IRISSCON 2025 puts human side of security front and centre

Victims, targets, defenders, and perpetrators: when it comes to cybersecurity, all human life is there. IRISSCON 2025 was a timely reminder that cybersecurity might be a technical discipline but we can’t forget the critical role that people play.

Now in its 16th year, the conference has consistently advocated for the good guys, and to do this, speakers have often explored bad guys’ behaviour, to understand their methods and better defend against them.

In one of the morning keynotes, the BBC’s cyber correspondent Joe Tidy listed a roll call of well-known names that experienced high-profile attacks over the past year, including brands like Gucci, Harrods, Qantas, Marks & Spencer, Jaguar Land Rover, and The Co-Op. What these incidents have in common is that the perpetrators were all teenagers.

We know this because some of the perpetrators have been arrested – but not charged yet, Tidy pointed out. In other cases, they can’t help themselves: they like to brag about their exploits. Leaning on the research for his book, CTRL ALT CHAOS, Tidy said there’s been “a resurgence” in teenage cybercrime. “Teens are becoming more professionalised and they’re teaming up with cybercriminals. Teenage cybercrime is not a niche issue any more,” he said.

It was a fascinating insight into the humans on the other side of the attack. If they’re caught at the right time, some of these people could be rehabilitated and potentially go on to have useful careers on the right side of the law, Tidy said. But not all teenage hackers have the heart to repay their debts to society. Some of the people he profiled keep reoffending even after they’ve been caught. They can’t seem to help themselves and they seem oblivious to the human consequences of their actions.

How victims get targeted

Other presentations at IRISSCON were dedicated to victims of cybercrime. Often, they’re the subject of social engineering like phishing emails, fake text messages, or more recently, convincing AI-enabled video and audio created to look like colleagues or bosses. At times, attackers might try to physically access workplaces or gather important information just by sparking up conversations with employees in public spaces.

Social engineering expert Jenny Radcliffe talked about the “weaponisation of human vulnerabilities”, where people can be easily manipulated or just make a mistake which leads to bad outcomes. “I do not work on the lock, I work on the human,” was her mantra: a reminder to everyone in the room that they need to work on protecting and defending the people who work in organisations.

She urged security professionals to make sure their awareness-raising focuses on helping people to feel empowered, not defenceless. “Saying to people ‘you’re the weakest link’ doesn’t make them stronger,” she said.

Security training and awareness is time well spent: 60 per cent of breaches involved the human element, according to the Verizon Data Breach Investigations Report 2025. The data comes from analysing 22,052 real-world security incidents, with 12,195 of them confirmed data breaches that occurred in all sizes and types of organisations.

There was even a kind of social engineering on show in the talk by Dick O’Brien of Symantec Carbon Black, who showed how easy it can be to get around guardrails in generative AI tools. When security researchers wanted to use AI to build up a profile of a target, the large language model didn’t let them the first time. When they persisted by saying ‘we’re authorised’, it gave permission and went ahead with the information gathering.

The human cost of a cybersecurity breach

Ireland has one of the highest rates of phishing scams, said Dr Hazel Murray, Chair of Cybersecurity at Munster Technological University. In her talk, she said the public focus tends to fall on major multinationals being hacked, yet the impact of cybercrime is often a personal one. “We forget the real people on the end of this, that are affected,” she said.

Her team spoke to more than 200 small businesses in Ireland for her research and found a gap between actual and perceived risks. Almost seven out of 10 participants had no backup procedure in place, 55 per cent had never engaged in cybersecurity training, and 28 per cent didn’t know they had an obligation to report a data breach under the EU GDPR. Many small companies don’t know where to go for support, she added.

Dr Murray has also researched security awareness among vulnerable groups including older adults and people with additional needs. Through this work, she hopes to raise the standard of cybersecurity awareness overall, so that more people can use online services safely and securely.

The unspoken insider threat

Mick Moran, CEO of the Irish Internet Hotline, focused on some of the most vulnerable humans: young children. He made an impassioned call to everyone in the room to treat child abuse material – “a horrific societal issue” – as an insider threat and deal with it the same way. Security professionals routinely scan their networks for malicious activity or suspicious files, so it’s just another type of content to check for, he argued.

Moran referred to data from NetClean which found that one in 500 work devices are used to consume this material. He reminded everyone that they shouldn’t just delete it if they find it on a work machine, but they have a legal obligation to report it to the authorities. “Now you see why it’s a security threat that you should be paying attention to,” he said. The Journal has an excellent report of his talk in more detail.

