How a Human Firewall can Protect Your Organization
November 10, 2020
By Keith Wrage
The pandemic and the shift to work-from-home for many employees have exacerbated the risks organizations face. It is no longer just big financial organizations that are being targeted: small and medium-sized businesses and organizations are reporting increased cybersecurity issues. As a CPA firm, we are vigilant about our own security and have put many solutions and tools in place to protect sensitive client information. This includes technology solutions to filter out known threats, educating our employees about what to look for, and testing our readiness.
Human error or action is commonly cited as a factor in over 90% of cybersecurity incidents. As much as it would be nice to leave the solution in the hands of the IT staff, the truth is you need to create a ‘human firewall’ to protect your organization. Whenever humans are involved in situations where errors carry significant consequences, I recommend protecting them with a set of ‘guardrails’: safe systems, training, testing and accountability, and visibility/reminders.
Phishing is one of the most common cybersecurity attack vectors. It earned its name because attackers put their ‘bait’ (an email containing malicious attachments or links to look-alike login pages) in front of as many users as possible and wait to see who bites (clicks a link or opens the attachment). Phishing emails are no longer the obvious “I’m a prince and need your help moving $1.8 million.” They are sophisticated and targeted, preying on our emotions, insecurities, and instincts, and they often impersonate a colleague, vendor, or service the recipient already trusts.
With the increased use of video conferencing technology, we’ve seen instances in the news where the camera captured more than someone intended. Attackers are now leveraging this fear, and we’ve seen a dramatic rise in ‘sextortion’ scams. In this attack, a user receives an email in which someone claims to have recorded an embarrassing video through the user’s webcam and threatens to share it publicly unless the user pays a relatively modest sum. The claim is a bluff sent in bulk; the sender has no such recording, though some versions quote a real password from an old data breach to appear credible. The scam preys on a person’s fear of embarrassment: even if you can’t think of anything embarrassing you’ve done, the frightening unknown of ‘something’ prompts people to pay. It feels too risky not to assume the threat is real.
Given this environment, the best tool you have to avoid falling victim to a phishing attack is a well-equipped and well-trained workforce. Take the following steps to create a ‘human firewall’ to protect your organization and your employees.
Human Error Guardrail #1: Safe Systems
Technology can provide guardrails that prevent human error or minimize the damage when errors occur. A robust email screening system is the basic starting point: it checks sender authentication (SPF, DKIM, DMARC), known-malicious links and attachments, and look-alike sender domains before a message reaches an inbox. This is included with most business email systems, but confirm with your provider or IT team that it is actually turned on and tuned. Multi-factor authentication (MFA) is another safe system: it requires a second proof of identity (an authenticator app code, a push prompt, or a hardware security key) in addition to the password before a login completes, so a stolen or phished password alone is not enough. Enable it wherever a system offers it, and prefer app- or hardware-based factors over SMS codes, which can be intercepted or phished. Finally, a secure password management tool lets users keep a unique, long, random password for every account without memorizing them and provides an easy, secure storage option. Your employees ARE storing their passwords someplace, just not someplace secure (sticky notes, on their phone, in their email, etc.).
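To make the ‘email screening’ guardrail concrete, here is an added example (not from the original article, the author, or any vendor product) of the kind of checks such a layer applies to an incoming message. It flags the indicators described above: a failing SPF/DKIM/DMARC result, a Reply-To that routes replies away from the apparent sender, a sender domain that merely resembles the organization’s own, and a link whose visible text shows one host while the href points at another. The organization domain `acme.example`, the two sample messages, and the heuristics themselves are constructed for illustration and are not drawn from the page.

```python
"""Added example: flag common phishing indicators in a raw email (constructed heuristics)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organization domain(s) for this example; substitute your own.
TRUSTED_DOMAINS = ("acme.example",)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # Lower-cased hostname of a URL, or '' if it has none.
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    # True if the visible link text itself reads like a URL or bare hostname.
    return re.fullmatch(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?", text) is not None


def screen_email(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return human-readable findings for one RFC 822 message; [] means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender authentication results stamped by the receiving mail server.
    for hdr in msg.get_all("Authentication-Results", []):
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", str(hdr))
            if m and m.group(1).lower() != "pass":
                findings.append(f"{mech} result is '{m.group(1)}'")

    # 2. Reply-To that routes replies away from the apparent sender.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # 3. Lookalike sender: carries the trusted name but is not the trusted domain.
    if from_dom and from_dom not in trusted_domains:
        for trusted in trusted_domains:
            if trusted.split(".")[0] in from_dom:
                findings.append(f"lookalike sender domain '{from_dom}' resembles '{trusted}'")

    # 4. Link text that displays one host while the href goes to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            if _looks_like_url(text):
                shown = _host(text if "://" in text else "http://" + text)
                actual = _host(href)
                if shown and actual and shown != actual:
                    findings.append(f"link text shows '{shown}' but points to '{actual}'")
    return findings


# Constructed sample messages (not real mail): one phish, one legitimate notice.
SAMPLE_PHISH = """\
Authentication-Results: mx.acme.example; spf=softfail smtp.mailfrom=acme-payroll.example; dkim=none; dmarc=fail
From: "ACME Payroll" <payroll@acme-payroll.example>
Reply-To: payroll-desk@mail-verify.example
Subject: Action required: W-2 verification
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details within 24 hours:</p>
<a href="http://acme-portal.evil.example/login">https://portal.acme.example/login</a></body></html>
"""

SAMPLE_CLEAN = """\
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass
From: "ACME Payroll" <payroll@acme.example>
Subject: Your W-2 is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your W-2 is ready in the portal:</p>
<a href="https://portal.acme.example/login">https://portal.acme.example/login</a></body></html>
"""
```

Run `screen_email(SAMPLE_PHISH)` and it returns six findings (three authentication failures, the Reply-To mismatch, the lookalike domain, and the disguised link); `screen_email(SAMPLE_CLEAN)` returns an empty list. None of these checks is conclusive on its own, which is why a screening product combines many such signals with reputation data; the point of the example is that each signal is mechanical and can be applied before a person ever sees the message.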
Human Error Guardrail #2: Training
Great systems fail if people don’t know how to use them properly. You need to commit to equipping your staff with the skills needed to make the right cybersecurity decisions. This effort must include everyone who accesses your email system, not just your leaders, because an attacker needs only one person to click. If you expect your staff to perform well, you need to teach them how to recognize and avoid the common digital threats: unexpected requests for credentials or payments, sender addresses that don’t match the display name, links whose destination differs from the text shown, and pressure to act urgently or secretly. Many vendors offer effective training platforms that are easy to manage, and most offer ‘set-it-and-forget-it’ scheduling that keeps the issue in front of your team throughout the year. You owe it to your staff to train them well. Avoiding human error is about awareness of risk, and quality training provides that.
Human Error Guardrail #3: Accountability & Testing
Usually when we train someone in a skill, we test them to demonstrate their proficiency. I recommend doing the same with phishing. Several vendors provide tools to deploy simulated phishing campaigns. Prior to training, deploy a test campaign and report the aggregate results (how many clicked, how many entered credentials, how many reported the message) to your team; usually when they see the actual failure rate, they are more engaged in the follow-up training. Upon completion of the training, conduct periodic test phishes to keep everyone on their toes and maintain their awareness. Report results at the team level rather than singling people out: the behavior you want is fast reporting of suspicious messages, and people who fear punishment stop reporting.
Human Error Guardrail #4: Reminders
With the busyness of day-to-day duties, diligence in protecting an organization’s information systems tends to take a back seat to more pressing needs. Humans need reminders to keep from becoming blind to the commonplace risks around us. Examples of this type of reminder include the sign that reads “Employees must wash their hands before returning to work” in restaurant bathrooms and the etched message on your car’s mirrors reminding you that “objects in mirror are closer than they appear.” You need to keep the topic of cybersecurity in front of your staff. Test phishing campaigns, frequent short reminder trainings (less than 5 minutes), and including the topic in your staff meetings are effective ways to ensure your staff keeps these risks top of mind.
For additional information in video format, please watch this video where I talk more about security.
Remember: Your staff is presented with risky cybersecurity decisions every day. They do not WANT to make mistakes, so give them the skills to make great decisions. When it comes to cybersecurity, you may never fully know how valuable your investment in properly equipping your team and putting safe systems in place has been, because you will be stopping many problems before they occur. If your human firewall doesn’t include all four guardrails, be sure to speak with your IT team.
Keith Wrage is the Training and Technology Manager at Abdo, Eick and Meyers. Keith’s professional background is diverse and includes university teaching, light manufacturing, real estate and construction, and healthcare communication and staff development. He’s passionate about helping professionals leverage their technical expertise to serve their customers and believes that strong relationships are the key to achieving goals regardless of your role in the organization.