
If you run a software or SaaS company, the biggest hole in your security is probably not your code. It is your people. That is the lesson of Kevin Mitnick’s book Ghost in the Wires, and it is why I think every software founder should read it.
If you have not heard of Kevin Mitnick and you are in the software industry, then he is someone you need to know about. He was probably the most notorious hacker in US history. Here are some takeaways from the perspective of a software attorney that only represents software, SaaS, and IT services companies.
Read the Book.
The way Mitnick describes how he moved effortlessly in and out of a tech company’s systems, stole source code, and gained direct access to developers is nothing short of amazing. Without getting a gut feel for this by reading the book, the importance of it will be missed. He was not breaking encryption. He was calling people and talking his way in.
The Weakest Link Is Social Engineering.
Mitnick popularized a phrase called social engineering. It is all about how a hacker uses trickery and deception to get information and gain access to a computer system. It is the human element. No matter how great your company’s technical and physical security is, the human element is the weakest link. A confident phone call to the right unprepared employee beats a firewall.
How to Train Your Team.
Any IT security program that is not equally focused on preventing social engineering is missing the boat. Some basic training, in the right order:
- Receptionist. Definitely first. They are the front door and the most common target.
- Tech support. They hold password resets and access, which is exactly what an attacker wants.
- Developers. They hold the source code and production keys.
If you train these groups, you will hopefully see an attack coming and have a chance of preventing it.
Why This Matters in Your Contracts.
Here is the part a software lawyer cares about. Your SaaS agreements almost certainly contain security representations, and a social-engineering breach can put you in breach of them. When you promise “reasonable” or “industry-standard” security in a customer contract, courts and customers increasingly read that to include human-layer controls: awareness training, access discipline, and an incident-response plan. So the Mitnick lesson is not just operational, it is contractual. Make sure your security reps, your limitation of liability, and your incident-notice obligations actually match what your team is trained to do. A promise you cannot keep is worse than a modest one you can.
The most notorious hacker shared his greatest insights and real-world examples of how he hacked deep into major tech companies. If you don’t feel like you know much about this topic, go read this book. Trust me on this one.
Software security culture is fundamentally a privacy and data-protection issue. For the framework regulators expect SaaS vendors to bake into product design, see Privacy by Design: A Framework for SaaS and Software Vendors.
Where the Human Layer Shows Up in Your Deal.
Once you accept that people are the weak point, you start seeing it in the contract terms customers care most about. Three places it shows up. First, your security exhibit or DPA: if you promise security awareness training and access controls, you have to actually run them, because that promise is now a measurable obligation. Second, your incident-notice clause: a social-engineering breach is still a breach, and the clock on your notice deadline starts whether the attacker used malware or a phone call. Third, your limitation of liability: the cap is what stands between a single tricked employee and a claim that swallows the account. This is the same reason we tell vendors to keep price and terms linked, since a richer security commitment is a real cost, not a free add-on (see why price and terms are linked). And it is why we never accept an uncapped indemnity tied to data incidents, a point we make in 4 Things to Know About SaaS Indemnities. Train the people, then make sure the paper matches the training.
Frequently Asked Questions.
Is a social-engineering breach a contract breach? It can be. If your agreement promises reasonable or industry-standard security and an employee gets tricked into handing over access, a customer can argue you failed the standard you signed up to. The attack method does not change the obligation.
Who should I train first? Start at the front door. Receptionists and tech support are the most common targets because they hold access and information, and developers come next because they hold the source code and production keys.
What should my contract say about security? Promise only what you actually do. Match your security reps, incident-notice timing, and liability cap to your real controls. A modest commitment you can keep beats an impressive one you cannot.
Resources:
Symantec’s Social Engineering Fundamentals
Kevin Mitnick Security Awareness Training
Disclaimer:
This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.
Discover more from Aber Law Firm
Subscribe to get the latest posts sent to your email.