What Actually Gets Attacked First in a Cyberattack

This entry is part 7 of 14 in the series Technology

TL;DR

Attackers do not usually come through your firewall. If they do, you were sloppy, because firewalls and pen testing are the easy part. The real ways in are social engineering and the insider, and the insider is the most common and most missed. I learned this running enterprise security for two decades. The lesson: harden the perimeter so it is boring, then spend your worry on people, because that is where the attacks actually come from.

People picture a hacker as someone hammering at a firewall from a basement until it cracks. That almost never happens. If someone gets through your firewall, it usually means you did not do your job, because hardening a firewall is one of the easiest things in security.

I ran technology and security for a national retailer for two decades, and these days I ghostwrite books for the security leaders who do this work. So I have seen, from both sides, where attacks actually come from. It is not the place most people guard.

If a hacker gets through your firewall, that’s not a sophisticated attack. That’s you not doing the easy part of the job.

The perimeter is the easy part

Firewall rules are among the simplest things to harden. You close what does not need to be open, you write the rules carefully, and you test them. The work is finite. There are only so many ports, only so many services, only so many rules, and once you have them right, they stay right until someone changes them.
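The paragraph above treats rule hardening as finite, checkable work. The following script is an added illustration of what "test them" can mean in practice: it audits an ordered rule list for the mistakes that make a perimeter not boring. It is example code written for this article, not anything from the author's systems, and it assumes a constructed, vendor-neutral rule format (`Rule` with CIDR source and destination, protocol, and an inclusive port range) plus a constructed sample ruleset.

```python
"""Audit a simple ordered firewall ruleset for the classic mistakes:
any/any allows, management ports reachable from anywhere, rules shadowed
by an earlier rule (so they can never match), and no final default deny.
The Rule format and SAMPLE_RULES are constructed for this example."""
import ipaddress
from dataclasses import dataclass

MGMT_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC: should never be open from "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    proto: str       # "tcp", "udp", or "any"
    ports: tuple     # (low, high), inclusive; (0, 65535) means any port


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def audit(rules):
    """Return a list of (rule name, problem) findings for an ordered ruleset."""
    findings = []
    for i, r in enumerate(rules):
        wide_open = r.src == "any" and r.dst == "any" and r.ports == (0, 65535)
        if r.action == "allow" and wide_open:
            findings.append((r.name, "any/any allow: the rule disables the firewall"))
        if r.action == "allow" and r.src == "any" and any(
                r.ports[0] <= p <= r.ports[1] for p in MGMT_PORTS):
            findings.append((r.name, "management port reachable from any source"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by earlier rule '{earlier.name}'; it can never match"))
                break
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any"
            and last.dst == "any" and last.ports == (0, 65535)):
        findings.append(("<end>", "ruleset does not end in an explicit default deny"))
    return findings


# Constructed sample ruleset: one sound rule, one exposed RDP rule, one dead rule.
SAMPLE_RULES = [
    Rule("web-in", "allow", "any", "10.0.1.0/24", "tcp", (443, 443)),
    Rule("admin-ssh", "allow", "10.9.0.0/16", "10.0.1.0/24", "tcp", (22, 22)),
    Rule("legacy-rdp", "allow", "any", "10.0.2.5/32", "tcp", (3389, 3389)),
    Rule("dup-web", "allow", "192.0.2.0/24", "10.0.1.0/24", "tcp", (443, 443)),
    Rule("default-deny", "deny", "any", "any", "any", (0, 65535)),
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

The shadow check is the one people skip: a rule that can never match is not harmless, because the next person to edit the list assumes it does something. Running the audit as part of change control is what keeps rules "right until someone changes them."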

Penetration testing is not optional. You pay people to attack your own systems and tell you where the holes are, then you close them. A good penetration test is one of the most useful things you can buy, because it replaces your assumptions about where you are weak with facts. You think the perimeter is solid. The pen tester proves it or breaks it, and either answer is worth the money. The mistake companies make is treating the test as a grade to pass rather than a map of what to fix.

After that, you harden your servers, and you lock down user endpoints as much as you can. That last part is getting harder, because everybody brings their own device now. The phone in your employee’s pocket is a door you do not fully control, running software you did not approve, connecting to networks you have never seen. The endpoint used to be a company desktop bolted to a desk. Now it is a personal device that goes home every night and comes back in the morning, and you are trusting it on your network either way.

Do all of that and the perimeter becomes boring. A boring perimeter is the goal. It means the attacker has to find another way in, and the other ways are about people, not technology.

Social engineering is the front door

Once the technical defenses are solid, the easiest way into a company is to trick a human. This is social engineering, and it works because people are helpful and do not expect to be lied to. You can spend a fortune hardening systems and a confident stranger with a clipboard walks past all of it, because no firewall screens a person who looks like they belong.

I watched one play out that I still think about. Someone swapped out our point-of-sale terminals with their own version. The replacements looked identical, but they were built to skim the card number and the security code off every transaction and quietly hand them to the attacker. It was clever and it was bold. Think about the nerve it takes to physically walk into a store, replace real hardware with your own, and walk out, betting that nobody will look closely at a terminal that looks exactly like the one that was there yesterday.

An employee noticed something was off about the terminals and flagged it, and we stopped it before any real damage was done. That is the shape of a real attack. Not a genius cracking encryption. A person physically swapping hardware, betting that nobody would look closely. The defense was not a better firewall. It was an employee who paid attention, which is exactly why the human layer matters more than the technical one. I get into that fully in "The Human Layer Is Where Security Actually Breaks."

The most effective hack I saw wasn’t code. It was someone swapping our card terminals for skimmers and betting nobody would look closely.

The insider is the one nobody guards

Here is the vector companies miss most, and it turns out to be one of the most common. The attacker does not break in. They are hired.

Someone comes to work at your company, does the job, and works their way up into trust and access. They are not a spy who joined to steal from you. They are a normal employee who, over years, accumulates keys to everything. Then something changes, and the same access that made them useful makes them dangerous.

It usually takes one of three shapes. The first is the disgruntled employee. They get passed over for a promotion, or reprimanded, or simply soured on the place, and on the way out they take passwords with them, or copy data, or leave themselves a way back in. The second is the greedy one. They realize the data they can reach has value, and they sell it. Customer records, card numbers, trade secrets, whatever they can carry. The third is the one nobody likes to think about: the blackmailed employee. Someone on the outside learns they have access and pressures them, through debt, through a secret, through a threat, into handing over what they can reach.

In all three cases the damage is worse than most outside attacks, because the insider already has the keys. They do not have to break anything. They were given access on purpose, and they are using it for a purpose you did not intend. Extortion and disgruntlement quietly do more damage than the dramatic outside hacks that make the news.

You cannot firewall your way out of this. The defense is access control, segregation of duties, and pulling access the moment someone’s role changes or they walk out the door. Nobody should be able to reach more than their job requires, and the moment the job changes, the access should change with it, that day, not six months later when somebody finally notices. The boring governance work is the only thing that limits what an insider can do, and it is exactly the work nobody wants to own. I cover that grind in "The Boring Security Work That Actually Keeps You Safe."
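The governance work described above (least privilege, segregation of duties, revoking access when a role changes or a person leaves) is mechanical enough to script. The reconciliation below is an added example, not code from the author or any real employer: it compares a constructed HR roster against the entitlements accounts actually hold and flags the three things the paragraph warns about, access that outlived a termination, access left over from a previous role, and conflicting duties held by one person. The role map, the conflict pair, and the sample roster and grants are all assumptions made for the example.

```python
"""Joiner/mover/leaver reconciliation: compare the HR roster with what
accounts can actually reach and flag access that should already be gone.
Every role, entitlement and person below is constructed for the example."""
from datetime import date

# What each job role is allowed to hold. Anything outside this is stale or suspect.
ROLE_ENTITLEMENTS = {
    "store_manager": {"pos.admin", "hr.schedule"},
    "ap_clerk": {"ap.create_vendor", "ap.enter_invoice"},
    "ap_supervisor": {"ap.approve_payment", "ap.enter_invoice"},
    "analyst": {"dw.read"},
}
# Pairs one person must never hold together (segregation of duties):
# whoever can create a vendor must not also be able to approve payments to it.
SOD_CONFLICTS = {frozenset({"ap.create_vendor", "ap.approve_payment"})}


def reconcile(roster, grants, today):
    """roster: {user: {"role": str, "status": "active"|"terminated", "left": date|None}}
    grants:  iterable of (user, entitlement, granted_on)
    Returns a sorted list of (user, severity, message)."""
    held = {}
    for user, ent, granted_on in grants:
        held.setdefault(user, {})[ent] = granted_on
    findings = []
    for user, ents in held.items():
        person = roster.get(user)
        if person is None:
            findings.append((user, "high", "account has access but is not on the HR roster"))
            continue
        if person["status"] == "terminated":
            days = (today - person["left"]).days
            findings.append((user, "high",
                             f"terminated {days} days ago, still holds {sorted(ents)}"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(person["role"], set())
        for ent in sorted(ents):
            if ent not in allowed:
                findings.append((user, "medium",
                                 f"'{ent}' is not part of role {person['role']}; "
                                 "likely left over from a previous role"))
        for pair in SOD_CONFLICTS:
            if pair <= set(ents):
                findings.append((user, "high", "segregation-of-duties conflict: holds "
                                 + " and ".join(sorted(pair))))
    return sorted(findings)


# Constructed sample data.
ROSTER = {
    "alice": {"role": "ap_supervisor", "status": "active", "left": None},  # promoted from ap_clerk
    "bob":   {"role": "analyst", "status": "terminated", "left": date(2024, 1, 15)},
    "carol": {"role": "store_manager", "status": "active", "left": None},
}
GRANTS = [
    ("alice", "ap.enter_invoice", date(2022, 3, 1)),
    ("alice", "ap.create_vendor", date(2022, 3, 1)),    # never removed after the promotion
    ("alice", "ap.approve_payment", date(2023, 9, 1)),
    ("bob", "dw.read", date(2021, 6, 1)),               # left six weeks ago, account still live
    ("carol", "pos.admin", date(2020, 1, 1)),
    ("svc_old_vendor", "pos.admin", date(2019, 5, 1)),  # nobody on the roster owns this
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for user, severity, message in reconcile(ROSTER, GRANTS, TODAY):
        print(f"[{severity}] {user}: {message}")
```

Run this against the real roster and the real entitlement export on a schedule, and the "six months later when somebody finally notices" case turns into a ticket the next morning. The promotion case is the one worth dwelling on: alice did nothing wrong, but the access she kept from her clerk days now lets her both create a vendor and approve its payments.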

And then there is ransomware

I cannot talk about how attackers get in without mentioning ransomware, because we got hit early, before most people had even heard the word. It was nasty.

Ransomware encrypts your files and demands payment to unlock them. Back then, clearing it off a machine was sometimes impossible. Sometimes you just ended up with a brick. That was the word we used. Your computer is bricked. Dead weight. We used Malwarebytes to clean up in those days, though the product is not what it was. There are better tools now, but it is still hard, and sometimes you still lose the machine.

The important thing to understand about ransomware is that paying does not actually solve your problem. You are trusting a criminal to honor a transaction, and even if they hand back the key, you now have a machine that was thoroughly compromised by someone who wanted to hurt you. The only reliable defense is not a tool and it is not a payment. It is good backups. If your files are encrypted and you have a clean copy from last night, you wipe the machine and restore. The attacker has nothing to sell you. The ransom demand becomes a piece of spam you delete.
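The "wipe the machine and restore" defense above only works if the backup is both separate from the infected machine and known to be intact. The script below is an added example, not the author's tooling: it records a hash manifest when a backup is taken, refuses to restore from a backup that no longer matches that manifest, and otherwise puts the clean copies back. The directory layout, file contents, and the simulated encryption in `demo()` are all constructed for the example.

```python
"""Verify a backup set against the hash manifest recorded when it was made,
then restore from it. A backup you have not verified is a hope, not a backup.
All paths and file contents below are constructed inside demo()."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Hash every file in the backup. Keep the manifest apart from the data it describes."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def verify_backup(backup_dir, manifest):
    """Return the files that are missing from the backup or no longer match the manifest."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full) or sha256_file(full) != digest:
            bad.append(rel)
    return sorted(bad)


def restore(backup_dir, live_dir, manifest):
    """Refuse to restore from a backup that fails verification; otherwise replace live files."""
    bad = verify_backup(backup_dir, manifest)
    if bad:
        raise RuntimeError(f"backup failed verification, not restoring: {bad}")
    for rel in manifest:
        dst = os.path.join(live_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dst)
    return sorted(manifest)


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: last night's backup exists, the live files get
    encrypted, we restore, and then we show the guard against a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "live"), os.path.join(tmp, "backup")
        files = {"reports/q1.csv": b"store,sales\n1,100\n", "notes.txt": b"renew cert in March\n"}
        for rel, data in files.items():
            _write(os.path.join(live, rel), data)
        shutil.copytree(live, backup)        # last night's copy, kept off the live machine
        manifest = write_manifest(backup)    # hashes recorded at backup time
        for rel in files:                    # simulated ransomware: every live file is now ciphertext
            _write(os.path.join(live, rel), os.urandom(64))
        intact = lambda: sum(_read(os.path.join(live, r)) == d for r, d in files.items())
        before = intact()
        restored = restore(backup, live, manifest)
        after = intact()
        _write(os.path.join(backup, "notes.txt"), b"garbage")   # now damage the backup itself
        try:
            restore(backup, live, manifest)
            refused = False
        except RuntimeError:
            refused = True
        return {"intact_before_restore": before, "intact_after_restore": after,
                "restored": restored, "tampered_backup_detected": verify_backup(backup, manifest),
                "restore_refused_after_tamper": refused}


if __name__ == "__main__":
    print(demo())
```

The refusal at the end is the important part. Ransomware that reaches a mounted backup share encrypts the backup too, and a restore that does not check the manifest first simply copies ciphertext over ciphertext. The manifest must live somewhere the infected machine cannot write.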

That is the whole game with ransomware. It is not really an encryption problem. It is a backup problem wearing an encryption costume. Backups saved us once in a way I will never forget, and I tell that story in full in the piece on "Backups and the Boring Work."

Guard the right door

The pattern is always the same. Companies spend their security budget and their anxiety on the perimeter, because that is where they imagine the threat. They buy the impressive tools and watch the firewall logs and feel protected. Meanwhile the actual threats walk in the front door as a friendly request, or sit in the next cubicle with a badge and a grudge, or arrive as an email nobody should have clicked.

Harden the technical stuff until it is boring. Then spend your real attention on people, because people are where the attacks come from. A lot of what passes for security spending ignores this entirely, which is its own problem, and I get into the tools that look impressive and do nothing in "Most Security Tools Are Theater."

This is also the kind of thing I try to get on the page when I work with a security leader on their book. The framework everyone can look up. The judgment about where the real risk lives is what only experience teaches, and it is what readers actually need.

Frequently Asked Questions


How do most hackers actually get into a company?

Usually not through the firewall. Hardening a firewall is one of the easiest things in security, so getting breached there means the basics were skipped. The real ways in are social engineering (tricking a human) and the insider (someone you hired who later takes passwords or sells data). Those are the vectors most companies underguard.

What is the insider threat?

It is when the attacker is someone you hired. They work their way into trust and access, then turn, usually in one of three ways: disgruntled and taking passwords on the way out, greedy and selling data, or blackmailed by someone who learned they have access. Because they already have the keys, an insider often does more damage than an outside attacker.

Is ransomware preventable?

You cannot always prevent infection, and clearing ransomware off a machine is sometimes impossible. Paying does not really help, since you are trusting a criminal and keeping a compromised machine. The reliable defense is good backups. With a clean copy from last night, you wipe the infected machine and restore, and the ransom demand becomes spam you delete.

Why is social engineering so effective?

Because people are helpful and do not expect to be lied to. They do not expect the person in a uniform with a badge to be an attacker, or the caller asking for information to be hostile. The technology can be locked down, but a person can be talked into opening the door, and no firewall screens someone who looks like they belong.

Is penetration testing worth it?

Yes. A penetration test replaces your assumptions about where you are weak with facts. You pay people to attack your own systems and tell you where the holes are, then you close them. The mistake is treating it as a grade to pass rather than a map of what to fix.

Do you ghostwrite books on cybersecurity?

Yes. I ghostwrite books for CISOs, security founders, and technical executives. I ran enterprise security for two decades and was technical editor on Cyberheist for KnowBe4, so the engagement is not spent explaining the basics. You can see how I work with cybersecurity leaders on the cybersecurity ghostwriting page.


📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.
