The Human Firewall:
A threat actor is usually going to be patient. It takes time and skill for their malicious code to spread its way into all of your critical systems and even your data backup.
They don’t strike until they have everything they need. In many cases, the attackers will try to get so deep into financial statements that they can calculate the exact amount of ransom to ask for, in order to maximize their “revenue” but not quite destroy your business.
Long before data becomes lost or encrypted, an employee probably clicked a link or opened an email which secretly opened a gateway for a cyber criminal to gain access to your company’s network. Your employee probably noticed nothing, but their computer became the path through which the attacker worked their way much deeper into your company data. This is why EO’s security team is known to say that “social engineering always works”.
Email is often where the attack begins as bad actors attempt to manipulate well intended employees into making mistakes. These criminals are relentless. For these reasons, employee training is every bit as important as the firewall technology you employ. At, Electronic Office, we call this the “human firewall.” An organization’s people are the weakest link in their cybersecurity defense and so we must treat the “human firewall” as our most important investment.
We constantly test training systems that deliberately send your employees email, text and social media content designed to raise awareness and train people to identify threats. It’s important—and easy—to run a hands-on training program that teaches and tests employees. Nobody is looking to trick or embarrass an employee; it’s about training and prevention. It is our perspective that we can all learn a lot from our mistakes, and we might as well make them when friendly attackers are on the other side of the initiative.
This testing best practice is “easy” conceptually but, it can be hard culturally. Institutionalizing security into the culture is a leadership challenge—one that ultimately pays dividends.
Uncovering flaws in security, especially when the flaw involves human behavior, requires an experienced 3rd party that can help uncover problems dispassionately and with impartiality. There is a good cop / bad cop aspect to dealing with non-malicious employee mistakes. Management or the internal folks in IT should be the good cop, let your 3rd party advisor be the ones to call out the problems when necessary.
There are a number of solutions for testing and enhancing your “human firewall.” I recommend engaging an outside partner to help you pick the right solution for your situation and then to implement it on your behalf. “The Human Firewall” is not a DIY project. If you aren’t sure where to find that partner, give us a shout.
