has that pressure baked in. It’s always: ‘Act now’, ‘Your account’s at risk’, or ‘Payment needed today’. That pressure is designed to bypass critical thinking.
And under pressure, people often revert to instinct. They act without verifying. They want to help. They don’t want to hold up the process.
That’s why awareness training can’t just be policy-focused — it needs to be situational and psychological. Employees need to be trained not just to spot red flags, but to pause. To think. To verify before acting.
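As an added example (not from the article or from razorblue), a small Python triage heuristic that scores a message on the cues the article describes: urgency language, a request for credentials, payment changes or attachments, and a sender domain imitating a known supplier. The supplier domain and the sample messages are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical list of supplier domains the organisation really works with.
KNOWN_SUPPLIERS = {"acme-supplies.example"}

# Pressure phrases named in the article plus a few common variants.
URGENCY_CUES = [r"\bact now\b", r"\baccount.{0,12}at risk\b", r"\bpayment needed today\b",
                r"\bimmediately\b", r"\burgent\b", r"\bwithin \d+ hours?\b"]
# What the message is actually asking the recipient to do.
REQUEST_CUES = [r"\b(log ?in|login) details\b", r"\bpassword\b", r"\bverify your (account|credentials)\b",
                r"\b(new|updated?) bank details\b", r"\bopen (the )?attach", r"\brun (the )?attach"]

@dataclass
class Message:
    sender: str
    subject: str
    body: str

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, known: set) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None if trusted or unrelated."""
    if any(domain == k or domain.endswith("." + k) for k in known):
        return None  # genuinely the supplier, or a subdomain of it
    for k in known:  # one typo away, or the supplier's name embedded in another domain
        if edit_distance(domain, k) == 1 or k.split(".")[0] in domain:
            return k
    return None

def triage(msg: Message) -> dict:
    """Urgency alone is weak evidence; urgency plus a credential, payment or attachment
    request is stronger; a supplier lookalike domain is strongest."""
    text = f"{msg.subject}\n{msg.body}".lower()
    urgency = [c for c in URGENCY_CUES if re.search(c, text)]
    requests = [c for c in REQUEST_CUES if re.search(c, text)]
    imitates = lookalike_of(msg.sender.rsplit("@", 1)[-1].lower(), KNOWN_SUPPLIERS)
    score = len(urgency) + 2 * len(requests) + (3 if imitates else 0)
    return {"score": score, "urgency": urgency, "requests": requests, "imitates": imitates,
            "verdict": "verify out of band before acting" if score >= 3 else "no strong cues"}

# Constructed sample messages: a supplier lookalike invoice, a fake helpdesk request, a benign note.
SAMPLES = [
    Message("accounts@acme-supplles.example", "Urgent: payment needed today",
            "Please use our new bank details for the attached invoice. Act now."),
    Message("it-helpdesk@example.org", "Your account's at risk", "Reply with your login details immediately."),
    Message("colleague@example.org", "Lunch next week?", "Are you free on Tuesday?"),
]
```

Run `triage(m)` over `SAMPLES` to see the constructed invoice and helpdesk messages flagged for out-of-band verification while the lunch note is not.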
So, what should businesses actually do?
This is where the conversation shifts from fear to strategy. Cybersecurity isn’t just a technical challenge. It’s a leadership one.
Here’s where I recommend business leaders focus:
1. Make cybersecurity cultural, not just technical
Cybersecurity should be a core part of your culture. Everyone, from interns to executives, should understand their role in protecting the business and how they could be the target. It should be talked about around the boardroom table, every month.
2. Simulate real-world attacks
Run regular, realistic phishing simulations. See how your team responds — and more importantly, coach them through what they missed. Some Managed IT partners offer this as a managed service.
3. Use multi-factor authentication everywhere
Even if credentials are stolen, MFA can stop attackers from logging in. It’s one of the simplest, most effective defences, but it isn’t infallible, as accounts with MFA can still be breached.
4. Limit access to corporate devices only
The modern ability to log in to anything from anywhere is a huge problem. By ensuring cloud services are only accessible from your company-owned, managed devices, you will buy yourself more time in the event of a breach.
5. Use a Managed Security Services Partner
The difference between a successfully mitigated security incident and a disastrous one that results in months of downtime is often a matter of minutes. You need a partner who is watching 24/7 and ready to intervene very quickly.
6. Have an incident response plan — and rehearse it
Know what you’ll do before an incident happens. Test your response like you would a fire drill. Who’s involved? Who communicates? What systems are prioritised?
No business is too small to be a target.
Small and mid-sized businesses are often more likely to be targeted, because they typically have fewer resources, less training, and looser controls.
Some are hit directly. Others are used as back doors into larger supply chains.
Attackers don’t care about your size. They care about access. And if you have data, money, or trusted relationships — you’re valuable.
Cybercrime isn’t just a tech issue anymore. It’s a trust issue. Your clients, your suppliers, your staff — they all rely on you to protect the data and systems they interact with. So the next time someone in your organisation says, ‘That would never happen to us,’ pause. Challenge it. Because it’s already happening — just not to you. Yet.