The Human Firewall - Make Your Employees Cybersecurity Heroes
December 01, 2017
When we talk about cybersecurity, we tend to think first of anti-virus programs and maybe even adblockers. The weakest link, though, is not software or hardware. The weakest link is always the human element: more than half of security incidents can be traced to an employee who acts with ill intent or who simply makes a mistake. The phrase "human firewall" is coming into use, and it refers to the various methods that can be used to plug that weak spot. Primarily, this means education; employees and users need to learn to think about security and pay attention to the areas in which they are vulnerable. No amount of money invested in hardware and software can make up for weaknesses in training.
So, what do your employees need to know? All employees need to take part in cybersecurity training. This doesn't have to be expensive; it can consist of regular memos reminding people not to click on links in unsolicited email messages, cheat sheets on how to make a strong password, and so on. Making it creative and fun helps people remember what to do; quizzes, for example, help the rules stick. Training should also cover protecting employees' own data and identity, so that they understand that cybersecurity matters in daily life as well. Then, work with them on applying the following tools to create a strong human firewall:
- Strong passwords. Passphrases are best, but not all systems accept them. Ban employees from using common passwords such as "password" or even "passw0rd" (digit substitution adds no real strength). Password strength checkers are available, but be aware that they tend to overstate how strong a password is. If employees have difficulty remembering passwords, encourage them to use mnemonics or a password manager (so they only have to remember the master password). Do not allow passwords to be written on notes stuck to monitors or cubicle walls.
- Require regular password changes and train employees to change their passwords substantially rather than, say, going from "jane01" to "jane02." Enforcing a password history can also help (for example, if passwords must be changed every 30 days, disallow reuse of any password within six months, so that employees cannot cycle through "Password 347", "Password 365", "Password 347"). These techniques are all needed because passwords are hard to remember; so, again, talk about mnemonics and other ways to make memorizing passwords easier.
- Train employees on cybersecurity on an ongoing basis. Employees should never click on links in emails unless they are very sure of the source and were expecting the email. Teach people about email spoofing (in which cyber criminals make an email appear to come from a trusted source) and phishing. Phishing drills (sending employees fake phishing emails and seeing whether they click the link, ignore the mail, or report it) can be very helpful. Also talk to employees about installing software from unknown sources and visiting potentially dangerous sites such as torrent sites. Employees who breach protocols should be disciplined in a fair and constructive manner (malice is grounds for termination, but stupidity and ignorance can generally be fixed).
- Develop security protocols that are seamless and as close as possible to invisible to the end user. Employees will resent protocols that make them feel restricted or spied on (for example, if you are using device wiping software, especially on their own devices, you should consider very carefully how and when it is implemented and how to keep employees in the loop and in control).
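As an added example (not code from the original article), the password checks described in the two password bullets above, sketched in Python: a blocklist that undoes digit substitutions, a six-month reuse window enforced against a salted-hash history, and a rule against trivial increments such as "jane01" to "jane02". The blocklist, the PBKDF2 parameters and the scenario in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed blocklist for this example; a deployment would load a breached-password list.
BLOCKED = {"password", "letmein", "qwerty", "welcome"}
# Common digit/symbol substitutions: "passw0rd" is no stronger than "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
REUSE_WINDOW = timedelta(days=180)  # the six-month window from the text
ITERATIONS = 100_000                # PBKDF2 work factor, assumed for the example

def normalize(pw: str) -> str:
    """Undo leetspeak substitutions so blocklist matching also catches variants."""
    return pw.lower().translate(LEET)

def stem(pw: str) -> str:
    """Drop trailing digits/punctuation, so 'jane01' and 'jane02' share the stem 'jane'."""
    return normalize(re.sub(r"[\d\W_]+$", "", pw))

def digest(text: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, ITERATIONS)

def record(pw: str, changed_at: datetime) -> dict:
    """History entry holding salted hashes only; old passwords are never kept in clear."""
    salt = os.urandom(16)
    return {"at": changed_at, "salt": salt,
            "pw": digest(pw, salt), "stem": digest(stem(pw), salt)}

def check_new_password(new_pw: str, history: list, now: datetime):
    """Return None if the candidate is acceptable, otherwise the reason for rejecting it."""
    if normalize(new_pw) in BLOCKED or stem(new_pw) in BLOCKED:
        return "common password (digit substitution does not help)"
    for entry in history:  # exact reuse inside the window, compared hash-to-hash
        if now - entry["at"] < REUSE_WINDOW and hmac.compare_digest(
                digest(new_pw, entry["salt"]), entry["pw"]):
            return "password reused within the last six months"
    if history:  # trivial increment of the most recent password
        latest = max(history, key=lambda e: e["at"])
        if hmac.compare_digest(digest(stem(new_pw), latest["salt"]), latest["stem"]):
            return "only the trailing digits changed from the previous password"
    return None

def demo() -> dict:
    """Constructed scenario: Jane changed her password 60 and 400 days ago."""
    now = datetime(2017, 12, 1)
    history = [record("jane01", now - timedelta(days=60)),
               record("Winter-Skyline-2016", now - timedelta(days=400))]
    candidates = ["passw0rd", "jane02", "jane01", "Winter-Skyline-2016", "correct horse battery staple"]
    return {pw: check_new_password(pw, history, now) for pw in candidates}
```

Calling `demo()` shows each rule firing once: the leetspeak variant is blocked, the increment and the recent reuse are rejected, and the 400-day-old password falls outside the window.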
The most important aspect of building a strong human firewall is continuing education and training. Proper training can turn all of your employees, not just IT administrators, into cybersecurity heroes. It can also help them be safer and more secure in their own lives.