As most of us know, firewalls are security devices that filter network traffic according to a policy, blocking connections that should never reach your systems and data. Most users probably don’t know they’re there, but they work in the background to keep employees, devices, and company data secure.
Some security professionals draw an analogy between that firewall and the people on the frontline of a business: an organisation builds robust defences and becomes cyber resilient by boosting the cyber savviness of its employees.
As MailGuard CEO Craig McDonald says, “Cybercrime is not an IT problem, it’s a human problem. Nine out of ten cyberattacks result from human error. Cybercriminals know that your team are busy and distracted, so they prey on their vulnerability by tricking them into clicking a link, or unwittingly re-submitting credentials, and that’s all that it takes to expose your business to a devastating breach.”
So, a human firewall is a workforce whose employees have been empowered, through training, to understand their own role in cybersecurity, and who have the knowledge, skills, and awareness to recognise and prevent attacks. With the right education and resources, everyone can help to keep the company secure. It shifts the thinking away from cybersecurity being just an IT issue and creates an extra layer of defence against attacks.
It’s a sentiment echoed by other industry professionals, like KnowBe4’s APAC Security Awareness Advocate, Jacqueline Jayne, who explains that “…cybercriminals are looking for the path of least resistance.” She offers this example: if you leave the door to your house unlocked, a criminal will walk right in. If it’s locked, they may look for an open window, and if none are found, they’ll likely move on quickly. Your firewall (and the rest of your security stack) can be seen as the front door, and your human firewall is the windows. The more employees who are committed to being part of the firewall, the more windows are locked against outside threats.
However, building a successful human firewall isn’t as simple as a one-off cybersecurity training seminar or the odd reminder email. As with all walls, human firewalls need to be built brick by brick. It requires a business to develop a security-first culture that starts from the top.
Building a Successful Human Firewall
1. Make it personal
We all know at some level that cybersecurity is important, but your employees could be questioning why it matters to them. Make sure to inform your team of the effects a cyberattack could have. One mis-click could lead to a data breach that damages the reputation and income of the company, and in a severe case threatens the job security of every employee, with reputational damage that can follow them into their future careers. It also impacts customers and their personal data.
To take it a step further, you can create personalised scenarios. If someone was to gain unauthorised access to a member of the marketing team’s accounts, that person may be able to send malicious emails to customers through the CRM. Or a craftily worded email could have someone from the accounts team updating credit card details on a phishing page, leading to fraudulent charges and significant financial losses.
Cybersecurity training should start when an employee is being onboarded, but it shouldn’t end there. Regular security awareness training is vital for building a human firewall and helps to ensure cybersecurity is always front of mind. These sessions should not only teach employees how to identify a threat, but also the procedures to follow once an incident or breach is detected.
It’s also important to keep building awareness of the ever-changing threat landscape. If the IT or Infosec department intercepts an attempted phishing attack, it can be worthwhile sharing screenshots so that other employees know what to look out for in the future (share a screenshot or a defanged copy rather than forwarding the live message, so nobody can click the original link). This helps to convey the frequency and sophistication of attacks. It’s also a learning opportunity for employees who may already have fallen prey to a similar message.
3. Keep it interactive
Just as a child can’t simply be told that a stove is hot, employees need to learn for themselves how to detect a threat. A number of programs offer phishing simulations, which send realistic but harmless simulated phishing emails to employees in order to gauge how they respond to attacks; the results are most useful when they are fed back as coaching for the people who clicked and as measurement for the organisation, rather than used to punish individuals.
Alternatively, there are a number of free online resources which assist in building awareness. MailGuard’s interactive quiz “Can you spot a scam?” helps individuals to identify a fake email from a real one.
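The “spot a scam” skill the quiz trains can be written down as a checklist, and the same checklist is what a security team runs over an email an employee reports. The following is an added example, not MailGuard’s code or the quiz itself: it scores a single-part message on five common phishing indicators (a display name that borrows a trusted brand, a Reply-To that diverts replies elsewhere, a homoglyph lookalike of a trusted domain, link text that shows one domain while the href points to another, and pressure language). The trusted domains, the urgency phrases and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic phishing triage for a reported email (added example, not MailGuard's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own and known-partner domains (hypothetical values).
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Pressure phrases that lures lean on; extend this from real reported samples.
URGENCY_PHRASES = ("urgent", "immediately", "verify your account",
                   "password will expire", "within 24 hours")

# Character substitutions attackers use when registering lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise_domain(domain):
    """Collapse common homoglyph tricks so examp1ebank.com compares equal to examplebank.com."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def _domain_of(address):
    return address.rpartition("@")[2].lower()


def _is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return (verdict, findings) for a single-part RFC 5322 message given as a string."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)

    # 1. Display name borrows a trusted brand, but the address domain is not ours.
    if not _is_trusted(from_domain):
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in display_name.lower():
                findings.append(f"display name '{display_name}' but sender domain '{from_domain}'")
                break

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Sender domain is a homoglyph lookalike of a trusted domain.
    if not _is_trusted(from_domain) and normalise_domain(from_domain) in {
        normalise_domain(t) for t in TRUSTED_DOMAINS
    }:
        findings.append(f"lookalike domain '{from_domain}'")

    # 4. Link text shows a trusted domain while the href points elsewhere.
    body = msg.get_payload()  # single-part message assumed; multipart needs msg.walk()
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if any(t in text.lower() for t in TRUSTED_DOMAINS) and not _is_trusted(host):
            findings.append(f"link text '{text.strip()}' but target host '{host}'")

    # 5. Pressure language in the subject or body.
    searchable = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in searchable]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    if len(findings) >= 2:
        verdict = "likely phishing"
    elif findings:
        verdict = "review"
    else:
        verdict = "no indicators"
    return verdict, findings


# Constructed sample messages (not real mail); header block, blank line, body.
PHISHING_SAMPLE = """\
From: "Example Bank Support" <support@examp1ebank.com>
Reply-To: collect@mailer-free.example.net
To: alice@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your password will expire. <a href="http://examp1ebank.com.login-portal.example/verify">https://examplebank.com/verify</a></p>
"""

LEGITIMATE_SAMPLE = """\
From: "Bob Jones" <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Hi Alice, are you free for lunch on Thursday? Bob
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        verdict, findings = triage(sample)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

None of these checks is conclusive on its own (a legitimate newsletter often has a different Reply-To, and internal mail can be urgent), which is why the verdict only escalates when several indicators coincide; the point of training is that an employee who notices even one of them reports the message instead of acting on it.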
4. Create a security minded culture
It’s imperative that cybersecurity is seen as a team effort. When completing training, other departments should be encouraged to build relationships with the IT or security team. This will help them feel comfortable reaching out if they need to report a scam, if they’re unsure of the authenticity of an email, or if they think they’ve fallen victim to an attack – it happens, but the sooner it can be acted on, the better. Plus, the IT or Infosec teams can’t know every corner of the business, but the individual teams and departments will, so with the right education they can help to raise questions about selecting secure vendors in the supply chain, verifying a request to change account credentials for invoice payments, or protocols for sharing data with third parties.
Most importantly, to build a culture of cyber resilience, the message should be supported from the most senior levels of leadership, down. After all, if there is an incident it will impact everyone.
The participation of employees in a human firewall is critical for keeping any organisation secure, so it’s vital businesses implement strategies that encourage involvement. Of course, it’s important to remember that a human firewall cannot provide 100% protection against cyberattacks; it sits alongside technical controls, not in place of them.
Keeping businesses safe and secure
Prevention is always better than a cure, and the best defence is for businesses to proactively raise their cyber resilience so that threats never land in inboxes in the first place. The frequently quoted figure that 94% of malware is delivered by email makes email an extremely important vector for businesses to fortify.
No single vendor can stop every threat, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security layer in place to mitigate the residual risk, for example a cloud email security service such as MailGuard.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993