The 3 habits every CEO, decision maker, investor, politician and VIP should know

In my work I have to support VIPs, investors, politicians, CEOs and decision makers in closing the gap between systems and people. What this really means is that I help them develop the abilities to avoid attacks against them personally or their business by evaluating their threat levels. At that level personal and professional life are correlated.

What all these people have in common is that they already have established a security base, they have their support team and they monitor the situation all the time due to the high risk of attack on them. However, they are missing a very basic and crucial component their team cannot give them. The ability to avoid an attack. In order to do that they need someone who can think like an attacker, and this is where I come in.

I spend a whole day or many days with them depending on their schedule and their needs. I act as their shadow to evaluate every habit they have. I know this may sound weird and intrusive, and not all habits might seem related to security; however, for someone who knows how to connect data from the “hacking” point of view, bad habits are opportunities for launching an attack. And for these categories of people the stakes are very high. I know you are not familiar with this point of view of evaluating data as it is not something that is available in other sources. It is included only in my data-related training, and it is also analyzed in the book I am currently writing.

Why do they ask me to do that habit evaluation? They themselves and their teams know that they need to cover every angle and they are well aware of the fact that no matter how impenetrable their security is, the weakest point is always human nature. In the attacks on this category of people hackers will always do exactly what I do for them – surveillance, in order to find an opening. Then they will craft an attack, which is based on a bad habit they identified, and find their way in without the security team being able to see it coming. This is the “disguised like a sheep” philosophy Odysseus used to escape from the Cyclops’ cave, if you are familiar with Greek mythology.

Here are the highlights of the story

Odysseus and his men, after a decade of fighting in Troy, took a long journey to return home. On this journey they had several adventures, and one of them relates to a Cyclops called Polyphemus. Cyclopes, just for the record, were giant vicious one-eyed monsters who ate humans. Odysseus and his men, hungry and tired, found Polyphemus’ cave filled with food and they took advantage of it. Then they slept. When Polyphemus returned he blocked the entrance with a rock they could not move because it was too heavy, and ate some of Odysseus’ men. The only ones who could leave the cave were Polyphemus’ sheep. So, Odysseus came up with a plan. He introduced himself to the Cyclops as “NO MAN” and offered him wine Polyphemus had never tasted before. When the Cyclops got drunk he fell asleep. Then Odysseus and his men managed to blind his only eye with a sharp heated timber. When the other Cyclopes heard the Cyclops in pain they ran to his cave and asked him who did this to him. He replied: “NO MAN”, so they returned to their caves laughing. On the next day, Odysseus tied each of his men to the belly of one of the giant sheep and grabbed onto the fleece of the last sheep’s belly. Polyphemus could not see, but he touched the back of each sheep to make sure no one was on them. He did not know that Odysseus was smarter than him. All the sheep went out carrying Odysseus and his crew. This is the story of how Odysseus and his crew managed to escape the Cyclops’ cave.

Basically the “disguised like a sheep” philosophy says that if you want to enter a space with a high security setup, your best and most effortless way in is to find the weakest link and bypass all security measures and controls through this link. In almost 100% of the cases this link is a human. Security personnel will not see it coming. So, that is what I do. I help them discover their sheep’s belly in order to avoid attacks! In the process, of course, I advise their team on other issues I have discovered – their blind spots – for the systems set-up they currently have, but that is another story.


Why am I telling you all this?

Each case I am evaluating is unique.

However, I found some similarities and would like to present to you the top 3 so that you can use them to minimize your “sheep’s belly” surprises.

Sheep’s belly #1 – unattended devices

When you are at your office or at home your devices are in a protective shield (allegedly).

The easiest way to compromise them is when you are in an environment which is not controlled by you. The perfect place is therefore a restaurant, bar, wedding setting, hotel and, in general, any social gathering. You leave your phone on the table to get a drink or dance, or the computer in your room to eat in the restaurant. Just a few minutes or even seconds are enough for your device to be cloned or infected with malware, undetected by your security team.

