The role of humans in an organisation’s security is double-edged—a security threat on one side and a vital security asset on the other.
A recent Verizon study finds that most breaches (68%) involved a non-malicious human element, such as a person falling victim to a social engineering attack or making an error.
On the other hand, when employees know and embrace their role as a human firewall, they can also play a pivotal part in enhancing an organisation’s security.
Chris Hockings, APAC CTO, IBM Security, discussed the importance of a human firewall, its vital role in protecting organisations, its risks and constraints, and how security leaders can help strengthen it for enhanced organisational security.
Weakest link?
According to the 2023 Ponemon Institute Cost of a Data Breach Report, the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over three years.
“Across both ASEAN and Australia, phishing continues to be the most prevalent entry point for attackers into organisations, and one of the most expensive in terms of the overall cost,” Hockings shared.
Hockings said that attackers usually perceive users as the weakest link in an organisation’s security, highlighting the importance of proactive zero-trust measures to help detect and prevent cyber threats.
“Just like a traditional firewall might do for IT networks, the human firewall concept is the recognition that individuals can protect and safeguard their IT assets and their employers,” acknowledged Hockings.
He explained that deploying human firewalls includes using strong protection mechanisms, such as multi-factor authentication, and having employees spot suspicious activity or potential phishing emails through a zero-trust mindset.
“In human-targeted cyber campaigns, having users think and act on any anomalous activities can help prevent incidents, even before they begin,” Hockings said.
Building the firewall
In the article, “Building the human firewall: Navigating behavioural change in security awareness and culture”, IBM highlights the need to foster a positive cybersecurity culture in an organisation rooted in behaviour change and psychology.
The process starts with auditing employees' capabilities, knowledge, and skills in online safety, including creating strong passwords and recognising phishing attempts.
IBM posits that organisations also need to identify opportunities for learning, the availability of resources, training programs, policies, and procedures.
Finally, organisations must evaluate employees' motivation, willingness, and drive to prioritise organisational security.
After evaluating those three crucial areas, organisations can introduce interventions for behavioural change targeting employees’ intuitive behaviours and building a first line of defence with a workforce armed with cyber awareness.
Human vulnerabilities
A human firewall works as a first line of defence or an initial detection point. However, even with heightened cyber awareness, malicious players can still exploit advanced psychological techniques to lure employees into risky actions.
“Organisations cannot simply rely on education to enable users to provide full protection, and therefore must move to a zero-blame culture,” reminded Hockings.
He said organisations must take note of human vulnerabilities: no person is exempt from being targeted by malicious players seeking to exploit psychological weaknesses, and no one can be expected never to fall for a human-targeted cyber campaign.
He finds it best to support education, awareness, and individual efforts with technology that can detect and respond to malicious campaigns.
“Across ASEAN, the organisations that augmented their security with AI (analytics) and automation reduced costs of attacks by almost one-third. It is also important that organisations have a well thought through, risk-based methodology for assessing particular roles, and adequate detection and response mechanisms in place around those of highest risk,” he said.
Proactive measures of CIOs and CISOs
“Education is key, and regular and effective cyber awareness training is essential,” the IBM executive said, highlighting the role of security leaders in championing programs that centre on education and cyber awareness.
He also reminded CIOs and CISOs to invest in campaigns relevant to each role, with an intensity that rises with the risk.
“If you consider the attackers' perspective, the highest-value target will incentivise the most effort, so accounts such as privileged users or executives require specific safeguards for the valuable assets they access,” he said.
Hockings recommends making it harder for attackers to deploy successful phishing campaigns through strong prevention and detection capabilities such as Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), and passive AI-powered detection capabilities.
Hardening the firewall
As threats become increasingly sophisticated, organisations can also look within and realise that one of their most important security defences is their employees acting as human firewalls.
Through continuous education, awareness, ethics, and practice, employees have the potential to help their organisations strengthen their security posture.