Cybersecurity: the professionals’ perspective

Another side of the human in cybersecurity is the professionals tasked with protecting their organisations from breaches and attacks. Journalist Dan Raywood’s presentation posed the question of whether it was acceptable to disconnect a network if a company found it was under attack. After rumours emerged that one company chose to do just that earlier this year, he carried out a poll on LinkedIn to gauge if others would do the same, if faced with a similar situation.

The responses were 55 per cent in favour of taking the same approach. Others felt differently; one believing it was a failure, and another suggesting that such drastic action could affect a patch cycle or risk corrupting live software updates. If the attackers are already in the network, pulling the plug after the fact won’t necessarily get rid of them. That’s why it’s important to plan for breaches in advance. “It’s easy to deal with a crisis before it becomes a crisis,” Raywood said.

Understanding what leads to breaches can be a challenge for security teams because it’s hard to measure risk. “It’s not something that humans are particularly good at,” said Thom Langford, EMEA CTO with Rapid7. He urged security teams to adopt a “casino mindset”, since those organisations understand risk very well because of the high stakes involved. Among the steps they take to avoid losing money are: conducting regular risk assessments; establishing operational risk management processes; implementing measures specifically designed to secure customer data; and abiding by regulatory and legal frameworks which have been shown to reduce risk.

With a nod to the theme of the day, he pointed out that casinos also train all their staff to look out for certain types of suspicious activity. They do this by phrasing it in terms of helping to protect the business and their own livelihoods. “If you can get people to do things without mentioning ‘security’, then you’ve won,” Langford said.

Security professionals themselves often work with threat intelligence that includes information about breaches that have already happened. The problem with this approach is that “someone had to get hit first”, said Ken Bagnall. He is CEO and founder of an organisation called Silent Push that collects data to spot when attackers register fake or malicious scam sites or apps before launching a campaign. This way, organisations can defend themselves better by having an early view and blocking activity that matches those “digital fingerprints.”

Regulations and frameworks for better security

Sometimes, humans aren’t to blame when a security breach happens: their digital products let them down. Joe Stephens, director of resilience at the National Cyber Security Centre, pointed to a range of studies from sources like ENISA, IBM and Verizon which show that between one in five and one in four attacks come from vulnerabilities in products.

In the rush to produce cheap hardware and software, the market doesn’t reward product makers for designing products with security principles in mind. The EU Cyber Resilience Act aims to address this by forcing product makers to improve their security by building those features in by default. This isn’t an obligation but an opportunity for the security industry to provide its expertise to manufacturers, Stephens said. According to one impact assessment, there could be up to €180-290 billion saved per year by having products with better security protection.

While we’re on the subject of better products, AI’s rapid advance also presents challenges for security professionals. Daniele Catteddu, CTO with the Cloud Security Alliance, spoke about the need to prevent errors, abuses and unwanted use of the technology. The arrival of agentic AI that can make decisions on people’s behalf is “possibly the scariest part for all of us in the cybersecurity community because it’s about autonomy which we are not able to control,” he said.

Fortunately, the experience gained from adoption of cloud computing gives organisations a blueprint that will allow them to trust AI more. The CSA’s STAR framework is in development and inviting feedback from the community to review, Catteddu said.

Sharing ideas leads to better security

Wendy Nather of 1Password also touched on the human aspect of cybersecurity when she talked about the erosion of trust. The rush to embrace AI, or risk being left behind if you don’t, feels eerily similar to classic social engineering tactics that use urgency and fear to provoke a response. AI’s ability to create seemingly convincing fake news, or give us the impression that we’re talking to another human, is a reminder to focus on an often-overlooked part of security. “We focus on confidentiality and availability, not on integrity,” she said.

Deviant Ollam’s talk on seeing the world through the eyes of a thief was high on entertainment value, showing ingenious ways of getting through various locked doors. But behind the assortment of escapades was a serious message: “it protects people when we share ideas,” he said.

Sharing information has been a theme of the conference from its earliest days in 2009: the more we understand the nature of the risks and threats we face, the more secure we all become. Det Insp Gerard Doyle of the Garda National Cyber Crime Bureau urged security professionals and businesses to report cybercrimes and security incidents to law enforcement because it helps them to understand threats and gather intelligence that could help other victims.

Gordon Smith. 
