Did you know 95% of data breaches involve a human element? Using Metomic, security teams can enable employees to protect sensitive data themselves with real-time and dynamic notifications in SaaS apps.
Give employees the real-time tools they need to minimise their own data risks. Building your human firewall doesn't have to mean compromising productivity.
Automate Slack notifications to employees when they breach your data policies.
Send automatic reminders to employees if data they shared in the past has left unnecessary risk.
Move beyond monthly, quarterly, or yearly security training. Deliver it continuously, when it's needed.
The human firewall is a term that refers to your employees who act as a barrier to cyber security risks like phishing and social engineering attacks.
They follow best practices in cybersecurity to ensure the business is protected and keep the security team updated with any suspicious activity they've noticed.
An example of the Human Firewall in action is that of a financial services organisation training its customer service staff on the most appropriate way to share customer information with others within the team. For instance, this could take the form of employee notifications warning individuals when they share financial data in SaaS applications such as Slack, and encouraging them to remediate their risks. Credit card information stored indefinitely in Slack is a high risk for the business; if the environment were breached, all of this data would be accessible to unauthorised users.
Building this awareness around data security can help create a security-conscious workforce that can reduce risk to the business.
#1. Phishing
Phishing attacks have become increasingly sophisticated in recent years, with scammers pretending to be well-known companies in order to persuade individuals to share sensitive data.
According to IT Support company AAG-IT, 323,972 internet users were victims of phishing attacks around the world in 2021.
More recently, Reddit announced it had suffered a data breach due to a phishing attack that included "plausible-sounding prompts" pushing them towards a website that imitated their intranet portal.
Making sure your employees can spot a phishing attack is key.
#2. Baiting
Similar to phishing, baiting lures people in with the promise of free goods, or involves leaving items like USB drives lying around to appeal to people's curiosity.
Once the victim has handed over their details or plugged the USB drive into their computer, the malicious actor takes advantage and installs malware onto their device.
Keeping your employees updated on the techniques scammers might use can really help here.
#3. Scareware
Scareware is intended to look deceptively helpful by claiming that a virus has been detected on an employee's computer, encouraging them to download software to rectify the issue. In fact, this software itself is malicious, giving the criminal behind the attack access to data on the computer.
Ensuring your company's computers are covered by anti-virus software, and educating your employees on the alerts they should pay attention to, is a great way of combatting scareware.
#4. Pretexting
With a heavy focus on manipulation, pretexting involves someone acting as an employee's manager or another senior colleague to pressure them into giving information out. Pretexting lays the groundwork for any of the above tactics like phishing.
If any of your employees are asked to take specific actions like letting in a delivery driver or giving an IT person access to your system.
A human firewall is not the responsibility of one person or team - it's a collective effort which involves every employee within the organisation. It's also not built with annual security training that is easily forgettable.
A human firewall requires continuous training that's integrated with an employee's role so they understand how it fits within their responsibilities.
There's a danger around employees sharing sensitive data for the sake of speed, rather than out of any malicious intention.
In our recent webinar on the human firewall, Christopher Russell, CISO at tZERO, said the thinking behind sharing sensitive data in SaaS apps could be from employees thinking, "I'll just share this in Slack, then delete it and it'll be fine."
The difficulty with this is that the modern workplace moves so quickly that if that person then forgets to delete that piece of information, it could live in Slack indefinitely. What if your Slack channels were then hit with a data breach? That information could easily fall into the wrong hands.
On the other hand, you don't want to slow your colleagues down or block them from doing their jobs entirely.
"You have to be an enabler for the business to meet their deadlines and not have this process that makes sharing these things arduous," Chris continues. "If you make it painful, not feasible, or inefficient, they will work around that. With the amount of SaaS tools out there, it's really hard to monitor them all. You have to give them an easy, no-brainer way, so you can at least keep it in that one lane."
Using a data security platform like Metomic in this sort of scenario can help you to get visibility over all your SaaS apps from one dashboard so you can detect sensitive data being shared, and act early when it comes to insider threats too.
There are a few ways you can start to create your human firewall:
#1. Make yourself known
If people don't know who you are and what your role is in the company, they won't think to include you in crucial decisions and discussions. Or they may not know who to approach about any security concerns. Making yourself known to all your colleagues can alleviate this.
#2. Be available in the moment
Although it may be difficult, making yourself available when someone is worried about security issues can make all the difference. Once they know you're able to help, people will begin to trust you and come to you when they suspect something is wrong.
#3. Strengthen it with interactive sessions that are tailored for each team
Generic security training just won't cut it anymore. Engaging content that relates to a particular team's job can improve the attention paid to your presentation.
Help each team to see how they're connected to the bigger picture. For instance, if your customer service team is sharing sensitive customer data with each other in Slack regularly, you may want to alert them to the fact that if the company suffered a data breach, this information could put customers at risk.
#4. Use automation to put the power in their hands
You won't be able to fix every problem yourself, and putting the responsibility back on individual employees will help to maintain a culture of security-aware employees. Jonathan Jaffe, CISO at Lemonade, suggests trying "to automate as much of the responsibility and notification of the issue to the person who raised the issue. If you can automate a response that notifies them in nearly real-time of the issue, there's proximity which increases learning and retention."
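As an added illustration (not Metomic's code) of the near-real-time notification described above and in the financial-data example earlier on this page: scan a message for payment card numbers, confirm candidates with a Luhn check so order numbers and similar digit runs are not flagged, and build a notice addressed back to the person who posted it. The sample messages, user IDs and channel names are constructed for the example; the notice is returned as a dictionary rather than sent to any real Slack API.

```python
import re
from typing import Optional

# Constructed sample Slack-style messages (not real data): one holds a
# well-known test card number, one a 16-digit order reference, one is clean.
SAMPLE_MESSAGES = [
    {"user": "U_ALICE", "channel": "C_SUPPORT", "ts": "1700000000.000100",
     "text": "customer card is 4111 1111 1111 1111, exp 09/27"},
    {"user": "U_BOB", "channel": "C_SUPPORT", "ts": "1700000000.000200",
     "text": "order ref 1234-5678-9012-3456 shipped"},
    {"user": "U_CAROL", "channel": "C_GENERAL", "ts": "1700000000.000300",
     "text": "lunch at 12:30?"},
]

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Show only the last four digits so the notice itself does not repeat the card number."""
    return "*" * (len(pan) - 4) + pan[-4:]

def build_notification(msg: dict) -> Optional[dict]:
    """Build a notice for the poster, or None when the message contains no card number."""
    pans = find_pans(msg["text"])
    if not pans:
        return None
    return {
        "to_user": msg["user"], "channel": msg["channel"], "message_ts": msg["ts"],
        "text": (f"Looks like you shared a payment card number ({', '.join(map(mask, pans))}). "
                 "Please delete the message and use the approved payment tool instead."),
    }

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(build_notification(m))
```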
#5. Don't overwhelm your employees
If you can, try to spread security awareness training out over a few weeks rather than giving people information in one go. You could do this with a mixture of short videos and in-person tutorials to ensure all of your time isn't spent giving training to your team.
#6. Get buy-in from your leadership team
Another key point highlighted in our webinar was the importance of getting buy-in from your leadership team when it comes to building your human firewall.
The time, cost and resources dedicated to security training can be a barrier for security experts who need to convince senior members of the team that it's worth the investment.
The most important thing is to speak to the leadership team in a language they'll understand. "Speak in terms of risk, and metrics they understand like ARR or MRR," says Chris. "For example, it cost us this much, or this many work days, or this person's entire week."
With a data security platform like Metomic, you're able to continuously educate your employees on your security policies with custom notifications. See how we've helped companies like TravelPerk to do the same here.
Our team of security experts are on hand to walk you through the platform and show you the impact it can have on your business.