The Human Firewall: Moving from Threat to Advantage


Survey says: poor password management, phishing, and malware downloads

The US State of Cybercrime Report found that a third of participants suffered an insider incident and most of those proved more costly than those perpetrated by someone outside the organization. Most of these cyber security breaches happened because an employee acted on a fraudulent email.

In the first nine months of last year, 15 million new strains of malware were found. Even frequent releases of virus checker software won’t catch that many. Additionally, 11 million of the 45 million emails that Mimecast checked for email security passed the test, meaning that it was up to the employees to make sure they didn't click on a dubious link or download an executable binary file.


But relying on staff as the last line of defense isn’t necessarily a good idea. Some surveys have found that only a fifth of staff attended any form of cybersecurity training and a quarter didn’t know if their company had a cybersecurity policy.

The human firewall

No business has the capacity, time, or money to stay on top of all vulnerabilities or threats. For most, nurturing a workplace culture that is security-aware is a much better answer. This human firewall can learn and adapt quickly.

Training content is built around the main cyber threats, as outlined in our last post, but the challenge is getting the message across.

Why the usual training approaches don’t cut it anymore

Anyone who works in regulated industries will be familiar with the monthly or quarterly cycle of required reading, which, if not completed on time, requires a humbling visit to a senior manager. All stick and no carrot has the desired effect of making sure everyone is kept aware of the latest changes to regulations or business processes, but how much of that knowledge lasts beyond the end of the week?

Staff have heard it all before, content delivery is stale, and the whole thing becomes a tick-box exercise.

So, if what we’re doing now isn’t working, what’s the alternative?

Change behavior to think secure

A better approach is using something that’s drip-fed, repetitive, fun, engaging and has some personal value for your employees. That way, you’re more likely to get a behavior change that becomes embedded in the organization.

The Human Firewall is built through a continuous cycle that helps employees and the organization think securely:

  1. Use behavioral change techniques to make people care about cybersecurity.
  2. Use learning techniques that stress fun and participation for maximum engagement.
  3. Build awareness and knowledge using techniques that make learning easier.

Behavioral change

Behavior is changed through using content that employees can relate to on a personal level.

Everyone understands the ramifications of having a purse or wallet stolen, especially if it contains a scribbled note with a list of PINs as an aide-memoire. Or if one of the kids downloads a game that wipes the hard disk and leaves mum the job of rebuilding the whole computer over the weekend. Make the connection between that personal pain and the pain the company will experience if it has to lay off staff because it loses a major customer.

More fun = more engagement

Employee out-of-hours activities revolve around entertainment like social media, online videos, games, and so on. So why distinguish between office and sofa? If you want to make it memorable, make it fun, fresh, and remarkable. Game-playing is inherently memorable, engaging, and fun and is fast emerging as a modern training tool. A survey by McAfee found that 96% of companies using it have seen benefits including improved teamwork and increased knowledge. And thirty seconds of fast-paced, energetic video will beat pages of dry text.

Make it easy to learn with bite-sized chunks

Brevity is the soul of wit, so keep it short. Long, arduous training sessions are boring and unnecessary. Drip feed the content and avoid the rush to meet a deadline. Use tools for learning on the move to let employees make the most of time spent traveling.


Make it specific (don’t "pray and spray")

One size doesn’t necessarily fit all, so segment staff by job role. Content for employees who regularly have access to classified information or high-profile customers will be different from those who don’t. And time-pressed senior managers need a different set of content altogether.

Don’t forget sub-contractors or temporary staff either. A survey by IDC found that activities by third parties were often the cause of breaches or major incidents.

Keep it positive! 🙂

While the stakes are high and the stories about cyberattacks depressing, you can choose how your business responds. Language that is upbeat and positive sets a better tone and is more likely to encourage employees to report any issues they find.

Monitor, learn, and adapt for continuous improvement

Cybersecurity training isn’t a one-time exercise. Content needs to adapt to reflect new threats, and success should be measured to find areas for improvement. Phishing tests are useful, given how common a threat phishing is; just don’t turn them into punishment sessions.

With good planning and careful execution, forward-thinking businesses can turn the ‘insider threat’ into a business advantage to help avoid the pain and disruption of a cyberattack.
