By Ajay Singh, Author of CyberStrong! A Primer on Cyber Risk Management for Business Managers
The human firewall can be a critical element in warding off cyber-attacks and thwarting cybercrime. Our fascination with finding and deploying that one elusive piece of technology that will boost our cyber defenses often takes precedence over enabling and empowering employees and making them an integral part of building robust and resilient cybersecurity.
In the recent past, cybersecurity has experienced challenges on several fronts. The rapid pace of adoption of digital technologies across sectors and the movement towards a flexible corporate network perimeter have brought forth unprecedented opportunities as well as introduced new risks. Meanwhile, hackers have upped their game and have become adept at not only dodging technology-based security measures but also in using attack vectors such as social engineering, ransomware, and adding various sophisticated forms of phishing to their bag of tricks.
When it comes to cybersecurity, human-centered attacks lead to employees making security errors including unintended actions, mistakes, negligence, and not taking the right steps that could cause or allow a security breach to take place. Early identification of such hacking attempts and human errors can help in taking remedial action to prevent cyber-attacks.
More than ever before, organizations require to nurture a cybersecurity aware culture and develop a cyber responsible workforce. Several studies have highlighted the importance of engaging employees to build an effective security posture. This is not to say that technology and organizational processes are less important in ensuring cybersecurity but to place the human element on par in terms of strategy and implementation.
The concept of a human firewall is based on developing and operationalizing a system consisting of a group of people who work continuously towards detecting cyber-attack attempts that bypass traditional defense mechanisms such as traditional firewalls. A recent report from the Ponemon Institute shows that 25% of successful hacks are caused by human negligence or simple mistakes. We must also accept that hardware and software defenses if not configured properly or due to limited capabilities sometimes allow phishing messages through. Considering that over 90% of all cyber-attacks begin with phishing emails/messages it is essential to implement proactive security measures to address human-centered cyber threats, Here the role of employees who are a part of the human firewall is armed with the knowledge of best practices, skills, tools, and training to thwart cyber-attack attempts that bypass technical controls such attacks become critical to ensuring effective cybersecurity.
To build robust cybersecurity the use of various types of firewalls is essential. Typically, a firewall is used to monitor inbound and outbound network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been deployed as the first line of defense in network security for over two decades now and while they have been largely effective, they have limitations especially when it comes to human-centered attacks. A hardware firewall is a physical device that is deployed to perform exercise the network perimeter with the objective of enforcing security rules, controls, and policies. A software firewall runs on a computer/server with the objective of blocking unauthorized access from outside the firewall to prevent malicious traffic from entering your system and causing a loss of vulnerable data.
While hardware and software firewalls work as a frontline for defense, a human firewall is effective as a last line of defense and provides an additional layer of defense and comes into play when technical layers of defense fail, and human errors and negligence can become a source of cyber threats.
Building a human firewall requires strong commitment supplemented by the right tools and training required for it to be effective. While enabling a more robust security posture, the human firewall is also useful in instilling a security mindset among employees and developing a security culture. Here are six principal elements of building an effective human firewall:
Leadership must recognize that technology-based protection mechanisms have limitations more so in the case of human-centered attacks and be committed to developing a human firewall as a part of cybersecurity plans and programs
Value the role of people in cybersecurity and creation of a strong cybersecurity culture where security issues are discussed freely, best practices are adopted and implemented, security updates and success stories of security appropriate behavior are widely shared. Employees must be encouraged, incentivized, and appreciated for their security efforts. The more employees’ contribution to security is valued the stronger the human firewall will become.
Training and awareness through regular employee engagement and interaction to develop the right kind of security mindset, the required skills and knowledge to identify and respond to cyber threats, and the ability to work as a security team even where employees from various functions and departments work seamlessly as a unit are essential in building an effective human firewall.
Measure, monitor, and adapt are other important ingredients that are important in building a human firewall. The cyber threat landscape is extremely dynamic and requires security teams to constantly update their understanding of hacking methods and ways to stop attack attempts.
Nothing works without a proper plan and commitment of adequate resources. A human firewall has to be built brick by brick and requires the development and enforcement of strong security policies. Security policies should be unambiguous and concise and cover various aspects including password policy, email security, and social media usage. Enforcement of security policies and holding employees accountable for violations is as important as encouraging responsible security behavior.
Continuous vigilance by a dedicated team of employees forming the human firewall can ensure that even if the technologies that are a part of perimeter security fail there is still a line of defense that can recognize an attack on social media, phishing attempts, etc. and stop it in its tracks thereby averting a full-blown crisis and preventing data leaks.
The steep rise in social engineering scams has already reached alarming proportions. Some reports even suggest that 98% of cyber-attacks rely on social engineering. All these scams and phishing attempts are directed toward deceiving people and manipulating human behavior. Hackers are always ahead of the game when it comes to circumventing security controls and mechanisms to meet their objectives. In this scenario, a human firewall can act as an additional security layer that can function as a vital component of an organizations’ security architecture and contribute effectively to building your organization’s security culture and posture.
One valid criticism of the concept of the human firewall is that for cybersecurity to be effective the participation of everyone is necessary and that a group of persons (read human firewall) cannot ensure the security of an organization. However, when looked at from a practical viewpoint it is not easy to ensure that all employees can operate at a level where they are fully aware and equipped to handle security issues as they arise. Hence, it is useful to make the human firewall a key element of cybersecurity strategy alongside the required security technology and processes, while we continue to build a durable organization-wide security culture.