Cybersecurity needs to go beyond technology. Cyberattacks increasingly target employees, so emphasizing people's role in defense is imperative. The concept of a 'human firewall' is being widely adopted in cybersecurity as organizations realize they need to go beyond traditional security awareness training and empower their users against social engineering attacks.
A human firewall is the group of employees who support your defense work by actively watching for suspicious online and email threats and reporting anything they consider dangerous. The more employees you have on board, the stronger the human firewall becomes. Since many data breaches start with an employee error, teaching employees the habit of reporting suspicious activity to the security team can have transformational effects. Errors can occur at any time, especially since attack vectors can be complex and advanced, but training that teaches people to adopt the habit of reporting can reduce the risk of a successful attack.
Traditional security awareness training does not, by itself, convert your users into a strong defensive line. While security awareness training introduces a variety of topics related to security best practices and organizational policies, the lessons rarely stick with people for long. Even when the training includes some practical exercises, like occasional phishing tests, the lack of frequency will not produce behavioral change. Modifying behavior is essential for building a strong human firewall because it is the only way to create a habit in which people constantly watch out for anything suspicious and report it because they have learned that this is what to do. To start building a human firewall, compliance-based, theoretical security awareness training must be only your second priority. Security awareness programs are critical and irreplaceable, but to strengthen people's participation in preventing incidents, you need a more practical approach.
When you adopt a practical training approach, it must be frequent. Doing phishing tests quarterly just won't have the desired effect on people's learning curve. Frequency is one of the elements that reinforces the new habit of reporting suspicious-looking emails. At Hoxhunt, we send a phishing simulation every 10 days to make sure that people keep learning and remember what they need to do. When reporting happens frequently enough, the basal ganglia of our brains start forming a habit: the reporting process becomes almost an automated response that people can perform without much thought.

Motivation and engagement also play important roles in forming the reporting habit. If frequent practical training is not engaging enough, users won't be motivated to report possibly malicious emails. Luckily, you can boost motivation and engagement so that people won't mind the frequent simulations. There are a few ways to do that.

Make sure that the practical training program was created with the users in mind. The training should be personalized to each user's level so that it matches their skills, knowledge, culture, language, role in the organization, and more. Some people have very advanced skills in spotting phishing emails, so they will naturally require more challenging simulations. Others may be beginners, so you want to start with easier examples so that they can succeed and gain confidence. Positivity plays a vital role in getting people on your side in the fight against attacks.

You can further boost motivation by spicing up the training with gamification. We recently published an article on why our brains love game-like elements and how that can stimulate us to participate and learn.
Just as email-filtering solutions do not provide 100% protection, neither does the human firewall. No matter how well trained your employees are, errors can always occur. It is enough for the email to reach a person at the wrong time, for example when they are tired after a long day or in the middle of a stressful period. Still, getting your people dedicated to reporting is the best option you have to strengthen your defenses. At some point your organization may get breached, but the best thing you can do is make the attackers' job harder by reinforcing your employees' reporting skills and building a culture where everyone is responsible for fighting back against attacks.