Cybersecurity experts often say that an organisation’s security posture is only as strong as its weakest link. For most organisations, the weakest link isn’t technology – it’s the people who operate it.
According to one recent report, 68% of data breaches involve a non-malicious human element, typically someone falling for a phishing scam or another form of social engineering. For that reason, along with a digital firewall, organisations also have to start thinking about how to empower a human firewall, a security-conscious workforce that can become the first line of defense against cyber threats.
Common Threats Targeting Employees
The most talked-about threat, and for good reason, is the social engineering attack, primarily phishing. These attacks are relatively easy to execute and highly effective, which makes them attractive to cybercriminals.
Social engineering attacks exploit basic human emotions like trust, fear, and curiosity, tricking individuals into revealing sensitive information, opening problematic attachments or clicking on malicious links. These attacks are usually in the form of an email or text message, the goal of which is to create a sense of urgency in the victim, which will cloud their judgment.
A recent example is a phishing campaign that targeted a UK-based insurance company. The attackers impersonated a trusted CEO, using a malware-infected PDF hosted on AWS to redirect victims to a fake Microsoft login page, where they harvested credentials and covered their tracks with deletion rules.
Employees can also introduce technical entry points for attackers if they do not follow basic cybersecurity principles. Most people know very little about the major security risks out there, leading them to use weak passwords, to keep multi-factor authentication (MFA) disabled, and to work on public networks. These are all vulnerabilities that cybercriminals can easily exploit.
Comprehensive Cybersecurity Training
It’s difficult to defend against something you don’t know, and most employees know too little about the tactics cybercriminals use. That’s why tailored and regular cybersecurity awareness training is a must-have to strengthen the human firewall.
Simulation-based training can be particularly effective, where employees are exposed to realistic scenarios, such as phishing emails or other social engineering attempts, in a controlled environment.
Stricter Authentication Policies
A strong human firewall leaves little room for unauthorised access to critical entry points like company accounts or systems. To protect them, employees must set up strong passwords and enable two-factor authentication (2FA). With the latest technical firepower, hackers can crack weak passwords in less than a second.
Therefore, password length and complexity play a big role in how well an account holds up against brute-force attacks. If employees set strong passwords and pair them with a second factor, such as an authenticator app (e.g. Google Authenticator or Authy), attackers will have a hard time gaining access – even if they have managed to harvest credentials via phishing or spoofing.
Role-based Access
Authentication determines who is let into the network. After that, we also need authorisation: mechanisms that control which resources authenticated users can access and use once inside.
It’s best to adopt a role-based access policy, where users are granted access to resources according to their roles and responsibilities. Role-based access should be aligned with the principle of least privilege, which means employees only get access to the data and resources they need to do their job, and nothing more.
Secure Remote Working Practices
Remote work policies have opened the floodgates for unmonitored devices and shadow IT. Every laptop, tablet, or smartphone outside the office is a potential weak point waiting to be exploited.
The best way to secure these out-of-office connections is by issuing a company-wide Virtual Private Network (VPN). This ensures that data transmitted between employee devices and company systems remains encrypted.
Foster a Security-first Culture
The end goal with all of these practices is to embed cybersecurity into the daily mindset and behavior of every employee, making it a fundamental part of the organisational culture.
Viewed from a holistic perspective, this is what will ultimately create an unbreakable human firewall that will serve your organisation for years.
Technology to Support the Human Firewall
To support the human firewall, organisations also need the right technologies that will empower employees to make the right decisions.
Technology and employees shouldn’t be isolated but integrated to provide the best of both worlds: the human capacity for critical thinking and the precision and efficiency of automated systems. Password managers, for example, are great tools that help employees create, store, and manage strong, unique passwords without the need to remember them all.
Automated threat detection tools can also relieve the burden. For non-IT employees, this could be an email filtering system that flags or blocks suspicious messages.
Measuring the Effectiveness of Your Human Firewall
Implementing practices to strengthen the human firewall is only the first step. You also need a way to measure their effectiveness so you can make steady, incremental improvements.
Some key metrics to consider include:
- Phishing reporting rates: For teams that conduct phishing simulation training, tracking the percentage of simulated attacks that people successfully flag as suspicious is a potent proxy metric
- Threat reporting rates: An uptick in the number and quality of threat reporting indicates that employees are actively engaged in cybersecurity efforts
- Surveys and feedback: Communicate regularly with employees to find out how effective they find the new processes and how confident they feel about their ability to identify and respond to threats
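To make the phishing-reporting metric concrete, here is an added example (not part of the original article) that computes reporting rate, click rate and time-to-report from a small constructed event log of one simulated campaign; the log format and field names are assumptions, not those of any particular simulation product.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one simulated-phishing campaign, one event per line
# in the assumed format "<ISO timestamp> <recipient> <event>".
SAMPLE_EVENTS = """
2024-03-04T09:00:00 alice delivered
2024-03-04T09:00:00 bob delivered
2024-03-04T09:00:00 carol delivered
2024-03-04T09:00:00 dave delivered
2024-03-04T09:00:00 erin delivered
2024-03-04T09:03:10 alice reported
2024-03-04T09:05:45 bob clicked
2024-03-04T09:07:00 bob reported
2024-03-04T09:12:30 carol reported
2024-03-04T09:40:00 dave clicked
"""


def parse_events(text):
    """Return {recipient: {event: timestamp}}, keeping the first time each event occurs."""
    per_user = defaultdict(dict)
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        per_user[user].setdefault(event, datetime.fromisoformat(ts))
    return per_user


def campaign_metrics(text):
    """Compute the human-firewall metrics for one campaign; rates are fractions of delivered mails."""
    per_user = parse_events(text)
    delivered = [u for u, ev in per_user.items() if "delivered" in ev]
    reported = [u for u in delivered if "reported" in per_user[u]]
    clicked = [u for u in delivered if "clicked" in per_user[u]]
    # A report filed only after the user has already clicked still counts as a
    # report, but it is a weaker signal, so "clean" reports are tracked separately.
    clean = [u for u in reported
             if u not in clicked or per_user[u]["reported"] < per_user[u]["clicked"]]
    minutes = [(per_user[u]["reported"] - per_user[u]["delivered"]).total_seconds() / 60
               for u in reported]
    n = len(delivered)
    rate = lambda xs: round(len(xs) / n, 3) if n else 0.0
    return {
        "delivered": n,
        "report_rate": rate(reported),
        "click_rate": rate(clicked),
        "clean_report_rate": rate(clean),
        "median_minutes_to_report": median(minutes) if minutes else None,
    }
```

Tracking these numbers campaign over campaign (report rate rising, click rate and time-to-report falling) is what turns the simulation programme into a measurable trend rather than a one-off exercise.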
Most organisations know how important cybersecurity is, but few realise that employees hold the key to how resilient their organisation’s security truly is.
Cybercriminals rarely have enough technical skills to compromise systems without some help from human error or oversight. By strengthening the human firewall, attackers will no longer have a reliable point of entry.