The Human Firewall in a Hyper-Connected World
In the security landscape, there are few easier opportunities for hackers to compromise an enterprise than by targeting the human beings that make up the workforce. People in an organization (employees, contractors, senior executives, and board members) are almost always the weakest link in the security ecosystem. They have been taught since they were toddlers to be helpful, curious, and, as adults, customer focused. Hackers take advantage of these ingrained traits using a wide variety of social engineering techniques to exploit access to an organizations' resources and assets.
In the aftermath of the WannaCry crypto-locker worm that infected hundreds of thousands of computers in more than 150 countries earlier this month, information security advisors worldwide are preaching that enterprises need better firewalls, enhanced governance, faster patching, and more security staff. Most of these security tactics are needed to compensate for the shortcomings of the human firewall in the organization. Most compromises cannot be completed without a human security failure. The "human firewall" is essentially security awareness spanning the organization, including physical and digital security, and is an enterprise's first and last line of defense.
How do we keep an entire workforce aware of their role in the security of the organization? Traditional security awareness includes signing off on a computer use policy, once a year videos, lunch and learns, and standard employee contracts. These cannot compete against the ingenuity of today's hacker using social engineering, phishing attacks, spear-phishing attacks, business email spoofing, malware, trojans, USB thumb drive drops, and their future inventions. All it takes is one employee to click on a hacker's link and enterprise security is compromised. In a global survey conducted by consulting firm PwC, only 73% of organizations have senior executives that are actively communicating security awareness to their employees. This means that there are still significant opportunities for social engineering hacks, even if existing security awareness communications are effective.
This highlights the need for workforce security awareness training that is effective in implementing the human firewall. It is impossible for a business to get this perfect, but you can improve employee effectiveness in combating social engineering hacking techniques. The security awareness training needs to educate the workforce so that they understand not only what they should and should not be doing but also why. They need to understand the significance of security risks.
The ongoing challenge with any training is how do you get the workforce to:
- Complete the training, as it takes time away from doing their job
- Utilize there training effectively and at appropriate times, by making the right choices when put into different situations
- Make the training pervasive in the organization, being delivered in a method that appeals to everyone
Two recent trends in security awareness training that can be used either individually or in tandem are:
- Gamification, which awards points and various forms of recognition to people who do the right thing during the training modules
- Social Engineering Indicators (SEI), which uses simulated social engineering breach attacks such as spear-phishing and phishing emails to train people how to identify hacking attempts
These training tools significantly improve retention and understanding of the material, particularly with respect to security awareness. Both training techniques are ongoing and not one-time events. The goal is to get the workforce thinking conscientiously in a hyper-connected world with mostly friendly, but some malevolent people.
To complement improved training techniques, technology and improved practices can make things easier for the human firewall:
- Email gateways with sophisticated malware, virus, phishing and spear-phishing detection
- Next-generation Layer-7 firewalls that can detect social engineering attacks
- Practicing good network security "hygiene" by limiting permissions for network shares to only those roles that require access
- Processes that require two-person approval of payment requests with appropriate due diligence based on the payment size
- Systems and tools for device/asset management that can deal with lost or stolen devices containing corporate data
- Human-friendly policies and incident management that allow for mistakes and reporting incidents
- Monitoring and measuring effectiveness of security awareness and rewarding people who do well
The human firewall is the first and last line of defense for an enterprise, and with that in mind, appropriate investments and sponsorship should be made for security awareness training across the enterprise. Neglecting the human firewall could result in a security breach that would negatively impact intellectual property assets, revenue streams, corporate image or brand, resulting in the catastrophic failure of the organization.
"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.