You may have heard of the human firewall; it’s a term that’s starting to gain traction in the cybersecurity space, but what exactly does it mean?
It’s all about building a defence against threats and attacks through your workforce. After all, you’re only as strong as your weakest link, and that applies to your team as well.
The human firewall refers to your employees who act as a barrier to security risks like phishing and social engineering attacks.
They follow best practices in cybersecurity to ensure the business is protected and keep the security team updated with any suspicious activity they’ve noticed.
Your human firewall could defend your business against the following threats:
Phishing attacks have become increasingly sophisticated in recent years, with scammers pretending to be well-known companies in order to persuade individuals to share sensitive data.
According to IT Support company AAG-IT, 323,972 internet users were victims of phishing attacks around the world in 2021.
More recently, Reddit announced it had suffered a data breach due to a phishing attack that included ‘plausible-sounding prompts’ pushing them towards a website that imitated their intranet portal.
Tip. Making sure your employees can spot a phishing attack is key.
Similar to phishing, baiting lures people in with the promise of free goods, or involves leaving items like USBs lying around to appeal to people’s curiosity.
Once the victim has handed over their details or plugged the USB into their computer, the malicious actor takes advantage and installs malware onto their device.
Tip. Keeping your employees updated on the techniques scammers might use can really help here.
Scareware is intended to look deceivingly helpful by claiming that a virus has been detected on an employee’s computer, encouraging them to download software to rectify the issue. In fact, this software itself is malicious, giving the criminal behind the attack access to data on your computer.
Tip. Ensuring your company’s computers are covered by anti-virus software, and educating your employees on the alerts they should pay attention to, is a great way of combating scareware.
With a heavy focus on manipulation, pretexting involves someone acting as an employee’s manager or another senior colleague to pressure them into giving information out. Pretexting lays the groundwork for any of the above tactics like phishing.
If any of your employees are asked to take specific actions like letting in a delivery driver or giving an IT person access to your system.
A human firewall is not the responsibility of one person or team - it’s a collective effort which involves every employee within the organisation.
It’s also not built with annual security training that is easily forgettable. A human firewall requires continuous training that’s integrated with an employee’s role so they understand how it fits within their responsibilities.
There’s a danger around employees sharing sensitive data for the sake of speed, rather than out of any malicious intention.
In our recent webinar on the human firewall, Christopher Russell, CISO at tZERO, said the thinking behind sharing sensitive data in SaaS apps could be from employees thinking, “I’ll just share this in Slack, then delete it and it’ll be fine.”
The difficulty with this is that the modern workspace moves so quickly that if that person then forgets to delete that piece of information, it could live in Slack indefinitely. What if your Slack channels were then hit with a data breach? There’s a misconception that Slack is secure, meaning that information could easily fall into the wrong hands.
On the other hand, you don’t want to slow your colleagues down or block them from doing their jobs entirely.
“You have to be an enabler for the business to meet their deadlines and not have this process that makes sharing these things arduous,” Chris continues. “If you make it painful, not feasible, or inefficient, they will work around that. With the amount of SaaS tools out there, it’s really hard to monitor them all. You have to give them an easy, no-brainer way, so you can at least keep it in that one lane.”
Using a data discovery tool like Metomic in this sort of scenario can help you to get visibility over all your SaaS apps from one dashboard so you can detect sensitive data being shared, and act early when it comes to insider threats too.
There are a few ways you can start to strengthen your human firewall:
If people don’t know who you are and what your role is in the company, they won’t think to include you in crucial decisions and discussions. Or they may not know who to approach about any security concerns. Making yourself known to all your colleagues can alleviate this.
Although it may be difficult, making yourself available when someone is worried about security issues can make all the difference. Once they know you’re able to help, people will begin to trust you and come to you when they suspect something is wrong.
Generic security training just won’t cut it anymore. Engaging content that relates to a particular team’s job can improve the attention paid to your presentation.
Help each team to see how they’re connected to the bigger picture. For instance, if your customer service team are sharing sensitive customer data with each other in Slack regularly, you may want to alert them to the fact that if the company suffered a data breach, this information could put customers at risk.
You won’t be able to fix every problem yourself, and putting the responsibility back on individual employees will help to maintain a culture of security-aware employees. Jonathan Jaffe, CISO at Lemonade, suggests trying “to automate as much of the responsibility and notification of the issue to the person who raised the issue. If you can automate a response that notifies them in nearly real-time of the issue, there’s proximity which increases learning and retention.”
If you can, try to spread security awareness training out over a few weeks rather than giving people information in one go. You could do this with a mixture of short videos and in-person tutorials to ensure all of your time isn’t spent giving training to your team.
Another key point highlighted in our webinar was the importance of getting buy-in from your leadership team when it comes to building your human firewall.
The time, cost and resources dedicated to security training can be a barrier for security experts who need to convince senior members of the team that it’s worth the investment.
The most important thing is to speak to the leadership team in a language they’ll understand. “Speak in terms of risk, and metrics they understand like ARR or MRR,” says Chris. “For example, it cost us this much, or this many work days, or this person’s entire week.”
With a tool like Metomic, you’re able to continuously educate your employees on your security policies with custom notifications.
See how we’ve helped companies like TravelPerk to do the same here.