TL;DR: Social engineering succeeds because attackers follow legitimate communication paths, not because they always break software, and Illumio’s article argues that zero trust matters most for containing what happens after trust is abused. The security model has to assume humans will occasionally grant access and then prevent that foothold from becoming a broader breach.
NHIMG editorial — based on content published by Illumio: Exploiting human trust still beats hacking code and how zero trust helps
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should security teams reduce the impact of social engineering after a user is tricked?
A: Security teams should assume some deceptive requests will succeed and design for containment.
Q: Why do routine business processes make social engineering so effective?
A: Routine processes lower skepticism because people are trained to act quickly, reuse familiar patterns, and trust expected channels.
Q: What do organisations get wrong about security awareness training and phishing?
A: Many organisations treat awareness as if it can compensate for every deceptive message.
Practitioner guidance
- Embed challenge points in high-risk workflows Require out-of-band verification for password resets, payment approvals, supplier changes, and remote-access requests so a convincing pretext cannot complete the full transaction path.
- Segment access after initial authentication Limit how far a compromised user or session can move by enforcing network segmentation, application-level authorization, and narrow privilege boundaries after login.
- Reduce standing privilege in privileged workflows Remove persistent admin reach from workflows that do not need it, and force just-in-time elevation for support, finance, and identity administration tasks.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- How threat actors structure phishing, impersonation, and pig butchering workflows to exploit predictable human routines
- Why zero trust containment limits the damage after a compromised credential, device, or remote connection
- How AI increases scam scale and variation without changing the underlying trust-exploitation model
- The podcast discussion and examples that inform the article's behavioural analysis
👉 Read Illumio's analysis of how social engineering exploits trust paths →
Human trust and zero trust: what security teams still miss?
Explore further
Human trust is the first control plane attackers target. The article is right to frame social engineering as a process attack rather than a purely technical one. Modern enterprise security often assumes that if a user is trained, the risk is bounded, but attackers exploit the fact that people optimise for speed and familiarity. The real lesson is that identity workflows must be designed to survive routine mistakes, not just malicious insiders.
A question worth separating out:
Q: Who is accountable when a social engineering attack leads to identity compromise?
A: Accountability sits across security, identity, operations, and business owners of the affected workflow. Teams that control authentication, privileged access, account recovery, and payment or data handoffs all have a role. Frameworks such as NIST Zero Trust Architecture and identity governance controls reinforce that responsibility is shared across the path an attacker exploits.
👉 Read our full editorial: Human trust is still the easiest path into enterprise environments