I had a chance to practice my “auditor magic tricks” with a friend the other day after she sent me a picture of her new office setup.
We were chatting back and forth about her new work schedule, her view from her desk, local lunch spots, and her commute. Really nothing out of the ordinary.
Then I texted her a word and a few random numbers.
She was convinced I was psychic.
“EMMA HOW DID YOU GUESS MY PASSWORD???”
“...sticky note by your laptop keyboard lol”
We laughed about it, and she fixed her desk before a more nefarious person had a chance to perform the same “magic trick.” But the moment stuck with me. It was a reminder of how cybersecurity threats have evolved beyond networks and devices and now involve individuals themselves.
Employees aren’t just users of systems; they are targets. Without strong security awareness, even well-documented, strong technical controls can be undermined by everyday behavior.
What I did wasn’t advanced hacking. It was simply zooming in on a picture.
Sharing information about your job, whether it’s a social media post about your role, a photo of your badge, a video of your office entrance, or even celebrating a certification or promotion can give an attacker enough context to build a targeted attack.
Over time, attackers compile detailed profiles using publicly available information. That information can be used to impersonate recruiters, coworkers, or even IT support. These attacks succeed not because they’re technically complex, but because they feel credible and legitimate.
Reducing Social Engineering Risk Without Overcorrecting
So, what’s the fix?
The answer isn’t to delete all social media or assume everything is a threat. It’s about being more intentional and thoughtful before sharing.
Practical steps employees can take include:
Keep workspaces clear of sensitive material, including papers, badges, credentials, and client information.
Check what’s visible in the background of photos and videos before posting, such as additional screens, sticky notes, or office layouts.
Steer clear of sharing overly specific details about your role, systems used, internal processes, or access levels that could help an attacker build a convincing story.
Avoid real-time sharing of routines or locations, which can create immediate opportunities for social engineering attacks.
Treat unexpected messages, connection requests, or outreach as unverified until confirmed through a trusted source or internal process.
Separate your personal and professional digital footprint to avoid unintentionally combining personal details with work-related information that could be exploited.
Taken together, these small habits remove the context clues attackers rely on to make social engineering attempts appear credible.
Key Takeaways:
By pairing consistent training and clear policies with practical, awareness-driven habits, organizations can better equip employees to protect both company data and themselves.
Sometimes, all it takes is a picture.
At Pease Bell, we help organizations account for real-world risk, including the human side of it. That means looking beyond documented policies and assessing how your internal controls hold up against real-world behavior.
We help organizations identify gaps, strengthen control environments, and gain confidence that your security isn’t just well-documented, it’s effective.
To discuss how people, processes, and controls intersect across frameworks such as SOC 2, HIPAA, and NIST, please contact Emma Meisenbacher, CISA, Senior Associate, at emeisenbacher@peasebell.com.
Pease Bell is the brand name under which Pease Bell CPAs, LLC and Pease Bell Advisory, LLC and its respective subsidiary entities provide professional services. Pease Bell CPAs, LLC and Pease Bell Advisory, LLC (and its respective subsidiary entities) practice in an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. Pease Bell CPAs, LLC is a licensed independent CPA firm that provides attest services to its clients, and Pease Bell Advisory, LLC (and its respective subsidiary entities) provide tax and business consulting services to their clients. Pease Bell Advisory, LLC and its subsidiary entities are not licensed CPA firms.