How to Create a Human Firewall: Proactive Cyber Advice
How much security protection is enough? That’s a tough question to answer, and it was the catalyst behind our recently published whitepaper on selecting the right cybersecurity tier based on individual risk profiles (download it HERE). The paper outlines three common tiers, from Tier 0 (the ‘must-have’ list) to Tier 2 (the ‘advanced’ list); however, it only touches briefly on the human element of security.
The reality is that in today’s sophisticated cyber environment, firms must go beyond physical or virtual firewalls and establish a ‘Human Firewall,’ because technology alone won’t stop some of the most damaging attacks. In many instances, employees are “holding the door open” to criminals or inadvertently “leaving the keys out.” At other times, disgruntled employees act with more malicious intent.
Building a ‘human firewall’ comes down to establishing a security-conscious workplace and culture where employees understand the risk landscape and know how to respond. So what goes into a ‘human firewall’? It has several parts, including policies, training, awareness and, of course, people(!).
Practical, User-Friendly Policies
Many firms create a 20+ page written information security plan that formalizes the definitions and policies governing the creation, access, and deletion of confidential information and computing services. That can include everything from a definition of personally identifiable information (PII) to a description of user access privileges and roles and policies on data handling. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services.
While the plan should be comprehensive, firms should also avoid getting bogged down in “tech speak.” Employees need user-friendly policies that are straightforward to follow. For example, they want to know the implications of their actions (“If I read this on a mobile phone, am I creating a security vulnerability?” “What happens if I lose my mobile device?”).
Ongoing plus In-the-Moment Phishing Training
The importance of employee security awareness cannot be overstated. We hear and read stories far too often about employees being victims of social engineering schemes. From downloading a malicious virus to falling for a wire transfer scam, these incidents not only have financial implications for an investment firm but can also affect an employee personally and directly.
Teach your employees about safe computing practices and common phishing scam tricks (here’s a list of 13). And remind them to always pick up the phone to verify a wire transfer request. Beyond teaching, conduct simulated phishing exercises to test employee knowledge and deliver in-the-moment training (hint: Eze Phishing & Training).
Ongoing Cyber Awareness Education
All of the documents, committees, and meetings won’t have any meaningful impact in building a ‘Human Firewall’ if the proper security practices don’t spread quickly and uniformly across the organization. That starts to happen through systematic and comprehensive training practices. These training practices range from in-the-moment training via simulated phishing tests to the following:
Face to Face – Many organizations find that face-to-face, instructor-led, hands-on training is the best way to instill a security culture. The emphasis should be on what business users need to know to keep IT resources secure and protected. These scheduled sessions – which should last no more than 30-60 minutes – let people learn visually and practically and send a strong message about the importance of security.
Video Refreshers – When employees have quick questions or when face-to-face sessions aren’t practical, on-demand video lessons can fill an important gap. Start by recording your face-to-face sessions and editing them into quick five-minute segments. A library of key topics can be a great resource.
Start Early – Underscoring the importance of security, many employers are making security training part of their onboarding process – and asking employees to start training before their date of hire. Make sure new hires recognize their responsibilities from day one.
Keep it Going – Make sure the awareness doesn’t stop with the training. Regular newsletters about data security are a good strategy. Periodic reminders from top managers can also reinforce your security-oriented culture. Update your teams about new and emerging threat tactics and sources.
Human Firewall: Top-down
Wrapping things up: now more than ever, firms must create a security-centric culture filled with “human firewalls.” And, as with anything else culture related, it needs to start from the very top of the firm. Ironically, senior people can sometimes represent the greatest source of vulnerability to information security, due to the volume and sensitivity of the information they access and the distractions of their fast-paced lives. It’s essential that management visibly and fully commit their unwavering support to your efforts to improve security.