Each year, around 61% of small businesses become the victims of a malware attack. While many small businesses may think no one would ever come after them because of their size, know that over half of the total global attacks hit small businesses and, for thieves, getting access to your systems is becoming increasingly lucrative.
We’re collecting more about customers than ever before: medical history, financial records, consumer preferences, payment information, and other confidential information. Some of this information could be used in malicious ways to either harm your business or directly harm the customers, so we all understand that we must protect it from cyberattacks.
Creating a human firewall is the best way to keep your system and data safe, but what exactly is a human firewall, why do you need one, and how can you build one? Let’s take a look!
What is a Human Firewall?
You already know about a “normal“ firewall that acts as a technology shield, protecting your primary systems and sensitive customer data from outside threats like viruses, malware, ransomware, and the like. Protecting your systems with a technology firewall is an important major step to protect your business and customers, but even the most advanced firewalls can be breached because people you trust, your employees, need access to that data in some capacity, putting customer data at risk.
For a timely example, we can look the public relations nightmare that Facebook has endured over the past two years with scandal after scandal related to how they protect the massive amounts of data they collect on users. In some cases, the data breaches have been related to flaws in the technology; in other cases, people who were in positions to legally access that data made what some consider poor decisions that put Facebook user data at risk.
A human firewall addresses the second part of this. It focuses on risk awareness, training, and monitoring among employees. It ensures that people and technology effectively work together to safeguard critical systems and consumer data.
How Do Humans Increase Your Risk?
If you have a firewall, you may be wondering, how can your employees put data protected by a firewall at risk? Several types of malicious hackers exploit the weakest link in these scenarios and the weakest link, in this case, is the human. They employ strategies that innocuously coax employees into helping them breach your firewall.
How do they do it? Let’s look at six common strategies.
Scenario One: Basic Phishing Scam
You get an email that appears to be from your boss’ boss and it sounds urgent. They say that your boss is not available to help them and they ask you to click on a link and log into a work program that gives you access to customer information. You click the link and it takes you to a page that looks exactly like your workstation login page.
An employee is caught between a rock and a hard place. It sounds urgent and they could be fired if they don’t help their boss’ boss. Because they’ve been told their own boss is not available, they can’t check this out. How many of your employees do you think would comply to avoid getting in trouble? That’s exactly why this scheme or something similar to it is so effective.
Scenario Two: Spear Phishing Scam
You get an email that says, “Hi, {your name}, here’s the file I promised I’d send you earlier this month. I know you’ll find these reports invaluable as a {Job Title}. Let me know how they work for you.“. It comes from someone who appears to work in your company or a company that your department often works with, making the email seem valid and trustworthy.
Do you open the file? If you decided to open the file, it just downloaded malicious key-tracking software onto your computer which can now see everything you type, including all of your passwords or it may go further, infecting your computer and those of your co-workers, overtaking your network and stealing data.
Scenario Three: Ransomware
A malicious entity used one of these or thousands of other strategies to leverage human error in order to breach your system. They’ve locked down all of your servers through encryption so that you can’t access any customer data.
They tell you via a message on the computer screen that you have three hours to pay them $1000 in cryptocurrency or they will completely wipe out all of your customer data. Not unsurprisingly, many businesses choose to pay the relatively low ransom rather than lose priceless customer information. This fuels the prevalence of these attacks and increases the chance that a business that previously paid will get hit again. They may or may not regain access after paying.
Scenario Four: 3rd Party Software
An employee unknowingly installs 3rd party software that promises to make program X that they use for work easier to use by auto-populating certain fields. They give the software access to the system. Not all 3rd party software is malicious but any 3rd party software can put your data at risk. An expert should review all such software before anything is installed.
Scenario Five: Delayed Update
Companies like Microsoft, Google, and other big names are constantly being attacked as thieves who look for vulnerabilities in their software that they can use to attack the millions of people who use these softwares. When a company becomes aware of a new breach in their software, they create and send a patch to all of their subscribers, but often each user must download the patch to become protected. The normal human tendency to put things off can leave patches uninstalled for months, leaving you at risk longer than you should have been.
Scenario Six: Password Sharing
You have an employee who has trouble remembering passwords (That’s most people!), so they use the same password everywhere, including low-security websites they visit at home. How difficult do you think it would be for a malicious entity to figure out what password they use for your work systems?
