How to Build a Robust Human Firewall

Published July 25, 2024

A human firewall encompasses every single person in an organization who plays a role in protecting the IT network. It imagines every employee joining hands and coordinating their efforts as the first line of defense against cyber threats. 

The same way you install firewalls to filter out malicious traffic, you must 'install' knowledge in your team members to filter out phishing attempts, suspicious links, and other cyber dangers.

How a human firewall thwarts attacks in company networks

Phishing attacks

Phishing is a type of cyberattack that uses trickery to get people to give up sensitive data or unintentionally install malware. It is one of the most common tactics hackers use. Phishing attacks often come through emails, text messages, or even phone calls.

A well-trained human firewall will easily recognize the signs of a phishing email—like poor grammar, unexpected attachments, or a mismatched sender address. 

In a typical phishing attack, the email might say there's a problem with your account and provide a link to "fix" it. When you click the link, it takes you to a fake website designed to steal your login credentials.

One common form is bulk email phishing. Scammers send out spam emails to countless people, hoping a few will fall for it. They often impersonate big, trustworthy brands like banks or online retailers. They might use the brand's logo and even spoof email addresses to make the message look legitimate. 

The subject lines are designed to evoke strong emotions or create a sense of urgency, like "Your invoice is attached" or "Problem with your order." The goal is to get you to click a link or open an attachment, which then leads to sensitive information being stolen or malware being downloaded.

Then there's spear phishing, which is more targeted. Here, the attacker goes after a specific person, usually someone with access to valuable information. They do their homework, gathering personal details from social media or professional networking sites. 

Imagine your finance manager getting an email that looks like it’s from the CEO, asking them to wire money urgently. Because it has specific personal details, the email looks legitimate, increasing the chances they’ll fall for it.

Business email compromise (BEC) is another variant. In this case, scammers target businesses directly to steal money or confidential data. One form of BEC is CEO fraud, where the attacker pretends to be a high-level executive and instructs an employee to transfer funds. 

A variation of BEC is email account compromise (EAC), where the attacker uses a compromised email account to send fraudulent invoices or request sensitive information. BEC attacks can be incredibly costly. For example, scammers once stole over $100 million from Facebook and Google by posing as a legitimate software vendor.

Smishing, or SMS phishing, uses text messages to trick victims. Scammers might pose as your wireless provider, offering a "free gift" or requesting you update your credit card information. Scammers may also pretend to be from the postal service and send texts asking for a fee to receive a package.

Vishing, or voice phishing, involves phone calls. With the rise of VoIP technology, scammers can make millions of automated calls a day. They often spoof caller IDs to appear legitimate. You might get a call saying there’s an issue with your credit card or you have an overdue payment, pressuring you to provide personal information or make a payment.

Social media phishing is another method. Scammers use platforms like Facebook Messenger or LinkedIn InMail to trick people. They might pretend to need help logging in to their account or claiming a contest prize. This can be particularly effective if you use the same password across multiple sites, making you vulnerable if one account is compromised.

Newer techniques include AI phishing, where scammers use generative AI tools to create convincing messages free of typical red flags like spelling errors. 

Quishing is another newer phishing scam that involves fake QR codes embedded in emails or posted publicly, leading to malicious websites. Hybrid vishing combines voice phishing with other methods, like an email instructing you to call a number where the scammer is waiting.

Ultimately, phishing is a diverse and evolving threat, exploiting human nature and leveraging technology to trick us into making harmful decisions.

Social engineering

Hackers often rely on manipulating people rather than breaking into systems directly. They treat humans as the weakest link in the network and devise tricks that play on their psychology to get them to lower their guard. The best human firewalls are trained to pick up on these tricks early in any encounter with a scammer.

Imagine an attacker posing as an IT support technician. They might call an employee and say they're conducting a routine security check. The employee, thinking it's legit, could easily reveal their password or other sensitive info. This is classic phishing, but over the phone instead of email.

Then there's baiting, when an attacker leaves a physical device, like a USB drive, somewhere it can be easily found. The device is loaded with malware. 

An unsuspecting employee might plug it into their computer out of curiosity or a sense of duty to return a lost item. Boom—network compromised. A well-trained human firewall never plugs in an unknown device.

Social media is another favorite hunting area for social engineering scammers. An attacker might gather details about employees to craft highly personalized attacks. They could use info like favorite sports teams, pet names, or recent vacations to guess passwords or answer security questions. Little bits of personal info can go a long way in building trust and getting past security barriers.

To guard against social engineering, human firewall training emphasizes employees’ need to be skeptical of unsolicited requests for sensitive information. It also recommends regular security drills. For example, sending out fake phishing emails to see who bites can be a great way to identify weak spots in employee education.

Taking simple steps like these can make a huge difference. After all, a network is only as strong as its weakest link, and sometimes that link is just a friendly, unsuspecting employee.

Insider threats

Insider threats are cybersecurity risks that come from within your organization. These threats typically involve authorized users like employees, contractors, or business partners. These insiders either misuse their access intentionally or fall victim to cybercriminals who hijack their accounts.

Building a robust human firewall entails training network users on how to recognize and report the suspicious actions of other network users. This can put a spotlight on the suspect and help stop them dead in their tracks.

While external threats often capture the headlines, insider threats can be more dangerous and costly. According to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach caused by a malicious insider was USD 4.90 million. That’s 9.5% higher than the overall average cost of a data breach, which is USD 4.45 million.

Verizon's 2023 Data Breach Investigations Report revealed that while external threats typically compromise about 200 million records, insider threats have exposed over 1 billion records.

Let's consider some real-world examples. At the outset of the COVID-19 pandemic, Christopher Dobbins, a disgruntled former employee of a medical packaging company, used a previously created admin account to set up a fake new user account. This allowed him to alter thousands of files, disrupting shipments of personal protective equipment to hospitals and causing more than $200,000 in damage.

Another case involved a former Twitter employee who sent user information to officials of Saudi Arabia in exchange for bribes. The U.S. Department of Justice stated that he acted in secret as an agent of a foreign government.

Then, there are negligent insiders. These individuals don't have malicious intent but make serious mistakes. They may fall for a phishing attack or lose a laptop that a cybercriminal later uses to access the network. Negligent insiders were responsible for 56% of insider threats among companies surveyed in the 2022 Ponemon Cost of Insider Threats Global Report.

Compromised insiders represent another category. These are legitimate users whose credentials have been stolen. For instance, in 2021, a scammer used a social engineering tactic, specifically a voice phishing (vishing) call, to gain access credentials to customer support systems at the trading platform Robinhood. 

This attack allowed the scammer to steal over 5 million customer email addresses and 2 million customer names. According to the Ponemon report, threats involving compromised insiders are the most expensive, costing an average of USD 804,997 to remediate.

Understanding these examples and the various forms insider threats can take is crucial. Each type—malicious insiders, negligent insiders, and compromised insiders—poses unique challenges that require tailored mitigation strategies.

How to build a robust human firewall

Creating a human firewall isn’t just about buying a tool or enforcing a policy. It’s about uniting people, processes, and technology. 

Craft a human firewall policy

We’re all unique. That means your perception of a good practice might be different from the next person’s. That’s where an Information Security Policy Suite comes in. It’s like a playbook that levels the field, letting everyone know what’s expected. 

An environment where employees don’t have a guide on how to detect, prevent, or respond to cybersecurity threats is a sign of a weak or non-existent human firewall. So, put a policy in place, and ensure your policies are clear and comprehensive.

Establish technical controls

Throwing your employees into the cybersecurity jungle without technical support is like sending them on a survival mission without any gear. Strong technical controls are your safety net. They can turn a major incident into a non-event. 

These controls should align with your policies, which in turn should align with compliance frameworks. The ASD Essential Eight is a great example of a set of controls designed to mitigate most threats with minimal effort. It’s a globally recognized set of strategies that you can use as your north star.

Develop an iterative human firewall training program

It’s not enough to just hit your team with one-off training sessions. Consistency is key. Think of it like learning to play the piano; you get better with regular practice. 

A mix of self-paced training and risk-based phishing simulations is generally recommended. Start with bite-sized training sessions monthly. This helps in keeping the material engaging and digestible.

Phishing simulations may not be popular, but they’re necessary. They’re a practical way to identify who’s prone to attacks. Risk-based phishing is a good approach because it lets you tailor the difficulty and frequency of simulations to each employee’s performance. High-risk employees get easier, more frequent tests, while low-risk employees get fewer, tougher challenges.

One foundational aspect we emphasize is being cautious with unknown sources. For instance, always advise your team to hover over links before clicking and verify the sender's email address. This simple habit can prevent many phishing attempts.
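As an added example, not code from the original article, here is a small Python check that automates the two habits described above: comparing the sender's display name with the domain the mail actually came from, and comparing the text shown for each link with the host its href really points to. The brand name, the domains and the sample message are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands staff are expected to trust, mapped to the domain that legitimately mails them
# (constructed example values, not real organisations).
TRUSTED_BRANDS = {"Acme Bank": "acmebank.example"}

def site(url):
    # Lower-cased hostname with a leading "www." dropped, so two URLs can be compared.
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_red_flags(raw_email):
    # Red flags a reader can spot by hand: a display name claiming a trusted brand while
    # the address sits on another domain, and link text naming one site while the href
    # (what hovering over the link reveals) goes to another.
    msg = message_from_string(raw_email)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, brand_domain in TRUSTED_BRANDS.items():
        legit = from_domain == brand_domain or from_domain.endswith("." + brand_domain)
        if brand.lower() in display.lower() and not legit:
            flags.append(f"display name claims {brand!r} but sender domain is {from_domain!r}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = re.search(r"https?://\S+", text)
        if shown and site(shown.group()) != site(href):
            flags.append(f"link text shows {site(shown.group())!r} but points to {site(href)!r}")
    return flags

# Constructed sample of the "problem with your account" lure the article describes.
SAMPLE_PHISH = """From: Acme Bank Support <alerts@acme-bank-secure.example>

<p>Problem with your account: <a href="http://198.51.100.7/login">https://www.acmebank.example/login</a></p>
"""
```

Running `phishing_red_flags(SAMPLE_PHISH)` returns two flags, one for the sender mismatch and one for the link mismatch; a message from a subdomain of the trusted domain whose link text and href agree returns none.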

Another critical point to stress in your cybersecurity training is never sharing sensitive information online. This may seem obvious, but in the hustle of daily tasks, it's easy to slip. By regularly reminding your team, you reduce the chances of accidental data exposure.

We can't overstate the importance of strong passwords. Encourage everyone to use complex combinations of letters, numbers, and special characters. Simple passwords like "password" or the company's name just won't cut it. Regularly changing passwords is another layer of security we practice diligently.

Simply being vigilant is another habit you must cultivate in your company. If something feels off, it probably is. Suspicious emails or unfamiliar websites are red flags. Train your team to trust their instincts and report anything unusual to your IT department immediately.

Knowing how to respond to a cyberattack is equally crucial. You must drill into your team the importance of immediate reporting if your network shows any signs of being compromised. Self-fixing can sometimes worsen the situation, so your protocol must be clear: report and let the experts handle it.

Finally, keeping pace with emerging trends is crucial. The bad guys are always evolving, and so should you. Monthly cybersecurity newsletters can keep everyone updated. Use Cybersecurity Awareness Month to shake things up and introduce fresh conversations. Periodically reviewing your security awareness training can also help keep everyone on their toes.

Build a security-conscious corporate culture

Building an impenetrable human firewall means fostering positive cybersecurity behaviors. People often mirror their leaders. So a culture of good practices needs to be led from the top. 

Encourage open dialogue among employees about cybersecurity tips, and create cyber ambassadors within each team. Friendly competition can be another motivator. By the way, showing your team that even leadership follows these practices can make a big difference.

Creating a security-conscious culture requires getting everyone on board and understanding that security isn't just IT's job—it's everyone's responsibility.

A key practice, which you must instil from the top of the organization, is access control. Not everyone needs access to everything. By limiting permissions, you minimize risk. For example, your sales team doesn't need access to financial systems. Each department gets tools tailored to its needs, ensuring productivity without unnecessary risk.

You must also promote a culture of reporting. If something seems off, you want to hear about it immediately. False alarms are better than missed threats. A seemingly harmless login attempt on an employee’s email may turn out to be a genuine threat. Early detection will help avoid a potential breach.

Lastly, practice what you preach. Leadership sets the tone. If management disregards security practices, the team will follow. So, you must lead by example. During meetings, highlight security wins and discuss lessons from any incidents. This transparency helps build trust and underscores the organization's commitment to security.

By fostering a culture where security is a shared responsibility, you create a stronger, more resilient organization. It’s about being proactive, staying informed, and supporting each other every step of the way.
