The Human Firewall in a Hyper-Connected World

portable

In the security landscape, there are few easier opportunities for hackers to compromise an enterprise than by targeting the human beings that make up the workforce. People in an organization (employees, contractors, senior executives, and board members) are almost always the weakest link in the security ecosystem. They have been taught since they were toddlers to be helpful, curious, and, as adults, customer focused. Hackers take advantage of these ingrained traits using a wide variety of social engineering techniques to exploit access to an organizations' resources and assets.

In the aftermath of the WannaCry crypto-locker worm that infected hundreds of thousands of computers in more than 150 countries earlier this month, information security advisors worldwide are preaching that enterprises need better firewalls, enhanced governance, faster patching, and more security staff. Most of these security tactics are needed to compensate for the shortcomings of the human firewall in the organization. Most compromises cannot be completed without a human security failure. The "human firewall" is essentially security awareness spanning the organization, including physical and digital security, and is an enterprise's first and last line of defense.

How do we keep an entire workforce aware of their role in the security of the organization? Traditional security awareness includes signing off on a computer use policy, once a year videos, lunch and learns, and standard employee contracts. These cannot compete against the ingenuity of today's hacker using social engineering, phishing attacks, spear-phishing attacks, business email spoofing, malware, trojans, USB thumb drive drops, and their future inventions. All it takes is one employee to click on a hacker's link and enterprise security is compromised. In a global survey conducted by consulting firm PwC, only 73% of organizations have senior executives that are actively communicating security awareness to their employees. This means that there are still significant opportunities for social engineering hacks, even if existing security awareness communications are effective.

This highlights the need for workforce security awareness training that is effective in implementing the human firewall. It is impossible for a business to get this perfect, but you can improve employee effectiveness in combating social engineering hacking techniques. The security awareness training needs to educate the workforce so that they understand not only what they should and should not be doing but also why. They need to understand the significance of security risks.

The ongoing challenge with any training is how do you get the workforce to:

Complete the training, as it takes time away from doing their job
Utilize there training effectively and at appropriate times, by making the right choices when put into different situations
Make the training pervasive in the organization, being delivered in a method that appeals to everyone

Two recent trends in security awareness training that can be used either individually or in tandem are:

Gamification, which awards points and various forms of recognition to people who do the right thing during the training modules
Social Engineering Indicators (SEI), which uses simulated social engineering breach attacks such as spear-phishing and phishing emails to train people how to identify hacking attempts

These training tools significantly improve retention and understanding of the material, particularly with respect to security awareness. Both training techniques are ongoing and not one-time events. The goal is to get the workforce thinking conscientiously in a hyper-connected world with mostly friendly, but some malevolent people.

To complement improved training techniques, technology and improved practices can make things easier for the human firewall:

Email gateways with sophisticated malware, virus, phishing and spear-phishing detection
Next-generation Layer-7 firewalls that can detect social engineering attacks
Practicing good network security "hygiene" by limiting permissions for network shares to only those roles that require access
Processes that require two-person approval of payment requests with appropriate due diligence based on the payment size
Systems and tools for device/asset management that can deal with lost or stolen devices containing corporate data
Human-friendly policies and incident management that allow for mistakes and reporting incidents
Monitoring and measuring effectiveness of security awareness and rewarding people who do well

The human firewall is the first and last line of defense for an enterprise, and with that in mind, appropriate investments and sponsorship should be made for security awareness training across the enterprise. Neglecting the human firewall could result in a security breach that would negatively impact intellectual property assets, revenue streams, corporate image or brand, resulting in the catastrophic failure of the organization.

"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.

Tags:

News & Views

Enterprise Connect

Articles You Might Like

What Gen AI Insights I’ll Be Looking for at Enterprise Connect 2024

Eric Krapf

March 22, 2024

From the keynote stage to the show floor to the conference sessions, we’ll hear about the progress that vendors and enterprises are making towards implementing generative AI.

The entrance to the Enterprise Connect show at the Gaylord Palms

BCStrategies Will Be Making Connections at Enterprise Connect

Kevin Kieller

March 06, 2024

Join eleven of our experienced independent analysts, consultants, and thought leaders as they tackle everything from unified communications to customer experience to artificial intelligence.