It’s fair to say that every business should have a multi-faceted approach to its cybersecurity requirements. Using effective, dedicated security software solutions will provide the cornerstone of your organization’s cybersecurity strategy, but that represents just one of the pillars of your security architecture. Education on cyber threats and scams, together with stringent procedures and enforcement policies to counter those threats, provides the cement that holds together the foundations of cybersecurity for business.
The power of the people
Security software is necessary for the most effective fight against cyber attacks, but a well-developed and fully operational security plan should encompass a wide range of procedures including the education of those in the company who can pinpoint and eliminate threats. This latter element, focusing on the knowledge, training, and implementation of cybersecurity techniques within the team of the organization, is known as the human firewall.
A human firewall is a broad term, one that will be flexible to the needs of different types of organizations. But the simplest explanation is that it requires a commitment (from employees and management) to the application of the best practices of cybersecurity within a business. Threats will come in many forms – ransomware, malware, viruses, DoS attacks – and robust security software will provide safeguards against them. But the personal component, the human firewall, is an essential weapon against the most widespread type of cyber threat – phishing.
Human firewalls can thwart phishing attacks
Phishing is, for all intents and purposes, a type of social engineering: scammers use psychological manipulation rather than technical intrusion to gain access to private data. In fact, many types of cyberattacks can be seen as social engineering. But phishing, in particular, focuses on our human weaknesses, our propensity for becoming worried, rash, confused, and yes, even lazy. This is the reason that the implementation of the human firewall is a necessity to combat phishing scams in the modern business environment.
The first step in using the human firewall strategy to eliminate phishing threats is the acknowledgment that the dangers of phishing are real and that catching them is harder than it seems. Many of us assume we can spot a fake email, website, or malicious URL, but the truth is that many of us can be tripped up by overconfidence.
Phishing attacks that target human error
Below is a list of successful phishing attacks. You will notice that the scammers did not target the business systems of the companies they were after but instead targeted employees, focusing on human weakness as their point of entry.
- In Minnesota, a drug company, Upsher-Smith Laboratories, was scammed out of $50 million after a series of fraudulent emails were sent to the accounts department claiming to be sent on behalf of the company’s CEO. The impersonation of CEOs and execs has become a common tactic in phishing scams.
- In Austria, FACC, an aerospace company that provided equipment to brands like Boeing and Airbus, saw $47 million stolen in another spoof CEO email scam. The defrauders had posed as CEO Walter Stephan, claiming that he required the payments for a company acquisition.
- In San Jose, the tech firm Ubiquiti Networks Inc was scammed out of $46.7 million when hackers posed as company executives in email communications, authorizing numerous wire transfers.
All of the examples above rely on impersonation and spoofing: the attacker forges the apparent source of a message, whether the sender address on an email or the number that pops up on your phone, so it appears to come from a legitimate source. While sometimes known as CEO fraud, it’s become common for criminals to impersonate any type of authority figure – a bank, a supplier, a manager – whose position gives a reasonable basis for demanding payment or access to sensitive information, whether over the phone, by email, or by SMS.
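The executive-impersonation pattern described above can also be caught mechanically before a message reaches the accounts team. The following added example (not from the original article) scores an inbound email on three signals that recur in CEO fraud: a known executive’s display name on an external address, a Reply-To pointing at a different domain than the From, and a payment request paired with urgency or secrecy language. The executive list, internal domain and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: names staff would treat as authority figures,
# and the domain their genuine mail comes from.
EXECUTIVES = {"jane doe"}
INTERNAL_DOMAIN = "example.com"

# Wording typical of CEO-fraud payment demands and the pressure around them.
PAYMENT_TERMS = ("wire transfer", "payment", "acquisition", "invoice")
URGENCY_TERMS = ("urgent", "immediately", "confidential", "today")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation.

    An empty list means no check fired; it does not prove the message is
    genuine, only that it warrants normal rather than heightened scrutiny.
    """
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload().lower()

    # 1. Executive display name on an address outside our own domain.
    if from_name.strip().lower() in EXECUTIVES and domain_of(from_addr) != INTERNAL_DOMAIN:
        flags.append(f"executive name '{from_name}' used with external address {from_addr}")
    # 2. Replies quietly redirected to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    # 3. Payment request combined with time pressure or a secrecy demand.
    if any(t in body for t in PAYMENT_TERMS) and any(t in body for t in URGENCY_TERMS):
        flags.append("payment request combined with urgency/secrecy language")
    return flags


# Constructed sample messages in the shape described in the article.
SUSPICIOUS = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: ceo.office@other-example.org
To: accounts@example.com
Subject: Urgent transfer

I need the wire transfer for the acquisition completed today. Keep this confidential.
"""
GENUINE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Quarterly figures

Please send me the quarterly figures when they are ready.
"""
```

Running `assess_message(SUSPICIOUS)` yields all three flags, while `assess_message(GENUINE)` yields none; in practice such a score would route the message to a verification step (a call-back on a known number) rather than block it outright.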
Everyone in the organization should form the human firewall
But, as mentioned, concentrating on one point of entry for attackers does not define the human firewall. It is about promoting a culture of looking out for – and expecting – threats. This commitment is best if it permeates every level of the organization, from part-time workers to executives. Indeed, it’s worth pointing out that the CEO of FACC (in the example provided above) was fired from the company for his (unwitting) role in the phishing attack.
Education, implementation, and incentive
There are arguably three main areas through which the human firewall cybersecurity strategy should be implemented: education, implementation, and incentive.
Education refers to making employees aware of common cybersecurity risks, and training them to spot phishing scams and other cyber threats.
Implementation is putting that education into action. It requires the enforcement of policy and procedures, which could include rules related to company password management, policies around the use of company laptops and other devices on public Wi-Fi, and so on.
Incentive is about creating some kind of reward for buying into the human firewall culture. It does not necessarily have to be a financial reward, but there should be recognition (such as a mention during company-wide announcements) for those committed to the culture of stopping threats.
Human firewall: a solid business protection
Once the human firewall has been set up, meaning that personnel are educated and trained in recognizing phishing and other cyber scams, employees should be able to spot suspicious links and communications, tell the difference between a fake website and a real one, and identify all the signs of a phishing attack. But perhaps more importantly, a trained human defense will start to question every communication and not take innocuous-seeming messages at face value. It takes time and energy, and it might also require an incentive, but the outcome for a business is an extra layer of protection standing solidly alongside your up-to-date business security software.