Even if, in the best-case scenario, you have a bodyguard with you, attackers could still easily create a distraction so that he runs to protect you, leaving the device unattended! Yes, this is the common case these days. It is not possible to discover all attacks with even the best industry tools and systems. Voila! They are in your device and eventually in your network undetected!

Sheep’s belly #2 – vulnerable psychology (be suspicious)

Criminals are familiar with psychology and how to take advantage of it. I mean not all of them, but the elite ones. They can thrive on what makes you tick or create a weak point for you. So, here is how it works. When you are in your normal state you have a specific amount of intelligence, but when you are under stress this percentage falls to half of its capabilities. So, if you have 160 IQ, when you are under stress it falls to 80 IQ. Not great for decision making. This is why you always get advice to avoid making decisions under stress or to learn how to “tame” your stress – in other words, how to be able to control it. And yes, I do teach teams of security personnel, especially the ones working in public safety, how to “tame” and control stress and be able to operate in stressful situations with almost perfect response. To discuss how this can be done is a matter for a whole other article.

So how do the criminals act? They introduce you to a stress factor or take advantage of an existing one. Introducing a non-existing factor is usually applied for short-term results, but for long-term results they wait patiently until there is a window to take advantage of an existing one. The reason is that in the first case you will find out sooner or later that it was a lie, and they had better finish their con/attack before then.

Let me give you some examples so that you can understand:

  • You are going to be a speaker at a specific conference. It is publicly announced so that people can register for your keynote speech. In the last 24 hours you receive an email from the organizing board of the conference saying that there is some kind of change to the schedule of the conference because of an urgent matter, which also affects you. You worked so hard on creating that keynote speech and you start to worry. The changes are shown in the document attached. Will you open it? I mean, it’s from the organizing board. The hacker may or may not have managed to send it from the organizing board’s email address, or may have faked it well enough, but the point is that by the time you figure it out they have already completed their con/attack. They are already in your systems.
  • You hear about a “shooting” at the school your child attends, and you receive an email saying: please find attached the school contact details with which you can contact us to find out if your child is okay.

What would you do? Would you click on the attachment link? The attack is real. It is announced in the news! You open it and the details are correct!

You call the school and they confirm that your child is okay. You have no reason to worry, right? Wrong! Because you just landed malware on your device and network, which in most cases is undetected. I mean, they would not go through all of this trouble if they were going to infect you with malware your security setup would detect easily.

There are so many examples I can give you, but I know your time is limited and I always respect that. At the end of the day your time is invested in your protection with me, so keep reading.

Sheep’s belly #3 – passwords

You might spend millions on your security set-up, but the best security experts worldwide will all agree on one thing: if you have a weak password or you have lousy habits in relation to your passwords, there is no security set-up which will be able to block the attack against you.

You need to learn how to create strong memorable passwords yesterday!

Why? Because hackers can mislead systems into thinking that they are you. Passwords are one of those things that you control, not your security team, meaning a “weakest opening” and a grand opportunity for cyber-criminals. You have more advanced authentication methods than passwords? Trust me, all these can be fooled by a skillful hacker, especially your biometrics if you are considering that as a solution. I will give you more details on how they can be fooled in a series of articles, so stay tuned.

By the way subscribe to receive my articles and more resources I share only with my community.

Here you go! I gave you three habits that can make or break your security! This is why you need to get your act together. Evaluate your habits, create habits which are supportive of your protection and eliminate the “sheep’s belly” ones.

Habits are the bond with the fancy security set-up you paid millions for and you are the only person who can maintain that bond. Otherwise you just wasted all that money.

A weak bond between your systems and habits leaves you vulnerable to attacks.

Apply what you learn immediately.


So, I am now turning it over to you. Security without action is not effective so let me know in the comments section below:

  • What steps can you take right now to increase your security levels with these 3 habits?
  • Which of the 3 habits are you committed to applying immediately to increase your protection?
  • Do you need a threat evaluation of your habits?

I cannot wait to hear your comments so, leave them below and let’s continue the conversation.
