Estimated reading time: 7 minutes
Just imagine: you’ve gone to great lengths to secure your corporate network, only to have a colleague click on a phishing link in an email. Unfortunately, this happens often, sometimes with far-reaching consequences. We often read about large companies falling victim to ransomware or large-scale data breaches. Perhaps you’ve taken all sorts of measures to limit the damage because you knew something like this was going to happen. In that case, we say: well done! But isn’t there something we can do to minimize the chances of things going wrong in the first place? Of course we can: you can strengthen the human firewall!
Let’s look again at what a human firewall is. The human firewall is not a magical piece of software that automatically keeps out all threats but rather involves all human factors within cybersecurity. Think about how employees behave digitally: what links they click, the programs they use, or how they manage their login credentials.
So, everyone in the organization who works with a computer in any way is part of the human firewall. As a chain is only as strong as its weakest link, it is essential to arm all employees with knowledge and understanding. This way, they are more resilient against someone with malicious intentions, and they will be less likely to fall for hackers’ tricks. Continuous training is vital to get the knowledge up to standard and keep it there. In our previous blog on this subject, we explained how to train the human firewall.
Unfortunately, a solid human firewall does not make you entirely immune to every cyberattack. Complete immunity does not exist. After all, cybercrime comes in many forms. For example, a zero-day attack exploits a vulnerability in existing software, while in the case of a DDoS (Distributed Denial of Service), the network is overloaded from outside of the organization. But many other types of attacks are preceded by some form of human error. According to Kaspersky, this occurs in more than half of all cyber incidents. We are talking about forms of scams via email, phone, or other messages, but also unknowingly installing malware of any kind. We list some examples and explain why a solid human firewall is a good defense mechanism for these kinds of cyberattacks. Share this information within your organization and take the first step towards a stronger human firewall!
With phishing, fraudsters try to get hold of valuable data, such as payment details or personal data. This is often a prelude to another attack: the data obtained is then used to log into the company’s systems or create fake invoices. The stolen data can also be used to mislead victims and make them unsuspectingly install a virus.
If employees know what to look out for, they are less likely to fall for a phishing attempt. In general, it is advisable to never click on links in emails and be very careful when handing over personal data, company information, and payment details. For organizations, it might be helpful to make clear which suppliers and customers you are working with and who the appropriate contact persons are. An email from a different party or person will look a lot more suspicious, making it easier for employees to recognize the phishing attempt.
Keep in mind that a customer or supplier can also be compromised. So even if an email comes from a reliable sender, employees must remain vigilant.
Business email compromise attacks are a bit similar to phishing but with a very specific approach. Fraudsters pretend to be the CEO or other senior colleague and instruct someone to do the dirty work for them. They usually ask directly for a payment, but criminals can also try to gain access to documents or payment details, which are then used in other scam attempts.
You can protect yourself against this by working with fixed protocols and making everyone aware of them – including the CEO, in case he or she genuinely needs to make a quick payment! Especially when many employees work from home and can’t just quickly check in to verify an email, protocols and agreements help distinguish frauds from actual colleagues. A strong password policy is also essential to prevent business email compromise. After all, if hackers get hold of a colleague’s login details and misuse a genuine internal email address, it becomes very difficult to recognize that it is a fraud.
In case of tech support scam, a malicious party pretends to offer technical support. They usually pretend to be an external party, such as Microsoft, Google, or Dell, and try to install something on the victim’s computer. Scammers can also pose as someone from the internal IT department. If employees know who is working in their own IT department and have all IT-related matters run through them, it will be easier to unmask fraudsters.
Malware is software used to disrupt systems, gather info, or gain access to restricted systems. Malware comes in many shapes and sizes, making it complicated to protect yourself and your organization from it. Usually, though, something must be installed first. This is where the human firewall plays an important role.
Trojan Horses, for example, pretend to be another program. In this case, it is the user who installs the virus – albeit unknowingly. Malware can also be distributed via an Office macro. The malware is sent along with a document, like a fake invoice. Because this is a known vulnerability, macros are blocked by default. Yet if an employee chooses to modify the document, the macro is still activated.
The more users know about the existing dangers, the greater the chance that they will recognize malware and not fall for it.
Ransomware is a peculiar form of malware. When ransomware strikes, something has already invaded the computer or network. Someone might have clicked on a malicious link, activated a macro, or installed a Trojan Horse. You can already reduce the chance that things go sideways in the first place with a solid human firewall. If things do go wrong, it is crucial that employees respond appropriately to the ransomware.
Do employees know what to do? Who should they call? Can they continue their work safely? This knowledge is also part of your human firewall. Preferably, all of these scenarios for ransomware and other cyber incidents are recorded in a CSIRP (Computer Security Incident Response Plan).
Many of the above cyberattacks exploit people’s ignorance or carelessness. With a solid human firewall consisting of aware and alert employees, you reduce the chances that these types of attacks on your organization will succeed.
Although it is a good start to share the examples and tips from this blog, it won’t be enough to create a resilient human firewall. Hackers and scammers are becoming more and more cunning and are always looking for new ways to carry out a cyberattack. Moreover, in reality, the different methods are often combined. For example, the CEO’s personal data are captured through phishing first, to make a more convincing case for a business email compromise attack. Or private devices are first compromised, so they can then provide an entry point to a corporate network.
That is why it is essential to train and strengthen the human firewall continuously. New tips and insights need to be shared instantaneously, but basic principles also need to be repeated constantly. Want to know how best to do this?
Get in touch with our consultants. They will be happy to show you how to use Netpresenter to implement a human firewall. Be sure to download our convenient cybersecurity checklist to see where you can improve your organization’s digital security even more!
Already a customer? We’ve got a free cybersecurity template pack for you, which you can share directly with your colleagues.