Computer hackers don’t want to create unnecessary work for themselves. When choosing a target, they will often seek the soft, or “easy” one. The term “The Human Firewall” is more than just IT jargon. An organization’s employees play a crucial part in how we protect our systems, our data, our clients, our business partners, and our members.
The Sans Institute reports that 95 percent of the attacks on organizations’ networks today are successful as a result of spear phishing. Hackers use spear phishing for one of two reasons. The first is an attempt to successfully obtain access to your systems directly from your employees. The second method to gain access is by successfully getting your employees to launch the tools the hacker needs for entry into the system. These methods, in many respects, completely bypass many of the security measures your company puts in place to combat hackers.
Some examples include:
- An unusual email with a link to update your account information.
- An email in which the CEO asks the CFO to wire transfer money.
- A call from someone claiming to be Microsoft or another software company asking you to click a link on a webpage, so that they could help you update your computer.
Examples of Employees as Effective Human Firewalls1. An effective employee does not click on unverified links within an email.
Hackers can provide links that reroute users to unauthorized websites. Many people fall into this hacker trap by clicking before checking the links. Avoid this mistake by hovering your cursor over the link and see where the pop-up says you will be redirected.
2. An effective employee does not open unexpected attachments.
If you receive an email from someone with an attached document, think twice! Only open the attachment if you were expecting the file or if you call the sender and he or she verifies it. It seems tedious, but it will not be as tedious as trying to recover your computer or entire network after you open an attachment containing ransomware.
3. An effective employee never uses the same password across multiple systems.
Change your password frequently and be sure to follow company password complexity rules. A good standard to follow is to have a password that is 8 to 10 characters and includes upper and lower case letters, numbers, and special characters.
4. An effective employee never connects personal devices to the company network or to company devices.
Employees should not BYOD (Bring Your Own Device). Typically, employees’ personal devices lack the same security measures as company devices. When employees bring personal devices and connect them, they can potentially expose your company device or an entire network.
5. An effective employee reads, understands, and follows the company technology usage policy.
Your organization’s technology usage policy should outline practical usage examples and standard protocol for devices and business use. When employees are taught the company’s technology usage policy and not just handed one to read, they will begin to understand why these things are so important.
6. An effective employee participates in a company-provided and required security awareness training program.
Does your organization train your staff in security awareness? If not, it’s time to implement a security awareness training program. This type of training should explain the technology usage policy in detail, help employees understand what each section means, the policy’s importance, and what could happen by ignoring established guidelines.
You will see a dramatic increase in the adoption rate of your technology usage policy once employees truly understand the risks associated with their inaction. It empowers your staff and gives them an opportunity to do their part in helping to keep your company safe.
Continue training by including monthly or bi-monthly segments to your program. These should include regular emails that provide information on the latest risks such as phishing trends and what employees should do if they see them. You will be surprised by how many of your employees will appreciate this information and ask if they can share this information with family and friends.
Plan to hold training refreshers for the tools employees use as part of their jobs, such as email encryption tools, email filters, and others. Consider implementing your employee security awareness training as a human resources-driven requirement. Both methods have been shown to reinforce adoption as well.
Even with all the security measures, an employee training program in security awareness, additional segments, and an effective human firewall, the IT industry still tells us that a cybersecurity attack is “not a matter of if, but when.”
Should the “when” happen, having a recovery solution in place can mean the difference between days, weeks, or longer of a recovery time. The three essential parts of a recovery solution are:
- Regularly tested backups: There are few worse feelings than needing a backup and finding that there is no backup or the one you have isn’t working.
- Personnel: Knowing who to contact first and those involved as part of the recovery process. Identifying who you will need before a breach happens is significant.
- Cost: Is your company prepared to handle the cost of recovery? If you are not prepared to shoulder that cost, are you protected? Planning ahead to be financially prepared and protected can help you not only save cost but also save time during the recovery process.