Blog · 03 Mar 2021

Why technology can never replace the human firewall

Your employees can be your biggest asset – or your biggest liability. Making it easy for employees to do the right thing (and hard to do the wrong thing) is crucial to cybersecurity.

Bryan K. Fite
Global account chief information security officer

You can have the best security technology in the world but, if you don’t take the human factor into account and look at how people are using those technologies, your security could be fundamentally broken.

One of the easiest ways to infiltrate any organisation is through someone who works there, and often the only thing that stands between your business and a cyber-attack is your human firewall.

Digital working is an extra challenge for the human firewall

In today’s world of remote working, many employees are operating outside their normal processes and comfort zones. In the ‘old’ settled ways of the physical office it was much more likely that you’d use a small range of company-branded tools. Now, organisations are using a myriad of partnerships to introduce new ways of working, and employees are faced with a range of new collaboration tools. These tools are unlikely to carry company branding, which makes it easier for cyber attackers to pass themselves off as one of these new tools in order to infiltrate the organisation and perpetrate fraud, and harder for employees to detect “Indicators of Fraud”. Plus, to keep the business running, IT departments are introducing new technologies and tools quickly, with no time for meaningful training. And, in many cases, supporting remote working has meant removing some security prohibitions.

The working environment is new and changing quickly, people get confused and the potential for people to make mistakes is growing exponentially.

So how do you create a robust human firewall for 2021?

Work with human nature, not against it

Your employees can be your biggest asset – or your biggest liability. It’s essential to look at everything through the lens of human behaviour, recognising that people will usually choose the easiest way of doing something. Working with this, your task is to make it as easy as possible for them to do the right thing and really hard to do the wrong thing.

There’s some serious work to do. Our latest security research reveals that only one in three are 100% aware of the policies and procedures they should follow to protect the security of their organisation's data, and less than half say they have definitely received training on data security.

Start by making poor security practice harder by putting guard rails on your system. For example, use filters for web searches and email click throughs that block access to risky sites.

Then turn your attention to providing education and coaching on how to behave safely online. The good news here is that the attack vectors you’re training people about have remained fairly consistent over the past 15 years, so you know what you’re up against.

Priorities for security training

I’m seeing a lot of the same scams – people still looking for you to send money and cyber attackers still buying up domains that are the misspelled names of genuine brands to catch the unwary. The old exploitation techniques of creating a sense of urgency or a worry that the target will lose out in some way are still widespread.
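Two of the controls touched on above, a guard rail that filters links before a person can click them and awareness of misspelled brand domains, can be combined into a simple link checker. The code below is an added example and is not from the original post or its author; the brand list and the sample links are constructed for illustration, and the "last two labels" rule for the registrable domain is a deliberate simplification (a production filter would use the Public Suffix List).

```python
"""Flag links whose domain is a near-miss of a known brand.

Added example, not part of the original post. KNOWN_BRANDS and
SAMPLE_LINKS are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allow-list of genuine brand domains (assumption: the
# organisation maintains its own list of partner and vendor domains).
KNOWN_BRANDS = frozenset({"example.com", "examplebank.com", "example-collab.net"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def host_labels(url: str) -> list[str]:
    """Lower-cased DNS labels of the URL's host, e.g. ['www', 'example', 'com']."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host.split(".") if host else []


def registrable_domain(labels: list[str]) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    # Real deployments use the Public Suffix List so 'bank.co.uk' works too.
    return ".".join(labels[-2:])


def classify_link(url: str, brands=KNOWN_BRANDS, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, closest_brand).

    verdict is 'known' (exact brand domain), 'lookalike' (brand name used as
    a subdomain of another domain, or within max_distance edits of a brand),
    'unrelated', or 'invalid' when no host could be parsed.
    """
    labels = host_labels(url)
    if not labels:
        return ("invalid", "")
    domain = registrable_domain(labels)
    if domain in brands:
        return ("known", domain)
    # Brand name smuggled in as a subdomain, e.g. example.com.evil-site.org
    by_name = {b.split(".")[0]: b for b in brands}
    for label in labels[:-2]:
        if label in by_name:
            return ("lookalike", by_name[label])
    # Misspelled / character-swapped brand domain, e.g. examp1ebank.com
    closest = min(brands, key=lambda b: levenshtein(domain, b))
    if levenshtein(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unrelated", closest)


# Constructed sample links such as a filter might see in an inbound email.
SAMPLE_LINKS = [
    "https://www.example.com/login",
    "http://examp1ebank.com/login",
    "https://secure.example.com.evil-site.org/update",
    "https://totally-different.org/",
]


def scan(links: list[str]) -> list[tuple[str, str, str]]:
    """Classify every link; a filter would block or warn on 'lookalike'."""
    return [(url, *classify_link(url)) for url in links]


if __name__ == "__main__":
    for url, verdict, brand in scan(SAMPLE_LINKS):
        print(f"{verdict:10} {url}  (closest brand: {brand})")
```

A threshold of two edits catches single-character swaps and transpositions without flagging every short, unrelated domain; tune `max_distance` against your own brand list, and treat a `lookalike` verdict as a reason to warn the user or route the message for review rather than as proof of an attack.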

There are some changes though. The volume of attacks has gone up, and the attack surface has increased to include all the communication channels we use in our day-to-day life. Fake news is an issue and spoofing is rife, making it much harder to validate the authenticity of anything on the internet.

Organisations need to train their people on using new video conferencing tools securely as well. I’m seeing malware attacks disguised as a last-minute change of a meeting link or a software update; people under time pressure are clicking without checking. And people are unaware that sensitive corporate information could be ‘on camera’ in the background of video calls.

The bottom line in a lot of these situations is that people don’t realise the potential significance of their actions on the company. Making sure your employees appreciate the impact that a breach would have can really shift their approach to security – as can an open culture.

Create a culture that welcomes honesty about mistakes

Our research tells us that employees don’t admit to mistakes. Nearly half say they personally have had a security breach and not declared it – and that’s a serious problem.

If people feel they’ll be blamed, and even punished, for admitting to making a mistake, they’ll hide it. Potentially, you’ll never know about the vulnerability, eliminating any possibility of taking defensive action. After all, the perfect crime is the one that is never detected.

We need to create a culture that recognises the limited information security awareness training people have had and welcomes employees flagging up any mistakes. Making it easy to do the right thing means you know how you’ve been exposed, and it gives you the option to deliver remedial training to the employee involved. You may end up dealing with notifications about emails, messages and sites that aren’t malicious, but that’s far better than missing a crucial attack.

Power up your human firewall

With the right culture, awareness and training, your people can become your greatest defence against cyber-attack. Make it easy for people to do the right thing, and they probably will. Is it time to make changes in your organisation?

Start assessing your current position by asking yourself these questions:

  • How easy is it for someone to confess to a cyber error in your organisation?
  • What’s the process and the payback for reporting?
  • To what extent do leaders in your business set an example?
  • How do you deliver regular cybersecurity training to reinforce good behaviours?

To find out more about consumer attitudes and behaviours around security, download our new whitepaper, ‘CISOs under the spotlight’.