Especially in large organizations, it can be difficult for each employee to at all times know who they are accountable to. Hackers exploit this by asserting their authority over people and pressuring them into revealing information, making changes to data structures, or giving up access to systems. In security-relevant departments, it is important to develop a clear chain of command, including a limited set of authentication methods (PGP works great for that). The people in that command have to learn to deny requests when they do not come from the appropriate channels or lack proper authentication. Imagine getting a request from someone in an overseas department who claims to have superiority over your boss, asking you for their travel details. Would you give it to them?