You can tell people all day long not to share passwords, but because it’s hard for you to monitor, they’re on the “honor system“. How many employees really feel invested enough to always follow security rules when they think no one is watching? Well, let’s take a look by exploring just how successful attacks like these continue to be.
Why Do You Need a Human Firewall?
The average phishing scheme costs a mid-size business $1.6 million in damages. 76% of businesses say they were targeted with at least one phishing attempt last year. A Verizon study found that 30% of phishing emails get opened by employees and 12% of those employees click the link.
A single Ransomware attack costs a business $2500 per attack on average. If you’re a large corporation you can expect that amount to go up exponentially. This may not seem like much, but if you pay, you better believe they’ll keep coming after you again and again until you put a stop to it. And if the thief has even fewer scruples, they could take the money and then not un-encrypt customer data. That would cost the average business much more and if that information isn’t backed up a business could lose everything.
Recently, a Ransomware called “WannaCry“ completely shut down the single health system in the UK plus a major transportation company in the U.S. as it infected 200,000 computers in 150 countries. While many people refused to pay, the thieves walked away with $130,000. The damages incurred by those attacked by this one event are believed to have exceeded $4 billion when you factor in lost customers, delays, lost sales, and inability to service existing customers.
Ransomware attacks have proven very profitable for the thieves and have therefore increased worldwide by 350%. We have to protect our data and the human component must be part of that solution. Let’s explore the anatomy of a human firewall.
How to Build a Human Firewall Step by Step
A human firewall consists of five parts. No single part can stand alone. Only by taking an integrative and comprehensive approach can you protect your business and your customers.
1. Make Employees Feel Personally Invested in Security
Get people engaged in active security by helping them understand not just what the threats are but why security is so important and what an attack could cost the company, employees and customers.
For example:
- Customers could be victims of identity theft
- The company could become no longer financially viable (go bankrupt)
- The reputation of the company may not recover
- People may lose their jobs
Share these risks in ways that they don’t seem over-sensationalized as that could have the opposite intended effect. Encourage employees to stay alert to possible threats to protect customer data, each other and the company. Often positive peer pressure can psychologically help employees stay more engaged so look for ways to publicly, positively reinforce the right behaviors.
2. Inform & Educate
First, realize that there is no such thing as common sense. If an employee has never been exposed to a certain type of threat you can’t expect them to know that there is a threat so education that goes into specifics about types of threats is critical.
Create a security handbook for employees and update it at least annually. Cover your human security protocols thoroughly, but keep it short and use visuals as much as possible. People often remember pictures and graphics more than words.
Hold at least an annual security training. Remind employees about what’s in the manual and reiterate why it’s important.
Use online trainings, videos, quizzes, group games, or other more interactive tools to make security protocol more memorable and even fun.
Fast learning can also mean fast forgetting, so spread training and information throughout the year to enhance retention. This helps security stay top-of-mind all year long and with the interactive, personalized, and user-driven tutorials that you have available to you today, training can always take place at the best times and in the shortest amount of time to reduce its impact on productivity.
3. Build and Maintain an IT Infrastructure
Today more than ever humans and technology work together to get things done, so make sure that technology supports your human firewall in any way it can. If your employees feel that the technology that you put in place or leave in place makes it harder to do their jobs, they will create workarounds that put data at risk. Build and maintain an infrastructure that puts usability at the forefront and facilitates compliant activity.
4. Measure & Monitor
Any human firewall is only as effective as your ability to systematically measure its success. Put systems in place to:
- Track compliance with password changes, installing patches, completing training, not posting sensitive data on public forums, not using private email of company business, etc.
- Assess risk
- Get feedback from employees on unknown risks
- Evaluate employee retention of what they’ve learned
- Measure employee perception of security measures, which can help you understand how invested they are in security and how well technology balances security and usability
- Identify malicious or careless activity among employees
5. Adapt to New Threats
While many threats persist year after year, thieves are constantly looking for new ways to get into your systems. It’s important to stay informed and/or work with people who are very informed about these threats and know how to build, implement and monitor both the technology and the human side of your firewall.
The Anatomy of the Human Firewall
By applying these techniques you can build a human firewall that protects your business and customers. Don’t just assume that your employees are invested in security or know what you do. Build a human firewall today.
